[Swan] iOS IKEv2 "ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy"

Paul Wouters paul at nohats.ca
Sun Jul 23 00:00:59 EEST 2023


On Sat, 22 Jul 2023, Heting Wang wrote:

> I’m now migrating from StrongSwan to LibreSwan, it seems like it will never work with iOS

Your error is not related to iOS.

> conn cert
> ikev2=insist
> left=%defaultroute

> tail -f /var/log/pluto.log
> Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
> Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
> Jul 22 19:49:36.532072: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
> Jul 22 19:49:36.532096: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
> Jul 22 19:49:36.532119: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
> Jul 22 19:49:36.532142: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
> Jul 22 19:49:36.532165: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
> Jul 22 19:49:36.532188: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500

It seems you are not listening on IPv4 IP addresses. Meaning libreswan
got started before the IP 172.31.2.1 was configured on the system?

> Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
> Jul 22 19:50:03.652512: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN

As a workaround, you can try after the boot to issue "ipsec whack --listen" which should redo the IP
binding and pick up the now added 172.31.2.1 IP.

Paul
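
The check described in the reply above, as an added example that is not part of the original message or of libreswan: it compares the local endpoint named in each "no suitable connection" line against the endpoints pluto logged as listening earlier in the same log. The function and variable names are hypothetical, and the IPv4 listener line in the second sample is constructed, with its format assumed to mirror the IPv6 lines.

```python
import ipaddress
import re

# Endpoint as it appears in the log: "[v6addr]:port" or "v4addr:port".
EP = r"(?:\[(?P<a6>[^\]]+)\]|(?P<a4>[\d.]+)):(?P<port>\d+)"
LISTEN_RE = re.compile(r"adding UDP interface \S+ " + EP)
NOCONN_RE = re.compile(r"message received on " + EP + r" but no suitable connection")

# Lines copied from the log excerpt quoted above (wrapped lines rejoined).
PAGE_LOG = [
    "Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500",
    "Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500",
    "Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT "
    "message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy",
]
# Constructed sample: same log with an IPv4 listener line added (format assumed).
CONSTRUCTED_BOUND_LOG = [
    "Jul 22 19:49:36.531900: adding UDP interface eth0 172.31.2.1:500",
] + PAGE_LOG


def _endpoint(match):
    """Normalise a regex match to (ip_address, port) so v4/v6 compare cleanly."""
    addr = match.group("a6") or match.group("a4")
    return ipaddress.ip_address(addr), int(match.group("port"))


def unbound_receives(log_lines):
    """Return local endpoints that received IKE traffic with 'no suitable
    connection' before pluto had logged them as a listening UDP interface."""
    listening, missing = set(), []
    for line in log_lines:  # order matters: a later re-listen clears later hits
        m = LISTEN_RE.search(line)
        if m:
            listening.add(_endpoint(m))
            continue
        m = NOCONN_RE.search(line)
        if m:
            ep = _endpoint(m)
            if ep not in listening and ep not in missing:
                missing.append(ep)
    return missing


if __name__ == "__main__":
    for addr, port in unbound_receives(PAGE_LOG):
        print(f"{addr}:{port} received IKE traffic but was never logged as a listener")
```

An empty result means the rejected packets arrived on an address pluto had already bound, so the cause lies elsewhere than the listener set.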

