[Swan] iOS IKEv2 "ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy"

Heting Wang meow at imlibra.me
Sun Jul 23 03:04:29 EEST 2023


Hello,

It’s listening, I tried "ipsec whack --listen" many times but it’s still the same:


Jul 22 22:38:36.582586: "cert": added IKEv2 connection
Jul 22 22:38:36.582671: listening for IKE messages
Jul 22 22:38:36.582748: Kernel supports NIC esp-hw-offload
Jul 22 22:38:36.582865: adding UDP interface docker0 172.17.0.1:500
Jul 22 22:38:36.583132: adding UDP interface docker0 172.17.0.1:4500
Jul 22 22:38:36.583173: adding UDP interface eth1 172.31.2.1:500
Jul 22 22:38:36.583197: adding UDP interface eth1 172.31.2.1:4500
Jul 22 22:38:36.583223: adding UDP interface eth0 172.31.1.1:500
Jul 22 22:38:36.583247: adding UDP interface eth0 172.31.1.1:4500
Jul 22 22:38:36.583270: adding UDP interface lo 127.0.0.1:500
Jul 22 22:38:36.583295: adding UDP interface lo 127.0.0.1:4500
Jul 22 22:38:36.583324: adding UDP interface lo [::1]:500
Jul 22 22:38:36.583352: adding UDP interface lo [::1]:4500
Jul 22 22:38:36.583378: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
Jul 22 22:38:36.583401: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
Jul 22 22:38:36.583423: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
Jul 22 22:38:36.583460: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
Jul 22 22:38:36.583484: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
Jul 22 22:38:36.583508: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
Jul 22 22:38:36.583535: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
Jul 22 22:38:36.583561: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
Jul 22 22:38:36.585769: loading secrets from "/etc/ipsec.secrets"
Jul 22 22:38:36.585812: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 22 22:39:24.962183: listening for IKE messages
Jul 22 22:39:24.962393: loading secrets from "/etc/ipsec.secrets"
Jul 22 22:39:24.962423: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 22 22:40:14.605540: listening for IKE messages
Jul 22 22:40:14.605798: loading secrets from "/etc/ipsec.secrets"
Jul 22 22:40:14.605840: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 22 22:40:27.791023: listening for IKE messages
Jul 22 22:40:27.791184: loading secrets from "/etc/ipsec.secrets"
Jul 22 22:40:27.791215: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 22 22:42:11.073335: listening for IKE messages
Jul 22 22:42:11.073494: loading secrets from "/etc/ipsec.secrets"
Jul 22 22:42:11.073523: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 22 22:42:16.885759: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:42:16.885784: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 22 22:42:17.855101: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:42:17.855131: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN

> On Jul 23, 2023, at 5:01 AM, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Sat, 22 Jul 2023, Heting Wang wrote:
> 
>> I’m now migrating from StrongSwan to LibreSwan, it seems like it will never work with iOS
> 
> Your error is not related to iOS.
> 
>> conn cert
>> ikev2=insist
>> left=%defaultroute
> 
>> tail -f /var/log/pluto.log
>> Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
>> Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
>> Jul 22 19:49:36.532072: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
>> Jul 22 19:49:36.532096: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
>> Jul 22 19:49:36.532119: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
>> Jul 22 19:49:36.532142: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
>> Jul 22 19:49:36.532165: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
>> Jul 22 19:49:36.532188: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
> 
> It seems you are not listening on IPv4 IP addresses. Meaning libreswan
> got started before the IP 172.31.2.1 was configured on the system?
> 
>> Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with
>> IKEv2 policy
>> Jul 22 19:50:03.652512: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification
>> NO_PROPOSAL_CHOSEN
> 
> As a workaround, you can try after the boot to issue "ipsec whack --listen" which should redo the IP
> binding and pick up the now added 172.31.2.1 IP.
> 
> Paul
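As an added triage helper, not part of this thread or of the libreswan project, the script below parses the two kinds of pluto.log lines shown above: it records which local address:port pairs pluto bound, marks each rejected IKE_SA_INIT with whether that local address appears among the binds in the excerpt (the first thing Paul's reply asks about), attaches the unencrypted notification sent back, and counts rejections per peer. The sample log is constructed from this thread's lines; 198.51.100.9 is a made-up second peer.

```python
import re
from collections import Counter

# Constructed sample pluto.log excerpt, modelled on the lines in this thread
# (not the poster's actual file; the 198.51.100.9 peer is made up).
SAMPLE_LOG = """\
Jul 22 22:38:36.582671: listening for IKE messages
Jul 22 22:38:36.583173: adding UDP interface eth1 172.31.2.1:500
Jul 22 22:38:36.583197: adding UDP interface eth1 172.31.2.1:4500
Jul 22 22:38:36.583324: adding UDP interface lo [::1]:500
Jul 22 22:42:16.885759: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:42:16.885784: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 22 22:42:17.855101: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:42:17.855131: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 22 22:43:01.000000: packet from 198.51.100.9:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.1.1:500 but no suitable connection found with IKEv2 policy
"""

# IPv4 address or bracketed IPv6 address, followed by a port.
ADDR = r"(\[[0-9A-Fa-f:]+\]|[0-9.]+):(\d+)"
BIND_RE = re.compile(r"adding UDP interface (\S+) " + ADDR + r"$")
REJECT_RE = re.compile(r"packet from (\S+): ISAKMP_v2_IKE_SA_INIT message received on "
                       + ADDR + r" but no suitable connection found")
NOTIFY_RE = re.compile(r"packet from (\S+): responding to IKE_SA_INIT .* notification (\S+)$")


def triage(log_text):
    """Summarise interface binds and rejected IKE_SA_INIT exchanges in pluto.log text."""
    bound = {}        # "addr:port" -> interface name, from "adding UDP interface" lines
    rejections = []   # one entry per "no suitable connection found" line
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bound[f"{m.group(2)}:{m.group(3)}"] = m.group(1)
        elif m := REJECT_RE.search(line):
            local = f"{m.group(2)}:{m.group(3)}"
            # local_bound is False when the excerpt shows no bind for that address:
            # either the excerpt is incomplete or pluto never listened there.
            rejections.append({"peer": m.group(1), "local": local,
                               "local_bound": local in bound, "notify": None})
        elif m := NOTIFY_RE.search(line):
            # Attach the notification to the latest unanswered rejection from that peer.
            for rej in reversed(rejections):
                if rej["peer"] == m.group(1) and rej["notify"] is None:
                    rej["notify"] = m.group(2)
                    break
    per_peer = Counter(rej["peer"] for rej in rejections)
    return {"bound": bound, "rejections": rejections, "per_peer": per_peer}
```

Run it over a real excerpt with `triage(open("/var/log/pluto.log").read())`; a rejection whose local address is bound, as in the poster's follow-up log, points at the conn definitions rather than at socket binding.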