Vpn connect between iOS NEVPNManager and StrongSwan on Ubuntu 16.04

638 views Asked by At

I am trying to create vpn connection in my app. On the sever side use IKEv2 VPN Server with StrongSwan on Ubuntu 16.04. Build by this guid (https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04).

When I'm trying to connect. Server send this logs:

 - May  5 08:58:21 ip-2 charon: 05[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:21 ip-2 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:21 ip-2 charon: 05[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:21 ip-2 charon: 05[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:21 ip-2 charon: 05[IKE] remote host is behind NAT
 - May  5 08:58:21 ip-2 charon: 05[IKE] received proposals inacceptable
 - May  5 08:58:21 ip-2 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:21 ip-2 charon: 05[NET] sending packet: from 2[500] to 3[500] (36 bytes)
 - May  5 08:58:22 ip-2 charon: 16[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:22 ip-2 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:22 ip-2 charon: 16[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:22 ip-2 charon: 16[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:22 ip-2 charon: 16[IKE] remote host is behind NAT
 - May  5 08:58:22 ip-2 charon: 16[IKE] received proposals inacceptable
 - May  5 08:58:22 ip-2 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:22 ip-2 charon: 16[NET] sending packet: from 2[500] to 3[500] (36 bytes)

I use this configuration on server:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    lifetime=8h
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<IP>
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1! 

On iOS use this code:

class VpnManager {
    
    let vpnManager = NEVPNManager.shared()
    let info = VPNINFO()
    
    func connectToVPN() {
        vpnManager.loadFromPreferences { error in
            guard error == nil else {
                print(error)
                return
            }

            let IKEv2Protocol = NEVPNProtocolIKEv2()
            IKEv2Protocol.serverAddress = self.info.serverAddress
            IKEv2Protocol.authenticationMethod = .certificate
            
            let certificate = SecCertificateCreateWithData(nil, Data(base64Encoded: self.info.cert)! as CFData)!
            let certificateData = SecCertificateCopyData(certificate) as Data
            IKEv2Protocol.identityData = certificateData
            
            self.vpnManager.protocolConfiguration = IKEv2Protocol
            self.vpnManager.isEnabled = true
            
            self.vpnManager.saveToPreferences { error in
                guard error == nil else {
                    print(error)
                    return
                }
                do {
                    try self.vpnManager.connection.startVPNTunnel(
                        options: ([
                            NEVPNConnectionStartOptionUsername: "username",
                            NEVPNConnectionStartOptionPassword: KeychainWrapper.passwordRefForVPNID("MY_PASSWORD")
                        ] as! [String: NSObject]))
                } catch let error {
                    print(error)
                }
            }
        }
    }
    
    
}

Expected result: Connected

Actual result: Connection -> Disconnected

Last console logs:

Jun  4 15:44:51 charon: 06[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 06[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 06[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 06[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 06[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:44:51 charon: 05[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 05[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 05[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 05[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 05[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:45:11 charon: 08[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:11 charon: 09[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:21 charon: 10[JOB] deleting half open IKE_SA with <my ip> after timeout
Jun  4 15:45:21 charon: 11[JOB] deleting half open IKE_SA with <my ip> after timeout
1

There are 1 answers

3
munibsiddiqui On

Your strongswan server is configured with the following encryption algorithm.

ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!

Solution

You need to specify the Cipher in NEVPNProtocolIKEv2 instance that is supported by VPN Server.

    IKEv2Protocol.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.ikeSecurityAssociationParameters.diffieHellmanGroup = .group2 
    IKEv2Protocol.ikeSecurityAssociationParameters.lifetimeMinutes = 480
    
    IKEv2Protocol.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.childSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.childSecurityAssociationParameters.diffieHellmanGroup = .group2
    IKEv2Protocol.childSecurityAssociationParameters.lifetimeMinutes = 60