I am trying to create vpn connection in my app. On the sever side use IKEv2 VPN Server with StrongSwan on Ubuntu 16.04. Build by this guid (https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04).
When I'm trying to connect. Server send this logs:
- May 5 08:58:21 ip-2 charon: 05[NET] received packet: from 3[500] to 2[500] (432 bytes)
- May 5 08:58:21 ip-2 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
- May 5 08:58:21 ip-2 charon: 05[IKE] 3 is initiating an IKE_SA
- May 5 08:58:21 ip-2 charon: 05[IKE] local host is behind NAT, sending keep alives
- May 5 08:58:21 ip-2 charon: 05[IKE] remote host is behind NAT
- May 5 08:58:21 ip-2 charon: 05[IKE] received proposals inacceptable
- May 5 08:58:21 ip-2 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
- May 5 08:58:21 ip-2 charon: 05[NET] sending packet: from 2[500] to 3[500] (36 bytes)
- May 5 08:58:22 ip-2 charon: 16[NET] received packet: from 3[500] to 2[500] (432 bytes)
- May 5 08:58:22 ip-2 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
- May 5 08:58:22 ip-2 charon: 16[IKE] 3 is initiating an IKE_SA
- May 5 08:58:22 ip-2 charon: 16[IKE] local host is behind NAT, sending keep alives
- May 5 08:58:22 ip-2 charon: 16[IKE] remote host is behind NAT
- May 5 08:58:22 ip-2 charon: 16[IKE] received proposals inacceptable
- May 5 08:58:22 ip-2 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
- May 5 08:58:22 ip-2 charon: 16[NET] sending packet: from 2[500] to 3[500] (36 bytes)
I use this configuration on server:
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
lifetime=8h
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=<IP>
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
On iOS use this code:
class VpnManager {
let vpnManager = NEVPNManager.shared()
let info = VPNINFO()
func connectToVPN() {
vpnManager.loadFromPreferences { error in
guard error == nil else {
print(error)
return
}
let IKEv2Protocol = NEVPNProtocolIKEv2()
IKEv2Protocol.serverAddress = self.info.serverAddress
IKEv2Protocol.authenticationMethod = .certificate
let certificate = SecCertificateCreateWithData(nil, Data(base64Encoded: self.info.cert)! as CFData)!
let certificateData = SecCertificateCopyData(certificate) as Data
IKEv2Protocol.identityData = certificateData
self.vpnManager.protocolConfiguration = IKEv2Protocol
self.vpnManager.isEnabled = true
self.vpnManager.saveToPreferences { error in
guard error == nil else {
print(error)
return
}
do {
try self.vpnManager.connection.startVPNTunnel(
options: ([
NEVPNConnectionStartOptionUsername: "username",
NEVPNConnectionStartOptionPassword: KeychainWrapper.passwordRefForVPNID("MY_PASSWORD")
] as! [String: NSObject]))
} catch let error {
print(error)
}
}
}
}
}
Expected result: Connected
Actual result: Connection -> Disconnected
Last console logs:
Jun 4 15:44:51 charon: 06[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun 4 15:44:51 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 4 15:44:51 charon: 06[IKE] <my ip> is initiating an IKE_SA
Jun 4 15:44:51 charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 4 15:44:51 charon: 06[IKE] local host is behind NAT, sending keep alives
Jun 4 15:44:51 charon: 06[IKE] remote host is behind NAT
Jun 4 15:44:51 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 4 15:44:51 charon: 06[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun 4 15:44:51 charon: 05[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun 4 15:44:51 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 4 15:44:51 charon: 05[IKE] <my ip> is initiating an IKE_SA
Jun 4 15:44:51 charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 4 15:44:51 charon: 05[IKE] local host is behind NAT, sending keep alives
Jun 4 15:44:51 charon: 05[IKE] remote host is behind NAT
Jun 4 15:44:51 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 4 15:44:51 charon: 05[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun 4 15:45:11 charon: 08[IKE] sending keep alive to <my ip>[500]
Jun 4 15:45:11 charon: 09[IKE] sending keep alive to <my ip>[500]
Jun 4 15:45:21 charon: 10[JOB] deleting half open IKE_SA with <my ip> after timeout
Jun 4 15:45:21 charon: 11[JOB] deleting half open IKE_SA with <my ip> after timeout
Your strongswan server is configured with the following encryption algorithm.
Solution
You need to specify the Cipher in NEVPNProtocolIKEv2 instance that is supported by VPN Server.