Hello. I tried to use my old iPhone with strongSwan. I created a profile [1], installed it on the iPhone and tried to connect, but on the iPhone I got "User Authentication failed" and I do not know how to debug this. Any hints?
From the strongSwan side everything seems to be OK:

2022-06-21T06:19:06.545474+02:00 alfa charon-systemd: 12[NET] received packet: from 5.172.255.70[4651] to 192.168.22.200[500] (432 bytes)
2022-06-21T06:19:06.546008+02:00 alfa charon-systemd: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2022-06-21T06:19:06.546483+02:00 alfa charon-systemd: 12[IKE] 5.172.255.70 is initiating an IKE_SA
2022-06-21T06:19:06.546818+02:00 alfa charon-systemd: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2022-06-21T06:19:06.552315+02:00 alfa charon-systemd: 12[IKE] local host is behind NAT, sending keep alives
2022-06-21T06:19:06.552676+02:00 alfa charon-systemd: 12[IKE] remote host is behind NAT
2022-06-21T06:19:06.562881+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
2022-06-21T06:19:06.563275+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-client-ca"
2022-06-21T06:19:06.563724+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-ca"
2022-06-21T06:19:06.564174+02:00 alfa charon-systemd: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-06-21T06:19:06.564382+02:00 alfa charon-systemd: 12[NET] sending packet: from 192.168.22.200[500] to 5.172.255.70[4651] (521 bytes)
2022-06-21T06:19:06.825283+02:00 alfa charon-systemd: 11[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.825839+02:00 alfa charon-systemd: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/7) ]
2022-06-21T06:19:06.826287+02:00 alfa charon-systemd: 11[ENC] received fragment #1 of 7, waiting for complete IKE message
2022-06-21T06:19:06.826730+02:00 alfa charon-systemd: 13[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.827181+02:00 alfa charon-systemd: 13[ENC] parsed IKE_AUTH request 1 [ EF(2/7) ]
2022-06-21T06:19:06.827660+02:00 alfa charon-systemd: 13[ENC] received fragment #2 of 7, waiting for complete IKE message
2022-06-21T06:19:06.828198+02:00 alfa charon-systemd: 14[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.828666+02:00 alfa charon-systemd: 14[ENC] parsed IKE_AUTH request 1 [ EF(3/7) ]
2022-06-21T06:19:06.829262+02:00 alfa charon-systemd: 14[ENC] received fragment #3 of 7, waiting for complete IKE message
2022-06-21T06:19:06.829817+02:00 alfa charon-systemd: 09[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.830394+02:00 alfa charon-systemd: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/7) ]
2022-06-21T06:19:06.831010+02:00 alfa charon-systemd: 09[ENC] received fragment #4 of 7, waiting for complete IKE message
2022-06-21T06:19:06.831574+02:00 alfa charon-systemd: 07[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.832188+02:00 alfa charon-systemd: 07[ENC] parsed IKE_AUTH request 1 [ EF(5/7) ]
2022-06-21T06:19:06.832697+02:00 alfa charon-systemd: 07[ENC] received fragment #5 of 7, waiting for complete IKE message
2022-06-21T06:19:06.833227+02:00 alfa charon-systemd: 05[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.833731+02:00 alfa charon-systemd: 05[ENC] parsed IKE_AUTH request 1 [ EF(6/7) ]
2022-06-21T06:19:06.834266+02:00 alfa charon-systemd: 05[ENC] received fragment #6 of 7, waiting for complete IKE message
2022-06-21T06:19:06.834804+02:00 alfa charon-systemd: 06[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (148 bytes)
2022-06-21T06:19:06.835059+02:00 alfa charon-systemd: 06[ENC] parsed IKE_AUTH request 1 [ EF(7/7) ]
2022-06-21T06:19:06.835318+02:00 alfa charon-systemd: 06[ENC] received fragment #7 of 7, reassembled fragmented IKE message (2912 bytes)
2022-06-21T06:19:06.835581+02:00 alfa charon-systemd: 06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2022-06-21T06:19:06.835861+02:00 alfa charon-systemd: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2022-06-21T06:19:06.836124+02:00 alfa charon-systemd: 06[IKE] received end entity cert "C=PL, ST=Mazowieckie, O=alfa, OU=ipsec, OU=Iphone 8, CN=jaszczurka"
2022-06-21T06:19:06.836370+02:00 alfa charon-systemd: 06[CFG] looking for peer configs matching 192.168.22.200[my-server.hopto.org]...5.172.255.70[jaszczurka.kjonca]
2022-06-21T06:19:06.836613+02:00 alfa charon-systemd: 06[CFG] selected peer config 'rw-dhcp'
2022-06-21T06:19:06.836894+02:00 alfa charon-systemd: 06[CFG] using certificate "C=PL, ST=Mazowieckie, O=alfa, OU=ipsec, OU=Iphone 8, CN=jaszczurka"
2022-06-21T06:19:06.837151+02:00 alfa charon-systemd: 06[CFG] using trusted ca certificate "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-ca"
2022-06-21T06:19:06.837416+02:00 alfa charon-systemd: 06[CFG] checking certificate status of "C=PL, ST=Mazowieckie, O=alfa, OU=ipsec, OU=Iphone 8, CN=jaszczurka"
2022-06-21T06:19:06.837669+02:00 alfa charon-systemd: 06[CFG] certificate status is not available
2022-06-21T06:19:06.837924+02:00 alfa charon-systemd: 06[CFG] reached self-signed root ca with a path length of 0
2022-06-21T06:19:06.838168+02:00 alfa charon-systemd: 06[IKE] authentication of 'jaszczurka.kjonca' with RSA signature successful
2022-06-21T06:19:06.838408+02:00 alfa charon-systemd: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2022-06-21T06:19:06.838638+02:00 alfa charon-systemd: 06[IKE] peer supports MOBIKE
2022-06-21T06:19:06.838883+02:00 alfa charon-systemd: 06[IKE] authentication of 'my-server.hopto.org' (myself) with RSA signature successful
2022-06-21T06:19:06.839134+02:00 alfa charon-systemd: 06[IKE] destroying duplicate IKE_SA for peer 'jaszczurka.kjonca', received INITIAL_CONTACT
2022-06-21T06:19:06.850410+02:00 alfa charon-systemd: 06[CFG] sending DHCP RELEASE for 192.168.22.245 to 192.168.22.200
2022-06-21T06:19:06.850912+02:00 alfa charon-systemd: 06[IKE] IKE_SA rw-dhcp[8] established between 192.168.22.200[my-server.hopto.org]...5.172.255.70[jaszczurka.kjonca]
2022-06-21T06:19:06.851392+02:00 alfa charon-systemd: 06[IKE] scheduling rekeying in 13134s
2022-06-21T06:19:06.851879+02:00 alfa charon-systemd: 06[IKE] maximum IKE_SA lifetime 14574s
2022-06-21T06:19:06.852112+02:00 alfa charon-systemd: 06[IKE] peer requested virtual IP %any
2022-06-21T06:19:06.852325+02:00 alfa charon-systemd: 06[CFG] sending DHCP DISCOVER for 7a:a7:b1:87:2e:dd to 192.168.22.200
2022-06-21T06:19:06.852555+02:00 alfa charon-systemd: 06[CFG] received DHCP OFFER 192.168.22.245 from 192.168.22.200
2022-06-21T06:19:06.853021+02:00 alfa charon-systemd: 06[CFG] sending DHCP REQUEST for 192.168.22.245 to 192.168.22.200
2022-06-21T06:19:06.853927+02:00 alfa charon-systemd: 06[CFG] received DHCP ACK for 192.168.22.245
2022-06-21T06:19:06.854243+02:00 alfa charon-systemd: 06[IKE] assigning virtual IP 192.168.22.245 to peer 'jaszczurka.kjonca'
2022-06-21T06:19:06.854648+02:00 alfa charon-systemd: 06[IKE] peer requested virtual IP %any6
2022-06-21T06:19:06.855138+02:00 alfa charon-systemd: 06[IKE] no virtual IP found for %any6 requested by 'jaszczurka.kjonca'
2022-06-21T06:19:06.855467+02:00 alfa charon-systemd: 06[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2022-06-21T06:19:06.855691+02:00 alfa charon-systemd: 06[IKE] CHILD_SA net-alfa-server{7} established with SPIs c342fbc2_i 02a72a68_o and TS 192.168.22.0/24 === 192.168.22.245/32
2022-06-21T06:19:06.877474+02:00 alfa charon-systemd: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
2022-06-21T06:19:06.877930+02:00 alfa charon-systemd: 06[NET] sending packet: from 192.168.22.200[4500] to 5.172.255.70[4646] (400 bytes)

[1] Below is the (slightly redacted) profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Password</key>
      <string>.......</string>
      <key>PayloadCertificateFileName</key>
      <string>jaszczurka.p12</string>
      <key>PayloadContent</key>
      <data>
      [...]
      </data>
      <key>PayloadDescription</key>
      <string>Adds a PKCS#12-formatted certificate</string>
      <key>PayloadDisplayName</key>
      <string>jaszczurka.p12</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.pkcs12.9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key>
      <string>9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>ca-ipsec-server.crt</string>
      <key>PayloadContent</key>
      <data>
      [...]
      </data>
      <key>PayloadDescription</key>
      <string>Adds a CA root certificate</string>
      <key>PayloadDisplayName</key>
      <string>alfa-ipsec-server-ca</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.root.54701D3C-F0CB-11EC-A9E3-CB16CA9A3C74</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>54701D3C-F0CB-11EC-A9E3-CB16CA9A3C74</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>ca-ipsec-client.crt</string>
      <key>PayloadContent</key>
      <data>
      [....]
      </data>
      <key>PayloadDescription</key>
      <string>Adds a CA root certificate</string>
      <key>PayloadDisplayName</key>
      <string>alfa-ipsec-client-ca</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.root.0ECA6B37-3D06-4AA0-999C-0B85E4417F88</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>0ECA6B37-3D06-4AA0-999C-0B85E4417F88</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <!-- This is an extension of the identifier given above -->
      <key>PayloadIdentifier</key>
      <string>jaszczurka.kjonca</string>
      <!-- A globally unique identifier for this payload -->
      <key>PayloadUUID</key>
      <string>e0a61906-f0c0-11ec-80b1-63d2f53e7b05</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- This is the name of the VPN connection as seen in the VPN application later -->
      <key>UserDefinedName</key>
      <string>my-server.hopto.org</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- Hostname or IP address of the VPN server -->
        <key>RemoteAddress</key>
        <string>my-server.hopto.org</string>
        <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
             IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
        <key>RemoteIdentifier</key>
        <string>my-server.hopto.org</string>
        <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
        <key>LocalIdentifier</key>
        <string>jaszczurka.kjonca</string>
        <key>PayloadCertificateUUID</key>
        <string>9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string>
        <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent.
             NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate -->
        <key>ServerCertificateCommonName</key>
        <string>my-server.hopto.org</string>
        <!-- The server is authenticated using a certificate -->
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <!-- The client uses EAP to authenticate -->
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>alfa</string>
  <key>PayloadIdentifier</key>
  <string>KAMJON.12E5D94D-BB3A-4936-9D6D-37557FC1D9F1</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>C8E29C14-A468-4237-A8B6-BFA43924CEA6</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
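As an added example (not part of the original post and not strongSwan code), a small Python script that reduces charon-systemd log lines of the kind quoted above to the server-side facts that matter when a client reports an authentication failure: which peer config was selected, which identities authenticated, whether the IKE_SA and CHILD_SA were established, and which non-fatal warnings appeared. The sample lines are constructed after the quoted log; the summary keys and the `server_completed_auth` check are this example's own.

```python
import re

# Constructed sample, modelled on the charon-systemd lines quoted in the post.
SAMPLE_LOG = """\
2022-06-21T06:19:06.835581+02:00 alfa charon-systemd: 06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2022-06-21T06:19:06.836613+02:00 alfa charon-systemd: 06[CFG] selected peer config 'rw-dhcp'
2022-06-21T06:19:06.838168+02:00 alfa charon-systemd: 06[IKE] authentication of 'jaszczurka.kjonca' with RSA signature successful
2022-06-21T06:19:06.838883+02:00 alfa charon-systemd: 06[IKE] authentication of 'my-server.hopto.org' (myself) with RSA signature successful
2022-06-21T06:19:06.850912+02:00 alfa charon-systemd: 06[IKE] IKE_SA rw-dhcp[8] established between 192.168.22.200[my-server.hopto.org]...5.172.255.70[jaszczurka.kjonca]
2022-06-21T06:19:06.854243+02:00 alfa charon-systemd: 06[IKE] assigning virtual IP 192.168.22.245 to peer 'jaszczurka.kjonca'
2022-06-21T06:19:06.855138+02:00 alfa charon-systemd: 06[IKE] no virtual IP found for %any6 requested by 'jaszczurka.kjonca'
2022-06-21T06:19:06.855691+02:00 alfa charon-systemd: 06[IKE] CHILD_SA net-alfa-server{7} established with SPIs c342fbc2_i 02a72a68_o and TS 192.168.22.0/24 === 192.168.22.245/32
"""

# Line shape: "<timestamp> <host> charon-systemd: <thread>[<group>] <message>"
LINE_RE = re.compile(r"^\S+ \S+ charon-systemd: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(r"authentication of '([^']+)'( \(myself\))? with (\S+) signature successful")
IKE_SA_RE = re.compile(r"IKE_SA (\S+) established between (\S+)\.\.\.(\S+)")
CHILD_RE = re.compile(r"CHILD_SA (\S+) established with SPIs (\S+) (\S+) and TS (.+)")

def summarize_charon(log_text):
    """Reduce a charon log to the responder-side facts behind one IKE exchange."""
    s = {"peer_config": None, "authenticated": [], "ike_sa": None,
         "virtual_ips": [], "child_sas": [], "warnings": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line (other daemon, continuation, noise)
        msg = m.group("msg")
        if msg.startswith("selected peer config '"):
            s["peer_config"] = msg.split("'")[1]
        elif (a := AUTH_RE.match(msg)):  # "(myself)" marks the server's own AUTH payload
            s["authenticated"].append({"id": a.group(1), "local": a.group(2) is not None, "method": a.group(3)})
        elif (k := IKE_SA_RE.match(msg)):
            s["ike_sa"] = {"name": k.group(1), "local": k.group(2), "remote": k.group(3)}
        elif (v := re.match(r"assigning virtual IP (\S+) to peer", msg)):
            s["virtual_ips"].append(v.group(1))
        elif (c := CHILD_RE.match(msg)):
            s["child_sas"].append({"name": c.group(1), "spi_in": c.group(2), "spi_out": c.group(3), "ts": c.group(4)})
        elif msg.startswith(("unknown attribute type", "no virtual IP found")):
            s["warnings"].append(msg)  # non-fatal on the server, but worth surfacing
    return s

def server_completed_auth(s):
    """True when the responder authenticated both peers and set up IKE_SA and CHILD_SA,
    i.e. the IKE_AUTH response was sent and any client-side failure came after it."""
    auth = s["authenticated"]
    return (s["ike_sa"] is not None and bool(s["child_sas"])
            and any(a["local"] for a in auth) and any(not a["local"] for a in auth))
```

When `server_completed_auth` is true for a failed connection, the server has already accepted the client, so the client's evaluation of the server certificate and identity is the next thing to inspect.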