RESOLVED

I have managed to fix this. The cause was that I was using the same left subnet IP address as the one I connect into by hostname, creating two routes. I noticed this by running a ping from the IPsec adapter to the server, and it worked. When I changed the left subnet side, I was able to telnet to the ports the server provides on that left subnet.

On 04/07/2022 15:01, Lewis Robson wrote:
Hello all,

I am having issues under certain conditions with iOS devices not correctly connecting into my IPsec solution.

My full set up consists of two parts:
An Android connection using the strongSwan application, which works as expected: the device connects and the server / client can ping each other. The device can fully access the server's listening ports and the solution works.

An iPhone connection which connects and works on mobile data that is only provided an IPv6 address; however, it does not work on IPv4 addresses, including the same network that the Android solution works on.
iPhone 11, software version: 15.5

In addition to this and worth a mention in case it's related:
When attempting connection from a MacBook (Monterey 12.3.1), the device connects and gets assigned an IP, and the server can then ping the device and receive a response; however, the device can't ping the server directly or connect to any of the ports. We don't require the Mac to be a part of the final solution currently, so this isn't an issue, but maybe it is a clue?

I believe it is likely I am missing a policy rule in one of the strongSwan config files, because the Android device works without issue and the iPhone works over mobile data with only an IPv6 address (the provider using NAT64 to translate to IPv4).


The ipsec.conf is as follows:


config setup
     charondebug="all"
     uniqueids=no

conn android
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     forceencaps=yes
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=@cerberus.conscious.co.uk
     leftcert=cerberus.conscious.co.uk.crt
     leftsendcert=always
     leftsubnet=156.67.0.0/16
     right=%any
     rightid=%any
     rightauth=pubkey
     rightsourceip=10.10.10.0/16
     rightdns=10.1.0.50,8.8.8.8,8.8.4.4
     rightsendcert=never
     eap_identity=%identity
     ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
     esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

conn apple
     inactivity = 6000
     dpdtimeout =6000s
     dpddelay = 30
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     forceencaps=yes
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=@cerberus.conscious.co.uk
     leftcert=cerberus.conscious.co.uk.crt
     leftsendcert=always
     leftsubnet=156.67.0.0/16
     right=%any
     rightid=%any
     rightauth=eap-tls #pubkey didnt work so using eap-tls
     rightsourceip=10.10.10.0/24
     rightdns=10.1.0.50,8.8.8.8,8.8.4.4
     rightsendcert=never
     eap_identity=%identity
     ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
     esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!




Here are the last few lines from the logs when connection is attempted from the iPhone over Wi-Fi / with an IPv4 address.


Jul  4 14:22:43 cerberus charon[3945804]: 05[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TLS ]
Jul  4 14:22:43 cerberus charon[3945804]: 05[IKE] EAP method EAP_TLS succeeded, MSK established
Jul  4 14:22:43 cerberus charon[3945804]: 05[ENC] generating IKE_AUTH response 9 [ EAP/SUCC ]
Jul  4 14:22:43 cerberus charon[3945804]: 05[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
Jul  4 14:22:43 cerberus charon[3945804]: 07[NET] received packet: from clients-ip[4500] to external-ip[4500] (92 bytes)
Jul  4 14:22:43 cerberus charon[3945804]: 07[ENC] parsed IKE_AUTH request 10 [ AUTH ]
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'u...@conscious.co.uk' with EAP successful
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'cerberus.conscious.co.uk' (myself) with EAP
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[u...@conscious.co.uk]
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any
Jul  4 14:22:43 cerberus charon[3945804]: 07[CFG] reassigning offline lease to 'u...@conscious.co.uk'
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] assigning virtual IP 10.10.10.1 to peer 'u...@conscious.co.uk'
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any6
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] no virtual IP found for %any6 requested by 'u...@conscious.co.uk'
Jul  4 14:22:43 cerberus charon[3945804]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32
Jul  4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul  4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
Jul  4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul  4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
Jul  4 14:23:29 cerberus charon[3945804]: 01[NET] received packet: from clients-ip[4500] to external-ip[4500] (76 bytes)
Jul  4 14:23:29 cerberus charon[3945804]: 01[ENC] parsed INFORMATIONAL request 11 [ D ]
Jul  4 14:23:29 cerberus charon[3945804]: 01[IKE] received DELETE for IKE_SA apple[4]
Jul  4 14:23:29 cerberus charon[3945804]: 01[IKE] deleting IKE_SA apple[4] between external-ip[cerberus.conscious.co.uk]...clients-ip[a...@conscious.co.uk]
Jul  4 14:23:29 cerberus charon[3945804]: 01[IKE] IKE_SA deleted
Jul  4 14:23:29 cerberus charon[3945804]: 01[ENC] generating INFORMATIONAL response 11 [ ]
Jul  4 14:23:29 cerberus charon[3945804]: 01[NET] sending packet: from external-ip[4500] to clients-ip4500] (76 bytes)
Jul  4 14:23:29 cerberus charon[3945804]: 01[CFG] lease 10.10.10.1 by 'u...@conscious.co.uk' went offline



==> /var/log/secure <==
Jul  4 14:22:43 cerberus charon[3945804]: 15[IKE] clients-ip is initiating an IKE_SA
Jul  4 14:22:43 cerberus charon[3945804]: 06[IKE] clients-ip is initiating an IKE_SA
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[u...@conscious.co.uk]
Jul  4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32


Does anyone have any thoughts and / or suggestions as to what I could be missing, or guidance on where to look to fix this?
Thank you



--
Lewis Robson
Systems Administrator
Conscious Solutions Limited

Tel: 0117 325 0200
Web: https://www.conscious.co.uk
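The resolution above comes down to a configuration check: the address clients reach the gateway on must not sit inside the leftsubnet that is pushed to them, and the virtual IP pool should not overlap it either. The script below is an added example, not code from this thread or from strongSwan. It is a deliberately simplified reader of the conn sections of an ipsec.conf-style file (it does not handle %default, includes or also= references) that applies those two checks and additionally flags values that do not parse as addresses, such as the comma-separated rightdns entry in the original post. The sample configuration and the gateway address 156.67.10.5 are constructed placeholders; the thread does not give the real address the hostname resolves to.

```python
"""Audit ipsec.conf conn sections for the routing overlap described in the thread.

Added example, not strongSwan code. Assumptions: the ipsec.conf subset parsed here
is 'conn <name>' headers followed by 'key=value' lines, and GATEWAY_IP is a placeholder
for the address the gateway hostname resolves to.
"""
import ipaddress
import re

# Constructed sample in the shape of the original post's configuration.
# 'apple' reproduces the overlap and the rightdns typo; 'fixed' is a clean conn.
SAMPLE_CONF = """\
config setup
     uniqueids=no

conn apple
     left=%any
     leftsubnet=156.67.0.0/16
     rightsourceip=10.10.10.0/24
     rightdns=10,1,0,50,8.8.8.8

conn fixed
     leftsubnet=10.1.0.0/16
     rightsourceip=10.10.10.0/24
     rightdns=10.1.0.50,8.8.8.8
"""

GATEWAY_IP = "156.67.10.5"  # placeholder: assumed public address of the gateway


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in the text."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and indentation
        if not line:
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if header:
            # Only 'conn' sections carry the parameters we audit.
            current = conns.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return conns


def _split(value):
    """Split a comma-separated ipsec.conf value into its non-empty tokens."""
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def check_conn(cfg, gateway_ip):
    """Return a list of findings (strings) for one conn; empty means no problem found."""
    findings = []
    gateway = ipaddress.ip_address(gateway_ip)

    left_nets = []
    for tok in _split(cfg.get("leftsubnet", "")):
        try:
            left_nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            findings.append(f"leftsubnet value {tok!r} is not a network")

    pool_nets = []
    for tok in _split(cfg.get("rightsourceip", "")):
        try:
            pool_nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            pass  # a bare name refers to a named pool; nothing to compare here

    for tok in _split(cfg.get("rightdns", "")):
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            findings.append(f"rightdns value {tok!r} is not an IP address")

    for net in left_nets:
        # The thread's root cause: the gateway's own address inside the pushed subnet,
        # so the client routes traffic to the gateway through the tunnel it terminates.
        if gateway.version == net.version and gateway in net:
            findings.append(f"gateway {gateway} lies inside leftsubnet {net}")
        for pool in pool_nets:
            if pool.version == net.version and pool.overlaps(net):
                findings.append(f"rightsourceip pool {pool} overlaps leftsubnet {net}")
    return findings


def audit(text, gateway_ip):
    """Run check_conn over every conn section; returns {conn_name: [findings]}."""
    return {name: check_conn(cfg, gateway_ip) for name, cfg in parse_conns(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF, GATEWAY_IP).items():
        print(f"conn {name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

To use it against a real file, replace SAMPLE_CONF with the file contents and GATEWAY_IP with whatever the gateway hostname resolves to; any conn that reports the gateway inside leftsubnet is a candidate for the same two-route problem the thread resolved.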
