Facing issues in setting up a VPN connection (IKEv1) using an iPhone (default Cisco VPN client) and a Strongswan 4.5.0 server

Posted by Kushagra Bhatnagar on Server Fault
Published on 2012-04-26T21:31:46Z Indexed on 2012/10/13 3:39 UTC

I am facing issues in setting up a VPN connection (IKEv1) using an iPhone (default Cisco VPN client) and a Strongswan 4.5.0 server.

The Strongswan server is running on Ubuntu Linux, which is connected to a wifi hotspot. This is the guide which was used. I generated the CA, server and client certificates, with the only difference mentioned below.

“While generating the server certificate, the link uses CN=vpn.strongswan.org; instead of this I changed the CN to CN=192.168.43.212.”

Once the certificates were generated, the following files (clientCert.p12 and caCert.pem) were sent to the mobile via mail and installed on the iPhone. After installation I noticed that the certificates are also considered trusted.

Below are the IP addresses assigned to the various interfaces:

  • Linux server wlan0 interface IP (where the server is running): 192.168.43.212
  • iPhone eth0 interface IP address: 192.168.43.72

The iPhone is attached to the same wifi hotspot.

Below is the snapshot of client configurations.

  • Description Strong swan
  • Server 192.168.43.212
  • Account ipsecvpn
  • Password *****
  • Use certificate ON
  • Certificate client

The above username and password are in sync with the ipsec.secrets file. I am using the following ipsec.conf configuration:

# basic configuration
config setup
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        # charonstart=yes
        plutostart=yes

# Add connections here.
# Sample VPN connections
conn ios1
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=192.168.43.72
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        pfs=no
        auto=add

With the above configuration, when I enable the VPN on the iPhone, it says:

Could not able to verify server certificate.

I ran Wireshark on the Linux server and observed that initially some ISAKMP message exchanges happen between client and server, which are successful, but before authorization the client sends an informational message, and soon after this the client shows the error as a popup:

Could not able to verify server certificate.

I captured logs on the Strongswan server, and the errors below are observed in the server logs:

From auth.log

Apr 25 20:16:08 Linux pluto[4025]: |    ISAKMP version: ISAKMP Version 1.0
Apr 25 20:16:08 Linux pluto[4025]: |    exchange type: ISAKMP_XCHG_INFO
Apr 25 20:16:08 Linux pluto[4025]: |    flags: ISAKMP_FLAG_ENCRYPTION
Apr 25 20:16:08 Linux pluto[4025]: |    message ID:  9d 1a ea 4d
Apr 25 20:16:08 Linux pluto[4025]: |    length: 76
Apr 25 20:16:08 Linux pluto[4025]: | ICOOKIE:  f6 b7 06 b2  b1 84 5b 93
Apr 25 20:16:08 Linux pluto[4025]: | RCOOKIE:  86 92 a0 c2  a6 2f ac be
Apr 25 20:16:08 Linux pluto[4025]: | peer:  c0 a8 2b 48
Apr 25 20:16:08 Linux pluto[4025]: | state hash entry 8
Apr 25 20:16:08 Linux pluto[4025]: | state object not found
Apr 25 20:16:08 Linux pluto[4025]: **packet from 192.168.43.72:500: Informational Exchange is for an unknown (expired?) SA**
Apr 25 20:16:08 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 8 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: | 
Apr 25 20:16:16 Linux pluto[4025]: | *time to handle event
Apr 25 20:16:16 Linux pluto[4025]: | event after this is EVENT_RETRANSMIT in 2 seconds
Apr 25 20:16:16 Linux pluto[4025]: | handling event EVENT_RETRANSMIT for 192.168.43.72 "ios1" #8
Apr 25 20:16:16 Linux pluto[4025]: | sending 76 bytes for EVENT_RETRANSMIT through wlan0 to 192.168.43.72:500:
Apr 25 20:16:16 Linux pluto[4025]: |   a6 a5 86 41  4b fb ff 99  c9 18 34 61  01 7b f1 d9
Apr 25 20:16:16 Linux pluto[4025]: |   08 10 06 01  e9 1c ea 60  00 00 00 4c  ba 7d c8 08
Apr 25 20:16:16 Linux pluto[4025]: |   13 47 95 18  19 31 45 30  2e 22 f9 4d  85 2c 27 bc
Apr 25 20:16:16 Linux pluto[4025]: |   9e 9b e1 ae  1e 35 51 6f  ab 80 f5 73  3c 15 8d 20
Apr 25 20:16:16 Linux pluto[4025]: |   4b 46 47 86  50 24 3f 13  15 7d d5 17
Apr 25 20:16:16 Linux pluto[4025]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 2 seconds for #10
Apr 25 20:16:16 Linux pluto[4025]: | rejected packet:
Apr 25 20:16:16 Linux pluto[4025]: | 
Apr 25 20:16:16 Linux pluto[4025]: | control:
Apr 25 20:16:16 Linux pluto[4025]: |   30 00 00 00  00 00 00 00  00 00 00 00  0b 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: |   6f 00 00 00  02 03 03 00  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: |   02 00 00 00  c0 a8 2b 48  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: | name:
Apr 25 20:16:16 Linux pluto[4025]: |   02 00 01 f4  c0 a8 2b 48  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: **ERROR: asynchronous network error report on wlan0 for message to 192.168.43.72 port 500, complainant 192.168.43.72: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]**

Could anybody please provide some information about this error and how to solve this issue?
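As an added triage aid (not part of the original question or of strongSwan), the script below runs detection logic over pluto log lines like the ones above: it keys events by peer IP and flags the pattern of an informational message for an SA the server no longer tracks, followed by ICMP port-unreachable replies to the server's retransmits, which indicates the client side abandoned the negotiation. The sample log is a constructed, trimmed copy of the lines in the question; the regexes and verdict wording are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the pluto lines quoted in the question.
SAMPLE_LOG = """\
Apr 25 20:16:08 Linux pluto[4025]: packet from 192.168.43.72:500: Informational Exchange is for an unknown (expired?) SA
Apr 25 20:16:16 Linux pluto[4025]: | handling event EVENT_RETRANSMIT for 192.168.43.72 "ios1" #8
Apr 25 20:16:16 Linux pluto[4025]: | sending 76 bytes for EVENT_RETRANSMIT through wlan0 to 192.168.43.72:500:
Apr 25 20:16:16 Linux pluto[4025]: ERROR: asynchronous network error report on wlan0 for message to 192.168.43.72 port 500, complainant 192.168.43.72: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# Each pattern captures the peer address so events can be grouped per client.
PATTERNS = {
    "unknown_sa": re.compile(r"packet from (?P<peer>[\d.]+):\d+: Informational Exchange is for an unknown"),
    "retransmit": re.compile(r'handling event EVENT_RETRANSMIT for (?P<peer>[\d.]+) "(?P<conn>[^"]+)" #(?P<state>\d+)'),
    "icmp_unreach": re.compile(r"network error report on \S+ for message to (?P<peer>[\d.]+) port (?P<port>\d+).*ICMP type 3 code 3"),
}

def parse_pluto_log(text):
    """Return {peer_ip: [(event_name, captured_fields), ...]} in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                fields = m.groupdict()
                events[fields.pop("peer")].append((name, fields))
                break  # one event per line
    return dict(events)

def diagnose(events):
    """Map each peer to a short verdict code and explanation."""
    verdicts = {}
    for peer, evs in events.items():
        names = [n for n, _ in evs]
        # The telling sequence: peer deletes/loses its SA, then refuses UDP/500
        # while the server is still retransmitting to the old state.
        if "unknown_sa" in names and "icmp_unreach" in names:
            verdicts[peer] = ("client_abandoned",
                "peer sent an informational for an SA the server no longer has, then "
                "answered retransmits with ICMP port unreachable: the client tore the "
                "negotiation down on its side (consistent with it rejecting the server certificate)")
        elif "retransmit" in names:
            verdicts[peer] = ("peer_silent", "server retransmitting, no reply from peer")
        else:
            verdicts[peer] = ("no_pattern", "no abandonment pattern seen")
    return verdicts

if __name__ == "__main__":
    for peer, (code, why) in diagnose(parse_pluto_log(SAMPLE_LOG)).items():
        print(f"{peer}: {code}: {why}")
```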
