LINUX.ORG.RU
[solved] Forum: Admin

iPhone and other Apple devices won't connect to strongSwan IKEv2 with the built-in client.


Hi all!

I tried setting up strongSwan IPsec IKEv2 the "easy way", i.e. by installing the packages (Debian), starting the strongMan WebUI and configuring everything from there. It even sort of works, but iPhone clients can't connect. Why is that? How do I figure out what's wrong? Android and Windows connect fine.

I can't identify from the log what is wrong...

Here is the log I get for a connection attempt:

Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (370 bytes)
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[IKE] remote host is behind NAT
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 05 17:18:49 vpn.spider.net charon[18972]: 13[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (38 bytes)
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (562 bytes)
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[IKE] remote host is behind NAT
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 05 17:18:49 vpn.spider.net charon[18972]: 15[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (472 bytes)
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[NET] received packet: from 85.140.160.28[41574] to XXX.XXX.XXX.XXX[4500] (384 bytes)
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[CFG] looking for peer configs matching XXX.XXX.XXX.XXX[vpn.spider.net]...85.140.160.287[10.78.193.56]
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[CFG] selected peer config 'vpn.spider.net'
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x2D)
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[IKE] peer supports MOBIKE
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[IKE] authentication of 'vpn.spider.net' (myself) with ECDSA_WITH_SHA256_DER successful
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MSCHAPV2 ]
Oct 05 17:18:49 vpn.spider.net charon[18972]: 16[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to 85.140.160.28[41574] (224 bytes)
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (370 bytes)
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[IKE] remote host is behind NAT
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 05 17:18:50 vpn.spider.net charon[18972]: 15[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (38 bytes)
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (562 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[IKE] remote host is behind NAT
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (472 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[NET] received packet: from 85.140.160.28[41574] to XXX.XXX.XXX.XXX[4500] (384 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[CFG] looking for peer configs matching XXX.XXX.XXX.XXX[vpn.spider.net]...85.140.160.28[10.78.193.56]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[CFG] selected peer config 'vpn.spider.net'
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[IKE] initiating EAP_MSCHAPV2 method (id 0xE1)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[IKE] peer supports MOBIKE
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[IKE] authentication of 'vpn.spider.net' (myself) with ECDSA_WITH_SHA256_DER successful
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MSCHAPV2 ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 09[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to 85.140.160.28[41574] (224 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[JOB] deleting half open IKE_SA with 85.140.160.28 after timeout
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (370 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[IKE] remote host is behind NAT
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 13[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (38 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (562 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[IKE] remote host is behind NAT
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (472 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[NET] received packet: from 85.140.160.28[41574] to XXX.XXX.XXX.XXX[4500] (384 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[CFG] looking for peer configs matching XXX.XXX.XXX.XXX[vpn.spider.net]...85.140.160.28[10.78.193.56]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[CFG] selected peer config 'vpn.spider.net'
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x2D)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[IKE] peer supports MOBIKE
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[IKE] authentication of 'vpn.spider.net' (myself) with ECDSA_WITH_SHA256_DER successful
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MSCHAPV2 ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to 85.140.160.28[41574] (224 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (370 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[IKE] remote host is behind NAT
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 15[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (38 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (562 bytes)
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net ipsec[18972]: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[IKE] remote host is behind NAT
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 05 17:18:50 vpn.spider.net charon[18972]: 16[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (472 bytes)
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[NET] received packet: from 85.140.160.28[41574] to XXX.XXX.XXX.XXX[4500] (384 bytes)
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[CFG] looking for peer configs matching XXX.XXX.XXX.XXX[vpn.spider.net]...85.140.160.28[10.78.193.56]
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[CFG] selected peer config 'vpn.spider.net'
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[IKE] initiating EAP_MSCHAPV2 method (id 0xB0)
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[IKE] peer supports MOBIKE
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[IKE] authentication of 'vpn.spider.net' (myself) with ECDSA_WITH_SHA256_DER successful
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MSCHAPV2 ]
Oct 05 17:18:51 vpn.spider.net charon[18972]: 09[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to 85.140.160.28[41574] (224 bytes)
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (370 bytes)
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[IKE] remote host is behind NAT
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 05 17:18:52 vpn.spider.net charon[18972]: 12[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (38 bytes)
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[NET] received packet: from 85.140.160.28[748] to XXX.XXX.XXX.XXX[500] (562 bytes)
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[IKE] 85.140.160.28 is initiating an IKE_SA
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[IKE] remote host is behind NAT
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 05 17:18:52 vpn.spider.net charon[18972]: 11[NET] sending packet: from XXX.XXX.XXX.XXX[500] to 85.140.160.28[748] (472 bytes)
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[NET] received packet: from 85.140.160.28[41574] to XXX.XXX.XXX.XXX[4500] (384 bytes)
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[CFG] looking for peer configs matching XXX.XXX.XXX.XXX[vpn.spider.net]...85.140.160.28[10.78.193.56]
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[CFG] selected peer config 'vpn.spider.net'
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x33)
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[IKE] peer supports MOBIKE
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[IKE] authentication of 'vpn.spider.net' (myself) with ECDSA_WITH_SHA256_DER successful
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MSCHAPV2 ]
Oct 05 17:18:53 vpn.spider.net charon[18972]: 14[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to 85.140.160.28[41574] (224 bytes)


After that the iPhone UI says the attempt failed and offers to try again.
In the log, a few minutes later, a couple of lines appear saying the client was dropped on timeout.

# swanctl -L
vpn.spider.net: IKEv2, no reauthentication, no rekeying
  local:  %any
  remote: %any
  local public key authentication:
    id: vpn.spider.net
    certs: CN=vpn.spider.net
  remote EAP_MSCHAPV2 authentication:
  vpn.spider.net: TUNNEL, rekeying every 3600s
    local:  0.0.0.0/0
    remote: dynamic


The config is, of course, "as loaded", since strongMan pushed it in there somehow via vici.

# swanctl --list-conns -P
list-conn event {
  vpn.spider.net {
    local_addrs = [
      %any
    ]
    remote_addrs = [
      %any
    ]
    version = IKEv2
    reauth_time = 0
    rekey_time = 14400
    unique = UNIQUE_NO
    local-1 {
      id = vpn.spider.net
      class = public key
      groups = [
      ]
      cert_policy = [
      ]
      certs = [
        CN=vpn.spider.net
      ]
      cacerts = [
      ]
    }
    remote-1 {
      eap-type = EAP_MSCHAPV2
      class = EAP
      groups = [
      ]
      cert_policy = [
      ]
      certs = [
      ]
      cacerts = [
      ]
    }
    children {
      vpn.spider.net {
        mode = TUNNEL
        rekey_time = 3600
        rekey_bytes = 0
        rekey_packets = 0
        dpd_action = none
        close_action = none
        local-ts = [
          0.0.0.0/0
        ]
        remote-ts = [
          dynamic
        ]
      }
    }
  }
}

Reply to: comment by ValdikSS

Well, I couldn't find anywhere that anyone had disabled it (fragmentation), and it is enabled by default.

Also, it says there that ECDSA is much smaller and doesn't lead to fragmentation, and that's exactly what I have, judging by the private key.

Spider55
() topic author

It turned out to be trivial.
Let's Encrypt by default generated an EC key pair; I regenerated it as RSA and the Apple gadgets became happy.
Meanwhile, the Windows client worked fine with the EC key.

Spider55
() topic author
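As an added example (not from the thread or from strongSwan itself), here is a small Python triage script run over charon lines like those quoted above. It treats the ECP_256 / INVAL_KE round trip as the benign retry it is (the second IKE_SA_INIT gets a full response) and flags the real symptom: the client never sends IKE_AUTH request 2 after the server's EAP request, which is exactly where a server certificate the client refuses (here the ECDSA one, fixed by regenerating as RSA) shows up. The regexes match strongSwan messages as they appear in the post; the sample log is constructed from them.

```python
import re

# Constructed sample: a trimmed copy of the charon lines quoted in the thread
# (one ECP_256 -> INVAL_KE retry, then an IKE_AUTH whose EAP never continues).
SAMPLE_LOG = """\
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(FRAG_SUP) ]
13[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
13[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(FRAG_SUP) ]
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr ]
16[IKE] authentication of 'vpn.spider.net' (myself) with ECDSA_WITH_SHA256_DER successful
16[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MSCHAPV2 ]
13[JOB] deleting half open IKE_SA with 85.140.160.28 after timeout
"""

RE_INIT_REQ = re.compile(r"parsed IKE_SA_INIT request")
RE_INVAL_KE = re.compile(r"DH group (\S+) unacceptable, requesting (\S+)")
RE_AUTH_REQ = re.compile(r"parsed IKE_AUTH request (\d+)")
RE_AUTH_RSP = re.compile(r"generating IKE_AUTH response (\d+) \[(.*)\]")
RE_MYAUTH = re.compile(r"authentication of '[^']*' \(myself\) with (\S+) successful")
RE_TIMEOUT = re.compile(r"deleting half open IKE_SA")

def triage(log_text):
    """Summarise one IKEv2 client attempt from charon log lines."""
    r = {"init_requests": 0, "invalid_ke": 0, "auth_request_ids": [],
         "eap_offered": False, "server_auth": None, "half_open_timeouts": 0}
    for line in log_text.splitlines():
        if RE_INIT_REQ.search(line):
            r["init_requests"] += 1
        if RE_INVAL_KE.search(line):
            r["invalid_ke"] += 1  # benign: client retries with the requested group
        m = RE_AUTH_REQ.search(line)
        if m:
            r["auth_request_ids"].append(int(m.group(1)))
        m = RE_AUTH_RSP.search(line)
        if m and "EAP/REQ" in m.group(2):
            r["eap_offered"] = True
        m = RE_MYAUTH.search(line)
        if m:
            r["server_auth"] = m.group(1)
        if RE_TIMEOUT.search(line):
            r["half_open_timeouts"] += 1
    # EAP needs further IKE_AUTH rounds (request 2, 3, ...). If only request 1 is ever
    # seen, the client quit right after receiving the server's AUTH payload and cert.
    r["eap_continued"] = any(i >= 2 for i in r["auth_request_ids"])
    if r["eap_offered"] and not r["eap_continued"]:
        r["verdict"] = ("stalled after IKE_AUTH response 1: client never answered EAP; "
                        "check the server certificate (%s) and chain" % r["server_auth"])
    elif r["auth_request_ids"]:
        r["verdict"] = "EAP in progress or completed"
    else:
        r["verdict"] = "no IKE_AUTH seen: look at IKE_SA_INIT (proposals, DH group, NAT)"
    return r

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["verdict"])
```

Feed it `journalctl -u strongswan` output for a single client attempt; an Android or Windows session that works shows `parsed IKE_AUTH request 2` and later rounds, which the iPhone never produced in the log above.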