Why won't an iPhone connect to strongSwan over IKEv2?
Good day.
I have an Android device, Win7 and an iPhone on iOS 9.
Android and Win7 connect to the strongSwan server over IKEv2 just fine, but the iPhone won't. The problem is NOT the CA. Has anyone run into this?
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid="my.left.id"
    leftsubnet=0.0.0.0/0
    leftcert=fullchain.pem
    right=%any
    rightdns=172.16.0.1
    rightsourceip=10.168.30.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
Logs:
Jun 1 08:19:34 11[NET] <24> received packet: from 49.195.16.33[32585] to 185.98.61.44[500] (476 bytes)
Jun 1 08:19:34 11[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 1 08:19:34 11[IKE] <24> 49.195.16.33 is initiating an IKE_SA
Jun 1 08:19:34 11[IKE] <24> remote host is behind NAT
Jun 1 08:19:34 11[IKE] <24> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jun 1 08:19:34 11[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 1 08:19:34 11[NET] <24> sending packet: from 185.98.61.44[500] to 49.195.16.33[32585] (337 bytes)
Jun 1 08:19:34 13[NET] <24> received packet: from 49.195.16.33[4500] to 185.98.61.44[4500] (508 bytes)
Jun 1 08:19:34 13[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 1 08:19:34 13[CFG] <24> looking for peer configs matching 185.98.61.44[my.left.id]...49.195.16.33[100.99.124.203]
Jun 1 08:19:34 13[CFG] <IPSec-IKEv2|24> selected peer config 'IPSec-IKEv2'
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2|24> peer requested EAP, config inacceptable
Jun 1 08:19:34 13[CFG] <IPSec-IKEv2|24> switching to peer config 'IPSec-IKEv2-EAP'
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> initiating EAP_IDENTITY method (id 0x00)
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> peer supports MOBIKE
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> authentication of '*****' (myself) with RSA signature successful
Jun 1 08:19:34 13[ENC] <IPSec-IKEv2-EAP|24> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Jun 1 08:19:34 13[NET] <IPSec-IKEv2-EAP|24> sending packet: from 185.98.61.44[4500] to 49.195.16.33[4500] (364 bytes)
Jun 1 08:19:42 03[NET] ignoring IKE_SA setup from 49.195.16.33, peer too aggressive
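
Added example, not part of the original post: a Python script that follows the [ENC] lines of the log above per IKE_SA and reports the last message exchanged, which for this log is the server's EAP/REQ/ID that was never followed by an IKE_AUTH request 2. The function names and the payload tokenizer are this example's own assumptions; the log lines are copied from the post.

```python
import re

# Lines copied from the charon log in the post (the [ENC] lines and the final [NET] line).
LOG = """\
Jun 1 08:19:34 11[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 1 08:19:34 11[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 1 08:19:34 13[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 1 08:19:34 13[ENC] <IPSec-IKEv2-EAP|24> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Jun 1 08:19:42 03[NET] ignoring IKE_SA setup from 49.195.16.33, peer too aggressive
"""

# "<24>" and "<IPSec-IKEv2-EAP|24>" both name IKE_SA 24; the config name is optional.
ENC = re.compile(r"\[ENC\] <(?:[^|>]*\|)?(\d+)> (parsed|generating) (\S+) (request|response) (\d+) \[ (.*) \]")
DROPPED = re.compile(r"\[NET\] ignoring IKE_SA setup from (\S+), peer too aggressive")
PAYLOAD = re.compile(r"[^\s(]+(?:\([^)]*\))?")  # keeps "CPRQ(ADDR DHCP ...)" in one piece


def trace(log):
    """Return ({sa_id: [message, ...]}, [peers whose IKE_SA setup was ignored])."""
    sas, dropped = {}, []
    for line in log.splitlines():
        if m := ENC.search(line):
            sa, verb, exchange, kind, msg_id, payloads = m.groups()
            sas.setdefault(sa, []).append({
                "dir": "in" if verb == "parsed" else "out", "exchange": exchange,
                "kind": kind, "id": int(msg_id), "payloads": PAYLOAD.findall(payloads),
            })
        elif m := DROPPED.search(line):
            dropped.append(m.group(1))
    return sas, dropped


def stalled(messages):
    """Say where the peer went silent, or return None if the log shows no stall."""
    # A responder that sends EAP/REQ/... expects the peer's EAP reply in the next IKE_AUTH
    # request (message ID + 1); if that EAP request is the last message logged, it never came.
    last = messages[-1]
    eap = [p for p in last["payloads"] if p.startswith("EAP/REQ")]
    if last["dir"] == "out" and last["kind"] == "response" and eap:
        return (f"sent {eap[0]} in {last['exchange']} response {last['id']}, "
                f"no request {last['id'] + 1} followed")
    return None


if __name__ == "__main__":
    sas, dropped = trace(LOG)
    for sa, msgs in sas.items():
        print(f"IKE_SA {sa}: {stalled(msgs) or 'no stall visible'}")
    print("ignored IKE_SA setups from:", dropped)
```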