In iOS IPSec VPN Server on Ubuntu, I hosted a VPN on Ubuntu 13.10 based on StrongSwan 4.x; it worked for iOS but not for OS X.
I then upgraded to Ubuntu 14.04, which ships StrongSwan 5.x, and got an error like:
```
Apr 24 14:56:46 sskaje charon: 15[CFG] no XAuth method found
```
To fix this, install all of strongSwan's plugins:
```
apt-get install strongswan-*
```
And make some changes to the configuration. StrongSwan 5.x no longer has the pluto daemon, so the pluto-related options are commented out.
/etc/ipsec.conf:
```
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    #nat_traversal=yes
    #charonstart=yes
    #plutostart=yes
    ...

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    forceencaps=yes
    compress=yes
    auto=add
    #pfs=no
    ...
```
/etc/strongswan.conf:
Replace it with the packaged default, strongswan.conf.dpkg-dist.
After these changes, OS X can connect, but DNS settings are not pushed to the client.
/etc/strongswan.d/charon.conf:
```
...
# DNS server assigned to peer via configuration payload (CP).
dns1 = 8.8.8.8

# DNS server assigned to peer via configuration payload (CP).
dns2 = 8.8.4.4
...
```
DONE.
If you get an error saying the certificate is not trusted, check /var/log/system.log; you may find:
```
Apr 26 23:38:25 sskajedemini kernel[0]: flow_divert_kctl_disconnect (0): disconnecting group 1
Apr 26 23:38:27 sskajedemini configd[24]: IPSec connecting to server ipsec.sskaje.me
Apr 26 23:38:27 sskajedemini configd[24]: SCNC: start, triggered by (691) com.apple.prefe, type IPSec, status 0, trafficClass 0
Apr 26 23:38:27 sskajedemini configd[24]: network changed: v4(en1:192.168.1.121) DNS Proxy SMB
Apr 26 23:38:27 sskajedemini configd[24]: IPSec Phase1 starting.
Apr 26 23:38:27 sskajedemini racoon[702]: plogsetfile: about to add racoon log file: /var/log/racoon.log
Apr 26 23:38:27 sskajedemini racoon[702]: accepted connection on vpn control socket.
Apr 26 23:38:27 sskajedemini racoon[702]: IPSec connecting to server 106.186.27.96
Apr 26 23:38:27 sskajedemini racoon[702]: Connecting.
Apr 26 23:38:27 sskajedemini racoon[702]: IPSec Phase 1 started (Initiated by me).
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 26 23:38:27 sskajedemini racoon[702]: >>>>> phase change status = Phase 1 started by us
Apr 26 23:38:27 sskajedemini configd[24]: network changed.
Apr 26 23:38:27 sskajedemini racoon[702]: >>>>> phase change status = Phase 1 started by peer
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Apr 26 23:38:27 sskajedemini configd[24]: network changed.
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Apr 26 23:38:28 sskajedemini racoon[702]: Error evaluating certificate.
Apr 26 23:38:28 sskajedemini racoon[702]: ---------------Returned error strings: ---------------.
Apr 26 23:38:28 sskajedemini racoon[702]: -----------------------------------------------------.
Apr 26 23:38:28 sskajedemini racoon[702]: the peer's certificate is not verified.
Apr 26 23:38:28 sskajedemini racoon[702]: IKEv1 Phase 1 AUTH: failed. (Initiator, Main-Mode Message 6).
Apr 26 23:38:28 sskajedemini racoon[702]: IKE Packet: transmit success. (Information message).
Apr 26 23:38:28 sskajedemini configd[24]: IPSec Controller: IKE FAILED. phase 3, assert 0
Apr 26 23:38:28 sskajedemini racoon[702]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Apr 26 23:38:28 sskajedemini racoon[702]: IKE Packet: receive failed. (Initiator, Main-Mode Message 6).
Apr 26 23:38:28 sskajedemini racoon[702]: mode config 6 from 106.186.27.96[4500], but ISAKMP-SA 833200190d7bf5d0:9d4bf610953dbb0b isn't established.
Apr 26 23:38:28 sskajedemini configd[24]: IPSec disconnecting from server 106.186.27.96
Apr 26 23:38:28 sskajedemini racoon[702]: IPSec disconnecting from server 106.186.27.96
Apr 26 23:38:28 --- last message repeated 1 time ---
Apr 26 23:38:28 sskajedemini racoon[702]: glob found no matches for path "/var/run/racoon/*.conf"
Apr 26 23:38:28 sskajedemini configd[24]: network changed.
Apr 26 23:38:58 --- last message repeated 1 time ---
Apr 26 23:39:26 sskajedemini ServerEventAgent[138]: CertsKeychainMonitor: received a keychain delete event
```
If you have debug logging enabled in /etc/racoon/racoon.conf, like
```
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug;
path logfile "/var/log/racoon.log";
```
you will see more detail in /var/log/racoon.log; kSecTrustResultRecoverableTrustFailure is a useful keyword to search for there.
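As an added example (not from the original post), here is a small Python triage script that walks syslog lines like the ones above, tracks how far the IKEv1 Main-Mode exchange got, and maps the error strings quoted in this post to the fixes it describes. The sample log is constructed, with placeholder host names and addresses.

```python
import re

# Constructed sample log in the shape of the OS X racoon/configd lines quoted above;
# host names and addresses are placeholders.
SAMPLE_LOG = """\
Apr 26 23:38:27 mac configd[24]: IPSec connecting to server vpn.example.invalid
Apr 26 23:38:27 mac racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 26 23:38:27 mac racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Apr 26 23:38:27 mac racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Apr 26 23:38:27 mac racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Apr 26 23:38:27 mac racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Apr 26 23:38:28 mac racoon[702]: Error evaluating certificate.
Apr 26 23:38:28 mac racoon[702]: the peer's certificate is not verified.
Apr 26 23:38:28 mac racoon[702]: IKEv1 Phase 1 AUTH: failed. (Initiator, Main-Mode Message 6).
Apr 26 23:38:28 mac configd[24]: IPSec Controller: IKE FAILED. phase 3, assert 0
Apr 26 23:38:28 mac configd[24]: IPSec disconnecting from server 198.51.100.7
"""

# Main-Mode messages 1-4 negotiate the SA and key exchange; 5 and 6 carry identity and
# authentication, so a failure at message 6 means the Mac rejected the server's auth.
MSG_RE = re.compile(r"Main-Mode message (\d)", re.IGNORECASE)

# Error strings quoted in this post, mapped to the fix the post describes.
KNOWN_CAUSES = {
    "the peer's certificate is not verified":
        "client does not trust the server certificate chain: reinstall the Root CA, "
        "then the signed .mobileconfig",
    "no XAuth method found":
        "strongSwan XAuth plugins missing on the server: apt-get install strongswan-*",
}

def triage_ike(log_text):
    """Return how far the IKEv1 exchange got and, if it failed, the likely cause."""
    last_ok = 0        # highest Main-Mode message sent or received successfully
    failed_at = None   # Main-Mode message at which racoon reported failure
    cause = None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m and "success" in line:
            last_ok = max(last_ok, int(m.group(1)))
        elif m and "failed" in line.lower():
            failed_at = int(m.group(1))
        for needle, explanation in KNOWN_CAUSES.items():
            if needle in line:
                cause = explanation
    if failed_at is None and cause is None:
        return {"status": "ok", "last_ok": last_ok}
    return {"status": "failed", "last_ok": last_ok, "failed_at": failed_at, "cause": cause}
```

Run `triage_ike(SAMPLE_LOG)` to get a dict reporting the exchange reached message 5 and failed at message 6 with the certificate-trust explanation; the same function applied to the server-side charon line reports the missing XAuth plugins.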
Searching for it, the only useful article I found was http://www.traud.de/vpn/, but it still did not work here.
On my MacBook Pro, and as another user told me, the Root CA I supplied and the mobileconfig worked without any error or warning.
But on my Mac Mini, and for some other people, the error above appeared, which had stopped me from getting IPSec working on OS X before.
What worked: delete the certificates, both the Root CA and the client's, from the Keychain Access app, and the mobileconfig from Profiles in System Preferences; reinstall them in order, first the CA, then the mobileconfig; then check that the mobileconfig is signed and has passed certificate verification (the green light is on), and it connects.