Hi,

I am trying to set up my VPN server on my OpenWrt following this guide:

wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior

Is there anyone who has successfully created a VPN server with this setup for Mac OS X 10.12+ and iOS 10+ clients?

I have been trying the whole day to set this up, without any luck.

Here is my full config:

/etc/strongswan.conf

charon {
    load_modular = yes
    dns1 = 192.168.2.1
    nbns1 = 192.168.2.1
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

cat /etc/ipsec.conf

config setup

conn %default
 keyexchange=ikev2

conn roadwarrior
 left=%any
 leftauth=pubkey
 leftcert=serverCert.pem
 leftsendcert=always
 leftid="C=US, O=xxx, CN=my.domain.com"
 leftsubnet=0.0.0.0/0,::/0
 right=%any
 rightsourceip=192.168.2.160/28
 rightauth=pubkey
 rightcert=clientCert.pem
 rightauth2=eap-mschapv2
 auto=add

cat /etc/ipsec.secrets

: RSA serverKey.pem
myusername : EAP "mypassword"

Making keys:

#!/bin/sh
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=US, O=xxx, CN=xxxx" --ca --outform pem > caCert.pem
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=xxx, CN=my.domain.com" --san="my.domain.com" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=xxx, CN=client" --outform pem > clientCert.pem
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "xxxx" -out clientCert.p12

# where to put them...
mv caCert.pem /etc/ipsec.d/cacerts/
mv serverCert.pem /etc/ipsec.d/certs/
mv serverKey.pem /etc/ipsec.d/private/
mv clientCert.pem /etc/ipsec.d/certs/
mv clientKey.pem /etc/ipsec.d/private/
mv caKey.pem /etc/ipsec.d/private/

Then I import the two keys into my clients.

Mac OS X config:

VPN type: IKEv2
server address: my.domain.com
Remote ID: C=US, O=xxx, CN=my.domain.com
local id: blank

Authentication settings:

username: myusername
password: mypassword

Result:

Sat Aug 19 23:38:19 2017 daemon.info syslog: 09[NET] received packet: from 192.168.1.1[500] to 192.168.1.134[500] (604 bytes)
Sat Aug 19 23:38:19 2017 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sat Aug 19 23:38:19 2017 daemon.info syslog: 09[IKE] 192.168.1.1 is initiating an IKE_SA
Sat Aug 19 23:38:19 2017 authpriv.info syslog: 09[IKE] 192.168.1.1 is initiating an IKE_SA
Sat Aug 19 23:38:20 2017 daemon.info syslog: 09[IKE] local host is behind NAT, sending keep alives
Sat Aug 19 23:38:20 2017 daemon.info syslog: 09[IKE] remote host is behind NAT
Sat Aug 19 23:38:20 2017 daemon.info syslog: 09[IKE] sending cert request for "C=US, O=xxx, CN=xxxx"
Sat Aug 19 23:38:20 2017 daemon.info syslog: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sat Aug 19 23:38:20 2017 daemon.info syslog: 09[NET] sending packet: from 192.168.1.134[500] to 192.168.1.1[500] (465 bytes)
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[NET] received packet: from 192.168.1.1[4500] to 192.168.1.134[4500] (528 bytes)
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[ENC] unknown attribute type (25)
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[CFG] looking for peer configs matching 192.168.1.134[C=US, O=xxx, CN=my.domain.com]...192.168.1.1[192.168.2.122]
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[CFG] no matching peer config found
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[IKE] peer supports MOBIKE
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sat Aug 19 23:38:20 2017 daemon.info syslog: 07[NET] sending packet: from 192.168.1.134[4500] to 192.168.1.1[4500] (80 bytes)

Any ideas?
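Editor's note (added example, not part of the original post): the posted log already shows why the peer config lookup fails. The client's IKE_AUTH request carries IDi, IDr, CP, SA and TS payloads but no AUTH and no CERT payload, which is how an IKEv2 initiator asks for EAP-only authentication. Its IKE_SA_INIT request also announces only REDIR_SUP, NATD and FRAG_SUP, not MULTIPLE_AUTH_SUPPORTED, so the two-round scheme in the posted conn (rightauth=pubkey followed by rightauth2=eap-mschapv2) cannot be negotiated at all; the server's N(MULT_AUTH) offer is ignored. charon only selects a peer config whose authentication rounds the peer can satisfy, so with a first round of rightauth=pubkey it logs "no matching peer config found" and replies N(AUTH_FAILED). The conn below is a rewrite for Apple clients that authenticate with username and password only; it keeps the paths, IDs and address pool from the post, and the comments mark the three changes.

```conf
# /etc/ipsec.conf -- added example for macOS / iOS IKEv2 clients using
# EAP-MSCHAPv2 only (not the original poster's config; paths, IDs and the
# address pool are the ones from the post).
config setup

conn %default
    keyexchange=ikev2

conn roadwarrior
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem                    # /etc/ipsec.d/certs/serverCert.pem
    leftsendcert=always
    leftid="C=US, O=xxx, CN=my.domain.com"     # must equal the client's Remote ID
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightsourceip=192.168.2.160/28
    # Change 1: a single authentication round, EAP only. The client sends no
    # AUTH/CERT payload in IKE_AUTH and did not announce MULTIPLE_AUTH_SUPPORTED,
    # so rightauth=pubkey plus rightauth2=eap-mschapv2 can never match.
    rightauth=eap-mschapv2
    # Change 2: Apple clients put their own IP address in IDi (192.168.2.122 in
    # the log). Accept any IDi and take the user name from the EAP identity
    # exchange, so the "myusername : EAP" line in ipsec.secrets is looked up.
    eap_identity=%identity
    # Change 3: no client certificate takes part, so drop rightcert= and do not
    # request one.
    rightsendcert=never
    auto=add
```

After editing, `ipsec reload` (or `ipsec restart` on OpenWrt) and retry while watching `logread -f`; a successful attempt shows the EAP_IDENTITY / EAP_MSCHAPV2 exchanges instead of the immediate AUTH_FAILED. On the client side only caCert.pem needs to be installed and trusted so the server certificate (SAN my.domain.com, EKU serverAuth, ikeIntermediate) validates; the clientCert.p12 is unnecessary for EAP-only authentication. Two caveats a practitioner would add: in EAP-MSCHAPv2 the password is only as safe as the server certificate check on the client, so never weaken it with an untrusted CA; and the posted script moves caKey.pem into /etc/ipsec.d/private on the router, where anyone who compromises the router can mint certificates trusted by every client. Keep the CA key offline and copy only caCert.pem, serverCert.pem and serverKey.pem to the device.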