Strongswan swanctl config

Greetings, could someone share an up-to-date guide on configuring strongSwan with swanctl? As I understand it, the information in the official documentation is already outdated, because some of it did not work for me on OpenWRT 23.05.5, and unfortunately some of it is not clear to me. I don't have a domain, but I have a static IP. As a result, when I try to connect from an Android smartphone (homeIP = my home static address), I have the following logs:


Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[NET] received packet: from phoneIP[46126] to homeIP[500] (1072 bytes)
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[IKE] phoneIP is initiating an IKE_SA
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[IKE] remote host is behind NAT
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[IKE] DH group MODP_4096 unacceptable, requesting MODP_3072
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 05[NET] sending packet: from homeIP[500] to phoneIP[46126] (38 bytes)
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 08[NET] received packet: from phoneIP[41630] to homeIP[500] (944 bytes)
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 08[IKE] phoneIP is initiating an IKE_SA
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 08[IKE] remote host is behind NAT
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 08[NET] sending packet: from homeIP[500] to phoneIP[41630] (600 bytes)
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[NET] received packet: from phoneIP[44305] to homeIP[4500] (544 bytes)
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[ENC] parsed IKE_AUTH request 1 [ IDi IDr N(MOBIKE_SUP) SA TSi TSr CPRQ(ADDR ADDR6 DNS DNS6 MASK VER) ]
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[CFG] looking for peer configs matching homeIP[homeIP]...phoneIP[andrey]
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[CFG] selected peer config 'rw-eaptlsios'
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[IKE] initiating EAP_TLS method (id 0x52)
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[IKE] peer supports MOBIKE
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[IKE] authentication of 'homeIP' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[IKE] sending end entity cert "C=RU, O=homelab, CN=homeIP"
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TLS ]
Thu Feb 27 22:13:09 2025 daemon.info ipsec: 11[NET] sending packet: from homeIP[4500] to phoneIP[44305] (1216 bytes)
Thu Feb 27 22:13:39 2025 daemon.info ipsec: 12[JOB] deleting half open IKE_SA with phoneIP after timeout
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[NET] received packet: from phoneIP[49028] to homeIP[500] (1072 bytes)
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[IKE] phoneIP is initiating an IKE_SA
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[IKE] remote host is behind NAT
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[IKE] DH group MODP_4096 unacceptable, requesting MODP_3072
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 14[NET] sending packet: from homeIP[500] to phoneIP[49028] (38 bytes)
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 15[NET] received packet: from phoneIP[52148] to homeIP[500] (944 bytes)
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 15[IKE] phoneIP is initiating an IKE_SA
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 15[IKE] remote host is behind NAT
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 15[NET] sending packet: from homeIP[500] to phoneIP[52148] (600 bytes)
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 05[NET] received packet: from phoneIP[39416] to homeIP[4500] (436 bytes)
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 05[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 05[ENC] received fragment #2 of 2, waiting for complete IKE message
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[NET] received packet: from phoneIP[39416] to homeIP[4500] (1268 bytes)
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[ENC] received fragment #1 of 2, reassembled fragmented IKE message (1632 bytes)
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[ENC] parsed IKE_AUTH request 1 [ IDi IDr N(MOBIKE_SUP) CERT AUTH SA TSi TSr CPRQ(ADDR ADDR6 DNS DNS6 MASK VER) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[IKE] received end entity cert "C=RU, O=homelab, CN=andrey"
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] looking for peer configs matching homeIP[homeIP]...phoneIP[andrey]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] selected peer config 'rw-eaptlsios'
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG]   using trusted certificate "C=RU, O=homelab, CN=andrey"
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG]   using trusted ca certificate "C=RU, O=homelab, CN=homeIP"
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG]   reached self-signed root ca with a path length of 0
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] checking certificate status of "C=RU, O=homelab, CN=andrey"
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] certificate status is not available
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[IKE] authentication of 'andrey' with RSA_EMSA_PKCS1_SHA2_512 successful
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] constraint requires EAP_TLS, but EAP_NAK was used
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] selected peer config 'rw-eaptlsios' unacceptable: non-matching authentication done
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] switching to peer config 'rw-eapmschapv2'
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] constraint check failed: EAP identity '%any' required
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] selected peer config 'rw-eapmschapv2' unacceptable: non-matching authentication done
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] switching to peer config 'rw-eapmschapv2ios'
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] constraint check failed: EAP identity '%any' required
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] selected peer config 'rw-eapmschapv2ios' unacceptable: non-matching authentication done
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[CFG] no alternative config found
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[IKE] peer supports MOBIKE
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Thu Feb 27 22:13:53 2025 daemon.info ipsec: 09[NET] sending packet: from homeIP[4500] to phoneIP[39416] (80 bytes)

I tried RSA and MSCHAPv2. /etc/swanctl/common.conf config:

      local_addrs  = 0.0.0.0/0,::/0
      remote_addrs = 0.0.0.0/0,::/0
      local {
         auth = pubkey
         certs = serverCert_homeIP.pem
         id = homeIP
      }
      children {
         ikev2clients {
            local_ts  = 0.0.0.0/0;::/0
            esp_proposals = default
         }
      }
      pools = strongswanippool
      unique = never
      version = 2
      proposals = aes256-aes128-sha256-modp3072-modp2048-modp1024

/etc/swanctl/swanctl.conf:

connections {
   rw-eapmschapv2 {
      include ./common.conf
      remote-eapmschapv2 {
         auth = eap-mschapv2
         eap_id = %any
      }
      send_certreq = no
      send_cert = always
   }
   rw-eapmschapv2ios {
      include ./common.conf
      remote-eapmschapv2ios {
         auth = eap-mschapv2
         eap_id = %any
      }
      send_certreq = no
      send_cert = always
   }
   rw-eaptls {
      include ./common.conf
      remote-eaptls {
         auth = eap-tls
         certs = clientCert_andrey.pem
      }
      send_certreq = no
   }
   rw-eaptlsios {
      include ./common.conf
      remote-eaptlsios {
         auth = eap-tls
         certs = clientCert_andrey.pem
         id = andrey
      }
      send_certreq = no
      send_cert = always
   }
   rw-pubkey {
      include ./common.conf
      remote-pubkey {
         auth = pubkey
         certs = clientCert_andrey.pem
      }
      send_certreq = no
   }
   rw-pubkeyios {
      include ./common.conf
      remote-pubkeyios {
         auth = pubkey
         certs = clientCert_andrey.pem
         id = myVpnClients
      }
      send_certreq = no
      send_cert = always
   }
}

secrets {
   rsa- {
      filename="serverKey_homeIP.pem"
   }
   eap-remoteuser {
      id = *****
      secret = *****
   }
}

pools {
    strongswanippool {
        addrs = 10.0.1.0/24
        # dns = 8.8.8.8
    }
}

Initial part of the cert generation script:

COUNTRYNAME="RU"
CANAME="homeIP"
ORGNAME="homelab"
SERVERDOMAINNAME="homeIP"
CLIENTNAMES="andrey"
SHAREDSAN="homeIP" 

And I added lines to /etc/config/firewall according to the wiki.
On the phone I imported client_*.p12 and configured the connection according to the wiki.

Look again at the part near the end and at the end of the log. There is an issue which resulted in the auth failure. I don't know the defaults on Apple devices, but I also do not spot anything obvious in your config. Sorry :person_shrugging:

What are the defaults here? Compare them with your client's settings if you have not done so yet.

I don't know, and after rebooting my router I get this when I try to connect, but I didn't change anything:

Sat Mar  1 12:07:04 2025 daemon.info ipsec: 15[NET] received packet: from phoneIP[36838] to homeIP[500] (1072 bytes)
Sat Mar  1 12:07:04 2025 daemon.info ipsec: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sat Mar  1 12:07:04 2025 daemon.info ipsec: 15[IKE] no IKE config found for homeIP...phoneIP, sending NO_PROPOSAL_CHOSEN
Sat Mar  1 12:07:04 2025 daemon.info ipsec: 15[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Sat Mar  1 12:07:04 2025 daemon.info ipsec: 15[NET] sending packet: from homeIP[500] to phoneIP[36838] (36 bytes)
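An added example (not from the thread or from the strongSwan project) that reads charon log lines of the shape quoted in this thread and summarises the config-selection trail: which peer configs charon selected or switched to, why each was rejected, how the peer actually authenticated, and which notify went back. The sample lines are constructed to mirror the two logs above, and the diagnosis strings are my own reading of that trail, not strongSwan output.

```python
import re
# Constructed samples shaped like the thread's charon lines (syslog prefix optional).
FIRST_TRY = """\
09[CFG] selected peer config 'rw-eaptlsios'
09[IKE] authentication of 'andrey' with RSA_EMSA_PKCS1_SHA2_512 successful
09[CFG] constraint requires EAP_TLS, but EAP_NAK was used
09[CFG] selected peer config 'rw-eaptlsios' unacceptable: non-matching authentication done
09[CFG] switching to peer config 'rw-eapmschapv2'
09[CFG] constraint check failed: EAP identity '%any' required
09[CFG] no alternative config found
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""
AFTER_REBOOT = """\
15[IKE] no IKE config found for homeIP...phoneIP, sending NO_PROPOSAL_CHOSEN
15[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""
LINE = re.compile(r"\d+\[[A-Z]+\] (?P<msg>.*)$")
CONFIG = re.compile(r"(?:selected|switching to) peer config '([^']+)'")
# Only the peer's line matches: our own reads "of 'id' (myself) with ...".
AUTH_OK = re.compile(r"authentication of '([^']+)' with (\S+) successful")

def summarize(log_text):
    """Collect the config-selection trail charon logged for one attempt."""
    rep = {"tried": [], "reasons": [], "peer_auth": None,
           "no_config": False, "outcome": None}
    for msg in (m.group("msg") for m in map(LINE.search, log_text.splitlines()) if m):
        c = CONFIG.fullmatch(msg)            # plain select/switch lines only
        if c:
            rep["tried"].append(c.group(1))
        elif msg.startswith("constraint"):   # why a candidate was rejected
            rep["reasons"].append(msg)
        elif AUTH_OK.match(msg):
            rep["peer_auth"] = AUTH_OK.match(msg).groups()
        elif msg.startswith("no IKE config found"):
            rep["no_config"] = True
        elif msg.startswith("generating"):   # payloads of the last response built
            rep["outcome"] = msg.split("[ ")[1].rstrip(" ]")
    return rep

def diagnose(rep):
    """Turn the trail into the next question an operator should ask."""
    if rep["no_config"]:
        return ("no matching IKE config loaded: check that swanctl.conf was "
                "loaded after the restart (swanctl --list-conns)")
    if rep["peer_auth"] and rep["peer_auth"][1].startswith("RSA") \
            and rep["reasons"] and all("EAP" in r for r in rep["reasons"]):
        return ("peer did certificate (pubkey) auth as '%s'; every candidate "
                "config required EAP" % rep["peer_auth"][0])
    return "unclassified: read the constraint lines"
```

Feed it the full syslog output as well: the regex only needs the `NN[SUB] message` part, so the date and `daemon.info ipsec:` prefix is ignored.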