Getting IPSec Working with 2.2.6 & iOS 9



  • I have followed a bunch of different howto docs found online and still cannot locate where the error is.

    Negotiation mode is set as Main in VPN: IPsec: Edit Phase 1: Mobile Client.  I have tried setting it as Aggressive with no change.

    Of note is it seems that my iPhone (79.196.XXX.XXX) is requesting Main mode.  Is there a setting in VPN in iOS to change?

    Any help would be greatly appreciated.  This is driving me nuts.

    May 10 11:01:48 charon: 12[NET] <1> sending packet: from 192.168.XX.XXX [4500] to 70.196.XXX.XXX [2545] (108 bytes)
    May 10 11:01:48  charon: 12[ENC] <1> generating INFORMATIONAL_V1 request 165331397 [ HASH N(AUTH_FAILED) ]
    May 10 11:01:48 charon: 12[IKE] <1> found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
    May 10 11:01:48 charon: 12[CFG] <1> looking for XAuthInitPSK peer configs matching 192.168.XX.XXX70.196.XXX.XXX
    May 10 11:01:48 charon: 12[ENC] <1> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    May 10 11:01:48 charon: 12[NET] <1> received packet: from 70.196.XXX.XXX[2545] to 192.168.XX.XXX[4500] (108 bytes)
    May 10 11:01:48 charon: 12[NET] <1> sending packet: from 192.168.XX.XXX[500] to 70.196.XXX.XXX[2542] (396 bytes)
    May 10 11:01:48 charon: 12[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    May 10 11:01:48 charon: 12[IKE] <1> remote host is behind NAT
    May 10 11:01:48 charon: 12[IKE] <1> local host is behind NAT, sending keep alives
    May 10 11:01:48 charon: 12[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 10 11:01:48 charon: 12[NET] <1> received packet: from 70.196.XXX.XXX[2542] to 192.168.XX.XXX[500] (380 bytes)
    May 10 11:01:48 charon: 12[NET] <1> sending packet: from 192.168.XX.XXX [500] to 70.196.XXX.XXX[2542] (156 bytes)
    May 10 11:01:48 charon: 12[ENC] <1> generating ID_PROT response 0 [ SA V V V V ]
    May 10 11:01:48 charon: 12[IKE] <1> 70.196.XXX.XXX is initiating a Main Mode IKE_SA



  • OK, so if I specify a Group Name in iOS, the request becomes aggressive.  It still fails at:

    May 10 12:06:15 charon: 06[IKE] <15> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
    May 10 12:06:15 charon: 06[CFG] <15> looking for XAuthInitPSK peer configs matching 192.168.XX.XXX70.196.XXX.XXX[VPN]

    From VPN: IPsec: Edit Phase 1: Mobile Client - Phase 1 Proposal:

    Authentication method - Mutual PSK & Xauth
    Negotiation mode - Aggressive
    My Identifier - My IP Address
    Peer Identifier - Distinguished Name - VPN
    Pre-Shared Key - XXX

    What am I missing?
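
An added example, not part of the original posts: a small triage script that pulls the authentication rejections out of charon log lines like those quoted above and groups them by rejected authentication class and IKE mode. The regular expressions assume the syslog layout exactly as it appears in the posts; the function names are hypothetical and the sample lines are copied from the excerpts.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the two log excerpts quoted above
# (addresses were already masked by the poster).
SAMPLE = """\
May 10 11:01:48 charon: 12[NET] <1> sending packet: from 192.168.XX.XXX [4500] to 70.196.XXX.XXX [2545] (108 bytes)
May 10 11:01:48 charon: 12[IKE] <1> found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
May 10 11:01:48 charon: 12[IKE] <1> 70.196.XXX.XXX is initiating a Main Mode IKE_SA
May 10 12:06:15 charon: 06[IKE] <15> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
"""

# Assumed layout, taken from the quoted lines: "<date> charon: NN[SUB] <sa> message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+charon:\s+(?P<thread>\d+)"
    r"\[(?P<sub>[A-Z]{3})\]\s+<(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
MISMATCH = re.compile(
    r"found (?P<configs>\d+) matching configs?, but none allows "
    r"(?P<auth>\S+) authentication using (?P<mode>.+?) Mode$"
)

def parse_line(line):
    """Split one charon syslog line into fields; None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def auth_mismatches(log_text):
    """Return one record per 'none allows ... authentication' rejection."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["sub"] != "IKE":
            continue
        m = MISMATCH.search(rec["msg"])
        if m:
            hits.append({"ts": rec["ts"], "sa": int(rec["sa"]),
                         "configs": int(m["configs"]),
                         "auth": m["auth"], "mode": m["mode"]})
    return hits

def modes_by_auth(log_text):
    """Map each rejected authentication class to the IKE modes it was tried in."""
    seen = defaultdict(set)
    for hit in auth_mismatches(log_text):
        seen[hit["auth"]].add(hit["mode"])
    return {auth: sorted(modes) for auth, modes in seen.items()}

if __name__ == "__main__":
    for hit in auth_mismatches(SAMPLE):
        print(hit)
    print(modes_by_auth(SAMPLE))
```

Run over the quoted lines, it reports the same authentication class rejected once in Main Mode and once in Aggressive Mode, each time with one matching config found.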

