IKEv2 SharedSecret mode does not interoperate with strongSwan

Number: rdar://18179329
Date Originated: 29-Aug-2014 12:08 PM
Status: Open
Resolved:
Product: iOS
Product Version: iOS 8.0 (12A4345d)
Classification: Other Bug
Reproducible: Always

An IKEv2 configuration on iOS 8 using SharedSecret device authentication will generate a MAC that is not accepted by a strongSwan server configured with the same PSK.

Steps to Reproduce:
1. Set up strongSwan 5.1.2. I recommend Ubuntu 14.04. Sample config files are attached, although you'll have to bring your own PKI.
2. Add an IKEv2 configuration using the PSK configured in step 1. Trivial XAuth can be provided, although it won't get that far.
3. Try to connect.

Expected Results:
The server should accept the PSK provided.

Actual Results:
The MAC generated by iOS will not match the configured PSK.

iOS 8.0 (12A4345d)

Strictly speaking, this symptom doesn't indicate which side is at fault. However, since iOS appears to be the newer implementation and only Apple has the ability to debug both sides, I think it will have to be on your plate.

iPod Touch (MD723LL/A)

'ipsec.conf' and 'ipsec.secrets' were successfully uploaded.
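
To narrow down a mismatch like the one reported above, the IKEv2 shared-secret AUTH value can be recomputed offline as defined in RFC 7296, section 2.15, and compared against what a peer sent. The sketch below is an added example, not part of the original report; it assumes an HMAC-SHA-256 PRF, and every sample value, including the candidate byte encodings of the secret, is constructed and is not a finding about iOS or strongSwan.

```python
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed ASCII pad string, RFC 7296 section 2.15


def prf(key, data, digest="sha256"):
    # HMAC-based prf; use the hash of the PRF negotiated for the IKE SA.
    return hmac.new(key, data, digest).digest()


def initiator_signed_octets(real_message1, nonce_r, sk_pi, rest_of_id_i, digest="sha256"):
    # InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)
    return real_message1 + nonce_r + prf(sk_pi, rest_of_id_i, digest)


def psk_auth(psk, signed_octets, digest="sha256"):
    # AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    return prf(prf(psk, KEY_PAD, digest), signed_octets, digest)


def matching_encodings(candidates, signed_octets, received_auth, digest="sha256"):
    # Names of the candidate secret encodings that reproduce the peer's AUTH value.
    return [name for name, psk in candidates.items()
            if hmac.compare_digest(psk_auth(psk, signed_octets, digest), received_auth)]


# Constructed sample values (assumptions, not taken from a real exchange).
REAL_MESSAGE1 = bytes(range(64))      # stands in for the raw IKE_SA_INIT request
NONCE_R = bytes.fromhex("a1" * 32)    # responder nonce data
SK_PI = bytes.fromhex("5c" * 32)      # SK_pi from the IKE SA key derivation
REST_OF_ID_I = bytes([2, 0, 0, 0]) + b"client.example.test"  # ID_FQDN, 3 reserved bytes, data
SECRET = "correct horse"              # the secret as typed on both sides

OCTETS = initiator_signed_octets(REAL_MESSAGE1, NONCE_R, SK_PI, REST_OF_ID_I)
CANDIDATES = {
    "utf-8": SECRET.encode("utf-8"),
    "utf-8 + newline": SECRET.encode("utf-8") + b"\n",
    "utf-16-le": SECRET.encode("utf-16-le"),
}

if __name__ == "__main__":
    received = psk_auth(CANDIDATES["utf-8"], OCTETS)  # AUTH as one peer would send it
    print(matching_encodings(CANDIDATES, OCTETS, received))
```

With real data, the message bytes, nonce and SK_pi come from the debug output of whichever side exposes them, and the PRF hash must match the negotiated proposal.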

