<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>I have set up strongSwan successfully to allow IKEv2 access from a
Windows 10 client. <br>
</p>
<p>I also need to allow MacBook users native IKEv2 access, but I
have run into a problem. The MacBook attempts a connection, fails
and displays 'VPN Connection - An unexpected error occurred'. It
is a bit cryptic; there are no errors reported in the MacBook
logs. <br>
</p>
<p>I am using IKEv2-EAP-MSCHAPv2 authentication. This works fine on
the Windows 10 client, so it seems there is a discrepancy between
the Windows 10 and Mac configuration. I am having trouble
pinpointing it.</p>
<p>The VPN connects to a limited IP address range on my private LAN.</p>
<p>I have tried various ike/esp variations from advice pages. For the
purposes of testing the connection, I have now allowed all; the
link still fails.<br>
</p>
<p>Here is my configuration:</p>
<p>Strongswan-miton:</p>
<p>CentOS release 6.10 (Final)</p>
<p>strongSwan swanctl 5.4.0</p>
<p>MacBook:</p>
<p>macOS Mojave Ver 10.14.4</p>
<p><b>iptables</b></p>
<p>The MacBook is behind a NAT with a fixed IP address. The rule allows all
from the MacBook NAT.<br>
</p>
<p>
<span>
<div style="-en-clipboard:true;"><b>strongswan.conf</b></div>
<div style="box-sizing: border-box; padding: 8px; font-family:
Monaco, Menlo, Consolas, "Courier New", monospace;
font-size: 12px; color: rgb(51, 51, 51); border-radius: 4px;
background-color: rgb(251, 250, 248); border: 1px solid
rgba(0, 0, 0, 0.15);-en-codeblock:true;">
<div># strongswan.conf - strongSwan configuration file<br>
</div>
<div>#</div>
<div># Refer to the strongswan.conf(5) manpage for details</div>
<div>#</div>
<div># Configuration changes should be made in the included
files</div>
<div>charon {</div>
<div> load_modular = yes</div>
<div> plugins {</div>
<div> include strongswan.d/charon/*.conf</div>
<div> }</div>
<div>}</div>
<div>libstrongswan {</div>
<div> plugins {</div>
<div> openssl {</div>
<div> fips_mode = 0</div>
<div> }</div>
<div> }</div>
<div>}</div>
<div>include strongswan.d/*.conf</div>
</div>
<div><br>
</div>
<div><b>ipsec.conf</b></div>
<div style="box-sizing: border-box; padding: 8px; font-family:
Monaco, Menlo, Consolas, "Courier New", monospace;
font-size: 12px; color: rgb(51, 51, 51); border-radius: 4px;
background-color: rgb(251, 250, 248); border: 1px solid
rgba(0, 0, 0, 0.15);-en-codeblock:true;">
<div>config setup</div>
<div> # strictcrlpolicy=yes</div>
<div> # uniqueids = no</div>
<div> charondebug="ike 2, knl 2, cfg 2, net 2, esp 2,
dmn 2, mgr 2"</div>
<div>conn %default</div>
<div> keyexchange=ikev2</div>
<div><br>
</div>
<div># Test Config 1</div>
<div># ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!</div>
<div># esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!</div>
<div><br>
</div>
<div># Test Config 2</div>
<div># ike=aes256-aes192-aes128-3des-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!</div>
<div># esp=aes256-aes192-aes128-3des-sha384-sha256-sha1!</div>
<div><br>
</div>
<div># Test Config 3</div>
<div># ike=aes256-sha1-modp1024,aes128-sha1-modp1024! #
Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256,
modp1024; OS X is 3DES, sha-1, modp1024</div>
<div># esp=aes256-sha256,aes256-sha1,aes128-sha1! # Win
7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1</div>
<div><br>
</div>
<div># Test Config 4 - No restriction - Still failing</div>
<div><br>
</div>
<div> dpdaction=clear</div>
<div> dpddelay=300s</div>
<div> rekey=no</div>
<div> left=87.238.75.114</div>
<div> leftid=@miton-strongswan</div>
<div> leftsubnet=0.0.0.0/0</div>
<div> leftcert=mitondcVPNServerCert.der</div>
<div> right=%any</div>
<div> rightdns=192.168.100.3,192.168.100.4</div>
<div> rightsourceip=192.168.100.24/29</div>
<div><br>
</div>
<div>conn IPSec-IKEv2-EAP</div>
<div> rightauth=eap-mschapv2</div>
<div> rightsendcert=never</div>
<div> eap_identity=%any</div>
<div> auto=add</div>
</div>
<div><span><br>
</span></div>
<div><span>
<div><b>ipsec.secrets</b></div>
<div style="box-sizing: border-box; padding: 8px;
font-family: Monaco, Menlo, Consolas, "Courier
New", monospace; font-size: 12px; color: rgb(51, 51,
51); border-radius: 4px; background-color: rgb(251, 250,
248); border: 1px solid rgba(0, 0, 0,
0.15);-en-codeblock:true;">
<div># /etc/ipsec.secrets - strongSwan IPsec secrets file</div>
<div>: RSA mitondcVPNServerKey.der</div>
<div>abcdef : EAP "pppppppppppppppp"</div>
</div>
</span>
</div>
<br>
</span></p>
<p>Test traces:</p>
<p>
<span>
<div style="-en-clipboard:true;"><b>StrongSwan Server Tcpdump</b></div>
<div><b><br>
</b></div>
<div style="box-sizing: border-box; padding: 8px; font-family:
Monaco, Menlo, Consolas, "Courier New", monospace;
font-size: 12px; color: rgb(51, 51, 51); border-radius: 4px;
background-color: rgb(251, 250, 248); border: 1px solid
rgba(0, 0, 0, 0.15);-en-codeblock:true;">
<div>[root@miton-strongswan ~]# tcpdump -s 0 -n -i eth0 'esp
or udp and (port 500 or port 4500)'</div>
<div>tcpdump: verbose output suppressed, use -v or -vv for
full protocol decode</div>
<div>listening on eth0, link-type EN10MB (Ethernet), capture
size 65535 bytes</div>
<div>08:50:05.910826 IP 92.27.xxx.xxx.isakmp >
87.238.yyy.yyy.isakmp: isakmp: parent_sa ikev2_init[I]</div>
<div>08:50:05.982896 IP 87.238.yyy.yyy.isakmp >
92.27.xxx.xxxx.isakmp: isakmp: parent_sa ikev2_init[R]</div>
<div>08:50:06.016609 IP 92.27.xxx.xxx.ipsec-nat-t >
87.238.yyy.yyy.ipsec-nat-t: NONESP-encap: isakmp:
child_sa ikev2_auth[I]</div>
<div>08:50:06.028581 IP 87.238.yyy.yyy.ipsec-nat-t >
92.27.xxx.xxx.ipsec-nat-t: NONESP-encap: isakmp:
child_sa ikev2_auth[R]</div>
</div>
<div><b><br>
</b></div>
<div><b>StrongSwan Server Swanctl</b></div>
<div><br>
</div>
<div style="box-sizing: border-box; padding: 8px; font-family:
Monaco, Menlo, Consolas, "Courier New", monospace;
font-size: 12px; color: rgb(51, 51, 51); border-radius: 4px;
background-color: rgb(251, 250, 248); border: 1px solid
rgba(0, 0, 0, 0.15);-en-codeblock:true;">
<div>[root@miton-strongswan ~]# swanctl -T</div>
<div>04[NET] received packet: from 92.27.xxx.xxx[500] to
87.238.yyy.yyy[500] (604 bytes)</div>
<div>04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]</div>
<div>04[IKE] 92.27.xxx.xxx is initiating an IKE_SA</div>
<div>04[IKE] remote host is behind NAT</div>
<div>04[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</div>
<div>04[NET] sending packet: from 87.238.yyy.yyy[500] to
92.27.xxx.xxx[500] (440 bytes)</div>
<div>05[NET] received packet: from 92.27.xxx.xxx[4500] to
87.238.yyy.yyy[4500] (512 bytes)</div>
<div>05[ENC] unknown attribute type (25)</div>
<div>05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6
(25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]</div>
<div>05[CFG] looking for peer configs matching
87.238.yyy.yyy[miton2.miton.co.uk]...92.27.xxx.xxx[192.168.0.10]</div>
<div>05[CFG] selected peer config 'IPSec-IKEv2-EAP'</div>
<div>05[IKE] initiating EAP_IDENTITY method (id 0x00)</div>
<div>05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using
ESPv3 TFC padding</div>
<div>05[IKE] peer supports MOBIKE</div>
<div>05[IKE] authentication of 'miton2.miton.co.uk' (myself)
with RSA signature successful</div>
<div>05[ENC] generating IKE_AUTH response 1 [ IDr AUTH
EAP/REQ/ID ]</div>
<div>05[NET] sending packet: from 87.238.yyy.yyy[4500] to
92.27.xxx.xxx[4500] (368 bytes)</div>
<div>04[JOB] deleting half open IKE_SA after timeout</div>
</div>
<div><br>
</div>
<div><b>Tcpdump Macbook-Pro</b></div>
<div><br>
</div>
<div style="margin: 0px;">
<div style="box-sizing: border-box; padding: 8px; font-family:
Monaco, Menlo, Consolas, "Courier New", monospace;
font-size: 12px; color: rgb(51, 51, 51); border-radius: 4px;
background-color: rgb(251, 250, 248); border: 1px solid
rgba(0, 0, 0, 0.15);-en-codeblock:true;">
<div>Ians-MacBook-Pro:~ ianmac$ sudo tcpdump -s 0 -n -i en0
'esp or udp and (port 500 or port 4500)'</div>
<div>Password:</div>
<div>tcpdump: verbose output suppressed, use -v or -vv for
full protocol decode</div>
<div>listening on en0, link-type EN10MB (Ethernet), capture
size 262144 bytes</div>
<div>08:50:05.904121 IP 192.168.0.10.500 >
87.238.yyy.yyy.500: isakmp: parent_sa ikev2_init[I]</div>
<div>08:50:05.990893 IP 87.238.yyy.yyy.500 >
192.168.0.10.500: isakmp: parent_sa ikev2_init[R]</div>
<div>08:50:06.009888 IP 192.168.0.10.4500 >
87.238.yyy.yyy.4500: NONESP-encap: isakmp:
child_sa ikev2_auth[I]</div>
<div>08:50:06.036478 IP 87.238.yyy.yyy.4500 >
192.168.0.10.4500: NONESP-encap: isakmp:
child_sa ikev2_auth[R]</div>
</div>
</div>
</span>
</p>
<p>I think it looks like the MacBook is unhappy with the <span>ikev2_auth[R]
response from the miton-strongswan server?<br>
</span></p>
<p>Can anyone give me any pointers?<br>
</p>
<p>Best regards,<br>
</p>
<p>Ian<br>
</p>
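<p>As an added example that is not part of Ian's post or of strongSwan itself: a small Python triage script that reads a charon trace in the shape of the swanctl -T output above and reports which IKEv2 message was the last one sent, which EAP payloads went in each direction, and whether the IKE_SA was dropped half-open. The first embedded sample is built from the log lines in the post; the second is a constructed trace, written by hand as an assumption of what a completed EAP-MSCHAPv2 round looks like, so the script has a success case to compare against. The regex patterns, field names and verdict strings are the example's own choices, not anything strongSwan provides.</p>

```python
import re
import sys

# Constructed sample 1: the ENC/CFG/JOB lines from Ian's swanctl -T output above
# (IPs masked exactly as in the post; NET/IKE status lines omitted).
STALLED_TRACE = """\
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 87.238.yyy.yyy[miton2.miton.co.uk]...92.27.xxx.xxx[192.168.0.10]
05[CFG] selected peer config 'IPSec-IKEv2-EAP'
05[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] authentication of 'miton2.miton.co.uk' (myself) with RSA signature successful
05[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
04[JOB] deleting half open IKE_SA after timeout
"""

# Constructed sample 2 (assumption): hand-written in the shape of a charon trace for a
# completed EAP-MSCHAPv2 round, not taken from the post, so there is a success case too.
COMPLETED_TRACE = """\
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr ]
07[CFG] looking for peer configs matching 87.238.yyy.yyy[miton2.miton.co.uk]...92.27.xxx.xxx[192.168.0.10]
07[CFG] selected peer config 'IPSec-IKEv2-EAP'
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
10[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
"""

# charon line shape: "<thread>[SUBSYSTEM] message"
LINE_RE = re.compile(r"^\d+\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")
# ENC lines marking one IKEv2 message parsed (inbound) or generated (outbound)
EXCH_RE = re.compile(
    r"^(?P<verb>parsed|generating) (?P<exch>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) "
    r"(?P<kind>request|response) (?P<msgid>\d+) \[ (?P<payloads>.*) \]$"
)
# CFG line naming the identities charon matched: my_addr[my_id]...peer_addr[peer_id]
IDS_RE = re.compile(r"^looking for peer configs matching \S+?\[(?P<me>[^\]]*)\]\.\.\.\S+?\[(?P<peer>[^\]]*)\]$")
CONFIG_RE = re.compile(r"^selected peer config '(?P<name>[^']*)'$")


def triage(trace):
    """Walk a charon trace and report where the IKEv2/EAP exchange stopped."""
    msgs, me, peer, config, half_open_timeout = [], None, None, None, False
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        e = EXCH_RE.match(msg)
        if e:
            msgs.append({
                "dir": "in" if e.group("verb") == "parsed" else "out",
                "label": f"{e.group('exch')} {e.group('kind')} {e.group('msgid')}",
                "payloads": e.group("payloads"),
                # EAP payload tokens such as EAP/REQ/ID, EAP/RES/MSCHAPV2, EAP/SUCC
                "eap": re.findall(r"EAP/[A-Z0-9/]+", e.group("payloads")),
            })
        elif IDS_RE.match(msg):
            me, peer = IDS_RE.match(msg).group("me", "peer")
        elif CONFIG_RE.match(msg):
            config = CONFIG_RE.match(msg).group("name")
        elif msg == "deleting half open IKE_SA after timeout":
            half_open_timeout = True

    eap_sent = [t for x in msgs if x["dir"] == "out" for t in x["eap"]]
    eap_recv = [t for x in msgs if x["dir"] == "in" for t in x["eap"]]
    last_out = next((x for x in reversed(msgs) if x["dir"] == "out"), None)
    last_in = next((x for x in reversed(msgs) if x["dir"] == "in"), None)

    if not msgs:
        verdict = "no IKEv2 exchange logged"
    elif "EAP/SUCC" in eap_sent and last_in and "AUTH" in last_in["payloads"].split():
        verdict = "EAP succeeded and the peer sent its final AUTH"
    elif msgs[-1] is last_in:
        verdict = f"server did not answer {last_in['label']}"
    elif half_open_timeout:
        verdict = f"client stopped responding after {last_out['label']} [ {last_out['payloads']} ]"
    else:
        verdict = f"exchange in progress; last sent {last_out['label']}"

    return {
        "my_id": me, "peer_id": peer, "peer_config": config,
        "last_sent": last_out["label"] if last_out else None,
        "eap_requests_sent": eap_sent, "eap_responses_received": eap_recv,
        "half_open_timeout": half_open_timeout, "verdict": verdict,
    }


if __name__ == "__main__":
    # Pass a saved charon log as the first argument; otherwise triage the post's trace.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else STALLED_TRACE
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

<p>Run against the trace from the post it reports last_sent: IKE_AUTH response 1, eap_requests_sent: ['EAP/REQ/ID'], eap_responses_received: [] and a half-open timeout: the server completed its own RSA authentication, asked the client for its EAP identity, and nothing came back, which is the same reading Ian gives above. The script also prints my_id, the identity charon logged for itself (miton2.miton.co.uk here); that is the value the client receives in the IDr payload and compares with the remote ID and certificate it expects, so it is worth checking against the client-side settings whenever a connection dies at exactly this point.</p>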
</body>
</html>