[strongSwan] iOS 9 client is lost after server `generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]` then sending packet
Zorceta Moshak
zorceta at gmail.com
Sat Dec 26 19:43:29 CET 2015
Hi all,
I ran into this problem on all iOS 9 devices I managed to test on.
The `ipsec --nofork` log is as follows:
```
Starting strongSwan 5.3.5 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.1.5-x86_64-linode61, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CN, O=blahblah, CN=VPN CA" from '/usr/local/etc/ipsec.d/cacerts/ca_cert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/server_key.pem'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/client_key.pem'
00[CFG] loaded EAP secret for zorceta
00[CFG] loaded EAP secret for zorceta
00[CFG] loaded EAP secret for test
00[CFG] loaded 0 RADIUS server configurations
00[CFG] coupling file path unspecified
00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip certexpire radattr addrblock unity
00[JOB] spawning 16 worker threads
charon (31563) started after 40 ms
11[CFG] received stroke: add connection 'iOS'
11[CFG] adding virtual IP address pool 10.0.0.0/24
11[CFG] loaded certificate "C=CN, O=blahblah, CN=vpn.blahblah.org" from 'server_cert.pem'
11[CFG] added configuration 'iOS'
02[NET] received packet: from iOSDeviceAddress[500] to ServerAddress[500] (388 bytes)
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
02[IKE] iOSDeviceAddress is initiating an IKE_SA
02[IKE] remote host is behind NAT
02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
02[NET] sending packet: from ServerAddress[500] to iOSDeviceAddress[500] (308 bytes)
01[NET] received packet: from iOSDeviceAddress[4500] to ServerAddress[4500] (412 bytes)
01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
01[CFG] looking for peer configs matching ServerAddress[vpn.blahblah.org]...iOSDeviceAddress[192.168.1.100]
01[CFG] selected peer config 'iOS'
01[IKE] initiating EAP_IDENTITY method (id 0x00)
01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
01[IKE] peer supports MOBIKE
01[IKE] authentication of 'vpn.blahblah.org' (myself) with RSA signature successful
01[IKE] sending end entity cert "C=CN, O=blahblah, CN=vpn.blahblah.org"
01[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
01[NET] sending packet: from ServerAddress[4500] to iOSDeviceAddress[4500] (1204 bytes)
12[JOB] deleting half open IKE_SA after timeout
```
On my iOS device the 'connect to VPN' switch was then off, and the
server suddenly lost the whole connection, or, put another way, lost the
client.
ipsec.conf is as follows:
```
config setup
    # strictcrlpolicy=yes
    uniqueids = never

conn iOS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftsendcert=always
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=@vpn.blahblah.org
    leftauth=pubkey
    leftcert=server_cert.pem
    rightsendcert=never
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.0.0/24
    eap_identity=%any
    dpdaction=clear
    auto=add
```
ipsec.secrets is as follows:
```
: RSA server_key.pem
: RSA client_key.pem
zorceta : EAP "blahblah"
zorceta : XAUTH "blahblah"
test : EAP "testblahblah"
```
I'm in China, but after asking a friend in Canada to test it out and
getting the same result, we confirmed that the Great Firewall had nothing to
do with this.
`ipsec --nofork` output seems to be the most detailed log level, so
more logging might not be much help.
Is there a clue I can investigate?
Thanks.
Kind regards,
Zorceta Moshak
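The stall pattern in the log above (IKE_AUTH response sent, nothing further received from the peer, then the half-open IKE_SA timeout) can be picked out of a charon log automatically. The following is an added example, not strongSwan code and not the poster's; it assumes the default charon log line format shown in the post and runs on a constructed excerpt with placeholder addresses.

```python
import re

# Constructed excerpt modelled on the charon log above (placeholder addresses, not real hosts).
SAMPLE_LOG = """\
02[NET] received packet: from iOSDeviceAddress[500] to ServerAddress[500] (388 bytes)
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
02[NET] sending packet: from ServerAddress[500] to iOSDeviceAddress[500] (308 bytes)
01[NET] received packet: from iOSDeviceAddress[4500] to ServerAddress[4500] (412 bytes)
01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr SA TSi TSr ]
01[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
01[NET] sending packet: from ServerAddress[4500] to iOSDeviceAddress[4500] (1204 bytes)
12[JOB] deleting half open IKE_SA after timeout
"""

PKT_RE = re.compile(r"\[NET\] (received|sending) packet: from \S+ to \S+ \((\d+) bytes\)")
EXCH_RE = re.compile(r"\[ENC\] (parsed|generating) (\w+) (request|response) (\d+) \[ (.*) \]")
TIMEOUT = "deleting half open IKE_SA after timeout"

def diagnose(log_text):
    """Walk a charon log and report where the IKEv2 handshake stalled.

    Returns None if no half-open timeout was logged; otherwise a dict with the
    last exchange the server generated, the size of the last packet it sent
    that the peer never answered, and which side advertised N(FRAG_SUP).
    """
    last_exchange = None
    unanswered_bytes = None
    frag = {"peer": False, "server": False}
    for line in log_text.splitlines():
        m = EXCH_RE.search(line)
        if m:
            direction, name, kind, mid, payloads = m.groups()
            if "N(FRAG_SUP)" in payloads.split():
                frag["peer" if direction == "parsed" else "server"] = True
            if direction == "generating":
                last_exchange = f"{name} {kind} {mid}"
            continue
        m = PKT_RE.search(line)
        if m:
            # A received packet means the previous send reached the peer.
            unanswered_bytes = int(m.group(2)) if m.group(1) == "sending" else None
            continue
        if TIMEOUT in line:
            return {"stalled_after": last_exchange,
                    "unanswered_bytes": unanswered_bytes,
                    "peer_frag_sup": frag["peer"],
                    "server_frag_sup": frag["server"]}
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the full `ipsec --nofork` output, it reports the last server message the client never answered and whether each side offered IKEv2 fragmentation support, which is the first thing to compare between a working and a failing client.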