[strongSwan] Having Trouble with Macbook VPN Configuration

Ian McLauchlan ianmac at miton.co.uk
Wed May 15 11:35:59 CEST 2019


Hi,

I have set up strongSwan successfully to allow IKEv2 access from a 
Windows 10 client.

I also need to allow MacBook users native IKEv2 access, but I have run 
into a problem. The MacBook attempts a connection, fails, and displays 
'VPN Connection - An unexpected error occurred'. It is a bit cryptic, and 
there are no errors reported in the MacBook logs.

I am using IKEv2 EAP-MSCHAPv2 authentication. This works fine on the 
Windows 10 client, so it seems there is a discrepancy between the 
Windows 10 and Mac configuration. I am having trouble pinpointing it.

The VPN connects to a limited IP address range on my private LAN.

I have tried various ike/esp variations from advice pages. For the 
purposes of testing the connection, I have now allowed all; the link 
still fails.

Here is my configuration:

Strongswan-miton:

CentOS release 6.10 (Final)

strongSwan swanctl 5.4.0

MacBook:

macOS Mojave 10.14.4

*iptables*

The MacBook is behind a NAT with a fixed IP address. The rule allows all 
traffic from the MacBook NAT.

*strongswan.conf*
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
         load_modular = yes
         plugins {
                 include strongswan.d/charon/*.conf
         }
}
libstrongswan {
         plugins {
                 openssl {
                         fips_mode = 0
                 }
         }
}
include strongswan.d/*.conf

*ipsec.conf*
config setup
         # strictcrlpolicy=yes
         # uniqueids = no
         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
         keyexchange=ikev2

# Test Config 1
#       ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
#       esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

# Test Config 2
#       ike=aes256-aes192-aes128-3des-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!
#       esp=aes256-aes192-aes128-3des-sha384-sha256-sha1!

# Test Config 3
#       ike=aes256-sha1-modp1024,aes128-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
#       esp=aes256-sha256,aes256-sha1,aes128-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1

# Test Config 4 - No restriction - Still failing

         dpdaction=clear
         dpddelay=300s
         rekey=no
         left=87.238.75.114
         leftid=@miton-strongswan
         leftsubnet=0.0.0.0/0
         leftcert=mitondcVPNServerCert.der
         right=%any
         rightdns=192.168.100.3,192.168.100.4
         rightsourceip=192.168.100.24/29

conn IPSec-IKEv2-EAP
         rightauth=eap-mschapv2
         rightsendcert=never
         eap_identity=%any
         auto=add

*ipsec.secrets*
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA mitondcVPNServerKey.der
abcdef : EAP "pppppppppppppppp"

Test traces:

*StrongSwan Server Tcpdump*
[root at miton-strongswan ~]# tcpdump -s 0 -n -i eth0 'esp or udp and (port 500 or port 4500)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:50:05.910826 IP 92.27.xxx.xxx.isakmp > 87.238.yyy.yyy.isakmp: isakmp: parent_sa ikev2_init[I]
08:50:05.982896 IP 87.238.yyy.yyy.isakmp > 92.27.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[R]
08:50:06.016609 IP 92.27.xxx.xxx.ipsec-nat-t > 87.238.yyy.yyy.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
08:50:06.028581 IP 87.238.yyy.yyy.ipsec-nat-t > 92.27.xxx.xxx.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
*StrongSwan Server Swanctl*

[root at miton-strongswan ~]# swanctl -T
04[NET] received packet: from 92.27.xxx.xxx[500] to 87.238.yyy.yyy[500] (604 bytes)
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
04[IKE] 92.27.xxx.xxx is initiating an IKE_SA
04[IKE] remote host is behind NAT
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
04[NET] sending packet: from 87.238.yyy.yyy[500] to 92.27.xxx.xxx[500] (440 bytes)
05[NET] received packet: from 92.27.xxx.xxx[4500] to 87.238.yyy.yyy[4500] (512 bytes)
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 87.238.yyy.yyy[miton2.miton.co.uk]...92.27.xxx.xxx[192.168.0.10]
05[CFG] selected peer config 'IPSec-IKEv2-EAP'
05[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[IKE] authentication of 'miton2.miton.co.uk' (myself) with RSA signature successful
05[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
05[NET] sending packet: from 87.238.yyy.yyy[4500] to 92.27.xxx.xxx[4500] (368 bytes)
04[JOB] deleting half open IKE_SA after timeout

*Tcpdump MacBook-Pro*

Ians-MacBook-Pro:~ ianmac$ sudo tcpdump -s 0 -n -i en0 'esp or udp and (port 500 or port 4500)'
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:50:05.904121 IP 192.168.0.10.500 > 87.238.yyy.yyy.500: isakmp: parent_sa ikev2_init[I]
08:50:05.990893 IP 87.238.yyy.yyy.500 > 192.168.0.10.500: isakmp: parent_sa ikev2_init[R]
08:50:06.009888 IP 192.168.0.10.4500 > 87.238.yyy.yyy.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
08:50:06.036478 IP 87.238.yyy.yyy.4500 > 192.168.0.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]

I think it looks like the MacBook is unhappy with the ikev2_auth[R] 
response from the miton-strongswan server?

Can anyone give me any pointers?

Best regards,

Ian
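An added check, not from the post or from strongSwan itself: a small Python script that walks a charon trace shaped like the swanctl -T output above, reports which IKEv2 exchange the half-open SA was stuck in when it timed out, and flags when the identity strongSwan reports authenticating as differs from the configured leftid (the server's identity and certificate are what the client verifies in the IKE_AUTH response before it continues). The host names and the ipsec.conf fragment are constructed placeholders.

```python
import re

# Constructed sample lines, modelled on the shape of the charon trace in
# the post (not the original trace); the server identity is a placeholder.
SAMPLE_LOG = """\
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DNS (25)) SA TSi TSr ]
05[IKE] authentication of 'vpn.example.test' (myself) with RSA signature successful
05[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
04[JOB] deleting half open IKE_SA after timeout
"""

# Constructed ipsec.conf fragment; leftid deliberately differs from the identity above.
SAMPLE_CONF = """\
conn %default
         leftid=@vpn-server-placeholder
         leftcert=server.der
"""

MSG_RE = re.compile(r"\[ENC\] (parsed|generating) (\S+) (request|response) (\d+) \[ (.*) \]")
AUTH_RE = re.compile(r"authentication of '([^']+)' \(myself\)")
LEFTID_RE = re.compile(r"^\s*leftid=@?(\S+)", re.M)


def analyse(log, conf):
    """Return a list of findings about where the IKEv2 handshake stopped."""
    findings = []
    last = None                      # last IKE message seen: (direction, exchange, payloads)
    leftid = LEFTID_RE.search(conf)
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            direction, exch, _kind, _mid, payloads = m.groups()
            last = (direction, exch, payloads.split())
            continue
        m = AUTH_RE.search(line)
        if m and leftid and leftid.group(1) != m.group(1):
            # strongSwan authenticated under an identity other than the configured
            # leftid; the client checks the server identity against its certificate.
            findings.append("leftid %r differs from identity used %r" % (leftid.group(1), m.group(1)))
            continue
        if "deleting half open IKE_SA" in line and last:
            direction, exch, payloads = last
            if direction == "generating" and exch == "IKE_AUTH" and "EAP/REQ/ID" in payloads:
                findings.append("client went silent after server AUTH + EAP identity request")
            else:
                findings.append("half-open SA timed out after %s %s" % (direction, exch))
    return findings
```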
