Issue #1308

OSX El Capitan and IKEv2 with RSA authentication

Added by Tom Wijnroks over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Category:
interoperability
Affected version:
5.2.1
Resolution:
No change required

Description

I'm currently testing IKEv2 with RSA certificate authentication on OSX El Capitan 10.11.3. Running strongSwan 5.2.1 on Debian 8.

I used Apple Configurator to create an IKEv2 VPN profile, with the following settings:

- Connection type: IKEv2
- Server: <remote ip address>
- Remote Identifier: <remote ip address>
- Local Identifier: <e-mail address> (which is the CN and SAN of the user certificate)
- Machine Authentication: Certificate
- Identity Certificate: <certificate.p12>
- Certificate Type: RSA

IKE SA Params / Child SA Params:
- Encryption Algorithm: AES-256
- Integrity Algorithm: SHA-256
- Diffie Hellman Group: 2
- SA Lifetime: 1440

Below the ipsec.conf settings:

config setup
    uniqueids = yes

conn rsa
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 22.22.22.22
    right = %any
    leftid = 22.22.22.22
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = 10.10.10.0/24
    ike = aes256-sha256-modp1024!
    esp = aes256-sha256-modp1024!
    leftauth = pubkey
    rightauth = pubkey
    leftcert = /etc/ipsec.d/certs/vpn.crt
    rightca = "/C=NL/O=VPN/CN=VPN Root/"
    leftsubnet = 0.0.0.0/0

If I try to establish a connection, the OSX VPN client fails to create the interface. This is the output in the console:

13/02/16 16:25:15,000 kernel[0]: ipsec_ctl_connect: creating interface ipsec0
13/02/16 16:25:16,003 configd[58]: network changed
13/02/16 16:25:16,156 neagent[15710]: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9
13/02/16 16:25:16,000 kernel[0]: SIOCPROTODETACH_IN6: ipsec0 error=6
13/02/16 16:25:16,166 configd[58]: network changed
13/02/16 16:25:16,183 symptomsd[10903]: nw_interface_create_with_name netutil_ifname_to_ifindex(ipsec0) failed, dumping backtrace:
13/02/16 16:25:16,183 symptomsd[10903]: -[NWInterface initWithInterfaceName:] nw_interface_create_with_name(ipsec0) failed, dumping backtrace:

This is the log from strongSwan:

Feb 13 16:24:49 test charon: 16[NET] received packet: from 11.11.11.11[500] to 22.22.22.22[500] (304 bytes)
Feb 13 16:24:49 test charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Feb 13 16:24:49 test charon: 16[IKE] 11.11.11.11 is initiating an IKE_SA
Feb 13 16:24:49 test charon: 16[IKE] remote host is behind NAT
Feb 13 16:24:49 test charon: 16[IKE] sending cert request for "C=NL, O=VPN, CN=VPN Root" 
Feb 13 16:24:49 test charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Feb 13 16:24:49 test charon: 16[NET] sending packet: from 22.22.22.22[500] to 11.11.11.11[500] (345 bytes)
Feb 13 16:24:50 test charon: 14[NET] received packet: from 11.11.11.11[4500] to 22.22.22.22[4500] (564 bytes)
Feb 13 16:24:50 test charon: 14[ENC] parsed IKE_AUTH request 1 [ EF ]
Feb 13 16:24:50 test charon: 14[ENC] received fragment #1 of 4, waiting for complete IKE message
Feb 13 16:24:50 test charon: 14[NET] received packet: from 11.11.11.11[4500] to 22.22.22.22[4500] (564 bytes)
Feb 13 16:24:50 test charon: 14[ENC] parsed IKE_AUTH request 1 [ EF ]
Feb 13 16:24:50 test charon: 14[ENC] received fragment #2 of 4, waiting for complete IKE message
Feb 13 16:24:50 test charon: 05[NET] received packet: from 11.11.11.11[4500] to 22.22.22.22[4500] (564 bytes)
Feb 13 16:24:50 test charon: 05[ENC] parsed IKE_AUTH request 1 [ EF ]
Feb 13 16:24:50 test charon: 05[ENC] received fragment #3 of 4, waiting for complete IKE message
Feb 13 16:24:50 test charon: 07[NET] received packet: from 11.11.11.11[4500] to 22.22.22.22[4500] (276 bytes)
Feb 13 16:24:50 test charon: 07[ENC] parsed IKE_AUTH request 1 [ EF ]
Feb 13 16:24:50 test charon: 07[ENC] received fragment #4 of 4, reassembling fragmented IKE message
Feb 13 16:24:50 test charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Feb 13 16:24:50 test charon: 07[IKE] received end entity cert "C=NL, O=VPN, CN=user@example.com" 
Feb 13 16:24:50 test charon: 07[CFG] looking for peer configs matching 22.22.22.22[22.22.22.22]...11.11.11.11[user@example.com]
Feb 13 16:24:50 test charon: 07[CFG] selected peer config 'rsa'
Feb 13 16:24:50 test charon: 07[CFG]   using certificate "C=NL, O=VPN, CN=user@example.com" 
Feb 13 16:24:50 test charon: 07[CFG]   using trusted ca certificate "C=NL, O=VPN, CN=VPN Root" 
Feb 13 16:24:50 test charon: 07[CFG] checking certificate status of "C=NL, O=VPN, CN=user@example.com" 
Feb 13 16:24:50 test charon: 07[CFG] certificate status is not available
Feb 13 16:24:50 test charon: 07[CFG]   reached self-signed root ca with a path length of 0
Feb 13 16:24:50 test charon: 07[IKE] authentication of 'user@example.com' with RSA signature successful
Feb 13 16:24:50 test charon: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 13 16:24:50 test charon: 07[IKE] peer supports MOBIKE, but disabled in config
Feb 13 16:24:50 test charon: 07[IKE] authentication of '22.22.22.22' (myself) with RSA signature successful
Feb 13 16:24:50 test charon: 07[IKE] IKE_SA rsa[1] established between 22.22.22.22[22.22.22.22]...11.11.11.11[user@example.com]
Feb 13 16:24:50 test charon: 07[IKE] scheduling reauthentication in 27725s
Feb 13 16:24:50 test charon: 07[IKE] maximum IKE_SA lifetime 28265s
Feb 13 16:24:50 test charon: 07[IKE] peer requested virtual IP %any
Feb 13 16:24:50 test charon: 07[CFG] assigning new lease to 'user@example.com'
Feb 13 16:24:50 test charon: 07[IKE] assigning virtual IP 10.10.10.1 to peer 'user@example.com'
Feb 13 16:24:50 test charon: 07[IKE] peer requested virtual IP %any6
Feb 13 16:24:50 test charon: 07[IKE] no virtual IP found for %any6 requested by 'user@example.com'
Feb 13 16:24:50 test charon: 07[IKE] CHILD_SA rsa{1} established with SPIs c862880f_i 08095214_o and TS 0.0.0.0/0 === 10.10.10.1/32
Feb 13 16:24:50 test charon: 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]
Feb 13 16:24:50 test charon: 07[NET] sending packet: from 22.22.22.22[4500] to 11.11.11.11[4500] (464 bytes)
Feb 13 16:24:50 test charon: 08[NET] received packet: from 11.11.11.11[4500] to 22.22.22.22[4500] (80 bytes)
Feb 13 16:24:50 test charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
Feb 13 16:24:50 test charon: 08[IKE] received DELETE for IKE_SA rsa[1]
Feb 13 16:24:50 test charon: 08[IKE] deleting IKE_SA rsa[1] between 22.22.22.22[22.22.22.22]...11.11.11.11[user@example.com]
Feb 13 16:24:50 test charon: 08[IKE] IKE_SA deleted
Feb 13 16:24:50 test charon: 08[ENC] generating INFORMATIONAL response 2 [ ]
Feb 13 16:24:50 test charon: 08[NET] sending packet: from 22.22.22.22[4500] to 11.11.11.11[4500] (80 bytes)
Feb 13 16:24:50 test charon: 08[CFG] lease 10.10.10.1 by 'user@example.com' went offline

I'm not sure if this is caused by strongSwan or if this is an OSX client issue. It seems that the OSX client is unable to create the ipsec interface, according to the console log.

Note: IP addresses have been masked.

History

#1 Updated by Tobias Brunner over 9 years ago

  • Status changed from New to Feedback

I'm not sure if this is caused by strongSwan or if this is an OSX client issue. It seems that the OSX client is unable to create the ipsec interface, according to the console log.

Not sure if the messages from the client you posted are the reason for it, but the client immediately terminates the IKE_SA:

Feb 13 16:24:50 test charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
Feb 13 16:24:50 test charon: 08[IKE] received DELETE for IKE_SA rsa[1]

Check the client log for other reasons why the SA is deleted. Otherwise, contact Apple regarding the ipsec0 interface issue.

#2 Updated by Tom Wijnroks over 9 years ago

Windows and Linux clients are connecting fine. I created a bug report at Apple for this ipsec0 interface issue.

#3 Updated by ValdikSS over 9 years ago

- Machine Authentication: Certificate

This is EAP-TLS. Select "None" to disable EAP.

Also, I'm not sure if Apple's implementation supports IP addresses at all. It always sends FQDN type for local and remote IDs.

#4 Updated by Tom Wijnroks over 9 years ago

ValdikSS wrote:

- Machine Authentication: Certificate

This is EAP-TLS. Select "None" to disable EAP.

No, it's RSA certificate authentication (Mutual RSA). In the Apple Configurator 2, there is another checkbox to enable EAP Authentication. There you can select a Certificate as well, which is EAP-TLS.

Also, I'm not sure if Apple's implementation supports IP addresses at all. It always sends FQDN type for local and remote IDs.

True. But it works as long as you provide a SAN with the FQDN and/or IP in the certificate.

Anyway, I finally found the solution:

leftsendcert = always

After adding that setting in ipsec.conf, OSX was able to connect.
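
The charon log in the report already contains the reason the client tears the SA down. The client's IKE_SA_INIT request carries no CERTREQ payload, and with strongSwan's default `leftsendcert = ifasked` charon only includes its certificate when it was asked for one, so the IKE_AUTH response it generates lists `[ IDr AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]` with no CERT payload. The macOS client cannot verify the server without it and sends the DELETE seen two lines later; `leftsendcert = always` makes charon send the certificate unconditionally. The script below is an added example, not code from the report or from strongSwan: it pulls the payload lists out of charon log lines and applies exactly that reasoning. The failing excerpt is built from the log lines posted above (addresses masked as in the report); the "working" excerpt is constructed to show what the same exchange looks like once the server sends its CERT and the client keeps the SA.

```python
"""Spot a strongSwan responder that never sent its certificate, from charon log lines."""
import re
from dataclasses import dataclass, field

# charon logs every IKE message it parses or generates as
#   NN[ENC] parsed|generating EXCHANGE request|response MSGID [ payloads ]
MSG_RE = re.compile(
    r"\[ENC\] (?:parsed|generating) (?P<exchange>[A-Z_]+) "
    r"(?P<direction>request|response) (?P<msgid>\d+) \[ ?(?P<payloads>[^\]]*)\]"
)
# One payload token: a type name with an optional parenthesised detail such as
# N(NATD_S_IP) or CPRQ(ADDR DHCP DNS ...); the detail may itself contain spaces.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+(?:\([^)]*\))?")


@dataclass
class IkeMessage:
    exchange: str      # IKE_SA_INIT, IKE_AUTH, INFORMATIONAL, ...
    direction: str     # "request" came from the peer, "response" was sent by us
    msgid: int
    payloads: list = field(default_factory=list)  # payload types, detail stripped


def parse_charon_log(lines):
    """Extract the IKE messages, with their payload types, from charon log lines."""
    messages = []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # NET/IKE/CFG lines carry no payload list
        types = [tok.split("(", 1)[0] for tok in TOKEN_RE.findall(m.group("payloads"))]
        messages.append(IkeMessage(m.group("exchange"), m.group("direction"),
                                   int(m.group("msgid")), types))
    return messages


def diagnose_missing_cert(lines):
    """Decide whether the responder's certificate was withheld and the peer gave up.

    'fix' is the ipsec.conf line to add when the peer sent no CERTREQ, we sent no
    CERT, and the peer then deleted the IKE_SA; it stays None otherwise.
    """
    msgs = parse_charon_log(lines)
    init_req = next((m for m in msgs if m.exchange == "IKE_SA_INIT" and m.direction == "request"), None)
    auth_rsp = next((m for m in msgs if m.exchange == "IKE_AUTH" and m.direction == "response"), None)
    if init_req is None or auth_rsp is None:
        return {"complete": False, "fix": None}
    peer_sent_certreq = "CERTREQ" in init_req.payloads
    cert_sent = "CERT" in auth_rsp.payloads
    peer_deleted_sa = any(
        m.exchange == "INFORMATIONAL" and m.direction == "request"
        and "D" in m.payloads and m.msgid > auth_rsp.msgid
        for m in msgs
    )
    result = {"complete": True, "peer_sent_certreq": peer_sent_certreq,
              "cert_sent": cert_sent, "peer_deleted_sa": peer_deleted_sa, "fix": None}
    if not peer_sent_certreq and not cert_sent and peer_deleted_sa:
        # Default leftsendcert=ifasked only sends our cert after a CERTREQ.
        result["fix"] = "leftsendcert = always"
    return result


# Constructed from the charon excerpt in the report above (addresses masked).
FAILING_LOG = """\
Feb 13 16:24:49 test charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Feb 13 16:24:49 test charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Feb 13 16:24:50 test charon: 14[ENC] parsed IKE_AUTH request 1 [ EF ]
Feb 13 16:24:50 test charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Feb 13 16:24:50 test charon: 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]
Feb 13 16:24:50 test charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
Feb 13 16:24:50 test charon: 08[ENC] generating INFORMATIONAL response 2 [ ]
""".splitlines()

# Constructed: the same exchange once leftsendcert=always makes charon include
# its CERT payload; the client then keeps the SA, so no DELETE follows.
WORKING_LOG = """\
Feb 13 16:30:01 test charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Feb 13 16:30:01 test charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Feb 13 16:30:02 test charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Feb 13 16:30:02 test charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]
""".splitlines()

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, diagnose_missing_cert(log))
```

The check keys on payload lists only, so it works on any charon log at the default log level; it assumes certificate authentication on the server side (`leftauth = pubkey`), since with PSK or EAP-only server authentication no CERT payload is expected in the first place. One separate point for anyone copying the profile and ipsec.conf from this report: both pin `modp1024` (DH group 2), which is well below current recommendations for IKE, so pick a stronger group on both ends while changing the config.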

#5 Updated by Tobias Brunner over 9 years ago

  • Category set to interoperability
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required