IKEv2 remote client issue with Mac

Our VPN config on VyOS is as below:

vyos@vyos# show vpn
 ipsec {
     esp-group ESP-RW {
         lifetime 3600
         pfs disable
         proposal 10 {
             encryption aes128gcm128
             hash sha256
         }
     }
     ike-group IKE-RW {
         key-exchange ikev2
         lifetime 7200
         proposal 10 {
             dh-group 14
             encryption aes128gcm128
             hash sha256
         }
     }
     remote-access {
         connection rw {
             authentication {
                 client-mode eap-mschapv2
                 local-id 103.x.x.x
                 local-users {
                     username testvpn {
                         password test123
                     }
                 }
                 server-mode x509
                 x509 {
                     ca-certificate ca_root_neysa
                     certificate vpn_server_cert
                 }
             }
             esp-group ESP-RW
             ike-group IKE-RW
             local-address 103.x.x.x
             pool ra-rw-ipv4
         }
         pool ra-rw-ipv4 {
             name-server 8.8.8.8
             prefix 192.0.2.0/24
         }
     }
 }

We generated the client config for Windows and macOS as below:

vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net

The Windows VPN is working properly, but the VPN on Mac is giving issues. The error in the VyOS log is:

Sep 4 17:48:24 vyos charon: 08[NET] <80> received packet: from 183.87.169.175[500] to 103.x.x.x[500] (370 bytes)
Sep 4 17:48:24 vyos charon: 08[ENC] <80> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 4 17:48:24 vyos charon-systemd[18054]: received packet: from 183.87.169.175[500] to 103.x.x.x[500] (370 bytes)
Sep 4 17:48:24 vyos charon: 08[IKE] <80> 183.87.169.175 is initiating an IKE_SA
Sep 4 17:48:24 vyos charon-systemd[18054]: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 4 17:48:24 vyos charon: 08[CFG] <80> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 4 17:48:24 vyos charon-systemd[18054]: 183.87.169.175 is initiating an IKE_SA
Sep 4 17:48:24 vyos charon: 08[CFG] <80> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 4 17:48:24 vyos charon-systemd[18054]: received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 4 17:48:24 vyos charon: 08[IKE] <80> remote host is behind NAT
Sep 4 17:48:24 vyos charon-systemd[18054]: configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 4 17:48:24 vyos charon: 08[IKE] <80> received proposals unacceptable
Sep 4 17:48:24 vyos charon-systemd[18054]: remote host is behind NAT
Sep 4 17:48:24 vyos charon: 08[ENC] <80> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Sep 4 17:48:24 vyos charon-systemd[18054]: received proposals unacceptable
Sep 4 17:48:24 vyos charon: 08[NET] <80> sending packet: from 103.x.x.x[500] to 183.87.169.175[500] (36 bytes)
Sep 4 17:48:24 vyos charon-systemd[18054]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Sep 4 17:48:24 vyos charon-systemd[18054]: sending packet: from 103.x.x.x[500] to 183.87.169.175[500] (36 bytes)

Our macOS version is Sonoma 14.6.1.

Also, we need help with setting up Ubuntu as a road warrior client; it would be helpful if a link can be shared for the same.

From the logs you can see what proposals were received:

Sep 4 17:48:24 vyos charon-systemd[18054]: received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

And your proposal:

Sep 4 17:48:24 vyos charon-systemd[18054]: configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048

You need to change the configuration on the VyOS side, or on the client side, so that the IKE parameters match.

Hi,

At the client end the .mobileconfig contains the parameters below, but still the proposal is not matching:

            <key>AuthenticationMethod</key>
            <string>Certificate</string>
            <!-- The client uses EAP to authenticate -->
            <key>ExtendedAuthEnabled</key>
            <integer>1</integer>
            <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
                 IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
            <key>IKESecurityAssociationParameters</key>
            <dict>
                <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm -->
                <key>EncryptionAlgorithm</key>
                <string>AES-128-GCM</string>
                <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm -->
                <key>IntegrityAlgorithm</key>
                <string>SHA2-256</string>
                <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup -->
                <key>DiffieHellmanGroup</key>
                <integer>14</integer>
            </dict>
            <key>ChildSecurityAssociationParameters</key>
            <dict>
                <key>EncryptionAlgorithm</key>
                <string>AES-128-GCM</string>
                <key>IntegrityAlgorithm</key>
                <string>SHA2-256</string>
                <key>DiffieHellmanGroup</key>
                <integer>14</integer>
            </dict>
        </dict>
    </dict>

Apart from this, I also tried the proposal below in VyOS:

esp-group ESPv2-RW {
    lifetime 3600
    pfs disable
    proposal 10 {
        encryption aes256gcm128
        hash sha256
    }
}

ike-group IKEv2-RW {
    key-exchange ikev2
    lifetime 7200
    proposal 10 {
        dh-group 14
        encryption aes256gcm128
        hash sha256
    }
}

and made changes to the client on Mac as below:

            <key>AuthenticationMethod</key>
            <string>Certificate</string>
            <key>ExtendedAuthEnabled</key>
            <integer>1</integer>
            <key>IKESecurityAssociationParameters</key>
            <dict>
                <key>EncryptionAlgorithm</key>
                <string>AES-256-GCM</string>
                <key>IntegrityAlgorithm</key>
                <string>SHA2-256</string>
                <key>DiffieHellmanGroup</key>
                <integer>14</integer>
                <key>lifetimeMinutes</key>
                <integer>120</integer>
            </dict>
            <key>ChildSecurityAssociationParameters</key>
            <dict>
                <key>EncryptionAlgorithm</key>
                <string>AES-256-GCM</string>
                <key>IntegrityAlgorithm</key>
                <string>SHA2-256</string>
                <key>DiffieHellmanGroup</key>
                <integer>14</integer>
                <key>lifetimeMinutes</key>
                <integer>60</integer>
            </dict>


After doing this the proposal error is gone, but I'm still not able to connect. The VyOS logs show the following:

Sep 5 07:00:12 vyos charon: 14[NET] <138> received packet: from 206.84.225.141[500] to 103.x.x.x[500] (370 bytes)
Sep 5 07:00:12 vyos charon: 14[ENC] <138> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: received packet: from 206.84.225.141[500] to 103.x.x.x[500] (370 bytes)
Sep 5 07:00:12 vyos charon: 14[IKE] <138> 206.84.225.141 is initiating an IKE_SA
Sep 5 07:00:12 vyos charon-systemd[18054]: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 5 07:00:12 vyos charon: 14[CFG] <138> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Sep 5 07:00:12 vyos charon-systemd[18054]: 206.84.225.141 is initiating an IKE_SA
Sep 5 07:00:12 vyos charon: 14[IKE] <138> remote host is behind NAT
Sep 5 07:00:12 vyos charon-systemd[18054]: selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Sep 5 07:00:12 vyos charon: 14[IKE] <138> DH group ECP_256 unacceptable, requesting MODP_2048
Sep 5 07:00:12 vyos charon-systemd[18054]: remote host is behind NAT
Sep 5 07:00:12 vyos charon: 14[ENC] <138> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: DH group ECP_256 unacceptable, requesting MODP_2048
Sep 5 07:00:12 vyos charon: 14[NET] <138> sending packet: from 103.x.x.x[500] to 206.84.225.141[500] (38 bytes)
Sep 5 07:00:12 vyos charon-systemd[18054]: generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: sending packet: from 103.x.x.x[500] to 206.84.225.141[500] (38 bytes)
Sep 5 07:00:12 vyos charon: 10[NET] <139> received packet: from 206.84.225.141[500] to 103.x.x.x[500] (562 bytes)
Sep 5 07:00:12 vyos charon-systemd[18054]: received packet: from 206.84.225.141[500] to 103.x.x.x[500] (562 bytes)
Sep 5 07:00:12 vyos charon: 10[ENC] <139> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 5 07:00:12 vyos charon: 10[IKE] <139> 206.84.225.141 is initiating an IKE_SA
Sep 5 07:00:12 vyos charon-systemd[18054]: 206.84.225.141 is initiating an IKE_SA
Sep 5 07:00:12 vyos charon: 10[CFG] <139> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Sep 5 07:00:12 vyos charon-systemd[18054]: selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Sep 5 07:00:12 vyos charon: 10[IKE] <139> remote host is behind NAT
Sep 5 07:00:12 vyos charon-systemd[18054]: remote host is behind NAT
Sep 5 07:00:12 vyos charon: 10[ENC] <139> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 5 07:00:12 vyos charon: 10[NET] <139> sending packet: from 103.x.x.x[500] to 206.84.225.141[500] (464 bytes)
Sep 5 07:00:12 vyos charon-systemd[18054]: sending packet: from 103.x.x.x[500] to 206.84.225.141[500] (464 bytes)
Sep 5 07:00:12 vyos charon: 09[NET] <139> received packet: from 206.84.225.141[4501] to 103.x.x.x[4500] (382 bytes)
Sep 5 07:00:12 vyos charon-systemd[18054]: received packet: from 206.84.225.141[4501] to 103.x.x.x[4500] (382 bytes)
Sep 5 07:00:12 vyos charon: 09[ENC] <139> unknown attribute type INTERNAL_DNS_DOMAIN
Sep 5 07:00:12 vyos charon-systemd[18054]: unknown attribute type INTERNAL_DNS_DOMAIN
Sep 5 07:00:12 vyos charon: 09[ENC] <139> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: received cert request for “C=IN, ST=Maharashtra, L=Mumbai, O=Neysa, CN=neysa.ai”
Sep 5 07:00:12 vyos charon: 09[IKE] <139> received cert request for “C=IN, ST=Maharashtra, L=Mumbai, O=Neysa, CN=neysa.ai”
Sep 5 07:00:12 vyos charon-systemd[18054]: looking for peer configs matching 103.x.x.x[103.x.x.x]…206.84.225.141[192.168.1.2]
Sep 5 07:00:12 vyos charon: 09[CFG] <139> looking for peer configs matching 103.x.x.x[103.x.x.x]…206.84.225.141[192.168.1.2]
Sep 5 07:00:12 vyos charon-systemd[18054]: selected peer config ‘ra-rw’
Sep 5 07:00:12 vyos charon: 09[CFG] <ra-rw|139> selected peer config ‘ra-rw’
Sep 5 07:00:12 vyos charon-systemd[18054]: initiating EAP_IDENTITY method (id 0x00)
Sep 5 07:00:12 vyos charon: 09[IKE] <ra-rw|139> initiating EAP_IDENTITY method (id 0x00)
Sep 5 07:00:12 vyos charon-systemd[18054]: peer supports MOBIKE
Sep 5 07:00:12 vyos charon: 09[IKE] <ra-rw|139> peer supports MOBIKE
Sep 5 07:00:12 vyos charon-systemd[18054]: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 5 07:00:12 vyos charon: 09[IKE] <ra-rw|139> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 5 07:00:12 vyos charon: 09[IKE] <ra-rw|139> authentication of ‘103.x.x.x’ (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Sep 5 07:00:12 vyos charon-systemd[18054]: authentication of ‘103.x.x.x’ (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Sep 5 07:00:12 vyos charon: 09[IKE] <ra-rw|139> sending end entity cert “C=IN, ST=Maharashtra, L=Mumbai, O=Neysa, CN=vpn.vyos.in”
Sep 5 07:00:12 vyos charon-systemd[18054]: sending end entity cert “C=IN, ST=Maharashtra, L=Mumbai, O=Neysa, CN=vpn.vyos.in”
Sep 5 07:00:12 vyos charon: 09[ENC] <ra-rw|139> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 5 07:00:12 vyos charon-systemd[18054]: generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 5 07:00:12 vyos charon: 09[ENC] <ra-rw|139> splitting IKE message (1321 bytes) into 2 fragments
Sep 5 07:00:12 vyos charon-systemd[18054]: splitting IKE message (1321 bytes) into 2 fragments
Sep 5 07:00:12 vyos charon: 09[ENC] <ra-rw|139> generating IKE_AUTH response 1 [ EF(1/2) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: generating IKE_AUTH response 1 [ EF(1/2) ]
Sep 5 07:00:12 vyos charon: 09[ENC] <ra-rw|139> generating IKE_AUTH response 1 [ EF(2/2) ]
Sep 5 07:00:12 vyos charon-systemd[18054]: generating IKE_AUTH response 1 [ EF(2/2) ]
Sep 5 07:00:12 vyos charon: 09[NET] <ra-rw|139> sending packet: from 103.x.x.x[4500] to 206.84.225.141[4501] (1248 bytes)
Sep 5 07:00:12 vyos charon-systemd[18054]: sending packet: from 103.x.x.x[4500] to 206.84.225.141[4501] (1248 bytes)
Sep 5 07:00:12 vyos charon: 09[NET] <ra-rw|139> sending packet: from 103.x.x.x[4500] to 206.84.225.141[4501] (138 bytes)
Sep 5 07:00:12 vyos charon-systemd[18054]: sending packet: from 103.x.x.x[4500] to 206.84.225.141[4501] (138 bytes)
Sep 5 07:00:42 vyos charon: 14[JOB] <ra-rw|139> deleting half open IKE_SA with 206.84.225.141 after timeout
Sep 5 07:00:42 vyos charon-systemd[18054]: deleting half open IKE_SA with 206.84.225.141 after timeout
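
As an added example (not code from this thread or from VyOS), a small Python triage script for the two charon logs quoted above: it parses the "received proposals" / "configured proposals" lines from the first log and names the transform type with no overlap, and it recognises the second log's pattern of a half-open IKE_SA timing out right after the server sent its IKE_AUTH response, which the later replies trace to the client not accepting the server certificate. The sample lines are abridged copies of the logs in this thread; the transform-type prefixes are an assumption based on strongSwan's algorithm naming.

```python
import re

# Constructed input: charon lines abridged from the two logs quoted in this thread.
LOG_NO_PROP = """\
Sep 4 17:48:24 vyos charon: 08[CFG] <80> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 4 17:48:24 vyos charon: 08[CFG] <80> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 4 17:48:24 vyos charon: 08[IKE] <80> received proposals unacceptable
"""
LOG_HALF_OPEN = """\
Sep 5 07:00:12 vyos charon: 10[CFG] <139> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Sep 5 07:00:12 vyos charon: 09[ENC] <ra-rw|139> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 5 07:00:42 vyos charon: 14[JOB] <ra-rw|139> deleting half open IKE_SA with 206.84.225.141 after timeout
"""

# Assumed prefixes for strongSwan PRF, integrity and DH transform names; anything else is encryption.
TYPES = (("prf", ("PRF_",)), ("integ", ("HMAC_", "AES_XCBC", "AES_CMAC")), ("dh", ("MODP_", "ECP_", "CURVE_")))
PROPOSALS = re.compile(r"(received|configured) proposals: (.*)$")

def transform_type(name):
    return next((kind for kind, prefixes in TYPES if name.startswith(prefixes)), "enc")

def parse_proposals(field):
    """'IKE:A/B/C, IKE:D/E' -> one {type: {transforms}} dict per proposal."""
    props = []
    for item in (s.strip() for s in field.split(",") if s.strip().startswith("IKE:")):
        by_type = {}
        for t in item[4:].split("/"):
            by_type.setdefault(transform_type(t), set()).add(t)
        props.append(by_type)
    return props

def unmatched_types(received, configured):
    """Transform types on which no client proposal overlaps any server proposal."""
    union = lambda props, kind: set().union(*(p.get(kind, set()) for p in props))
    return {k for k in ("enc", "prf", "dh") if not union(received, k) & union(configured, k)}

def diagnose(log):
    """Reduce one IKE_SA attempt to a short verdict; None if nothing is recognised."""
    received, configured, auth_sent = [], [], False
    for line in log.splitlines():
        m = PROPOSALS.search(line)
        if m:
            (received if m.group(1) == "received" else configured).extend(parse_proposals(m.group(2)))
        elif "received proposals unacceptable" in line:
            return "NO_PROPOSAL_CHOSEN: fix " + ",".join(sorted(unmatched_types(received, configured)))
        elif "generating IKE_AUTH response" in line:
            auth_sent = True  # server authenticated itself and sent its cert; the client must answer next
        elif auth_sent and "deleting half open IKE_SA" in line:
            return "half-open after IKE_AUTH: client never answered, check CA trust and server cert SAN on the client"
    return None
```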

Use WireGuard and forget all proposals :slight_smile:


Thanks for the suggestion. With respect to the IKEv2 issue with Mac, the above issue looks to be with the CA certificate; though the .mobileconfig has the certificate embedded, it's not working. I have also tried adding it to the keychain manually and trusting it.

At the same time it is working perfectly on Windows 11.

Any help with the same is appreciated.

At last I was able to figure out what was causing the issue with the IKEv2 VPN on macOS: in the case of macOS, apart from using a stronger proposal, the server name used for the remote server also needs to be part of the Subject Alternative Name (SAN).

I was following the link below for the creation of the VPN:

https://docs.vyos.io/en/latest/configuration/vpn/remoteaccess_ipsec.html

In the procedure for generating the server certificate we need to say 'y' when asked "Do you want to configure Subject Alternative Names? [y/N]".

On the macOS client we also need to trust the CA certificate if the CA used is local, as mentioned in the document for Windows clients.

After generating the server certificate by providing the same name for CN and SAN, the issue got resolved.
