Remote Access IKEv2 works with Windows 11 but not macOS

Using vyos-1.4-rolling-202209200218-amd64 I can’t seem to get a remote access ipsec VPN to come up in macOS 10.15.7 but it works fine with Windows 11.

Using Windows 11, the log looks like:

Sep 23 13:30:53 charon[2086]: 11[NET] <20> received packet: from 81.201.101.111[500] to 10.212.12.5[500] (544 bytes)
Sep 23 13:30:53 charon[2086]: 11[ENC] <20> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sep 23 13:30:53 charon[2086]: 11[IKE] <20> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Sep 23 13:30:53 charon[2086]: 11[IKE] <20> received MS-Negotiation Discovery Capable vendor ID
Sep 23 13:30:53 charon[2086]: 11[IKE] <20> received Vid-Initial-Contact vendor ID
Sep 23 13:30:53 charon[2086]: 11[ENC] <20> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Sep 23 13:30:53 charon[2086]: 11[IKE] <20> 81.201.101.111 is initiating an IKE_SA
Sep 23 13:30:53 charon[2086]: 11[CFG] <20> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 23 13:30:53 charon[2086]: 11[IKE] <20> local host is behind NAT, sending keep alives
Sep 23 13:30:53 charon[2086]: 11[IKE] <20> remote host is behind NAT
Sep 23 13:30:53 charon[2086]: 11[ENC] <20> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 23 13:30:53 charon[2086]: 11[NET] <20> sending packet: from 10.212.12.5[500] to 81.201.101.111[500] (456 bytes)
Sep 23 13:30:53 charon[2086]: 14[NET] <20> received packet: from 81.201.101.111[4500] to 10.212.12.5[4500] (580 bytes)
Sep 23 13:30:53 charon[2086]: 14[ENC] <20> parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 23 13:30:53 charon[2086]: 14[ENC] <20> received fragment #1 of 2, waiting for complete IKE message
Sep 23 13:30:53 charon[2086]: 14[NET] <20> received packet: from 81.201.101.111[4500] to 10.212.12.5[4500] (356 bytes)
Sep 23 13:30:53 charon[2086]: 14[ENC] <20> parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 23 13:30:53 charon[2086]: 14[ENC] <20> received fragment #2 of 2, reassembled fragmented IKE message (848 bytes)
Sep 23 13:30:53 charon[2086]: 14[ENC] <20> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sep 23 13:30:53 charon[2086]: 14[IKE] <20> received 27 cert requests for an unknown ca
Sep 23 13:30:53 charon[2086]: 14[CFG] <20> looking for peer configs matching 10.212.12.5[%any]...81.201.101.111[192.168.1.213]
Sep 23 13:30:53 charon[2086]: 14[CFG] <ra-RW|20> selected peer config 'ra-RW'

Whilst the log when connecting via the Mac looks like this:

Sep 23 14:25:49 charon[2086]: 16[NET] <34> received packet: from 81.201.101.111[279] to 10.212.12.5[500] (604 bytes)
Sep 23 14:25:49 charon[2086]: 16[ENC] <34> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 23 14:25:49 charon[2086]: 16[IKE] <34> 81.201.101.111 is initiating an IKE_SA
Sep 23 14:25:49 charon[2086]: 16[CFG] <34> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 23 14:25:49 charon[2086]: 16[IKE] <34> local host is behind NAT, sending keep alives
Sep 23 14:25:49 charon[2086]: 16[IKE] <34> remote host is behind NAT
Sep 23 14:25:49 charon[2086]: 16[ENC] <34> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 23 14:25:49 charon[2086]: 16[NET] <34> sending packet: from 10.212.12.5[500] to 81.201.101.111[279] (456 bytes)
Sep 23 14:25:49 charon[2086]: 10[NET] <34> received packet: from 81.201.101.111[30735] to 10.212.12.5[4500] (512 bytes)
Sep 23 14:25:49 charon[2086]: 10[ENC] <34> unknown attribute type INTERNAL_DNS_DOMAIN
Sep 23 14:25:49 charon[2086]: 10[ENC] <34> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Sep 23 14:25:49 charon[2086]: 10[CFG] <34> looking for peer configs matching 10.212.12.5[vpn.mydomain.net]...81.201.101.111[192.168.1.194]
Sep 23 14:25:49 charon[2086]: 10[CFG] <34> no matching peer config found
Sep 23 14:25:49 charon[2086]: 10[IKE] <34> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 14:25:49 charon[2086]: 10[IKE] <34> peer supports MOBIKE
Sep 23 14:25:49 charon[2086]: 10[ENC] <34> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 23 14:25:49 charon[2086]: 10[NET] <34> sending packet: from 10.212.12.5[4500] to 81.201.101.111[30735] (80 bytes)

Any ideas where to start looking? I’m guessing it’s around this part:

Sep 23 14:25:49 charon[2086]: 10[CFG] <34> looking for peer configs matching 10.212.12.5[vpn.mydomain.net]...81.201.101.111[192.168.1.194]
Sep 23 14:25:49 charon[2086]: 10[CFG] <34> no matching peer config found
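One way to pull that difference out of charon's log mechanically, as an added example that is not part of this thread or of VyOS: the "looking for peer configs matching" line has the form local_ip[local_id]...remote_ip[remote_id], where local_id is the IDr the client asserted for the server (or %any when, as in the Windows log, no IDr payload was sent). The script below pairs each such line with the later "selected peer config" / "no matching peer config found" / AUTH_FAILED lines for the same IKE_SA number and reports which identity failed to match. The sample lines are copied from the two logs above; the diagnosis wording and the reference to strongSwan's local.id / leftid setting are the example's own.

```python
"""Spot IKEv2 peer-config lookup failures in strongSwan (charon) logs.

Added example, not from the forum thread or the VyOS project. It assumes only
the charon log line formats visible in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# charon tags every line with the IKE_SA number in angle brackets; once a
# connection has been selected the tag becomes <conn-name|N>, so allow that too.
SA_TAG = r"<(?:[^|>]*\|)?(?P<sa>\d+)>"
LOOKUP_RE = re.compile(
    SA_TAG + r" looking for peer configs matching "
    r"(?P<lip>[^\s\[]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<rip>[^\s\[]+)\[(?P<rid>[^\]]*)\]"
)
SELECTED_RE = re.compile(SA_TAG + r" selected peer config '(?P<name>[^']+)'")
NOMATCH_RE = re.compile(SA_TAG + r" no matching peer config found")
AUTHFAIL_RE = re.compile(SA_TAG + r" generating IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]")

# Sample lines taken from the thread's logs: Windows is IKE_SA 20, macOS is IKE_SA 34.
SAMPLE_LOG = """\
Sep 23 13:30:53 charon[2086]: 14[CFG] <20> looking for peer configs matching 10.212.12.5[%any]...81.201.101.111[192.168.1.213]
Sep 23 13:30:53 charon[2086]: 14[CFG] <ra-RW|20> selected peer config 'ra-RW'
Sep 23 14:25:49 charon[2086]: 10[CFG] <34> looking for peer configs matching 10.212.12.5[vpn.mydomain.net]...81.201.101.111[192.168.1.194]
Sep 23 14:25:49 charon[2086]: 10[CFG] <34> no matching peer config found
Sep 23 14:25:49 charon[2086]: 10[ENC] <34> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""


@dataclass
class PeerLookup:
    ike_sa: str
    local_ip: str
    local_id: str      # IDr the client asserted for the server; %any if none was sent
    remote_ip: str
    remote_id: str     # IDi the client asserted for itself
    outcome: Optional[str] = None   # "selected:<name>", "no-match", or None if unresolved
    auth_failed: bool = False


def parse_peer_lookups(log_text: str) -> list[PeerLookup]:
    """Return one PeerLookup per 'looking for peer configs' line, in log order,
    with its outcome filled in from later lines carrying the same IKE_SA number."""
    by_sa: dict[str, PeerLookup] = {}
    result: list[PeerLookup] = []
    for line in log_text.splitlines():
        if (m := LOOKUP_RE.search(line)):
            pl = PeerLookup(m["sa"], m["lip"], m["lid"], m["rip"], m["rid"])
            by_sa[pl.ike_sa] = pl
            result.append(pl)
        elif (m := SELECTED_RE.search(line)) and m["sa"] in by_sa:
            by_sa[m["sa"]].outcome = f"selected:{m['name']}"
        elif (m := NOMATCH_RE.search(line)) and m["sa"] in by_sa:
            by_sa[m["sa"]].outcome = "no-match"
        elif (m := AUTHFAIL_RE.search(line)) and m["sa"] in by_sa:
            by_sa[m["sa"]].auth_failed = True
    return result


def diagnose(pl: PeerLookup) -> str:
    """Turn a failed lookup into a pointer at the configuration that has to match."""
    if pl.outcome != "no-match":
        return f"IKE_SA {pl.ike_sa}: {pl.outcome or 'unresolved'}"
    if pl.local_id == "%any":
        # Client sent no IDr, so only the remote identity / auth settings can be at fault.
        return (f"IKE_SA {pl.ike_sa}: no connection accepts remote id '{pl.remote_id}' "
                f"from {pl.remote_ip}; check the remote-id and authentication settings")
    return (f"IKE_SA {pl.ike_sa}: client asserted server identity (IDr) '{pl.local_id}' "
            f"but no connection has a matching local id; set the connection's local id "
            f"(strongSwan local.id / leftid) to '{pl.local_id}' or make it match the "
            f"server certificate")


if __name__ == "__main__":
    for lookup in parse_peer_lookups(SAMPLE_LOG):
        print(diagnose(lookup))
```

Run against the thread's own lines it reports the Windows IKE_SA 20 as "selected:ra-RW" and the macOS IKE_SA 34 as a local-id mismatch on vpn.mydomain.net, which is the thing to compare against the remote-access connection's configured identity.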

It also says auth_failed, please check the provided authentication details.

Sep 23 14:25:49 charon[2086]: 10[ENC] <34> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Also share the VyOS VPN configuration and VPN settings in macOS.
What is the VyOS version?

This was on vyos-1.4-rolling-202209200218 however upgrading to the latest nightly seems to have resolved the issue.

I think the commit "ipsec: T4118: bugfix migration of IKEv2 road-warrior 'id' CLI option" (vyos/vyos-1x@2eb0ddc on GitHub) was likely the fix.
