[prev in list] [next in list] [prev in thread] [next in thread]
List: openbsd-bugs
Subject: iked fails to estable ikev2 tunnel with iOS after patchset 394 - Date: 2017/03/23 05:29:48
From: "Theodore Wynnychenko" <tmw () uchicago ! edu>
Date: 2017-06-10 2:09:32
Message-ID: 000301d2e18e$9a4674c0$ced35e40$ () edu
[Download RAW message or body]
Last week I updated to current. After the update, I was unable to establish an
ikev2 VPN with any iOS devices.
A OBSD6.1<->OBSD6.1 ikev2 VPN continued to work. All tunnels use certificates,
and nothing was changed in the configuration/certificates during the system
update.
Prior to this update, iked had been working with iOS for at least 6 months.
Thanks to some detailed direction, it appears that iked fails after CVS patchset
394, dated 2017/03/23.
Anyway, prior to the update, I had no issues. A connection from iOS to iked
worked fine.
To regress to prior version, I did:
cd /usr/src
TZ=UTC cvs up -D '2017/03/23 05:29:48' -P sbin/iked usr.sbin/ikectlcd sbin/iked
make obj && make && sudo make install
cd ../../usr.sbin/ikectl
make obj && make && sudo make install
Then started iked: (I have obfuscated the output a little)
iked -dvv
(...after loading configuration...)
/etc/iked.conf: loaded 7 configuration rules
ca_privkey_serialize: type RSA_KEY length 2349
ca_pubkey_serialize: type RSA_KEY length 526
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 2349
ca_getkey: received public key type RSA_KEY length 526
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: /C=US/ST=Illinois/...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file ipsec1.myfqdn.com.crt
ca_reload: loaded cert file ikesync.myfqdn.com.crt
ca_validate_cert: /C=US/ST=Illinois/... ok
ca_validate_cert: /C=US/ST=Illinois/... ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:61856 to
xxx.yyy.1.20:500 policy 'ios1_vpn' id 0, 432 bytes
ikev2_recv: ispi 0x08167d0d9b45d2a1 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
ikev2_pld_parse: header ispi 0x08167d0d9b45d2a1 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x08167d0d9b45d2a1 0x0000000000000000
xxx.yyy.1.254:61856
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x08167d0d9b45d2a1 0x0000000000000000
xxx.yyy.1.20:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 64 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x08167d0d9b45d2a1 0x4c664ee08c8afe58
xxx.yyy.1.20:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x08167d0d9b45d2a1 0x4c664ee08c8afe58
xxx.yyy.1.254:61856
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x08167d0d9b45d2a1 rspi 0x4c664ee08c8afe58
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 457
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from xxx.yyy.1.20:500 to
xxx.yyy.1.254:61856 msgid 0, 457 bytes
config_free_proposals: free 0x1b1485a1c380
ikev2_recv: IKE_AUTH request from initiator xxx.yyy.1.254:62164 to
xxx.yyy.1.20:4500 policy 'ios1_vpn' id 1, 2928 bytes
ikev2_recv: ispi 0x08167d0d9b45d2a1 rspi 0x4c664ee08c8afe58
ikev2_recv: updated SA to peer xxx.yyy.1.254:62164 local xxx.yyy.1.20:4500
ikev2_pld_parse: header ispi 0x08167d0d9b45d2a1 rspi 0x4c664ee08c8afe58
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2928
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2900
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 2864
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 2864/2864 padding 14
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical 0x00
length 40
ikev2_pld_id: id FQDN/ios2.ikev2.myfqdn.com length 36
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length
31
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload AUTH nextpayload CERT critical 0x00 length
520
ikev2_pld_auth: method RSA_SIG length 512
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload CERT nextpayload CP critical 0x00 length
1997
ikev2_pld_cert: type X509_CERT length 1992
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length
65
ikev2_pld_cp: type REQUEST length 57
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 0
ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_SUBNET 0x000f length 17
ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length
8
ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4
xforms 3 spi 0x08faa176
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length
64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length
64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'ios2.ikev2.myfqdn.com'
ikev2_msg_auth: responder auth data length 505
ca_setauth: auth length 505
ikev2_msg_auth: initiator auth data length 496
ikev2_msg_authverify: method RSA_SIG keylen 1992 type X509_CERT
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0020 -> 0x0030 authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0030 -> 0x0030 authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_ike_auth: no CERTREQ, using default
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
sa_stateflags: 0x0030 -> 0x0034 certreq,authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
config_free_proposals: free 0x1b1485a1ca80
ca_setauth: auth length 512
ca_x509_subjectaltname: FQDN/ios2.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois/... ok
ca_getreq: found CA /C=US/ST=Illinois/...
ikev2_getimsgdata: imsg 23 rspi 0x4c664ee08c8afe58 ispi 0x08167d0d9b45d2a1
initiator 0 sa valid type 1 data length 512
ikev2_dispatch_cert: AUTH type 1 len 512
sa_stateflags: 0x0034 -> 0x003c certreq,auth,authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x003b cert,certvalid,auth,authvalid,sa
ca_x509_subjectaltname: FQDN/ipsec1.myfqdn.com
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_x509_subjectaltname_cmp: FQDN/ipsec1.myfqdn.com mismatched
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa (required
0x003b cert,certvalid,auth,authvalid,sa)
ca_x509_subjectaltname: FQDN/ikesync.myfqdn.com
sa_stateok: VALID flags 0x003a, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_getreq: found local certificate /C=US/ST=Illinois/...
ikev2_getimsgdata: imsg 18 rspi 0x4c664ee08c8afe58 ispi 0x08167d0d9b45d2a1
initiator 0 sa valid type 4 data length 1976
ikev2_dispatch_cert: cert type X509_CERT length 1976, ok
sa_stateflags: 0x003e -> 0x003f cert,certvalid,certreq,auth,authvalid,sa
(required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x7d9d47d1
pfkey_sa_init: new spi 0x7d9d47d1
ikev2_next_payload: length 31 nextpayload CERT
ikev2_next_payload: length 1981 nextpayload AUTH
ikev2_next_payload: length 520 nextpayload CP
ikev2_next_payload: length 48 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 2672
ikev2_msg_encrypt: padded length 2688
ikev2_msg_encrypt: length 2673, padding 15, output length 2720
ikev2_next_payload: length 2724 nextpayload IDr
ikev2_msg_integr: message length 2752
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x08167d0d9b45d2a1 rspi 0x4c664ee08c8afe58
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 2752
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 2724
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 2688
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 2688/2688 padding 15
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length
31
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length
1981
ikev2_pld_cert: type X509_CERT length 1976
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length
520
ikev2_pld_auth: method RSA_SIG length 512
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 48
ikev2_pld_cp: type REPLY length 40
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4
xforms 3 spi 0x7d9d47d1
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start xxx.yyy.15.0 end xxx.yyy.15.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_send: IKE_AUTH response from xxx.yyy.1.20:4500 to xxx.yyy.1.254:62164
msgid 1, 2752 bytes, NAT-T
pfkey_sa_add: update spi 0x7d9d47d1
pfkey_sa: udpencap port 62164
ikev2_childsa_enable: loaded CHILD SA spi 0x7d9d47d1
pfkey_sa_add: add spi 0x08faa176
pfkey_sa: udpencap port 62164
ikev2_childsa_enable: loaded CHILD SA spi 0x08faa176
ikev2_childsa_enable: loaded flow 0x1b143bce6c00
ikev2_childsa_enable: loaded flow 0x1b142e8f8c00
sa_state: VALID -> ESTABLISHED from xxx.yyy.1.254:62164 to xxx.yyy.1.20:4500
policy 'ios2_vpn'
^Cikev2 exiting, pid 68371
ca exiting, pid 65397
control exiting, pid 51297
parent terminating
But, when I compile from the next patchset - same procedure as above except:
TZ=UTC cvs up -D '2017/03/27 11:06:41' -P sbin/iked usr.sbin/ikectl
Now, when I try to connect with iOS, the VPN fails.
iked -dvv
(...after loading configuration...)
/etc/iked.conf: loaded 7 configuration rules
ca_privkey_serialize: type RSA_KEY length 2349
ca_pubkey_serialize: type RSA_KEY length 526
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 2349
ca_getkey: received public key type RSA_KEY length 526
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: /C=US/ST=Illinois/...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file ipsec1.myfqdn.com.crt
ca_reload: loaded cert file ikesync.myfqdn.com.crt
ca_validate_cert: /C=US/ST=Illinois/... ok
ca_validate_cert: /C=US/ST=Illinois/... ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:57991 to
xxx.yyy.1.20:500 policy 'ios1_vpn' id 0, 432 bytes
ikev2_recv: ispi 0x36d074d6d42e05d3 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
ikev2_pld_parse: header ispi 0x36d074d6d42e05d3 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x36d074d6d42e05d3 0x0000000000000000
xxx.yyy.1.254:57991
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x36d074d6d42e05d3 0x0000000000000000
xxx.yyy.1.20:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 64 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x36d074d6d42e05d3 0x1b014b76b97d2731
xxx.yyy.1.20:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x36d074d6d42e05d3 0x1b014b76b97d2731
xxx.yyy.1.254:57991
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x36d074d6d42e05d3 rspi 0x1b014b76b97d2731
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 457
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from xxx.yyy.1.20:500 to
xxx.yyy.1.254:57991 msgid 0, 457 bytes
config_free_proposals: free 0xc5bdb73c680
ikev2_recv: IKE_AUTH request from initiator xxx.yyy.1.254:62164 to
xxx.yyy.1.20:4500 policy 'ios1_vpn' id 1, 2928 bytes
ikev2_recv: ispi 0x36d074d6d42e05d3 rspi 0x1b014b76b97d2731
ikev2_recv: updated SA to peer xxx.yyy.1.254:62164 local xxx.yyy.1.20:4500
ikev2_pld_parse: header ispi 0x36d074d6d42e05d3 rspi 0x1b014b76b97d2731
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2928
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2900
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 2864
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 2864/2864 padding 14
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical 0x00
length 40
ikev2_pld_id: id FQDN/ios2.ikev2.myfqdn.com length 36
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length
31
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload AUTH nextpayload CERT critical 0x00 length
520
ikev2_pld_auth: method RSA_SIG length 512
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload CERT nextpayload CP critical 0x00 length
1997
ikev2_pld_cert: type X509_CERT length 1992
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length
65
ikev2_pld_cp: type REQUEST length 57
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 0
ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_SUBNET 0x000f length 17
ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length
8
ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4
xforms 3 spi 0x0a7c828c
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length
64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length
64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'ios2.ikev2.myfqdn.com'
ikev2_msg_auth: responder auth data length 505
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 505
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_resp_recv: failed to send auth response
sa_state: AUTH_REQUEST -> CLOSED from xxx.yyy.1.254:62164 to xxx.yyy.1.20:4500
policy 'ios2_vpn'
ikev2_recv: closing SA
sa_free: ispi 0x36d074d6d42e05d3 rspi 0x1b014b76b97d2731
config_free_proposals: free 0xc5bdb73c380
config_free_proposals: free 0xc5bdb73c000
ca_setauth: auth length 528
ca_x509_subjectaltname: FQDN/ios2.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois/... ok
ikev2_getimsgdata: imsg 24 rspi 0x1b014b76b97d2731 ispi 0x36d074d6d42e05d3
initiator 0 sa invalid type 14 data length 528
ikev2_dispatch_cert: invalid auth reply
ikev2_recv: IKE_AUTH request from initiator xxx.yyy.1.254:62164 to
xxx.yyy.1.20:4500 policy 'ios1_vpn' id 1, 2928 bytes
ikev2_recv: ispi 0x36d074d6d42e05d3 rspi 0x1b014b76b97d2731
ikev2_recv: IKE_AUTH request from initiator xxx.yyy.1.254:62164 to
xxx.yyy.1.20:4500 policy 'ios1_vpn' id 1, 2928 bytes
ikev2_recv: ispi 0x36d074d6d42e05d3 rspi 0x1b014b76b97d2731
ikev2_recv: IKE_AUTH request from initiator xxx.yyy.1.254:62164 to
xxx.yyy.1.20:4500 policy 'ios1_vpn' id 1, 2928 bytes
ikev2_recv: ispi 0x36d074d6d42e05d3 rspi 0x1b014b76b97d2731
^Cikev2 exiting, pid 1899
ca exiting, pid 95316
control exiting, pid 71888
parent terminating
In this case, there is an error, and the tunnel is CLOSED.
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_resp_recv: failed to send auth response
sa_state: AUTH_REQUEST -> CLOSED from xxx.yyy.1.254:62164 to xxx.yyy.1.20:4500
policy 'ios2_vpn'
Before learning how to go back in time, I found a suggestion that placing an RSA
public certificate on the local OBSD machine could help.
So, I used:
# openssl rsa -in private.key -pubout >
/etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
When this is done with the newer updates (the ones that fail to create a VPN
with iOS), then the OBSD machine indicates that a tunnel has been formed, but
the iOS device fails to create the tunnel, and indicates that no VPN has been
established.
set_policy_auth_method: using rsa for peer
/etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
ikev2 "ios_vpn" passive esp inet from 0.0.0.0/0 to xxx.yyy.15.0/24 local
xxx.yyy.1.20 peer any ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth
hmac-sha2-256,hmac-sha1 srcid ikesync.myfqdn.com dstid
ios.ikev2.myfqdn.com
ikelifetime 1800 lifetime 1800 bytes 536870912 rsa config address
xxx.yyy.15.131
config netmask 255.255.255.0 config name-server xxx.yyy.1.128 config
name-server
xxx.yyy.1.129 config netbios-server xxx.yyy.2.99
ca_privkey_serialize: type RSA_KEY length 2349
ca_pubkey_serialize: type RSA_KEY length 526
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 2349
ca_getkey: received public key type RSA_KEY length 526
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: /C=US/ST=Illinois...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file local.myfqdn.com.crt
ca_reload: loaded cert file ikesync.myfqdn.com.crt
ca_validate_cert: /C=US/ST=Illinois... ok
ca_validate_cert: /C=US/ST=Illinois... ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:55008 to
xxx.yyy.1.20:500 policy 'jacqueline_iphone_vpn' id 0, 432 bytes
ikev2_recv: ispi 0xd14315b81593285a rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
432
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize
0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length
20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xd14315b81593285a 0x0000000000000000
xxx.yyy.1.254:55008
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xd14315b81593285a
0x0000000000000000
xxx.yyy.1.20:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 64 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xd14315b81593285a 0x9f30f9d2ed8dfd11
xxx.yyy.1.20:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xd14315b81593285a
0x9f30f9d2ed8dfd11
xxx.yyy.1.254:55008
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NONE
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
462
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize
0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length
36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00
length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length
5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_msg_send: IKE_SA_INIT response from xxx.yyy.1.20:500 to
xxx.yyy.1.254:55008 msgid 0, 462 bytes
config_free_proposals: free 0x1529d4096700
ikev2_recv: IKE_AUTH request from initiator xxx.yyy.1.254:52833 to
xxx.yyy.1.20:4500 policy 'jacqueline_iphone_vpn' id 1, 2928 bytes
ikev2_recv: ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11
ikev2_recv: updated SA to peer xxx.yyy.1.254:52833 local xxx.yyy.1.20:4500
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length
2928
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2900
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 2864
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 2864/2864 padding 14
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical 0x00
length 40
ikev2_pld_id: id FQDN/ios.ikev2.myfqdn.com length 36
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00
length
31
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload AUTH nextpayload CERT critical 0x00
length
520
ikev2_pld_auth: method RSA_SIG length 512
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload CERT nextpayload CP critical 0x00
length
1997
ikev2_pld_cert: type X509_CERT length 1992
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00
length
65
ikev2_pld_cp: type REQUEST length 57
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 0
ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_SUBNET 0x000f length 17
ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type
ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00
length
8
ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize
4
xforms 3 spi 0x0f9dc45e
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length
64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport
65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length
64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport
65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'ios.ikev2.myfqdn.com'
ikev2_msg_auth: responder auth data length 510
ca_setauth: auth length 510
ikev2_msg_auth: initiator auth data length 496
ikev2_msg_authverify: method RSA_SIG keylen 1992 type X509_CERT
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0020 -> 0x0030 authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0030 -> 0x0030 authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b
cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_ike_auth: no CERTREQ, using default
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
sa_stateflags: 0x0030 -> 0x0034 certreq,authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
config_free_proposals: free 0x152981361380
ca_setauth: auth length 512
ca_validate_pubkey: valid public key in file
pubkeys/fqdn/ios.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois... in public key file, ok
ca_getreq: using local public key of type RSA_KEY
ikev2_getimsgdata: imsg 24 rspi 0x9f30f9d2ed8dfd11 ispi 0xd14315b81593285a
initiator 0 sa valid type 1 data length 512
ikev2_dispatch_cert: AUTH type 1 len 512
sa_stateflags: 0x0034 -> 0x003c certreq,auth,authvalid,sa (required 0x003b
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x003b
cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa
(required
0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003a, require 0x003b
cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_getimsgdata: imsg 19 rspi 0x9f30f9d2ed8dfd11 ispi 0xd14315b81593285a
initiator 0 sa valid type 11 data length 526
ikev2_dispatch_cert: cert type RSA_KEY length 526, ok
sa_stateflags: 0x003e -> 0x003f cert,certvalid,certreq,auth,authvalid,sa
(required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b
cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b
cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b
cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x5fb0e721
pfkey_sa_init: new spi 0x5fb0e721
ikev2_next_payload: length 31 nextpayload CERT
ikev2_next_payload: length 531 nextpayload AUTH
ikev2_next_payload: length 520 nextpayload CP
ikev2_next_payload: length 48 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1222
ikev2_msg_encrypt: padded length 1232
ikev2_msg_encrypt: length 1223, padding 9, output length 1264
ikev2_next_payload: length 1268 nextpayload IDr
ikev2_msg_integr: message length 1296
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length
1296
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1268
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1232
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1232/1232 padding 9
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00
length
31
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00
length
531
ikev2_pld_cert: type RSA_KEY length 526
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00
length
520
ikev2_pld_auth: method RSA_SIG length 512
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00
length 48
ikev2_pld_cp: type REPLY length 40
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize
4
xforms 3 spi 0x5fb0e721
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start xxx.yyy.15.0 end xxx.yyy.15.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_send: IKE_AUTH response from xxx.yyy.1.20:4500 to
xxx.yyy.1.254:52833
msgid 1, 1296 bytes, NAT-T
pfkey_sa_add: update spi 0x5fb0e721
pfkey_sa: udpencap port 52833
ikev2_childsa_enable: loaded CHILD SA spi 0x5fb0e721
pfkey_sa_add: add spi 0x0f9dc45e
pfkey_sa: udpencap port 52833
ikev2_childsa_enable: loaded CHILD SA spi 0x0f9dc45e
ikev2_childsa_enable: loaded flow 0x1529ef902400
ikev2_childsa_enable: loaded flow 0x1529ef902800
sa_state: VALID -> ESTABLISHED from xxx.yyy.1.254:52833 to
xxx.yyy.1.20:4500
policy 'ios_vpn'
And, if I run as a daemon, I can see:
# ipsecctl -s all
FLOWS:
flow esp in from xxx.yyy.15.0/24 to 0.0.0.0/0 peer xxx.yyy.1.254 srcid
FQDN/ikesync.myfqdn.com dstid FQDN/ios.ikev2.myfqdn.com type use
flow esp out from 0.0.0.0/0 to xxx.yyy.15.0/24 peer xxx.yyy.1.254 srcid
FQDN/ikesync.myfqdn.com dstid FQDN/ios.ikev2.myfqdn.com type require
SAD:
esp tunnel from xxx.yyy.1.20 to xxx.yyy.1.254 spi 0x05b906be auth
hmac-sha2-256
enc aes-256
esp tunnel from xxx.yyy.1.254 to xxx.yyy.1.20 spi 0xebe5b208 auth
hmac-sha2-256
enc aes-256
At the same time, the iphone logs:
Jun 6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] <Error>:
Not hashing value with class __NSDate
Jun 6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] <Notice>:
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
Received a start command from Preferences[200]
Jun 6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] <Notice>:
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
status changed to connecting
Jun 6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] <Error>:
Plugin com.apple.neplugin.IKEv2 does not have a bundle URL
Jun 6 14:54:14 iPhone kernel(Sandbox)[0] <Notice>: SandboxViolation:
nesessionmanager(124) deny(1) file-issue-extension target:
/System/Library/Frameworks/NetworkExtension.framework/PluginIKEv2.vpnplugi
n class: com.apple.vpn-plugin
Jun 6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] <Error>:
sendInitCommand: failed to create a com.apple.vpn-plugin sandbox extension
for
/System/Library/Frameworks/NetworkExtension.framework/PluginIKEv2.vpnplugi
n
Jun 6 14:54:14 iPhone neagent(NetworkExtension)[824] <Error>: Certificate
at index 0 could not be created
Jun 6 14:54:14 iPhone neagent(NetworkExtension)[824] <Error>: Certificate
authentication data could not be verified
Jun 6 14:54:14 iPhone neagent(NetworkExtension)[824] <Error>: Failed to
process IKE Auth packet
Jun 6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] <Notice>:
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
status changed to disconnecting
Jun 6 14:54:14 iPhone configd[32] <Notice>: network changed
Jun 6 14:54:14 iPhone kernel[0] <Notice>: SIOCPROTODETACH_IN6: ipsec3
error=6
Jun 6 14:54:14 iPhone configd(IPConfiguration)[32] <Notice>:
siocprotodetach(pdp_ip0) failed, Resource busy (16)
Jun 6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] <Notice>:
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
status changed to disconnected, last stop reason Plugin initiated
I also note the same behavior (OBSD stating VPN is up, and iOS stating no VPN is
present) if I leave the RSA encoded keys in /etc/iked/pubkeys/fqdn/ with the
earlier versions of iked (the ones that work with iOS). But when the RSA
encoded keys are not present, the iOS<>OBSD VPN works.
I hope this report is understandable and complete. If I can help in any way,
please let me know.
Thank you
Ted
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic