Closed lbenicio closed 6 years ago
@lbenicio Hello! The VPN works fine in my iOS tests. Please check the Libreswan and xl2tpd logs on the VPN server, after trying to connect using your iOS device:
grep pluto /var/log/auth.log /var/log/secure
grep xl2tpd /var/log/syslog /var/log/messages
Also, try switching your iPhone to a different network, e.g. from Wi-Fi to 4G, or from 4G to Wi-Fi, then retry the connection.
Finally, delete and re-create the VPN on your iOS device by following the instructions in [1] and [2]. Double check your VPN credentials for typos.
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md#ios
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ios
Already tried switching networks, switching to 4G/3G/LTE, switching devices.
Here is the log for the first command: https://pastebin.com/dLYk8f0r Here is the log for the second command: https://pastebin.com/vbgrtQKQ
Seeing the logs, it appears to be something to do with PSK key length; this line got me: /var/log/auth.log:Sep 21 12:01:27 raspberrypi pluto[1350]: "l2tp-psk"[1] 143.107.45.1 #1: WARNING: connection l2tp-psk PSK length of 9 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
@lbenicio From your logs the only error I saw is the one you mentioned above. The connection gets established but then gets deleted after a few seconds. It could be a network issue or PSK key length issue - try re-running the script with a strong PSK and password.
Did you try the IPsec/XAuth (Cisco IPsec) mode? See [1].
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md#ios
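A way to check for the short-PSK condition from the pluto warning before reconnecting, as an added example that is not part of the original thread or the project's script. It assumes the PSK is stored in the usual Libreswan `ipsec.secrets` syntax (`... : PSK "secret"`); the sample file and both secrets are constructed.

```shell
#!/bin/sh
# Added example: find PSKs shorter than the 16 bytes named in pluto's warning.
MIN_PSK_BYTES=16

# Print "<line> <bytes>" for each PSK entry in an ipsec.secrets-style file
# whose secret is shorter than MIN_PSK_BYTES.
short_psks() {
    # LC_ALL=C makes awk's length() count bytes rather than characters.
    LC_ALL=C awk -v min="$MIN_PSK_BYTES" '
        /^[ \t]*#/ { next }                      # skip comment lines
        match($0, /PSK[ \t]+"[^"]*"/) {          # e.g.  %any %any : PSK "..."
            secret = substr($0, RSTART, RLENGTH)
            sub(/^PSK[ \t]+"/, "", secret)
            sub(/"$/, "", secret)
            if (length(secret) < min) print NR, length(secret)
        }' "$1"
}

# Generate a replacement: 18 random bytes, base64-encoded to 24 characters.
new_psk() {
    head -c 18 /dev/urandom | base64
}

# Constructed sample file (the secrets are made up for this example).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample in ipsec.secrets syntax
%any  %any  : PSK "shortpsk9"
%any  %any  : PSK "Zk3vQ9xT7mLp2RwA8cNd"
EOF

short_psks "$sample"      # prints: 2 9
echo "replacement: $(new_psk)"
```
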
Tried Cisco as well but got an error (a different one from L2TP), trying a strong PSK key.
Now with a better key:
pluto: https://pastebin.com/5aVTFP70
xl2tpd: https://pastebin.com/1K8gaRdw
I see no error in the logs, but when I try Cisco I get the message: "An unrecoverable error occurred". When I try L2TP: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your administrator."
@lbenicio The logs do not show your new connection attempts after changing the PSK. Maybe they did not reach the server, or you did not include the latest logs?
@lbenicio To watch the logs in real time, try:
tail -F /var/log/auth.log /var/log/syslog | grep -e pluto -e xl2tpd
On Fri, 21 Sep 2018, Leonardo Benicio wrote:
pluto: https://pastebin.com/5aVTFP70 xl2tpd: https://pastebin.com/1K8gaRdw
I'm a little confused. It is using IPsec with XAUTH, which does not use L2TP, but your other log shows L2TP logs?
I think you might be mixing up two different kinds of deployment?
Paul
I think it's supposed to support both, IPSec and L2TP.
I successfully managed to connect using my iPad mini 2 on iOS 11.3.1 with Cisco IPSec, but my iPhone X, on iOS 11.3.1 as well, keeps getting "An unrecoverable error occurred"
@lbenicio Restart your iPhone X and try again:
https://support.apple.com/en-us/HT201559 https://support.apple.com/en-us/HT201412
Just reset the networking settings and going to give another try.
I used tail -F /var/log/auth.log /var/log/syslog | grep -e pluto -e xl2tpd
to follow the logs but it didn't even recognize the phone trying to connect with either L2TP or IPSec.
On Fri, 21 Sep 2018, Leonardo Benicio wrote:
Just reset the networking settings and going to give another try.
I used tail -F /var/log/auth.log /var/log/syslog | grep -e pluto -e xl2tpd to follow the logs but it didn't even recognize the phone trying to connect with either L2TP or IPSec.
I am confused about you seeming to do XAUTH and L2TP? It should be either XAUTH, or L2TP ?
(or even better, IKEv2 with MOBIKE enabled)
@letoams The VPN setup script supports connecting using either IPsec/L2TP or IPsec/XAuth mode.
@lbenicio If the logs do not show up then the VPN client is not able to reach the VPN server. This is not an issue with the VPN server itself. It could be your router's port forwarding settings (I see that you're using a Raspberry Pi). You'll need to do further troubleshooting yourself.
I'm trying both options in the iOS default solution for VPN, the Cisco IPSec and L2TP
Yeah, figured it out too, sorry for the wrong issue, but many thanks for helping find the logs and everything!
@lbenicio You're welcome. Hope you'll be able to figure it out.
On Fri, 21 Sep 2018, Lin Song wrote:
@letoams The VPN setup script supports connecting using either IPsec/L2TP or IPsec/XAuth mode.
What can I do to help you to support IKEv2 with MOBIKE ?
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
The advantage is that when you switch between 4G/LTE and wifi, that the VPN stays up without delay.
I'm happy to give you access to vpn.nohats.ca that runs this configuration for testing and can also tell you what to configure in the .mobileconfig for iOS/OSX.
Paul
@letoams Thank you Paul! I've written manual instructions for enabling IKEv2 for Windows clients [1]. So far I have not yet been able to figure out the .mobileconfig for iOS/OSX.
One of the use cases for the VPN setup script is the "User Data" for a new Amazon EC2 instance. Unfortunately it has a limit of 16384 bytes and the script is approaching that size, so I've not yet been able to add IKEv2 configurations into the script itself.
If you have other suggestions regarding the scripts, feel free to reach out.
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md
I'm curious if mobike is already working? The VPN server I have is running in Ubuntu (IKEv2 not docker) and I don't see any mobike option. When I'm running it in docker it says mobike not available.
Joost
Yes mobike=yes to enable it
@Knol010 Ubuntu kernels generally do not support MOBIKE, the IKEv2 script tries to detect this and show the "MOBIKE not available" message. If you enable it on Ubuntu, the IKEv2 connection may fail to load.
On Wed, 6 Jul 2022, Lin Song wrote:
@Knol010 Ubuntu kernels generally do not support MOBIKE, the IKEv2 script tries to detect this and show the "MOBIKE not available" message. If you enable it on Ubuntu, the IKEv2 connection may fail to load.
They still haven't enabled XFRM_MIGRATE ? I thought we had filed a bug on that a long time ago.
Does it work on Debian or any other software? I use Proxmox so i can make another VM!
@letoams On Ubuntu 22.04 it appears to be not set:
root@ubuntu:~# grep "CONFIG_XFRM_MIGRATE" "/boot/config-$(uname -r)"
# CONFIG_XFRM_MIGRATE is not set
root@ubuntu:~# uname -a
Linux ubuntu 5.15.0-40-generic #43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
@Knol010 Yes, you can try Debian which generally has MOBIKE support.
On Wed, 6 Jul 2022, Knol010 wrote:
@Knol010 Ubuntu kernels generally do not support MOBIKE, the IKEv2 script tries to detect this and show the "MOBIKE not available" message. If you enable it on Ubuntu, the IKEv2 connection may fail to load.
Does it work on Debian or any other software? I use Proxmox so i can make another VM!
Check the kernel config file if your distro ships this in /boot/. E.g. on Fedora or RHEL, this option is enabled, as can be seen using:
@.***:~$ grep XFRM_MIGRATE /boot/config-5.17.12-200.fc35.x86_64
CONFIG_XFRM_MIGRATE=y
Paul
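The kernel check discussed above, combined with a scan for `mobike=yes`, as an added example that is not part of the original thread or the IKEv2 script. The conn name `example-ikev2` and all sample files are constructed; on a real server the inputs would be `/boot/config-$(uname -r)` (or `/proc/config.gz`) and the Libreswan connection file.

```shell
#!/bin/sh
# Added example: pre-flight check before setting mobike=yes.

# Print enabled / disabled / unknown for CONFIG_XFRM_MIGRATE in a kernel config.
xfrm_migrate_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case $1 in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;        # e.g. /boot/config-$(uname -r)
    esac
    if $reader "$1" | grep -q '^CONFIG_XFRM_MIGRATE=y$'; then
        echo enabled
    elif $reader "$1" | grep -q '^# CONFIG_XFRM_MIGRATE is not set$'; then
        echo disabled
    else
        echo unknown
    fi
}

# Print the name of every conn section that sets mobike=yes.
mobike_conns() {
    awk '$1 == "conn" { name = $2; next }
         /^[ \t]*mobike[ \t]*=[ \t]*yes[ \t]*$/ { print name }' "$1"
}

# preflight <kernel-config> <ipsec.conf>: non-zero when mobike=yes would be
# loaded on a kernel that does not report XFRM_MIGRATE support.
preflight() {
    status=$(xfrm_migrate_status "$1")
    conns=$(mobike_conns "$2" | tr '\n' ' ')
    if [ -n "$conns" ] && [ "$status" != enabled ]; then
        echo "RISK: mobike=yes in [ ${conns}] but XFRM_MIGRATE is $status"
        return 1
    fi
    echo "OK: XFRM_MIGRATE is $status"
}

# Constructed sample inputs (not taken from a real server).
demo_dir=$(mktemp -d)
printf '# CONFIG_XFRM_MIGRATE is not set\n' > "$demo_dir/config-no"
printf 'CONFIG_XFRM_MIGRATE=y\n'            > "$demo_dir/config-yes"
printf 'conn example-ikev2\n  ikev2=insist\n  mobike=yes\n' > "$demo_dir/ipsec.conf"

preflight "$demo_dir/config-no"  "$demo_dir/ipsec.conf" || true
preflight "$demo_dir/config-yes" "$demo_dir/ipsec.conf"
```
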
Hi everyone,
What is the problem: It does not connect with any iOS device. Tested on iPhone X (iOS 11.3.1), 8+ (iOS 11.4.1), iPad mini 2 (iOS 11.3.1)
I managed to set up the server and successfully connect to it with my Mac (macOS Mojave), but when I try the same configs on iOS it tells could get response from server