hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

IKEv2 iOS 12 not working #461

Closed NerdOfLinux closed 6 years ago

NerdOfLinux commented 6 years ago

When I follow the instructions to set up IKEv2, I always get a timeout error on the client (iOS). The output of service ipsec status is:

42 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: sending unencrypted notification v2N_INVALID_SYNTAX to x.x.x.x:500
Oct 08 16:58:45 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: missing payload(s) (ISAKMP_NEXT_v2AUTH). Message dropped.
Oct 08 16:58:45 nerdoflinux.com pluto[16210]: | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_INVALID_SYNTAX
Oct 08 16:58:45 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: sending unencrypted notification v2N_INVALID_SYNTAX to x.x.x.x:500
Oct 08 16:58:48 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: missing payload(s) (ISAKMP_NEXT_v2AUTH). Message dropped.
Oct 08 16:58:48 nerdoflinux.com pluto[16210]: | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_INVALID_SYNTAX
Oct 08 16:58:48 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: sending unencrypted notification v2N_INVALID_SYNTAX to x.x.x.x:500

and ipsec verify:

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.23 (netkey) on 4.15.0-36-generic
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec.conf:

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=x.x.x.x
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp2048,aes-sha2,aes-sha2;modp2048
  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512,aes_gcm-null
  sha2-truncbug=yes
conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="1.1.1.1, 1.0.0.1"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  ikev2=never
  cisco-unity=yes
  also=shared

conn ikev2-cp
  left=%defaultroute
  leftcert=x.x.x.x
  leftid=@x.x.x.x
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=192.168.43.10-192.168.43.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  fragmentation=yes
  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
  modecfgdns="1.1.1.1, 1.0.0.1"
  encapsulation=yes

The only thing changed from the tutorial is the DNS servers.

My client and server IP addresses have been replaced with x.x.x.x for privacy reasons.

The client is iOS 12 with the server and remote ID set to my server's IP address, and the User Authentication set to certificate with the imported p12 file generated from the IKEv2 tutorial.

letoams commented 6 years ago

On Mon, 8 Oct 2018, NerdOfLinux wrote:

When I follow the instructions to setup IKEv2, I always get a timeout error on the client(iOS). The output of service ipsec status is:

42 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: sending unencrypted notification v2N_INVALID_SYNTAX to x.x.x.x:500

So it tells you here that it is going to send an error. Before that, in the logs you did not share, it will say what problem it encountered that caused this error.

Oct 08 16:58:45 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: missing payload(s) (ISAKMP_NEXT_v2AUTH). Message dropped.
Oct 08 16:58:45 nerdoflinux.com pluto[16210]: | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_INVALID_SYNTAX
Oct 08 16:58:45 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: sending unencrypted notification v2N_INVALID_SYNTAX to x.x.x.x:500
Oct 08 16:58:48 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: missing payload(s) (ISAKMP_NEXT_v2AUTH). Message dropped.
Oct 08 16:58:48 nerdoflinux.com pluto[16210]: | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_INVALID_SYNTAX
Oct 08 16:58:48 nerdoflinux.com pluto[16210]: "l2tp-psk"[1] x.x.x.x #1: sending unencrypted notification v2N_INVALID_SYNTAX to x.x.x.x:500

This is noise that we fixed in later releases. It usually happens when an error message was received that is missing "required" payloads based on the non-error version of the expected answer packet.

Paul

The client is iOS 12 with the server and remote ID set to my server's IP address, and the User Authentication set to certificate with the imported p12 file generated from the IKEv2 tutorial.

Make sure your certificate for the server has a SubjectAltName entry for the IP address if that is the ID you are using. It is a lot more common to use a FQDN as the ID, with the FQDN listed as SAN on the certificate.

Paul

NerdOfLinux commented 6 years ago

Running service ipsec status earlier on reveals:

Oct 08 17:23:25 nerdoflinux.com pluto[19581]: packet from x.x.x.x:500: l2tp-psk IKE proposals for initial responder: 1:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 2:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1536 3:IKE:ENCR=3DES;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 4:IKE:ENCR=3DES;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 5:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 6:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1536 7:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 8:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536
Oct 08 17:23:25 nerdoflinux.com pluto[19581]: packet from x.x.x.x:500: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
Oct 08 17:23:25 nerdoflinux.com pluto[19581]: "l2tp-psk"[1] x.x.x.x #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP2048}
Oct 08 17:23:25 nerdoflinux.com pluto[19581]: "l2tp-psk"[1] x.x.x.x #1: missing payload(s) (ISAKMP_NEXT_v2AUTH). Message dropped.
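The log above shows IKE_SA_INIT completing (STATE_PARENT_R1: received v2I1, sent v2R1, with a proposal chosen) before the "missing payload(s) (ISAKMP_NEXT_v2AUTH)" line, which is the distinction Paul's reply draws: the proposal lines are fine, and the failure is in IKE_AUTH, where a certificate or ID problem would surface. What follows is an added example, not code from this issue or from the setup-ipsec-vpn project: a small Python triage script that parses pluto proposal lines in the format shown above, reports the chosen proposal, flags client offers that use 3DES or MODP1024 (rated SHOULD NOT by RFC 8247; the weak-algorithm set is the example's own), and says whether the exchange died at IKE_SA_INIT (no proposal overlap) or at IKE_AUTH. The sample lines are constructed from the ones posted in this thread, with the host name shortened and a documentation address standing in for x.x.x.x.

```python
"""Triage Libreswan pluto responder logs for an IKEv2 failure.

Added example, not part of the issue thread or of setup-ipsec-vpn.
SAMPLE_LOG is constructed from the lines posted in the issue (host and
peer address replaced); the WEAK table is this example's own choice.
"""
import re

# Constructed sample: responder proposals, the chosen proposal, IKE_SA_INIT
# completing, then the IKE_AUTH-stage failure seen in the thread.
SAMPLE_LOG = """\
Oct 08 17:23:25 vpn pluto[19581]: packet from 203.0.113.5:500: l2tp-psk IKE proposals for initial responder: 1:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 5:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 7:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
Oct 08 17:23:25 vpn pluto[19581]: packet from 203.0.113.5:500: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
Oct 08 17:23:25 vpn pluto[19581]: "l2tp-psk"[1] 203.0.113.5 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP2048}
Oct 08 17:23:25 vpn pluto[19581]: "l2tp-psk"[1] 203.0.113.5 #1: missing payload(s) (ISAKMP_NEXT_v2AUTH). Message dropped.
Oct 08 17:23:25 vpn pluto[19581]: "l2tp-psk"[1] 203.0.113.5 #1: sending unencrypted notification v2N_INVALID_SYNTAX to 203.0.113.5:500
"""

PROPOSAL_RE = re.compile(r"(\d+):IKE:(\S+)")
RESPONDER_RE = re.compile(r"IKE proposals for initial responder: (.*)$")
CHOSEN_RE = re.compile(r"proposal (\d+:IKE:\S+) chosen from: (.*)$")
PEER_RE = re.compile(r"packet from (\S+):\d+")
SA_INIT_DONE = "STATE_PARENT_R1: received v2I1, sent v2R1"
AUTH_MISSING = "missing payload(s) (ISAKMP_NEXT_v2AUTH)"

# Example's own weak set: RFC 8247 rates 3DES and MODP1024 SHOULD NOT,
# DES and MODP768 MUST NOT.
WEAK = {"ENCR": {"3DES", "DES"}, "DH": {"MODP1024", "MODP768"}}


def parse_proposal(text):
    """'ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA1;DH=MODP2048[first-match]'
    -> {'ENCR': ['AES_CBC_256', 'AES_CBC_128'], 'PRF': [...], 'DH': [...]}"""
    text = re.sub(r"\[[^\]]*\]$", "", text)  # drop pluto's "[first-match]" tag
    out = {}
    for part in text.split(";"):
        key, _, vals = part.partition("=")
        out[key] = vals.split(",")
    return out


def parse_proposal_list(text):
    """Numbered proposal dump -> {index: proposal dict}."""
    return {int(n): parse_proposal(body) for n, body in PROPOSAL_RE.findall(text)}


def is_weak(proposal):
    return any(set(proposal.get(k, [])) & bad for k, bad in WEAK.items())


def triage(log):
    r = {"peer": None, "server_proposals": {}, "client_proposals": {},
         "chosen": None, "sa_init_done": False, "auth_missing": False}
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if m and r["peer"] is None:
            r["peer"] = m.group(1)
        m = RESPONDER_RE.search(line)
        if m:
            r["server_proposals"] = parse_proposal_list(m.group(1))
        m = CHOSEN_RE.search(line)
        if m:
            r["chosen"] = parse_proposal(m.group(1).split(":IKE:", 1)[1])
            r["client_proposals"] = parse_proposal_list(m.group(2))
        if SA_INIT_DONE in line:
            r["sa_init_done"] = True
        if AUTH_MISSING in line:
            r["auth_missing"] = True
    r["weak_client_offers"] = sorted(
        i for i, p in r["client_proposals"].items() if is_weak(p))
    if r["chosen"] is None:
        r["verdict"] = ("no IKE proposal chosen: the server's ike= line and the "
                        "client's offer do not overlap")
    elif r["sa_init_done"] and r["auth_missing"]:
        r["verdict"] = ("IKE_SA_INIT completed, so ike= is not the problem; "
                        "IKE_AUTH failed because the peer's message carried no "
                        "AUTH payload (typically an error notify): check the "
                        "server certificate's SAN against leftid")
    elif r["sa_init_done"]:
        r["verdict"] = "IKE_SA_INIT completed; no IKE_AUTH failure in these lines"
    else:
        r["verdict"] = "proposal chosen but IKE_SA_INIT did not complete"
    return r


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    print("peer:", res["peer"])
    print("chosen:", res["chosen"])
    print("weak client offers:", res["weak_client_offers"])
    print("verdict:", res["verdict"])
```

Feed it the output of `journalctl -u ipsec` (or `service ipsec status`) instead of the constructed sample to run it on a live server. When the verdict points at IKE_AUTH, the next check is the one Paul describes: `openssl x509 -in <server cert> -noout -ext subjectAltName` must list the IP address or FQDN that leftid is set to.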

zzuzjl commented 6 years ago

See my post: https://github.com/hwdsl2/setup-ipsec-vpn/issues/453