lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

31203776: macOS built in IKEv2 VPN is not passing Child SA DH group proposal #17124

Open openradar-mirror opened 7 years ago

openradar-mirror commented 7 years ago

Description

Summary: Using Apple Configurator 2 I have created an IKEv2 cert-based VPN connection.

On connecting to a pfSense (Strongswan) VPN server, the logs show that macOS never proposes Phase 2 as it is set in the mobileconfig.

The main point here is that for Phase 1 (IKE SA) the DH group is set to DH20 (ECP_384) and for Phase 2 (Child SA) the DH group is set to DH20 (ECP_384), both on server and client.

Note that logs are "newest on top". IP addresses are in the private range as the testing is sandboxed.

On connection the Strongswan/charon logs for phase 1 are:


```
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
```

where one can see that macOS proposes ECP_384 and the proposal matches.

On connection the Strongswan/charon logs for phase 2 are:


```
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
```

thus one can see that the proposal by macOS lacks ECP_384 (DH group 20).

However, one can connect, as "The first IKEv2 "Phase 2" is derived from the initial IKE negotiation. The other values are not used until Rekey." https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IPsec

As a result, on the first rekey the connection just fails miserably, because ECP_384 is still missing from the proposal:


```
received DELETE for IKE_SA con1[12]
parsed INFORMATIONAL request 11 [ D ]
received packet: from 192.168.10.146[4500] to 192.168.10.100[4500] (88 bytes)
sending packet: from 192.168.10.100[4500] to 192.168.10.146[4500] (88 bytes)
generating CREATE_CHILD_SA response 10 [ N(NO_PROP) ]
failed to establish CHILD_SA, keeping IKE_SA
no acceptable proposal found
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
no acceptable DIFFIE_HELLMAN_GROUP found
selecting proposal:
```

I also tried DH14 and DH2 for Phase 2; they are likewise not included in the proposal to the server.

The DH group exists in the .mobileconfig file's ChildSecurityAssociationParameters dict:


```
ChildSecurityAssociationParameters
    DiffieHellmanGroup   20
    EncryptionAlgorithm  AES-256
    IntegrityAlgorithm   SHA2-256
    LifeTimeInMinutes    60
IKESecurityAssociationParameters
    DiffieHellmanGroup   20
    EncryptionAlgorithm  AES-256
    IntegrityAlgorithm   SHA2-384
    LifeTimeInMinutes    480
```

The current way to make macOS work with Strongswan is to disable the DH group in Strongswan Phase 2 and leave whatever DH group in Apple Configurator for the Child SA, as it will not be sent anyway. This results in phase 2 matching on rekeying:


```
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
```

and the connection is kept.

In the year 2017 VPN is an everyday reality. Firstly, this is a security issue compromising phase 2 security on the gateway. Secondly, the VPN is unusable as it drops connections.

I have to mention that this issue also affects iOS; the logs and everything are exactly the same after installing this profile on an iPhone. I will be crossposting this in iOS bug reports, for which I apologize. /ranting Or maybe not, as being a Mac power user and part-time developer myself for a veeery long time I have seen the trend of how fast you address longstanding macOS vs iOS bugs. Note that Apple in the year 2016 added support for DH14 https://support.apple.com/en-us/HT206154 while it was the minimum recommended group years ago.

Steps to Reproduce: Install Apple Configurator 2. Configure a certificate-based IKEv2 VPN profile with any(!) Phase 2 DH Group (20/14/2).

Expected Results: DH group configured in phase 2 should be sent to the server as proposal.

Actual Results: DH group configured in phase 2 is not sent to the server as proposal.

Version: macOS 10.12.4 Beta (16E191a), Apple Configurator 2.3 (3D68), iOS 10.2.1 on iPhone SE

Notes: My longer debugging findings related to this issue can be found here: https://forum.pfsense.org/index.php?topic=127696.0

Configuration:

Attachments:

- Product Version:
- Created: 2017-03-22T21:06:16.084930
- Originated: 2017-03-22T00:00:00
- Open Radar Link: http://www.openradar.me/31203776
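As an added example (not part of the radar, pfSense or strongSwan), a small Python check that reads charon "configured/received proposals" lines like the ones quoted above and reports whether the peer's proposal shares no DH group with the gateway's configuration, which is the condition behind the CHILD_SA rekey failure. The sample log lines are constructed from the report, and `DH_GROUPS` is an assumed partial table of strongSwan transform names to IANA group numbers.

```python
import re

# Constructed sample (not a live capture): the charon lines the report quotes for
# the failed CHILD_SA rekey, in chronological order rather than newest-on-top.
SAMPLE_LOG = """\
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
no acceptable DIFFIE_HELLMAN_GROUP found
no acceptable proposal found
failed to establish CHILD_SA, keeping IKE_SA
"""

# Assumed partial table: IKEv2 DH transforms as strongSwan prints them -> IANA group numbers.
DH_GROUPS = {"MODP_1024": 2, "MODP_2048": 14, "ECP_256": 19, "ECP_384": 20, "ECP_521": 21}
PROPOSAL_RE = re.compile(r"^(configured|received) proposals: (.+)$")

def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' -> [('ESP', {'A', 'B'}), ('ESP', {'C', 'D'})]."""
    out = []
    for prop in text.split(", "):
        proto, _, transforms = prop.partition(":")
        out.append((proto, set(transforms.split("/"))))
    return out

def dh_of(proposals):
    """Union of DH group numbers offered across a list of parsed proposals."""
    return {DH_GROUPS[t] for _, ts in proposals for t in ts if t in DH_GROUPS}

def check_proposals(log):
    """Pair each configured/received line and flag peers offering no acceptable DH group.

    Assumes every configured proposal requires a DH group (PFS on), so an empty
    intersection is what charon logs as 'no acceptable DIFFIE_HELLMAN_GROUP found'."""
    findings, pending = [], {}
    for line in log.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if not m:
            continue
        pending[m.group(1)] = parse_proposals(m.group(2))
        if "configured" in pending and "received" in pending:
            conf_dh, recv_dh = dh_of(pending["configured"]), dh_of(pending["received"])
            findings.append({
                "protocol": pending["configured"][0][0],
                "configured_dh": sorted(conf_dh),
                "received_dh": sorted(recv_dh),
                "dh_mismatch": bool(conf_dh) and not (conf_dh & recv_dh),
            })
            pending = {}
    return findings
```

Run against the sample it reports the ESP pair with `configured_dh == [20]`, `received_dh == []` and `dh_mismatch == True`, matching the Phase 2 failure; the Phase 1 IKE lines from the report produce no mismatch.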

Janhouse commented 6 years ago

I tested this on macOS 10.13.6 and on iOS 11.4.1 with identical mobileconfig profiles. It is working correctly on iOS now but it still fails on first rekey on macOS.

Not sure which OS has the more recent version, but sadly this still has not been fixed on macOS.