trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Password generated on Algo install does not work on iOS #1192

Closed watkinsmd closed 6 years ago

watkinsmd commented 6 years ago

Describe the bug

Mobileconfig does not install on iOS (iPhone X); error that password is invalid despite using what was generated during the Algo install. The password DOES work on macOS Mojave when double clicking the mobileconfig file to install the profile on a Mac.

To Reproduce

Steps to reproduce the behavior:

  1. Modify configs file to include desired users
  2. Install Algo
  3. Note password at end of install
  4. Double click on mobileconfig file for desired user on macOS Mojave; install works and am able to connect to VPN on a Mac
  5. Send the same mobileconfig file to an iOS device via AirDrop
  6. Accept the profile
  7. Choose Install
     a. This is the point where I get an invalid password message despite using the same one I used on a Mac running macOS Mojave
  8. Receive error "The password for the certificate {my user id from configs file}.p12 is incorrect". "Required by the {IP address} IKEv2 profile."


Expected behavior

Expected behavior is the ability to successfully install the profile on an iOS device so VPN can be used using the password that was generated during the Algo install.

Additional context

  1. Running on DigitalOcean
  2. iOS device is running 12.0.1
  3. Have verified multiple times that the password is correct (e.g. not using a 0 in place of an O)
  4. I've destroyed a DO droplet and re-created a fresh install with the same result

Full log


PUT THE OUTPUT HERE **(User names, IP addresses, and Algo-generated password redacted)**

(env) Matts-MacBook-Pro:algo-master myuser$ ./algo

PLAY [Ask user for the input] **************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]
[pause]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Vultruser1
    5. Microsoft Azure
    6. Google Compute Engine
    7. Scaleway
    8. OpenStack (DreamCompute optimised)
    9. Install to existing Ubuntu 18.04 server (Advanced)

Enter the number of your desired provider
:
1

TASK [pause] *******************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]
[pause]
Name the vpn server
[algo]
:
algo-local

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:
n

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:
n

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:
n

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
n

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:
n

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:
n

TASK [pause] *******************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Mac OS X 10.14
ZIP file created: Nov  2 04:38:54 2018
Python 2.7.10
Runtime variables:
    algo_provider "digitalocean"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "_null"
    algo_local_dns "False"
    algo_ssh_tunneling "False"
    algo_windows "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] **************************************
changed: [localhost -> localhost]

TASK [Generate the SSH private key] ********************************************
changed: [localhost]

TASK [Generate the SSH public key] *********************************************
changed: [localhost]
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
 (output is hidden):

TASK [cloud-digitalocean : pause] **********************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ****************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ****************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about thre regions] ***********************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] *********************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
    1. ams3     Amsterdam 3
    2. blr1     Bangalore 1
    3. fra1     Frankfurt 1
    4. lon1     London 1
    5. nyc1     New York 1
    6. nyc3     New York 3
    7. sfo2     San Francisco 2
    8. sgp1     Singapore 1
    9. tor1     Toronto 1

Enter the number of your desired region
[6]
:
7

TASK [cloud-digitalocean : pause] **********************************************
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] *******************************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ******************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *********************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ******************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] *******************************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] ************************************
changed: [localhost]
FAILED - RETRYING: Delete the new Algo SSH key (10 retries left).

TASK [cloud-digitalocean : Delete the new Algo SSH key] ************************
ok: [localhost]

TASK [Set subjectAltName as afact] *********************************************
ok: [localhost]

TASK [Add the server to an inventory group] ************************************
changed: [localhost]

TASK [Additional variables for the server] *************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *****************************************
ok: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "123.45.678.12"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ****************
ok: [localhost]

PLAY [Configure the server and install required software] **********************

TASK [common : Check the system] ***********************************************
changed: [123.45.678.12]

TASK [common : include_tasks] **************************************************
included: /Applications/Algo/algo-master/roles/common/tasks/ubuntu.yml for 123.45.678.12
changed: [123.45.678.12] => (item=[u'python2.7', u'sudo'])

TASK [common : Ubuntu | Install prerequisites] *********************************

TASK [common : Ubuntu | Configure defaults] ************************************
changed: [123.45.678.12]

TASK [common : Gather facts] ***************************************************
ok: [123.45.678.12]

TASK [common : Install software updates] ***************************************
changed: [123.45.678.12]

TASK [common : Check if reboot is required] ************************************
changed: [123.45.678.12]

TASK [common : Reboot] *********************************************************
changed: [123.45.678.12]

TASK [common : Wait until SSH becomes ready...] ********************************
ok: [123.45.678.12 -> localhost]

TASK [common : Install unattended-upgrades] ************************************
ok: [123.45.678.12]

TASK [common : Configure unattended-upgrades] **********************************
changed: [123.45.678.12]

TASK [common : Periodic upgrades configured] ***********************************
changed: [123.45.678.12]

TASK [common : Unattended reboots configured] **********************************
changed: [123.45.678.12]
changed: [123.45.678.12] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [123.45.678.12] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] *********************************

TASK [common : Loopback for services configured] *******************************
changed: [123.45.678.12]
ok: [123.45.678.12] => (item=systemd-networkd)
ok: [123.45.678.12] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] ***************************

RUNNING HANDLER [common : restart systemd-networkd] ****************************
changed: [123.45.678.12]

TASK [common : Check apparmor support] *****************************************
changed: [123.45.678.12]

TASK [common : set_fact] *******************************************************
ok: [123.45.678.12]

TASK [common : set_fact] *******************************************************
ok: [123.45.678.12]
ok: [123.45.678.12] => (item=git)
ok: [123.45.678.12] => (item=screen)
changed: [123.45.678.12] => (item=apparmor-utils)
ok: [123.45.678.12] => (item=uuid-runtime)
ok: [123.45.678.12] => (item=coreutils)
changed: [123.45.678.12] => (item=iptables-persistent)
changed: [123.45.678.12] => (item=cgroup-tools)
ok: [123.45.678.12] => (item=openssl)

TASK [common : Install tools] **************************************************
ok: [123.45.678.12] => (item=[u'linux-headers-generic', u'linux-headers-4.15.0-36-generic'])

TASK [common : Install headers] ************************************************

TASK [common : Generate password for the CA key] *******************************
changed: [123.45.678.12 -> localhost]

TASK [common : Generate p12 export password] ***********************************
changed: [123.45.678.12 -> localhost]

TASK [common : Define facts] ***************************************************
ok: [123.45.678.12]

TASK [common : set_fact] *******************************************************
ok: [123.45.678.12]

TASK [common : Set IPv6 support as a fact] *************************************
ok: [123.45.678.12]
changed: [123.45.678.12] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [123.45.678.12] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [123.45.678.12] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [common : Sysctl tuning] **************************************************

TASK [dns_encryption : Include tasks for Ubuntu] *******************************
included: /Applications/Algo/algo-master/roles/dns_encryption/tasks/ubuntu.yml for 123.45.678.12

TASK [dns_encryption : Add the repository] *************************************
changed: [123.45.678.12]

TASK [dns_encryption : Install dnscrypt-proxy] *********************************
changed: [123.45.678.12]

TASK [dns_encryption : Configure unattended-upgrades] **************************
changed: [123.45.678.12]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *******
changed: [123.45.678.12]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ****
ok: [123.45.678.12]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***
changed: [123.45.678.12]

TASK [dns_encryption : Ubuntu | Add capabilities to bind ports] ****************
changed: [123.45.678.12]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] *****************
changed: [123.45.678.12]

TASK [dns_encryption : dnscrypt-proxy configured] ******************************
changed: [123.45.678.12]

TASK [dns_encryption : dnscrypt-proxy enabled and started] *********************
ok: [123.45.678.12]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] **********************
changed: [123.45.678.12]
changed: [123.45.678.12 -> localhost] => (item=private)
changed: [123.45.678.12 -> localhost] => (item=public)
changed: [123.45.678.12 -> localhost] => (item=ip)

TASK [wireguard : Ensure the required directories exist] ***********************

TASK [wireguard : Include tasks for Ubuntu] ************************************
included: /Applications/Algo/algo-master/roles/wireguard/tasks/ubuntu.yml for 123.45.678.12

TASK [wireguard : WireGuard repository configured] *****************************
changed: [123.45.678.12]

TASK [wireguard : WireGuard installed] *****************************************
changed: [123.45.678.12]

TASK [wireguard : WireGuard reload-module-on-update] ***************************
changed: [123.45.678.12]

TASK [wireguard : Configure unattended-upgrades] *******************************
changed: [123.45.678.12]

TASK [wireguard : set_fact] ****************************************************
ok: [123.45.678.12]
changed: [123.45.678.12] => (item=user1)
changed: [123.45.678.12] => (item=user2)
changed: [123.45.678.12] => (item=123.45.678.12)

TASK [wireguard : Generate private keys] ***************************************
changed: [123.45.678.12] => (item=None)
changed: [123.45.678.12] => (item=None)
changed: [123.45.678.12] => (item=None)

TASK [wireguard : Save private keys] *******************************************
changed: [123.45.678.12] => (item=user1)
changed: [123.45.678.12] => (item=user2)
changed: [123.45.678.12] => (item=123.45.678.12)

TASK [wireguard : Touch the lock file] *****************************************
ok: [123.45.678.12] => (item=user1)
ok: [123.45.678.12] => (item=user2)
ok: [123.45.678.12] => (item=123.45.678.12)

TASK [wireguard : Generate public keys] ****************************************
changed: [123.45.678.12] => (item=None)
changed: [123.45.678.12] => (item=None)
changed: [123.45.678.12] => (item=None)

TASK [wireguard : Save public keys] ********************************************
changed: [123.45.678.12 -> localhost] => (item=(0, u'user1'))
changed: [123.45.678.12 -> localhost] => (item=(1, u'user2'))

TASK [wireguard : Dump IP addresses] *******************************************

TASK [wireguard : WireGuard configured] ****************************************
changed: [123.45.678.12]
changed: [123.45.678.12 -> localhost] => (item=(0, u'user1'))
changed: [123.45.678.12 -> localhost] => (item=(1, u'user2'))

TASK [wireguard : WireGuard users config generated] ****************************
ok: [123.45.678.12 -> localhost] => (item=(0, u'user1'))
ok: [123.45.678.12 -> localhost] => (item=(1, u'user2'))

TASK [wireguard : Generate QR codes] *******************************************

TASK [wireguard : WireGuard enabled and started] *******************************
changed: [123.45.678.12]

RUNNING HANDLER [wireguard : restart wireguard] ********************************
changed: [123.45.678.12]

TASK [vpn : Include WireGuard role] ********************************************
ok: [123.45.678.12 -> localhost] => (item=private)
ok: [123.45.678.12 -> localhost] => (item=public)
ok: [123.45.678.12 -> localhost] => (item=ip)

TASK [wireguard : Ensure the required directories exist] ***********************

TASK [wireguard : Include tasks for Ubuntu] ************************************
included: /Applications/Algo/algo-master/roles/wireguard/tasks/ubuntu.yml for 123.45.678.12

TASK [wireguard : WireGuard repository configured] *****************************
ok: [123.45.678.12]

TASK [wireguard : WireGuard installed] *****************************************
ok: [123.45.678.12]

TASK [wireguard : WireGuard reload-module-on-update] ***************************
changed: [123.45.678.12]

TASK [wireguard : Configure unattended-upgrades] *******************************
ok: [123.45.678.12]

TASK [wireguard : set_fact] ****************************************************
ok: [123.45.678.12]
ok: [123.45.678.12] => (item=user1)
ok: [123.45.678.12] => (item=user2)
ok: [123.45.678.12] => (item=123.45.678.12)

TASK [wireguard : Generate private keys] ***************************************
ok: [123.45.678.12] => (item=user1)
ok: [123.45.678.12] => (item=user2)
ok: [123.45.678.12] => (item=123.45.678.12)

TASK [wireguard : Generate public keys] ****************************************
ok: [123.45.678.12] => (item=None)
ok: [123.45.678.12] => (item=None)
ok: [123.45.678.12] => (item=None)

TASK [wireguard : Save public keys] ********************************************
ok: [123.45.678.12 -> localhost] => (item=(0, u'user1'))
ok: [123.45.678.12 -> localhost] => (item=(1, u'user2'))

TASK [wireguard : Dump IP addresses] *******************************************

TASK [wireguard : WireGuard configured] ****************************************
ok: [123.45.678.12]
ok: [123.45.678.12 -> localhost] => (item=(0, u'user1'))
ok: [123.45.678.12 -> localhost] => (item=(1, u'user2'))

TASK [wireguard : WireGuard users config generated] ****************************
ok: [123.45.678.12 -> localhost] => (item=(0, u'user1'))
ok: [123.45.678.12 -> localhost] => (item=(1, u'user2'))

TASK [wireguard : Generate QR codes] *******************************************

TASK [wireguard : WireGuard enabled and started] *******************************
ok: [123.45.678.12]

TASK [vpn : include_tasks] *****************************************************
included: /Applications/Algo/algo-master/roles/vpn/tasks/ubuntu.yml for 123.45.678.12

TASK [vpn : set_fact] **********************************************************
ok: [123.45.678.12]

TASK [vpn : Ubuntu | Install strongSwan] ***************************************
changed: [123.45.678.12]
changed: [123.45.678.12] => (item=/usr/lib/ipsec/charon)
changed: [123.45.678.12] => (item=/usr/lib/ipsec/lookip)
changed: [123.45.678.12] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ****************************
ok: [123.45.678.12] => (item=apparmor)
ok: [123.45.678.12] => (item=strongswan)
ok: [123.45.678.12] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Enable services] ******************************************

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *******
changed: [123.45.678.12]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********
changed: [123.45.678.12]

TASK [vpn : include_tasks] *****************************************************
included: /Applications/Algo/algo-master/roles/vpn/tasks/iptables.yml for 123.45.678.12
changed: [123.45.678.12] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***********************************************
changed: [123.45.678.12] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : Iptables configured] ***********************************************

TASK [vpn : Install strongSwan] ************************************************
ok: [123.45.678.12]
changed: [123.45.678.12] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [123.45.678.12] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [123.45.678.12] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Setup the config files from our templates] *************************

TASK [vpn : Get loaded plugins] ************************************************
changed: [123.45.678.12]
changed: [123.45.678.12] => (item=xcbc)
changed: [123.45.678.12] => (item=sshkey)
changed: [123.45.678.12] => (item=updown)
changed: [123.45.678.12] => (item=mgf1)
changed: [123.45.678.12] => (item=connmark)
changed: [123.45.678.12] => (item=attr)
changed: [123.45.678.12] => (item=constraints)
changed: [123.45.678.12] => (item=sha1)
changed: [123.45.678.12] => (item=md5)
changed: [123.45.678.12] => (item=md4)
changed: [123.45.678.12] => (item=aesni)
changed: [123.45.678.12] => (item=agent)
changed: [123.45.678.12] => (item=pkcs1)
changed: [123.45.678.12] => (item=counters)
changed: [123.45.678.12] => (item=eap-mschapv2)
changed: [123.45.678.12] => (item=fips-prf)
changed: [123.45.678.12] => (item=gmp)
changed: [123.45.678.12] => (item=xauth-generic)
changed: [123.45.678.12] => (item=dnskey)
changed: [123.45.678.12] => (item=resolve)
changed: [123.45.678.12] => (item=rc2)
changed: [123.45.678.12] => (item=bypass-lan)
changed: [123.45.678.12] => (item=sha2)
changed: [123.45.678.12] => (item=pkcs8)
changed: [123.45.678.12] => (item=kernel-netlink)
changed: [123.45.678.12] => (item=pubkey)
changed: [123.45.678.12] => (item=random)
changed: [123.45.678.12] => (item=aes)
changed: [123.45.678.12] => (item=nonce)
changed: [123.45.678.12] => (item=pkcs7)
changed: [123.45.678.12] => (item=revocation)
changed: [123.45.678.12] => (item=stroke)
changed: [123.45.678.12] => (item=pgp)
changed: [123.45.678.12] => (item=x509)
changed: [123.45.678.12] => (item=pem)
changed: [123.45.678.12] => (item=gcm)
changed: [123.45.678.12] => (item=pkcs12)
changed: [123.45.678.12] => (item=openssl)
changed: [123.45.678.12] => (item=socket-default)
changed: [123.45.678.12] => (item=hmac)

TASK [vpn : Set subjectAltName as a fact] **************************************
ok: [123.45.678.12 -> localhost]
changed: [123.45.678.12 -> localhost] => (item=ecparams)
changed: [123.45.678.12 -> localhost] => (item=certs)
changed: [123.45.678.12 -> localhost] => (item=crl)
changed: [123.45.678.12 -> localhost] => (item=newcerts)
changed: [123.45.678.12 -> localhost] => (item=private)
changed: [123.45.678.12 -> localhost] => (item=public)
changed: [123.45.678.12 -> localhost] => (item=reqs)

TASK [vpn : Ensure the pki directories exist] **********************************
changed: [123.45.678.12 -> localhost] => (item=.rnd)
changed: [123.45.678.12 -> localhost] => (item=private/.rnd)
changed: [123.45.678.12 -> localhost] => (item=index.txt)
changed: [123.45.678.12 -> localhost] => (item=index.txt.attr)
changed: [123.45.678.12 -> localhost] => (item=serial)

TASK [vpn : Ensure the files exist] ********************************************

TASK [vpn : Generate the openssl server configs] *******************************
changed: [123.45.678.12 -> localhost]

TASK [vpn : Build the CA pair] *************************************************
changed: [123.45.678.12 -> localhost]

TASK [vpn : Copy the CA certificate] *******************************************
changed: [123.45.678.12 -> localhost]

TASK [vpn : Generate the serial number] ****************************************
changed: [123.45.678.12 -> localhost]

TASK [vpn : Build the server pair] *********************************************
changed: [123.45.678.12 -> localhost]
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Build the client's pair] *******************************************
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Create links for the private keys] *********************************
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Build openssh public keys] *****************************************
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Build the client's p12] ********************************************
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Copy the p12 certificates] *****************************************

TASK [vpn : Get active users] **************************************************
changed: [123.45.678.12 -> localhost]
changed: [123.45.678.12] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/123.45.678.12/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [123.45.678.12] => (item={u'dest': u'/etc/ipsec.d/certs/123.45.678.12.crt', u'src': u'configs/123.45.678.12/pki/certs/123.45.678.12.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [123.45.678.12] => (item={u'dest': u'/etc/ipsec.d/private/123.45.678.12.key', u'src': u'configs/123.45.678.12/pki/private/123.45.678.12.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Copy the keys to the strongswan directory] *************************
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Register p12 PayloadContent] ***************************************

TASK [vpn : Set facts for mobileconfigs] ***************************************
ok: [123.45.678.12 -> localhost]
changed: [123.45.678.12] => (item=None)
changed: [123.45.678.12] => (item=None)

TASK [vpn : Build the mobileconfigs] *******************************************
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Build the client ipsec config file] ********************************
changed: [123.45.678.12 -> localhost] => (item=user1)
changed: [123.45.678.12 -> localhost] => (item=user2)

TASK [vpn : Build the client ipsec secret file] ********************************
changed: [123.45.678.12 -> localhost] => (item=configs/123.45.678.12)

TASK [vpn : Restrict permissions for the local private directories] ************

TASK [vpn : strongSwan started] ************************************************
ok: [123.45.678.12]

RUNNING HANDLER [dns_adblocking : restart apparmor] ****************************

RUNNING HANDLER [vpn : restart strongswan] *************************************
changed: [123.45.678.12]

RUNNING HANDLER [vpn : daemon-reload] ******************************************
changed: [123.45.678.12]

RUNNING HANDLER [vpn : restart iptables] ***************************************
changed: [123.45.678.12]

TASK [Delete the CA key] *******************************************************
changed: [123.45.678.12 -> localhost]

TASK [Dump the configuration] **************************************************
changed: [123.45.678.12 -> localhost]

TASK [debug] *******************************************************************
ok: [123.45.678.12] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 111.22.0.1                   #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is XXXXXXXX       #\"\n", 
        "    ", 
        "    \"#      Shell access: ssh -i configs/algo.pem root@123.45.678.12        #\"\n"
    ]
}

PLAY RECAP *********************************************************************
123.45.678.12              : ok=116  changed=75   unreachable=0    failed=0   
localhost                  : ok=34   changed=8    unreachable=0    failed=0   
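
An offline triage check for this kind of report, added here as an example and not taken from Algo or from the reporter: OpenSSL verifies the PKCS#12 integrity MAC and decrypts the bundled private key with the supplied password, which is what any client has to do with that password before it can import the bundle, so a rejection here means the password really does not match the file, while success here means the problem lies with the client or the bundle's encoding. The bundle it checks is a constructed throwaway (the `sample-user` name and the password are assumptions); against a real install, point `p12_password_ok` at the per-user .p12 Algo writes under ./configs/.

```shell
#!/bin/sh
# Added example, not part of Algo or of this issue: check a PKCS#12 bundle offline.
# Exit status 0 when the password verifies the bundle's integrity MAC and decrypts
# the private key, non-zero otherwise.

p12_password_ok() {
    # $1 = path to the .p12, $2 = candidate password
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

p12_algorithms() {
    # Print the MAC and PBE algorithms the bundle uses. Clients differ in which
    # ones they accept, so record these when a bundle imports on one platform
    # and is rejected on another.
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1 \
        | grep -E '^(MAC|PKCS7|Shrouded)'
}

make_sample_p12() {
    # Constructed stand-in for the per-user .p12 Algo writes under ./configs/:
    # a throwaway RSA key and self-signed certificate bundled with password $2 in $1.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-user" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -name "sample-user" -out "$1/sample-user.p12" -passout "pass:$2"
}

demo() {
    tmp=$(mktemp -d)
    pw='correct horse battery'                      # constructed sample password
    make_sample_p12 "$tmp" "$pw"
    p12_password_ok "$tmp/sample-user.p12" "$pw" && echo "correct password: accepted"
    # The report mentions 0 vs O confusion; a one-character change must be rejected.
    p12_password_ok "$tmp/sample-user.p12" "c0rrect horse battery" || echo "wrong password: rejected"
    p12_algorithms "$tmp/sample-user.p12" "$pw"
    rm -rf "$tmp"
}

demo
```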

watkinsmd commented 6 years ago

This no longer seems to be an issue. I worked around it by creating a separate user for each device; e.g. Mac, iPad, and iPhone. I also re-downloaded Algo on November 8 so perhaps it was an issue that was addressed since my initial download of Algo.