xelerance / Openswan


Unable to fix iOS 14 issue #475

Open totoventi opened 3 years ago

totoventi commented 3 years ago

Since the arrival of iOS 14 I have no longer been able to use the VPN with devices that use this system. I don't know how to intervene in the configurations to make Openswan compatible even with Apple devices using Big Sur or iOS > 14.

I use Openswan 2.6.37 on a Raspberry Pi (obligatory, because with the higher versions there are other problems).

On Windows it worked.

How can I intervene?

Below is an example of what I get with an iOS device and a macOS device.

paulwouters commented 3 years ago

Are you using certificates?

It looks like the iOS device does not authenticate the VPN server. Usually that is because it is missing something on the certificate of the VPN server, like a SAN entry for the FQDN.

If you think the certificate is properly generated, then you can try libreswan to see if it is just old behaviour of openswan versus the much more modern libreswan.

totoventi commented 3 years ago

No certificate, I use L2TP with secret.

Everything works smoothly on Windows and Apple systems < iOS 14; the problem only occurs on iOS > 14.

letoams commented 3 years ago

On Wed, 2 Jun 2021, totoventi wrote:

No certificate, I use L2TP with secret.

Everything works smoothly on Windows and Apple systems < iOS 14; the problem only occurs on iOS > 14.

Well, the logs show that the iOS > 14 device sends a delete. So they are unhappy. Check their logs to see why.

totoventi commented 3 years ago

I cannot find any solution to that effect. The problem has been documented for months and it should be this:

https://support.apple.com/en-us/HT211840

The problem is that in Openswan I can't change the configuration so that it doesn't happen... I have tried several strings, but evidently on Openswan they do not work, because on restarting the service I always get syntax errors with any of them.

letoams commented 3 years ago

On Wed, 2 Jun 2021, totoventi wrote:

I cannot find any solution to that effect. The problem has been documented for months and it should be this:

https://support.apple.com/en-us/HT211840

That relates to sha2-truncbug=yes|no

I don't remember if this was added to openswan or libreswan. If you need to support a mix of Android and iPhone, then you have a problem, because old Androids require sha2-truncbug=yes and your iOS 14 now requires sha2-truncbug=no.

The only way out is to not use sha2_256 for esp= but use sha2_512 or sha1, where this issue does not exist.

The problem is that in Openswan I can't change the configuration so that it doesn't happen... I have tried several strings, but evidently on Openswan they do not work, because on restarting the service I always get syntax errors with any of them.

It's been 9 years since the forced rename to libreswan due to legal reasons. Openswan has been in a vegetative state since then. You should upgrade to libreswan, every modern distro has done that almost a decade ago. For more background:

https://nohats.ca/wordpress/blog/2021/04/23/please-stop-using-openswan/
https://nohats.ca/wordpress/openswan/

totoventi commented 3 years ago

Yes, I have tried several times with sha2=truncbug=no, but it is one of the strings that gives me a syntax error. At the moment I can't migrate to Libreswan. I don't need to use Android but only Windows / macOS and iOS... how can I correct my configuration (which I attach) to change to SHA512?

letoams commented 3 years ago

Try using an underscore, sha2_truncbug=no

Sent using a virtual keyboard on a phone

On Jun 2, 2021, at 09:36, totoventi @.***> wrote:

Yes, I have tried several times with sha2=truncbug=no, but it is one of the strings that gives me a syntax error. At the moment I can't migrate to Libreswan. I don't need to use Android but only Windows / macOS and iOS... how can I correct my configuration (which I attach) to change to SHA512?


letoams commented 3 years ago

You need: esp=aes256-sha2_512

Sent using a virtual keyboard on a phone

On Jun 2, 2021, at 09:36, totoventi @.***> wrote:

Yes, I have tried several times with sha2=truncbug=no, but it is one of the strings that gives me a syntax error. At the moment I can't migrate to Libreswan. I don't need to use Android but only Windows / macOS and iOS... how can I correct my configuration (which I attach) to change to SHA512?


totoventi commented 3 years ago

Try using an underscore, sha2_truncbug=no
Sent using a virtual keyboard on a phone

unexpected string...

totoventi commented 3 years ago

You need: esp=aes256-sha2_512
Sent using a virtual keyboard on a phone

Nothing, I have this:

Jun 02 16:54:25 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182 #2: Dead Peer Detection (RFC 3706): enabled
Jun 02 16:54:25 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 02 16:54:25 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x03beb9b2 <0xece4216d xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=151.37.217.182:36047 DPD=enable
Jun 02 16:54:45 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182 #1: received Delete SA(0x03beb9b2) payload: deleting IPSEC State #2
Jun 02 16:54:45 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182 #1: received and ignored informational message
Jun 02 16:54:45 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182 #1: received Delete SA payload: deleting ISAKMP State #1
Jun 02 16:54:45 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182: deleting connection "L2TP-PSK-NAT" instance with peer 151.37.217.182 {isakmp=#0/ipsec=#0}
Jun 02 16:54:45 raspberrypi pluto[1729]: packet from 151.37.217.182:36047: received and ignored informational message
Jun 02 16:54:45 raspberrypi pluto[1729]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 151.37.217.182 port 36047, complainant 151.37.217.182: Connection refused [errno 111, origin ICMP type 3 code 3 (not au
Jun 02 16:54:45 raspberrypi pluto[1729]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 151.37.217.182 port 36047, complainant 151.37.217.182: Connection refused [errno 111, origin ICMP type 3 code 3 (not au
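The symptom letoams points to earlier in the thread (the client completes Quick Mode and then immediately sends a Delete SA) together with the sha2-truncbug explanation suggests a simple log check: flag peers whose ESP SA negotiated HMAC_SHA2_256 and was torn down within seconds of being established. This is an added example, not code from the issue or from Openswan; it assumes the journalctl/pluto line format shown above, and the log lines and addresses in it are constructed.

```python
import re
from datetime import datetime

# pluto log lines as emitted via journalctl (format taken from the issue thread).
_TS = r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>[\d.]+)'
_ESTAB = re.compile(_TS + r' #\d+: STATE_QUICK_R2: IPsec SA established .*?'
                    r'ESP(?:/NAT)?=>(?P<spi>0x[0-9a-f]+) .*?xfrm=(?P<xfrm>\S+)')
_DELETE = re.compile(_TS + r' #\d+: received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload')

def _when(ts, year):
    # syslog timestamps carry no year; the caller supplies it (assumed 2021 here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_early_deletes(lines, window=60, year=2021):
    """Return (peer, xfrm, seconds_alive) for every ESP SA the peer deleted within
    `window` seconds of it being established. Matching is by outbound SPI, as in the thread's log."""
    alive = {}      # spi -> (peer, established_at, xfrm)
    findings = []
    for line in lines:
        m = _ESTAB.match(line)
        if m:
            alive[m['spi']] = (m['peer'], _when(m['ts'], year), m['xfrm'])
            continue
        m = _DELETE.match(line)
        if m and m['spi'] in alive:
            peer, t0, xfrm = alive.pop(m['spi'])
            age = (_when(m['ts'], year) - t0).total_seconds()
            if 0 <= age <= window:
                findings.append((peer, xfrm, age))
    return findings

def likely_truncbug(findings):
    """Keep only SAs using HMAC-SHA2-256 ESP integrity: per the thread, sha2_512 and sha1
    are not affected by the sha2-truncbug mismatch, so early deletes there need another cause."""
    return [f for f in findings if 'HMAC_SHA2_256' in f[1]]

# Constructed sample log, modelled on the thread's output (documentation addresses, not real peers).
SAMPLE_LOG = [
    'Jun 02 16:54:25 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 192.0.2.10 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x03beb9b2 <0xece4216d xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=192.0.2.10:36047 DPD=enable}',
    'Jun 02 16:54:45 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 192.0.2.10 #1: received Delete SA(0x03beb9b2) payload: deleting IPSEC State #2',
    'Jun 02 17:10:01 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[3] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x1a2b3c4d <0x5e6f7a8b xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=198.51.100.7:4500 DPD=enable}',
    'Jun 02 18:40:09 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[3] 198.51.100.7 #3: received Delete SA(0x1a2b3c4d) payload: deleting IPSEC State #4',
]

if __name__ == "__main__":
    for peer, xfrm, age in likely_truncbug(find_early_deletes(SAMPLE_LOG)):
        print(f"{peer}: {xfrm} SA deleted after {age:.0f}s; check sha2-truncbug or move esp= to sha2_512/sha1")
```

Run it against `journalctl -u ipsec` output (or the pluto log file) one line at a time; an SHA2_256 SA that dies within seconds of Quick Mode completing is the pattern the thread describes, while the SHA2_512 peer in the sample is correctly left alone.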

letoams commented 3 years ago

Please try libreswan, should be a drop-in replacement.

I don't know why openswan is ignoring your config. Maybe you didn't restart? But obviously I haven't looked at openswan code in 10 years.

Sent using a virtual keyboard on a phone

On Jun 2, 2021, at 11:56, totoventi @.***> wrote:

Try using an underscore, sha2_truncbug=no
Sent using a virtual keyboard on a phone …

unexpected string...
