latest #iked -dvv log is below:

ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_cp: type REQUEST length 28
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: APPLICATION_VERSION 0x0007 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 92
ikev2_pld_sa: more 0 reserved 0 length 88 proposal #1 protoid ESP spisize 4 xforms 8 spi 0xf3268010
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
sa_stateok: SA_INIT flags 0x00, require 0x00
ikev2_msg_auth: responder auth data length 357
ca_setauth: auth length 357
ikev2_sa_negotiate: score 7
config_free_proposals: free 0x203519780
sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa
config_free_proposals: free 0x203519b80
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 21 rspi 0xe580667dddd31820 ispi 0x417f3816fccfc162 initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa
On 10.08.2017 11:13, Denis wrote:
> Hi,
>
> Have a fully working setup OpenIKEd + Win7x64 using IKEv2 and MSCHAP-v2, but
> the BlackBerry device stops negotiating and fails while connecting.
> Exact BlackBerry SW version is: 10.3.2.2836.
>
> Cert and 2048bit key in *.P12 form transferred to BlackBerry device.
>
> 10.0.20.0/24 is local network
> 10.0.10.0/24 is IPsec network
> DNS server is 10.0.20.1
>
> /etc/iked.conf is:
>
> ikev2 "winauth" passive esp \
> from 10.0.20.0/24 to 10.0.10.0/24 \
> local IP_of_server peer any \
> srcid myserver.domain \
> eap "mschap-v2" \
> config address 10.0.10.10 \
> config netmask 255.255.255.0 \
> config name-server 10.0.20.1 \
> # ikesa auth hmac-sha1 enc 3des group modp2048 \
> # childsa auth hmac-sha1 enc aes-256 group modp2048 \
> tag "$name-$id"
>
> OBSD has a working PF setup to allow IPsec traffic {isakmp, ipsec-nat-t} and
> both protos {ah, esp}.
>
> Trying to make the same setup with BlackBerry 10.3.2.2836 OS using the same
> /etc/iked.conf.
>
> On the BlackBerry phone, tried various profiles (the general profile is listed below):
> ---------------------------------------
> Server address: IP_of_server
> Gateway type: Generic IKEv2 VPN Server (tried Microsoft IKEv2 VPN
> Server, but unsuccessful too)
> Auth Type: EAP-MSCHAPv2
> Authentication ID Type: FQDN
> Auth ID: myserver.domain
> MSCHAPv2 EAP Identity: username
> MSCHAPv2 EAP Identity: username
> MSCHAPv2 Password: userpass
> Gateway Auth Type: PKI
> Gateway Auth ID Type: FQDN
> Gateway Auth ID: myserver.domain
> Allow Untrusted Cert: Prompt
> Gateway CA Cert: CAmyserver.domain.name
> Perfect Forward Secrecy: set_to_YES
> Auto IP: set_to_YES
> Auto DNS: set_to_YES
> Auto Determine Algorithm: set_to_YES
>
> IKE lifetime in Sec.: 86400
> IPSec Lifetime: 10800
> NAT Keep Alive: 30
> DPD Frequency: 240
>
> Use Proxy: set_to_NO
> -----------------------------
>
> #iked -dvv negotiating with BlackBerry phone:
>
> ...
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 240
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 240/240 padding 15
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19
> ikev2_pld_id: id FQDN/myserver.domain length 15
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
> ikev2_pld_certreq: type X509_CERT signatures length 0
> ikev2_pld_certreq: invalid certificate request
> ikev2_resp_recv: failed to parse message
>
> The same connection works fine between Win7 and iked. Log of iked is below:
> ...
> ikev2_msg_decrypt: encrypted payload length 160
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 160/160 padding 7
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 28
> ikev2_pld_auth: method SHARED_KEY_MIC length 20
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 32
> ikev2_pld_cp: type REPLY length 24
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
> ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x84ea51d8
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 10.0.10.0 end 10.0.10.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 10.0.20.0 end 10.0.20.255
> ikev2_msg_send: IKE_AUTH from IP_of_server:4500 to IP_of_client:4500, 212 bytes, NAT-T
> pfkey_sa_add: update spi 0x84ea51d8
> pfkey_sa: udpencap port 4500
> ikev2_childsa_enable: loaded CHILD SA spi 0x84ea51d8
> pfkey_sa_add: add spi 0xcfea0559
> pfkey_sa: udpencap port 4500
> ikev2_childsa_enable: loaded CHILD SA spi 0xcfea0559
> ikev2_childsa_enable: loaded flow 0x20527e400
> ikev2_childsa_enable: loaded flow 0x204a56800
> sa_state: EAP_VALID -> ESTABLISHED from IP_of_client:4500 to IP_of_server:4500 policy 'winauth'
>
> Or what phone model (brand) can I use to have IPsec working on the road?
>
> Thanks.
>
> --
> mailto: den...@mindall.org
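The two `iked -dvv` logs in this thread differ in what the peer proposes and in how the CERTREQ payload is parsed: the BlackBerry sends an X509_CERT CERTREQ with signatures length 0 (rejected as "invalid certificate request" in the first log, accepted in the later one) and offers eight ESP transforms including DES, 3DES and HMAC_MD5_96, while the Win7 client offers only AES_CBC-256, HMAC_SHA1_96 and ESN NONE. The script below is an added example written for this thread; it is not part of OpenIKEd and not code from either message. It reconstructs the peer's proposal from the `ikev2_pld_sa`, `ikev2_pld_xform` and `ikev2_pld_attr` lines and reports transforms outside an allow-list (the `ACCEPTABLE` table is an assumed local policy, not an iked setting) plus an empty or rejected CERTREQ. The sample log text is constructed from the lines on this page.

```python
"""Summarise the peer's ESP proposal and CERTREQ from an `iked -dvv` log.

Added example for this thread; not part of OpenIKEd and not code from the
original post. It only reads the ikev2_pld_* lines iked prints while parsing
the peer's IKE_AUTH payloads.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the ikev2_pld_* lines from the later BlackBerry log in this thread.
SAMPLE_LOG = """\
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 92
ikev2_pld_sa: more 0 reserved 0 length 88 proposal #1 protoid ESP spisize 4 xforms 8 spi 0xf3268010
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
"""

# Constructed sample: the CERTREQ lines from the first (failing) BlackBerry log.
SAMPLE_LOG_REJECTED = """\
> ikev2_pld_certreq: type X509_CERT signatures length 0
> ikev2_pld_certreq: invalid certificate request
> ikev2_resp_recv: failed to parse message
"""

# Allow-list used by this example only; an assumed local policy, not an iked setting.
ACCEPTABLE = {
    "ENCR": {"AES_CBC", "AES_GCM_16"},
    "INTEGR": {"HMAC_SHA1_96", "HMAC_SHA2_256_128"},
    "ESN": {"NONE", "ESN"},
}

SA_RE = re.compile(r"ikev2_pld_sa: .*proposal #(\d+) protoid (\S+) .*xforms (\d+)")
XFORM_RE = re.compile(r"ikev2_pld_xform: .*type (\S+) id (\S+)")
ATTR_RE = re.compile(r"ikev2_pld_attr: attribute type KEY_LENGTH length (\d+)")
CERTREQ_RE = re.compile(r"ikev2_pld_certreq: type (\S+) signatures length (\d+)")


@dataclass
class Transform:
    kind: str                          # ENCR, INTEGR, ESN, ...
    name: str                          # AES_CBC, 3DES, HMAC_MD5_96, ...
    key_length: Optional[int] = None   # from the KEY_LENGTH attribute, if any


@dataclass
class Proposal:
    number: int
    protoid: str
    xforms_expected: int               # the "xforms N" count iked printed
    xforms: list = field(default_factory=list)

    def weak_transforms(self):
        """Names of transforms that fall outside ACCEPTABLE for their kind."""
        return [t.name for t in self.xforms if t.name not in ACCEPTABLE.get(t.kind, set())]


def parse_log(text):
    """Return (proposals, findings) for one iked -dvv log; '> ' mail quoting is tolerated."""
    proposals, findings = [], []
    for line in text.splitlines():
        line = line.strip().lstrip("> ")
        if m := SA_RE.search(line):
            proposals.append(Proposal(int(m[1]), m[2], int(m[3])))
        elif (m := XFORM_RE.search(line)) and proposals:
            proposals[-1].xforms.append(Transform(m[1], m[2]))
        elif (m := ATTR_RE.search(line)) and proposals and proposals[-1].xforms:
            # KEY_LENGTH belongs to the transform iked printed just before it
            proposals[-1].xforms[-1].key_length = int(m[1])
        elif m := CERTREQ_RE.search(line):
            if int(m[2]) == 0:
                findings.append(f"CERTREQ of type {m[1]} names no CA (signatures length 0)")
        elif "invalid certificate request" in line:
            findings.append("iked rejected the CERTREQ payload: " + line)
    for p in proposals:
        if len(p.xforms) != p.xforms_expected:
            findings.append(f"proposal #{p.number}: expected {p.xforms_expected} transforms, "
                            f"parsed {len(p.xforms)}")
        for name in p.weak_transforms():
            findings.append(f"proposal #{p.number} {p.protoid}: {name} is outside the allow-list")
    return proposals, findings


if __name__ == "__main__":
    props, findings = parse_log(SAMPLE_LOG)
    for p in props:
        print(f"proposal #{p.number} {p.protoid}: " + ", ".join(
            f"{t.kind}/{t.name}" + (f"-{t.key_length}" if t.key_length else "")
            for t in p.xforms))
    for f in findings:
        print("finding:", f)
```

Run against the later BlackBerry log it lists the eight transforms in proposal order and reports four findings: the empty CERTREQ and the DES, 3DES and HMAC_MD5_96 fallbacks, none of which the Win7 client on this page offers. Which of those the responder would actually pick depends on the iked policy, so the allow-list is where a site's own choice goes.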