Re: Unable to establish ikev2 vpn with ios using current - OpenBSD 6.1 GENERIC.MP#106 amd64 - can anyone help?

2017-06-07 Thread Theodore Wynnychenko
Hello

I have updated to the last several snapshots as they have come out, but continue
to be unable to establish a VPN between iOS and OpenBSD.  As the iOS device has
not been updated recently, the "problem" appears to relate to something that
changed on the OpenBSD side.

I don't know, and don't even have an idea of how I could find out, if this is a
problem with iOS not following some standard, or if it is an issue with
OpenBSD's iked.

I am not trying to be demanding, and I am not suggesting that I am entitled to
any help whatsoever.  But, I will admit that I have come to rely on iked, and
the loss of a VPN to iOS is a problem for me.

I got logs off an iPhone (a snip is below), but other than seeing that the
iPhone tries to create a VPN, and then fails and disconnects (despite the fact
that OpenBSD states the connection is ESTABLISHED), I have no clue what is
happening.

---
Jun  6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] : Not
hashing value with class __NSDate
Jun  6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] :
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
Received a start command from Preferences[200]
Jun  6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] :
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
status changed to connecting
Jun  6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] : Plugin
com.apple.neplugin.IKEv2 does not have a bundle URL
Jun  6 14:54:14 iPhone kernel(Sandbox)[0] : SandboxViolation:
nesessionmanager(124) deny(1) file-issue-extension target:
/System/Library/Frameworks/NetworkExtension.framework/PluginIKEv2.vpnplugin
class: com.apple.vpn-plugin
Jun  6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] :
sendInitCommand: failed to create a com.apple.vpn-plugin sandbox extension for
/System/Library/Frameworks/NetworkExtension.framework/PluginIKEv2.vpnplugin
Jun  6 14:54:14 iPhone neagent(NetworkExtension)[824] : Certificate at
index 0 could not be created
Jun  6 14:54:14 iPhone neagent(NetworkExtension)[824] : Certificate
authentication data could not be verified
Jun  6 14:54:14 iPhone neagent(NetworkExtension)[824] : Failed to process
IKE Auth packet
Jun  6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] :
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
status changed to disconnecting
Jun  6 14:54:14 iPhone configd[32] : network changed
Jun  6 14:54:14 iPhone kernel[0] : SIOCPROTODETACH_IN6: ipsec3 error=6
Jun  6 14:54:14 iPhone configd(IPConfiguration)[32] :
siocprotodetach(pdp_ip0) failed, Resource busy (16)
Jun  6 14:54:14 iPhone nesessionmanager(NetworkExtension)[124] :
NESMIKEv2VPNSession[Wynnychenko VPN:D636E9EF-3B66-4537-93E8-0E3DEC18D7AB]:
status changed to disconnected, last stop reason Plugin initiated
---

If anyone can offer anything to help fix this issue, even just letting me know
that this is a problem that I am experiencing locally and not a problem with the
current iked, I would really appreciate it.

Thank you
Ted



-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Theodore Wynnychenko
Sent: Monday, June 05, 2017 7:16 PM
To: misc@openbsd.org
Subject: Re: Unable to establish ikev2 vpn with ios after update to current -
OpenBSD 6.1 GENERIC.MP#103 amd64

I updated to the most recent snapshot (OpenBSD 6.1 GENERIC.MP#103 amd64).

Unfortunately, while an OpenBSD to OpenBSD ikev2 tunnel works as expected,
attempts to establish a tunnel from ios to OpenBSD fail.

However, the OpenBSD machine appears to believe that the tunnel is up and fine
("sa_state: VALID -> ESTABLISHED"), while the iOS device indicates that no VPN
is up.

There appears to be no change from the snapshot from a couple of days ago, and
this had been working flawlessly through several snapshots over the last year.

Does anyone have any advice on this, and what might have changed?

I see nothing obvious that I need to change in the iked.conf based on my
reading of the current manpage.

Thank you
Ted


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Theodore Wynnychenko
Sent: Sunday, June 04, 2017 8:14 PM
To: misc@openbsd.org
Subject: Unable to estable ikev2 vpn with ios after update to current

Hello

I have been a bit remiss, and have not updated my system in a couple of months.
I have been following current for a year or two, in general, without incident.

Anyway, after updating last night, I am unable to establish an ikev2 vpn with an
ios 10.3.2 device.  An OBSD6.1<->OBSD6.1 ikev2 vpn is working fine.

I am hoping that someone could shove me in a direction.

I have been using iked with iOS for about a year without a problem.

However, after the update, I noticed that all iOS vpn attempts were failing.

Running # iked -dvvv and trying to connect showed:

...
ca_setauth: auth length 510
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
i

Re: Unable to establish ikev2 vpn with ios using current - OpenBSD 6.1 GENERIC.MP#106 amd64 - can anyone help?

2017-06-08 Thread Stuart Henderson
On 2017-06-07, Theodore Wynnychenko wrote:
> I have updated to the last several snapshots as they have come out, but
> continue to be unable to establish a VPN between iOS and OpenBSD.  As the iOS
> device has not been updated recently, the "problem" appears to relate to
> something that changed on the OpenBSD side.
..
> I have been a bit remiss, and have not updated my system in a couple of
> months.  I have been following current for a year or two, in general, without
> incident.
>
> Anyway, after updating last night, I am unable to establish an ikev2 vpn with
> an ios 10.3.2 device.  An OBSD6.1<->OBSD6.1 ikev2 vpn is working fine.

Does 6.1 work to your ios device? (fwiw I do have various ios and windows
devices connecting to 6.1 iked here).

Can you work backwards, updating iked source to earlier dates, building and
testing until you find the commit which broke it?

cd /usr/src
cvs up -D 2017/05/01 -P sbin/iked usr.sbin/ikectl
cd sbin/iked
make obj && make && sudo make install
cd ../../usr.sbin/ikectl
make obj && make && sudo make install
(restart iked/test)

Dates to try

2017/04/28
2017/04/25
2017/04/20
2017/04/15

And before this it's 6.1.
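
The date-based bisection suggested in the reply above, as an added example that is not part of the original thread: it goes slightly beyond the linear list of dates by binary-searching them, which assumes a single regression (every date after the breaking commit fails). The names `build_at`, `bisect_dates`, `ask_user` and the `RUN` variable are hypothetical; the commands and dates are the ones from the reply.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Dates from the reply, oldest first.
DATES="2017/04/15 2017/04/20 2017/04/25 2017/04/28 2017/05/01"

# Rebuild iked and ikectl as of date $1. By default the commands are only
# printed; set RUN=1 to execute them (needs a CVS checkout in /usr/src).
build_at() {
	for step in \
	    "cd /usr/src && cvs up -D $1 -P sbin/iked usr.sbin/ikectl" \
	    "cd /usr/src/sbin/iked && make obj && make && sudo make install" \
	    "cd /usr/src/usr.sbin/ikectl && make obj && make && sudo make install"
	do
		if [ "${RUN:-0}" = 1 ]; then
			sh -c "$step" || return 1
		else
			echo "$step"
		fi
	done
}

# Interactive verdict: build at date $1, then ask whether the iOS client
# connected. Returns 0 for "works", non-zero for "fails".
ask_user() {
	build_at "$1" >&2 || return 1
	printf 'Restart iked and test from iOS. Did %s work? [y/n] ' "$1" >&2
	read -r ans && [ "$ans" = y ]
}

# bisect_dates VERDICT: call VERDICT with candidate dates and print the
# earliest date that fails, or "none" if every date works.
bisect_dates() {
	verdict=$1
	set -- $DATES
	lo=1; hi=$#; first_bad=none
	while [ "$lo" -le "$hi" ]; do
		mid=$(( (lo + hi) / 2 ))
		eval "d=\${$mid}"
		if "$verdict" "$d"; then
			lo=$((mid + 1))
		else
			first_bad=$d; hi=$((mid - 1))
		fi
	done
	echo "$first_bad"
}
# Usage: RUN=1 bisect_dates ask_user
```

If the result is the oldest date in the list, the breaking change lies between 6.1 and that date; the commits to `sbin/iked` between the last working and first failing date are then the ones to read.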