Hi Houman,

Similar to the Windows problem you had earlier, you don't have the correct combination of configured algorithms. Look at the logs:

    May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024

The iPhone expects modp2048, but your configuration says modp1024. Look back at the suggestion we made for Windows and just use the same configuration.

Regards,
Jafar

On 5/10/2018 2:34 PM, Houman wrote:
Hi guys,

Unfortunately, this isn't just limited to Windows; I have the same issue with iPhone. I strongly believe this is because IKEv2 traffic could have been blocked in my user's country. My user had been utilising this server without any issues until last week, when it suddenly stopped working.

Please see the logs; this is when he is trying to connect from an iPhone:

May 10 20:26:45 vpn-server charon: 01[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:45 vpn-server charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:26:45 vpn-server charon: 01[IKE] 91.99.xxx.xx is initiating an IKE_SA
May 10 20:26:45 vpn-server charon: 01[IKE] local host is behind NAT, sending keep alives
May 10 20:26:45 vpn-server charon: 01[IKE] remote host is behind NAT
May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:45 vpn-server charon: 01[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)
May 10 20:26:48 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:48 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:26:48 vpn-server charon: 12[IKE] 91.99.xxx.xx is initiating an IKE_SA
May 10 20:26:48 vpn-server charon: 12[IKE] local host is behind NAT, sending keep alives
May 10 20:26:48 vpn-server charon: 12[IKE] remote host is behind NAT
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:48 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)


And this is when I try to connect from my iPhone:


May 10 20:10:25 vpn-server systemd[1]: Starting Cleanup of Temporary Directories...
May 10 20:10:25 vpn-server systemd-tmpfiles[2631]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
May 10 20:10:25 vpn-server systemd[1]: Started Cleanup of Temporary Directories.
May 10 20:10:57 vpn-server charon: 06[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:10:57 vpn-server charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:10:57 vpn-server charon: 06[IKE] 88.98.xxx.xxx is initiating an IKE_SA
May 10 20:10:57 vpn-server charon: 06[IKE] local host is behind NAT, sending keep alives
May 10 20:10:57 vpn-server charon: 06[IKE] remote host is behind NAT
May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 06[NET] sending packet: from 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (38 bytes)
May 10 20:10:57 vpn-server charon: 05[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (476 bytes)
May 10 20:10:57 vpn-server charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:10:57 vpn-server charon: 05[IKE] 88.98.xxx.xxx is initiating an IKE_SA
May 10 20:10:57 vpn-server charon: 05[IKE] local host is behind NAT, sending keep alives
May 10 20:10:57 vpn-server charon: 05[IKE] remote host is behind NAT
May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 10 20:10:57 vpn-server charon: 05[NET] sending packet: from 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (316 bytes)
May 10 20:10:58 vpn-server charon: 04[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (500 bytes)
May 10 20:10:58 vpn-server charon: 04[ENC] unknown attribute type (25)
May 10 20:10:58 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 10 20:10:58 vpn-server charon: 04[CFG] looking for peer configs matching 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
May 10 20:10:58 vpn-server charon: 04[CFG] selected peer config 'roadwarrior'
May 10 20:10:58 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)
May 10 20:10:58 vpn-server charon: 04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 10 20:10:58 vpn-server charon: 04[IKE] peer supports MOBIKE
May 10 20:10:58 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com' (myself) with RSA signature successful
May 10 20:10:58 vpn-server charon: 04[IKE] sending end entity cert "CN=vpn1.xxx.com"
May 10 20:10:58 vpn-server charon: 04[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
May 10 20:10:58 vpn-server charon: 04[ENC] splitting IKE message with length of 3596 bytes into 8 fragments
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(1/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(2/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(3/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(4/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(5/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(6/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(7/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(8/8) ]
May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)
May 10 20:10:58 vpn-server charon: message repeated 6 times: [ 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)]
May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (192 bytes)
May 10 20:10:58 vpn-server charon: 03[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (76 bytes)
May 10 20:10:58 vpn-server charon: 03[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 10 20:10:58 vpn-server charon: 03[IKE] received EAP identity 'houmie'
May 10 20:10:58 vpn-server charon: 03[IKE] initiating EAP_MSCHAPV2 method (id 0xAE)
May 10 20:10:58 vpn-server charon: 03[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 03[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (100 bytes)
May 10 20:10:58 vpn-server charon: 02[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (124 bytes)
May 10 20:10:58 vpn-server charon: 02[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 02[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (132 bytes)
May 10 20:10:58 vpn-server charon: 01[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (68 bytes)
May 10 20:10:58 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May 10 20:10:58 vpn-server charon: 01[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May 10 20:10:58 vpn-server charon: 01[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (68 bytes)
May 10 20:10:58 vpn-server charon: 12[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (84 bytes)
May 10 20:10:58 vpn-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com' with EAP successful
May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com' (myself) with EAP
May 10 20:10:58 vpn-server charon: 12[IKE] IKE_SA roadwarrior[2] established between 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any
May 10 20:10:58 vpn-server charon: 12[CFG] assigning new lease to 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] assigning virtual IP 10.10.10.1 to peer 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any6
May 10 20:10:58 vpn-server charon: 12[IKE] no virtual IP found for %any6 requested by 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] CHILD_SA roadwarrior{1} established with SPIs c0b075ce_i 0789b8c0_o and TS 0.0.0.0/0 === 10.10.10.1/32
May 10 20:10:58 vpn-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
May 10 20:10:58 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (228 bytes)


The config that is working for my iPhone is this:

config setup
  strictcrlpolicy=yes
  uniqueids=never

conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
  esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@vpn1.xxx.com
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  rightsendcert=never


Please let me know if you see any obvious problem. But I strongly believe they have blocked the IKEv2 traffic...

Many Thanks,
Houman



On 9 May 2018 at 15:40, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:

    Hi Tobias,

        Thanks for the correction. What I meant to say is:

            The PRF algorithm is derived from the integrity algorithm, but
            only if a DH group is also configured.

        Correct?

    Regards,
    Jafar


    On 5/9/2018 2:21 AM, Tobias Brunner wrote:

        Hi Jafar,

            No need to configure a prf, it is already assumed when you
            configured a DH group; so you can drop prfsha256.

        Small correction, the PRF algorithm, if not configured explicitly, is
        not derived from the DH group, but the integrity algorithm, in this
        case sha256.

        Regards,
        Tobias
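Added example, not part of the list thread above and not strongSwan project code. It does the two checks a practitioner would want after reading Jafar's diagnosis: it parses an ipsec.conf ike= line to see which DH groups the server will accept (Houman's line, and a copy with a modp2048 proposal added, which is my assumed fix rather than the Windows suggestion referred to but not quoted on this page), and it scans charon log lines for the INVAL_KE pattern to tell, per peer, whether the client ever retried with the group the server asked for. The proposal parser assumes the plain "enc-integ-dh,..." syntax with a trailing "!" for strict mode and that every proposal names its DH group. The sample log is taken from the lines quoted in the thread, shortened, with the addresses left redacted as on the page.

```python
"""Check a strongSwan ike= proposal string against the DH group a peer offered,
and find INVAL_KE round trips in charon log output.  Added example, not code
from the thread or from strongSwan."""
import re

# ipsec.conf proposal keyword -> the name charon prints in its log.
DH_GROUPS = {
    "modp1024": "MODP_1024", "modp1536": "MODP_1536", "modp2048": "MODP_2048",
    "modp3072": "MODP_3072", "modp4096": "MODP_4096",
    "ecp256": "ECP_256", "ecp384": "ECP_384", "ecp521": "ECP_521",
    "curve25519": "CURVE_25519",
}

# Houman's ike= line from the thread, and the same line with a modp2048
# proposal added (my assumed fix, consistent with the INVAL_KE in the log;
# Jafar's exact Windows suggestion is not quoted on this page).
CURRENT_IKE = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!"
FIXED_IKE = ("aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,"
             "aes256-sha256-modp2048,aes256-3des-sha1-modp1024!")

# Only IKE_SA_INIT traffic (UDP 500) matters for the DH group negotiation.
LOG_RECV = re.compile(r"charon: (\d+)\[NET\] received packet: from (\S+)\[\d+\] "
                      r"to \S+\[500\] \((\d+) bytes\)")
LOG_INVAL = re.compile(r"charon: (\d+)\[IKE\] DH group (\S+) inacceptable, requesting (\S+)")
LOG_OK = re.compile(r"charon: (\d+)\[ENC\] generating IKE_SA_INIT response 0 \[ SA KE")


def dh_groups_in_proposal(ike):
    """Return (set of DH groups in charon's log spelling, strict flag) for an ike= string."""
    ike = ike.strip()
    strict = ike.endswith("!")
    groups = set()
    for proposal in ike.rstrip("!").split(","):
        for token in proposal.split("-"):
            name = DH_GROUPS.get(token.strip().lower())
            if name:
                groups.add(name)
    return groups, strict


def accepts_dh_group(ike, group):
    """True if at least one configured IKE proposal carries `group` (log spelling)."""
    return group in dh_groups_in_proposal(ike)[0]


def scan_charon_log(lines):
    """One record per IKE_SA_INIT request received on UDP 500, matched to the
    INVAL_KE or SA/KE response that the same worker thread generated for it."""
    attempts = []
    for line in lines:
        m = LOG_RECV.search(line)
        if m:
            attempts.append({"thread": m.group(1), "peer": m.group(2),
                             "bytes": int(m.group(3)), "offered": None,
                             "requested": None, "accepted": False})
            continue
        if not attempts:
            continue
        last = attempts[-1]
        m = LOG_INVAL.search(line)
        if m and m.group(1) == last["thread"]:
            last["offered"], last["requested"] = m.group(2), m.group(3)
            continue
        m = LOG_OK.search(line)
        if m and m.group(1) == last["thread"]:
            last["accepted"] = True
    return attempts


def diagnose(attempts):
    """Per peer address: number of INVAL_KE rejections, the groups it offered
    and was asked for, and whether any IKE_SA_INIT from it was accepted."""
    report = {}
    for a in attempts:
        p = report.setdefault(a["peer"], {"rejections": 0, "offered": set(),
                                          "requested": set(), "init_accepted": False})
        if a["offered"]:
            p["rejections"] += 1
            p["offered"].add(a["offered"])
            p["requested"].add(a["requested"])
        if a["accepted"]:
            p["init_accepted"] = True
    return report


# Shortened copies of the log lines quoted in the thread; addresses redacted as on the page.
SAMPLE_LOG = """\
May 10 20:26:45 vpn-server charon: 01[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:48 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 06[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 05[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (476 bytes)
May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
"""

if __name__ == "__main__":
    print("current ike= accepts MODP_2048:", accepts_dh_group(CURRENT_IKE, "MODP_2048"))
    print("fixed   ike= accepts MODP_2048:", accepts_dh_group(FIXED_IKE, "MODP_2048"))
    for peer, info in diagnose(scan_charon_log(SAMPLE_LOG.splitlines())).items():
        print(peer, info)
```

The report makes the difference between the two phones visible: the remote user's phone (91.99.xxx.xx) sends the same 604-byte IKE_SA_INIT twice and is rejected twice, while Houman's own phone (88.98.xxx.xxx) comes back with a 476-byte request, 128 bytes smaller, which is exactly the size difference between a MODP_2048 and a MODP_1024 KE payload, and that one is accepted. A client that does not honour the INVAL_KE hint can only be helped from the server side, by listing the group it offers in ike=, which is what the FIXED_IKE line does. Note that the config on the page sets the proposals strict with "!", so a group that is not listed is never accepted.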



