IKE is failing when I connect using a simple password defined in /etc/iked.conf. I'm connecting from a native Mac client...is mschap-v2 on MacOS broken or are my configs wrong? Thanks in advance.
Working configuration and logs:

/etc/iked.conf - works with psk
################################

ikev2 "ROAD_WARRIOR" esp \
        from 0.0.0.0/0 to 10.1.255.0/24 \
        peer any local vpn.company.com \
        srcid vpn.company.com \
        dstid mac-laptop \
        psk "ASDFASDFASDFASDF" config address 10.1.255.0/24 \
        config name-server 10.1.255.1 \
        tag "$name-$id"

spi=0x1d5c3d767b281592: recv IKE_SA_INIT req 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
spi=0x1d5c3d767b281592: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
spi=0x1d5c3d767b281592: ikev2_resp_recv: failed to negotiate IKE SA
spi=0x1d5c3d767b281592: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0x1d5c3d767b281592: send IKE_SA_INIT res 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 38 bytes
spi=0x1d5c3d767b281592: recv IKE_SA_INIT req 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
spi=0x1d5c3d767b281592: send IKE_SA_INIT res 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 240 bytes
spi=0x1d5c3d767b281592: recv IKE_AUTH req 1 peer 172.20.20.11:56756 local 192.168.110.50:4500, 560 bytes, policy 'ROAD_WARRIOR'
spi=0x1d5c3d767b281592: assigned address 10.1.255.179 to FQDN/mac-laptop
spi=0x1d5c3d767b281592: send IKE_AUTH res 1 peer 172.20.20.11:56756 local 192.168.110.50:4500, 272 bytes, NAT-T
spi=0x1d5c3d767b281592: ikev2_childsa_enable: loaded SPIs: 0xa60629d5, 0x016966b2 (enc aes-256 auth hmac-sha2-256)
spi=0x1d5c3d767b281592: ikev2_childsa_enable: loaded flows: ESP-0.0.0.0/0=10.1.255.0/24(0)
spi=0x1d5c3d767b281592: established peer 172.20.20.11:56756[FQDN/mac-laptop] local 192.168.110.50:4500[FQDN/vpn.company.com] assigned 10.1.255.179 policy 'ROAD_WARRIOR' as responder (enc aes-256 auth hmac-sha2-256 group ecp256 prf hmac-sha2-256)

/etc/iked.conf - fails with username/password
##############################################

user "testuser" "testpassword"

ikev2 "ROAD_WARRIOR" esp \
        from 0.0.0.0/0 to 10.1.255.0/24 \
        peer any local vpn.company.com \
        srcid vpn.company.com \
        dstid mac-laptop \
        eap "mschap-v2" \
        config address 10.1.255.0/24 \
        config name-server 10.1.255.1 \
        tag "$name-$id"

starting the daemon......

# iked -d -v
ikev2 "ROAD_WARRIOR" passive tunnel esp inet from 0.0.0.0/0 to 10.1.255.0/24 local 192.168.110.50 peer any ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid vpn.company.com dstid mac-laptop lifetime 10800 bytes 4294967296 eap "MSCHAP_V2" config address 10.1.255.0 config name-server 10.1.255.1 tag "$name-$id"
user "testuser" "testpassword"
[..]
spi=0x5a37ce60a7490c70: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
spi=0x5a37ce60a7490c70: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
spi=0x5a37ce60a7490c70: ikev2_resp_recv: failed to negotiate IKE SA
spi=0x5a37ce60a7490c70: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0x5a37ce60a7490c70: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 38 bytes
spi=0x5a37ce60a7490c70: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
spi=0x5a37ce60a7490c70: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 265 bytes
spi=0x5a37ce60a7490c70: recv IKE_AUTH req 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 512 bytes, policy 'ROAD_WARRIOR'
spi=0x5a37ce60a7490c70: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
spi=0x5a37ce60a7490c70: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
spi=0x92b7ead070f25c61: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
spi=0x92b7ead070f25c61: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
spi=0x92b7ead070f25c61: ikev2_resp_recv: failed to negotiate IKE SA
spi=0x92b7ead070f25c61: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0x92b7ead070f25c61: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 38 bytes
spi=0x92b7ead070f25c61: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
spi=0x92b7ead070f25c61: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 265 bytes
spi=0x92b7ead070f25c61: recv IKE_AUTH req 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 512 bytes, policy 'ROAD_WARRIOR'
spi=0x92b7ead070f25c61: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
spi=0x92b7ead070f25c61: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
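As an added triage example (not part of the post), a small Python parser over iked -dv lines like the ones above: it groups events per SPI, flags SAs where the responder sent an EAP request that never got a response (what both failing runs show: after the 1472-byte IKE_AUTH reply the client simply starts a fresh IKE_SA_INIT), and checks that the INVALID_KE_PAYLOAD retry also appears in the run that established, so the DH group mismatch is a normal client retry rather than the cause. The format of an `ikev2_pld_eap: RESPONSE` line is assumed to mirror the REQUEST line; the sample log is constructed from the post's excerpt.

```python
import re
# Constructed excerpt of the iked -dv lines in the post: two stalled EAP attempts, one PSK run.
SAMPLE_LOG = """\
spi=0x5a37ce60a7490c70: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
spi=0x5a37ce60a7490c70: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
spi=0x92b7ead070f25c61: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
spi=0x92b7ead070f25c61: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
spi=0x1d5c3d767b281592: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0x1d5c3d767b281592: established peer 172.20.20.11:56756[FQDN/mac-laptop] local 192.168.110.50:4500[FQDN/vpn.company.com] assigned 10.1.255.179 policy 'ROAD_WARRIOR' as responder (enc aes-256 auth hmac-sha2-256 group ecp256 prf hmac-sha2-256)
"""

LINE_RE = re.compile(r"^spi=(0x[0-9a-f]+): (.*)$")
PEER_RE = re.compile(r"peer (\d+\.\d+\.\d+\.\d+):\d+")

def parse_sas(log):
    """Group lines by IKE SA (SPI) and count the events that matter for triage."""
    sas = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        spi, msg = m.groups()
        st = sas.setdefault(spi, {"peer": None, "invalid_ke": 0, "eap_req": 0,
                                  "eap_resp": 0, "established": False})
        if st["peer"] is None and (pm := PEER_RE.search(msg)):
            st["peer"] = pm.group(1)
        if "INVALID_KE_PAYLOAD" in msg:
            st["invalid_ke"] += 1
        elif "ikev2_pld_eap: REQUEST" in msg:
            st["eap_req"] += 1
        elif "ikev2_pld_eap: RESPONSE" in msg:  # assumed to mirror the REQUEST format
            st["eap_resp"] += 1
        elif msg.startswith("established "):
            st["established"] = True
    return sas

def classify(st):
    """'established', 'eap-stalled' (EAP request sent, no reply) or 'incomplete'."""
    if st["established"]:
        return "established"
    return "eap-stalled" if st["eap_req"] and not st["eap_resp"] else "incomplete"

def stalled_peers(log, min_attempts=2):
    """Peers stalled at EAP >= min_attempts times, and whether INVALID_KE_PAYLOAD
    also occurred on an SA that established (if so, that retry is benign)."""
    counts, benign_ke = {}, False
    for st in parse_sas(log).values():
        benign_ke |= bool(st["invalid_ke"] and st["established"])
        if classify(st) == "eap-stalled":
            counts[st["peer"]] = counts.get(st["peer"], 0) + 1
    return {p: n for p, n in counts.items() if n >= min_attempts}, benign_ke
```

Run it over a real `iked -dv` capture by replacing `SAMPLE_LOG`; a peer that keeps landing in `eap-stalled` points at the client side of the EAP exchange (identity or server-certificate handling), not at the proposal negotiation.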