On Sat, Feb 19, 2022 at 12:28:15AM -0600, rea...@catastrophe.net wrote:
> IKE is failing when I connect using a simple password defined in
> /etc/iked.conf. I'm connecting from a native Mac client...is
> mschap-v2 on MacOS broken or are my configs wrong? Thanks in advance.
>
> Working configuration and logs:
>
> /etc/iked.conf - works with psk
> ################################
> ikev2 "ROAD_WARRIOR" esp \
>     from 0.0.0.0/0 to 10.1.255.0/24 \
>     peer any local vpn.company.com \
>     srcid vpn.company.com \
>     dstid mac-laptop \
>     psk "ASDFASDFASDFASDF"
>     config address 10.1.255.0/24 \
>     config name-server 10.1.255.1 \
>     tag "$name-$id"
>
> spi=0x1d5c3d767b281592: recv IKE_SA_INIT req 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
> spi=0x1d5c3d767b281592: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
> spi=0x1d5c3d767b281592: ikev2_resp_recv: failed to negotiate IKE SA
> spi=0x1d5c3d767b281592: ikev2_add_error: INVALID_KE_PAYLOAD
> spi=0x1d5c3d767b281592: send IKE_SA_INIT res 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 38 bytes
> spi=0x1d5c3d767b281592: recv IKE_SA_INIT req 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
> spi=0x1d5c3d767b281592: send IKE_SA_INIT res 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 240 bytes
> spi=0x1d5c3d767b281592: recv IKE_AUTH req 1 peer 172.20.20.11:56756 local 192.168.110.50:4500, 560 bytes, policy 'ROAD_WARRIOR'
> spi=0x1d5c3d767b281592: assigned address 10.1.255.179 to FQDN/mac-laptop
> spi=0x1d5c3d767b281592: send IKE_AUTH res 1 peer 172.20.20.11:56756 local 192.168.110.50:4500, 272 bytes, NAT-T
> spi=0x1d5c3d767b281592: ikev2_childsa_enable: loaded SPIs: 0xa60629d5, 0x016966b2 (enc aes-256 auth hmac-sha2-256)
> spi=0x1d5c3d767b281592: ikev2_childsa_enable: loaded flows: ESP-0.0.0.0/0=10.1.255.0/24(0)
> spi=0x1d5c3d767b281592: established peer 172.20.20.11:56756[FQDN/mac-laptop] local 192.168.110.50:4500[FQDN/vpn.company.com] assigned 10.1.255.179 policy 'ROAD_WARRIOR' as responder (enc aes-256 auth hmac-sha2-256 group ecp256 prf hmac-sha2-256)
>
> /etc/iked.conf - fails with username/password
> ##############################################
> user "testuser" "testpassword"
> ikev2 "ROAD_WARRIOR" esp \
>     from 0.0.0.0/0 to 10.1.255.0/24 \
>     peer any local vpn.company.com \
>     srcid vpn.company.com \
>     dstid mac-laptop \
>     eap "mschap-v2" \
>     config address 10.1.255.0/24 \
>     config name-server 10.1.255.1 \
>     tag "$name-$id"
>
> starting the daemon......
>
> # iked -d -v
> ikev2 "ROAD_WARRIOR" passive tunnel esp inet from 0.0.0.0/0 to 10.1.255.0/24 local 192.168.110.50 peer any ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid vpn.company.com dstid mac-laptop lifetime 10800 bytes 4294967296 eap "MSCHAP_V2" config address 10.1.255.0 config name-server 10.1.255.1 tag "$name-$id"
> user "testuser" "testpassword"
>
> [..]
>
> spi=0x5a37ce60a7490c70: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
> spi=0x5a37ce60a7490c70: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
> spi=0x5a37ce60a7490c70: ikev2_resp_recv: failed to negotiate IKE SA
> spi=0x5a37ce60a7490c70: ikev2_add_error: INVALID_KE_PAYLOAD
> spi=0x5a37ce60a7490c70: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 38 bytes
> spi=0x5a37ce60a7490c70: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
> spi=0x5a37ce60a7490c70: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 265 bytes
> spi=0x5a37ce60a7490c70: recv IKE_AUTH req 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 512 bytes, policy 'ROAD_WARRIOR'
> spi=0x5a37ce60a7490c70: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
> spi=0x5a37ce60a7490c70: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
> spi=0x92b7ead070f25c61: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
> spi=0x92b7ead070f25c61: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
> spi=0x92b7ead070f25c61: ikev2_resp_recv: failed to negotiate IKE SA
> spi=0x92b7ead070f25c61: ikev2_add_error: INVALID_KE_PAYLOAD
> spi=0x92b7ead070f25c61: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 38 bytes
> spi=0x92b7ead070f25c61: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
> spi=0x92b7ead070f25c61: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 265 bytes
> spi=0x92b7ead070f25c61: recv IKE_AUTH req 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 512 bytes, policy 'ROAD_WARRIOR'
> spi=0x92b7ead070f25c61: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
> spi=0x92b7ead070f25c61: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
>
Hard to tell what's going wrong here. Looks like the Mac ignores the IKE_AUTH response and restarts the handshake. I haven't seen any other reports about problems with the Mac implementation and I don't have one to test. You could try enabling verbose logging with 'iked -dvvv' or 'ikectl log verbose' and see if that gives us any clues.
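The reply's diagnosis (the client answers the IKE_AUTH response by opening a fresh IKE SA rather than continuing EAP on the old one) can be checked mechanically over the iked output. The following is an added example, not code from the thread or from OpenBSD's iked: it groups log lines by their spi= prefix, records which milestones each IKE SA reached, and reports SAs that received an IKE_AUTH response but never logged "established", plus same-peer SAs that were opened right after such a stall. The sample log is the thread's own output with the mailer's line wrapping rejoined and a few repeated lines dropped; the INVALID_KE_PAYLOAD round trip is treated as the normal group renegotiation it is (both the working and the failing run show it), so it is recorded but not flagged.

```python
import re
from collections import OrderedDict

# Log lines taken from the thread above (wrapped lines rejoined, some repeats omitted).
# First SA: the working PSK run. Second and third SA: the failing EAP run.
SAMPLE_LOG = """\
spi=0x1d5c3d767b281592: recv IKE_SA_INIT req 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
spi=0x1d5c3d767b281592: ikev2_sa_responder_dh: want dh ECP_256, KE has MODP_2048
spi=0x1d5c3d767b281592: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0x1d5c3d767b281592: send IKE_SA_INIT res 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 38 bytes
spi=0x1d5c3d767b281592: recv IKE_SA_INIT req 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
spi=0x1d5c3d767b281592: send IKE_SA_INIT res 0 peer 172.20.20.11:53784 local 192.168.110.50:500, 240 bytes
spi=0x1d5c3d767b281592: recv IKE_AUTH req 1 peer 172.20.20.11:56756 local 192.168.110.50:4500, 560 bytes, policy 'ROAD_WARRIOR'
spi=0x1d5c3d767b281592: send IKE_AUTH res 1 peer 172.20.20.11:56756 local 192.168.110.50:4500, 272 bytes, NAT-T
spi=0x1d5c3d767b281592: established peer 172.20.20.11:56756[FQDN/mac-laptop] local 192.168.110.50:4500[FQDN/vpn.company.com] assigned 10.1.255.179 policy 'ROAD_WARRIOR' as responder (enc aes-256 auth hmac-sha2-256 group ecp256 prf hmac-sha2-256)
spi=0x5a37ce60a7490c70: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
spi=0x5a37ce60a7490c70: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0x5a37ce60a7490c70: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 38 bytes
spi=0x5a37ce60a7490c70: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 412 bytes, policy 'ROAD_WARRIOR'
spi=0x5a37ce60a7490c70: send IKE_SA_INIT res 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 265 bytes
spi=0x5a37ce60a7490c70: recv IKE_AUTH req 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 512 bytes, policy 'ROAD_WARRIOR'
spi=0x5a37ce60a7490c70: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
spi=0x5a37ce60a7490c70: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
spi=0x92b7ead070f25c61: recv IKE_SA_INIT req 0 peer 172.20.20.11:64235 local 192.168.110.50:500, 604 bytes, policy 'ROAD_WARRIOR'
spi=0x92b7ead070f25c61: ikev2_add_error: INVALID_KE_PAYLOAD
spi=0x92b7ead070f25c61: recv IKE_AUTH req 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 512 bytes, policy 'ROAD_WARRIOR'
spi=0x92b7ead070f25c61: ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
spi=0x92b7ead070f25c61: send IKE_AUTH res 1 peer 172.20.20.11:58037 local 192.168.110.50:4500, 1472 bytes, NAT-T
"""

LINE_RE = re.compile(r"^spi=(?P<spi>0x[0-9a-f]+): (?P<msg>.*)$")
EXCH_RE = re.compile(
    r"^(?P<dir>recv|send) (?P<exch>IKE_SA_INIT|IKE_AUTH) (?P<kind>req|res) \d+ "
    r"peer (?P<peer>[\d.]+):\d+ ")
EST_RE = re.compile(r"^established peer (?P<peer>[\d.]+):")


def parse_sas(log_text):
    """Group iked log lines by IKE SA (the spi= prefix) and record the
    milestones each SA reached. Lines without an spi= prefix (e.g. the
    config dump printed at startup) are ignored."""
    sas = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        spi, msg = m.group("spi"), m.group("msg")
        sa = sas.setdefault(spi, {
            "peer": None, "ke_retry": False, "auth_res_sent": False,
            "eap": False, "established": False, "last_exchange": None})
        e = EXCH_RE.match(msg)
        if e:
            sa["peer"] = e.group("peer")
            sa["last_exchange"] = f"{e.group('dir')} {e.group('exch')} {e.group('kind')}"
            if (e.group("dir"), e.group("exch"), e.group("kind")) == ("send", "IKE_AUTH", "res"):
                sa["auth_res_sent"] = True
        elif "INVALID_KE_PAYLOAD" in msg:
            # Normal: the client's first KE group was not the responder's
            # preference and it retries IKE_SA_INIT with the requested group.
            sa["ke_retry"] = True
        elif msg.startswith("ikev2_pld_eap:"):
            sa["eap"] = True
        else:
            est = EST_RE.match(msg)
            if est:
                sa["established"] = True
                sa["peer"] = est.group("peer")
    return sas


def stalled_after_auth(sas):
    """SPIs where iked sent an IKE_AUTH response but never logged 'established'."""
    return [spi for spi, sa in sas.items()
            if sa["auth_res_sent"] and not sa["established"]]


def handshake_restarts(sas):
    """Pairs (stalled_spi, new_spi): the same peer address opened a fresh IKE SA
    after a stalled one instead of continuing the exchange on the old SA."""
    restarts = []
    stalled = set(stalled_after_auth(sas))
    pending = {}  # peer address -> most recent stalled SPI not yet paired
    for spi, sa in sas.items():
        old = pending.pop(sa["peer"], None)
        if old is not None:
            restarts.append((old, spi))
        if spi in stalled:
            pending[sa["peer"]] = spi
    return restarts


if __name__ == "__main__":
    sas = parse_sas(SAMPLE_LOG)
    for spi, sa in sas.items():
        print(spi, sa)
    print("stalled after IKE_AUTH:", stalled_after_auth(sas))
    print("handshake restarts:", handshake_restarts(sas))
```

Run against a full `iked -dvvv` capture the same way (read the file into `parse_sas`); a non-empty `handshake_restarts` result with `eap` set on the stalled SAs is the signature the reply describes, whereas a run like the PSK one shows the same KE retry but ends in `established`.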