IPSec Setup broken after Update to iOS 10.2 and Mac OS 10.12.2
-
Hi everyone,
my IPSec VPN Setup is broken after this weeks client updates for iOS Devices (10.2) and MacOS (10.12.2). As connections worked flawlessly before I think recent changes coming with the update cause this problem, not the pfSense Setup.
Logs show the following for connection attempts:
Dec 14 12:15:30 charon 11[JOB] <con1|129> deleting half open IKE_SA after timeout
Dec 14 12:15:20 charon 06[IKE] <con1|129> sending keep alive to {deviceip}[9575]
Dec 14 12:15:00 charon 08[NET] <con1|129> sending packet: from {wanip}[4500] to {deviceip}[9575] (236 bytes)
Dec 14 12:15:00 charon 08[NET] <con1|129> sending packet: from {wanip}[4500] to {deviceip}[9575] (540 bytes)
Dec 14 12:15:00 charon 08[NET] <con1|129> sending packet: from {wanip}[4500] to {deviceip}[9575] (540 bytes)
Dec 14 12:15:00 charon 08[NET] <con1|129> sending packet: from {wanip}[4500] to {deviceip}[9575] (540 bytes)
Dec 14 12:15:00 charon 08[ENC] <con1|129> generating IKE_AUTH response 1 [ EF(4/4) ]
Dec 14 12:15:00 charon 08[ENC] <con1|129> generating IKE_AUTH response 1 [ EF(3/4) ]
Dec 14 12:15:00 charon 08[ENC] <con1|129> generating IKE_AUTH response 1 [ EF(2/4) ]
Dec 14 12:15:00 charon 08[ENC] <con1|129> generating IKE_AUTH response 1 [ EF(1/4) ]
Dec 14 12:15:00 charon 08[ENC] <con1|129> splitting IKE message with length of 1624 bytes into 4 fragments
Dec 14 12:15:00 charon 08[ENC] <con1|129> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 14 12:15:00 charon 08[IKE] <con1|129> sending end entity cert "C=DE, ST=City, L=City, O={org}, E={email}, CN={host.fqdn}"
Dec 14 12:15:00 charon 08[IKE] <con1|129> authentication of '{host.fqdn}' (myself) with RSA signature successful
Dec 14 12:15:00 charon 08[IKE] <con1|129> peer supports MOBIKE
Dec 14 12:15:00 charon 08[IKE] <con1|129> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 14 12:15:00 charon 08[IKE] <con1|129> initiating EAP_IDENTITY method (id 0x00)
Dec 14 12:15:00 charon 08[CFG] <con1|129> selected peer config 'con1'
Dec 14 12:15:00 charon 08[CFG] <129> looking for peer configs matching {wanip}[{host.fqdn}]...{deviceip}[{vpnuser}]
Dec 14 12:15:00 charon 08[ENC] <129> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 14 12:15:00 charon 08[NET] <129> received packet: from {deviceip}[9575] to {wanip}[4500] (360 bytes)
Dec 14 12:15:00 charon 08[NET] <129> sending packet: from {wanip}[500] to {deviceip}[500] (313 bytes)
Dec 14 12:15:00 charon 08[ENC] <129> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Dec 14 12:15:00 charon 08[IKE] <129> sending cert request for "C=DE, ST=City, L=City, O={org}, E={email}, CN={CA}"
Dec 14 12:15:00 charon 08[IKE] <129> remote host is behind NAT
Dec 14 12:15:00 charon 08[IKE] <129> local host is behind NAT, sending keep alives
Dec 14 12:15:00 charon 08[IKE] <129> {deviceip} is initiating an IKE_SA
Dec 14 12:15:00 charon 08[ENC] <129> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec 14 12:15:00 charon 08[NET] <129> received packet: from {deviceip}[500] to {wanip}[500] (280 bytes)
Anybody else running into this problem after the update?
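The charon lines above show a specific shape: the firewall sends its end entity certificate in the first IKE_AUTH response, the client never sends another IKE_AUTH request, and the half-open SA is deleted after the timeout. The script below is an added example, not part of the original post or of pfSense; it parses charon lines in the pfSense log format, groups them by IKE_SA id and reports how far each exchange got. The sample log, addresses and certificate names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in pfSense IPsec-log order (newest first), modelled on the charon
# lines quoted in the post above; addresses and certificate names are placeholders.
SAMPLE_LOG = """\
Dec 14 12:15:30 charon 11[JOB] <con1|129> deleting half open IKE_SA after timeout
Dec 14 12:15:20 charon 06[IKE] <con1|129> sending keep alive to 198.51.100.7[9575]
Dec 14 12:15:00 charon 08[ENC] <con1|129> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 14 12:15:00 charon 08[IKE] <con1|129> sending end entity cert "C=DE, O=Example, CN=vpn.example.test"
Dec 14 12:15:00 charon 08[ENC] <129> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr ]
Dec 14 12:15:00 charon 08[ENC] <129> generating IKE_SA_INIT response 0 [ SA KE No CERTREQ N(FRAG_SUP) ]
Dec 14 12:15:00 charon 08[ENC] <129> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
"""

# "<date> charon <thread>[<group>] <sa-tag> <message>"; the tag is "<129>" until a
# connection is selected and "<con1|129>" afterwards. Untagged duplicate lines are skipped.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon \d+\[\w+\] "
                     r"(?:<(?:\w+\|)?(?P<sa>\d+)> )?(?P<msg>.*)$")

def parse(text):
    """Yield (sa_id, message) for every charon line that carries an IKE_SA id."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("sa"):
            yield m.group("sa"), m.group("msg")

def diagnose(text, newest_first=True):
    """Say, per IKE_SA, how far the exchange got before the SA was torn down."""
    by_sa = defaultdict(list)
    for sa, msg in parse(text):
        by_sa[sa].append(msg)
    verdicts = {}
    for sa, msgs in by_sa.items():
        if newest_first:
            msgs.reverse()  # evaluate in chronological order
        cert_at = next((i for i, m in enumerate(msgs)
                        if m.startswith("sending end entity cert")), None)
        if not any(m.startswith("generating IKE_SA_INIT response") for m in msgs):
            verdicts[sa] = "no IKE_SA_INIT response: proposal or transport problem"
        elif cert_at is None:
            verdicts[sa] = "IKE_AUTH never answered: look at IKE_SA_INIT and fragmentation"
        elif any(m.startswith("parsed IKE_AUTH request") for m in msgs[cert_at:]):
            verdicts[sa] = "client kept talking after receiving the server certificate"
        elif any("deleting half open IKE_SA" in m for m in msgs):
            verdicts[sa] = ("client went silent after receiving the server certificate: "
                            "client-side trust or identity check failed")
        else:
            verdicts[sa] = "still open or log truncated"
    return verdicts
```

Calling `diagnose(SAMPLE_LOG)` on the constructed log flags SA 129 as a client that went silent after the certificate, which is the case to check on the device rather than in the pfSense configuration.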
-
Seems to be a trust issue. MacOS cancels the connection because the CA isn't trusted anymore. I used the self-signed CA created with pfSense, added it to the keychain and marked it to be trusted (should be working the same when deploying it using a profile on iOS and MacOS devices).
I removed the profile on test devices running the latest iOS and MacOS, added it again, trusted the CA again and IPSec works like it did before the update. As not updating is not an option, I now need to figure out how to solve this without rolling out the profiles to all devices again, but that's a non-pfSense-related issue.
-
I also have the problem that the VPN isn't working anymore on my iOS and MacOS devices.
My pfSense rootCA in my keychain is good because I can log in to my email server, the pfSense configuration and other servers which have a rootCA-signed certificate. Still searching for a solution because your solution does not work in my case. I even signed my mobileconfig profile with a user-generated pfSense certificate.
-
This is from the log on iOS 10.2:
Dec 24 01:40:08 iPhone neagent(NetworkExtension)[632] <error>: ikev2_crypto_copy_remote_certificate_authority_array: failed to retrieve remote CA cert data by CN (xxx.xxx.xxx)
Dec 24 01:40:08 iPhone neagent(NetworkExtension)[632] <error>: Certificate authentication data could not be verified
Dec 24 01:40:08 iPhone neagent(NetworkExtension)[632] <error>: Failed to process IKE Auth (EAP) packet
Dec 24 01:40:08 iPhone neagent(NetworkExtension)[632] <info>: ikev2_callback: Received notification for ikeRef 3189F0 ChildRef 0
Dec 24 01:40:08 iPhone neagent(NetworkExtension)[632] <info>: IKEv2 Plugin: received notif IKE Status: Disconnected
Dec 24 01:40:08 iPhone neagent(NetworkExtension)[632] <info>: ikev2_callback: set status Disconnected
Dec 24 01:40:08 iPhone neagent(NetworkExtension)[632] <info>: Sending status update with status 0 and disconnect error 0
The problem is there is not much info on the internet right now. I guess I have to switch to username/password instead of certificate authorization.
-
Found it!
The VPN always worked without adding the server certificate. Apparently Apple changed something and the client (iOS, MacOS) also needs the remote server (pfSense) certificate.
I added it to the profile and got a working VPN again.
-
I had to replace the certificate chain.

Old CA
Name: smplyCA
CN: smply-ca

New CA
Name: firewall.mydomain.de
CN: firewall.mydomain.de

Old Server Cert:
Issuer: smplyCA
CN: firewall

New Server Cert:
Issuer: firewall.mydomain.de
CN: firewall.mydomain.de

Then I made a mobile config profile with Apple Configurator with both certificates as a payload, removed the old profile, installed the new one, and the VPN works again.