iPhone ipsec mutual psk vs mutual psk + xauth problems



  • I've got ipsec working with mutual psk – but once I enable mutual psk+xauth, it no longer works.

    There are some odd things about this config that also have me confused.  When I configure for mutual psk, there is no box to enter a mutual psk into -- only when I configure psk+xauth does it allow me to enter a psk.  I think this might only be a UI problem, because I think a PSK is being passed in the .mobileconfig file -- and I think it's the one I configured for mutual psk + xauth.

    What is also odd is I cannot seem to get ALL traffic to go through ipsec.  If I connect via my phone, turn off wifi, and traceroute to google, it does not appear to go through the ipsec path.  Probably unrelated, and maybe for another thread ...

    The config that works:

    <ipsec>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>system</group_source>
        <pool_address>10.11.11.0</pool_address>
        <pool_netbits>24</pool_netbits>
        <save_passwd></save_passwd>
        <dns_domain>vpn.example.net</dns_domain>
        <dns_server1>10.13.54.1</dns_server1>
      </client>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
        <protocol>inet</protocol>
        <myid_type>dyn_dns</myid_type>
        <myid_data>home.example.net</myid_data>
        <peerid_type>fqdn</peerid_type>
        <peerid_data>examplevpn</peerid_data>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>20</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>sadfasdfasdfasf</pre-shared-key>
        <private-key></private-key>
        <caref></caref>
        <authentication_method>pre_shared_key</authentication_method>
        <nat_traversal>on</nat_traversal>
        <mobike>on</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>52354345234</uniqid>
        <mode>tunnel</mode>
        <reqid>1</reqid>
        <localid>
          <type>lan</type>
        </localid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>20</pfsgroup>
        <lifetime>3600</lifetime>
      </phase2>
      <logging>
        <dmn>1</dmn>
        <mgr>1</mgr>
        <ike>1</ike>
        <chd>1</chd>
        <job>1</job>
        <cfg>1</cfg>
        <knl>1</knl>
        <net>1</net>
        <asn>1</asn>
        <enc>1</enc>
        <imc>1</imc>
        <imv>1</imv>
        <pts>1</pts>
        <tls>1</tls>
        <esp>1</esp>
        <lib>1</lib>
      </logging>
      <uniqueids>yes</uniqueids>
    </ipsec>


    When changing to + xauth, the config file only differs in this:

    
    <               <authentication_method>pre_shared_key</authentication_method>
    ---
    >               <authentication_method>xauth_psk_server</authentication_method>
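Review bot: this change puts `xauth_psk_server` on a Phase 1 whose `<iketype>` is `ikev2`, and XAuth is an IKEv1 extension, not part of IKEv2. The `<pre-shared-key>` element is untouched by the diff, so the tunnel is still keyed by that secret either way; what breaks is the second round. The charon log below shows exactly that: the PSK round completes ("authentication of 'examplevpn' with pre-shared key successful") and con1 is then rejected with "insufficient authentication rounds", because the server-side config now expects a further authentication round the IKEv2 client never performs. Keep `pre_shared_key` for an IKEv2 mobile client, or use an EAP method if a per-user credential is wanted on top of the PSK.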
    
    

    When using +xauth, the log file says…

    
    Sep 9 19:30:23	charon		10[NET] <bypasslan|8> sending packet: from 77.77.77.235[4500] to 10.99.99.110[4500] (80 bytes)
    Sep 9 19:30:23	charon		10[ENC] <bypasslan|8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Sep 9 19:30:23	charon		10[IKE] <bypasslan|8> peer supports MOBIKE
    Sep 9 19:30:23	charon		10[IKE] <bypasslan|8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Sep 9 19:30:23	charon		10[CFG] <bypasslan|8> no alternative config found
    Sep 9 19:30:23	charon		10[CFG] <bypasslan|8> selected peer config 'bypasslan' inacceptable: constraint checking failed
    Sep 9 19:30:23	charon		10[CFG] <bypasslan|8> constraint requires public key authentication, but pre-shared key was used
    Sep 9 19:30:23	charon		10[CFG] <con1|8> switching to peer config 'bypasslan'
    Sep 9 19:30:23	charon		10[CFG] <con1|8> selected peer config 'con1' inacceptable: insufficient authentication rounds
    Sep 9 19:30:23	charon		10[IKE] <con1|8> authentication of 'examplevpn' with pre-shared key successful
    Sep 9 19:30:23	charon		10[CFG] <con1|8> selected peer config 'con1'
    Sep 9 19:30:23	charon		10[CFG] <8> looking for peer configs matching 77.77.77.235[home.example.net]...10.99.99.110[examplevpn]
    Sep 9 19:30:23	charon		10[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Sep 9 19:30:23	charon		10[ENC] <8> unknown attribute type (25)
    Sep 9 19:30:23	charon		10[NET] <8> received packet: from 10.99.99.110[4500] to 77.77.77.235[4500] (400 bytes)
    Sep 9 19:30:23	charon		10[NET] <8> sending packet: from 77.77.77.235[500] to 10.99.99.110[500] (288 bytes)
    Sep 9 19:30:23	charon		10[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
    Sep 9 19:30:23	charon		10[IKE] <8> 10.99.99.110 is initiating an IKE_SA
    Sep 9 19:30:23	charon		10[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Sep 9 19:30:23	charon		10[NET] <8> received packet: from 10.99.99.110[500] to 77.77.77.235[500] (272 bytes)
    Sep 9 19:29:52	charon		10[CFG] <con1|7> lease 10.11.11.1 by 'examplevpn' went offline
    Sep 9 19:29:52	charon		10[NET] <con1|7> sending packet: from 77.77.77.235[4500] to 10.99.99.110[4500] (80 bytes)
    Sep 9 19:29:52	charon		10[ENC] <con1|7> generating INFORMATIONAL response 46 [ ]
    Sep 9 19:29:52	charon		10[IKE] <con1|7> IKE_SA deleted
    Sep 9 19:29:52	charon		10[IKE] <con1|7> deleting IKE_SA con1[7] between 77.77.77.235[home.example.net]...10.99.99.110[examplevpn]
    Sep 9 19:29:52	charon		10[IKE] <con1|7> received DELETE for IKE_SA con1[7]
    Sep 9 19:29:52	charon		10[ENC] <con1|7> parsed INFORMATIONAL request 46 [ D ]
    Sep 9 19:29:52	charon		10[NET] <con1|7> received packet: from 10.99.99.110[4500] to 77.77.77.235[4500] (80 bytes)
    

    I'm ok with not using + xauth in my environment – it's just home.  But... I'm concerned with the PSK that isn't asked for in the GUI config.  What's up with that?  I am really using a shared secret, right, and not wide open?

    And why can't I force all traffic through the vpn even though I have "Provide a list of accessible networks to clients" UNchecked?
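A small check script for the two questions in the post (is a PSK really configured, and why does charon reject the "+ xauth" Phase 1 on IKEv2). This is added example code written for this thread, not pfSense's or strongSwan's own tooling; it assumes the `<ipsec><phase1>` element names shown in the posted config, and the sample config and log lines are constructed from the post's values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Phase 1 fields from the post that matter here,
# with authentication_method set to the "+ xauth" value that broke the tunnel.
SAMPLE_CONFIG = """<ipsec>
  <phase1>
    <ikeid>1</ikeid>
    <iketype>ikev2</iketype>
    <pre-shared-key>sadfasdfasdfasf</pre-shared-key>
    <authentication_method>xauth_psk_server</authentication_method>
  </phase1>
</ipsec>"""

# Constructed sample charon lines, shaped like the post's log (newest first).
SAMPLE_LOG = [
    "Sep 9 19:30:23 charon 10[CFG] <con1|8> selected peer config 'con1' inacceptable: insufficient authentication rounds",
    "Sep 9 19:30:23 charon 10[IKE] <con1|8> authentication of 'examplevpn' with pre-shared key successful",
    "Sep 9 19:30:23 charon 10[CFG] <bypasslan|8> selected peer config 'bypasslan' inacceptable: constraint checking failed",
]


def audit_phase1(xml_text):
    """One finding per Phase 1 problem: a PSK-based method with no PSK, or an
    XAuth method on IKEv2 (XAuth is an IKEv1 extension; IKEv2 uses EAP)."""
    findings = []
    for p1 in ET.fromstring(xml_text).iter("phase1"):
        ikeid = p1.findtext("ikeid", "?")
        iketype = p1.findtext("iketype", "")
        method = p1.findtext("authentication_method", "")
        psk = (p1.findtext("pre-shared-key") or "").strip()
        if method == "pre_shared_key" or method.startswith("xauth_psk"):
            if psk:
                findings.append(f"phase1 {ikeid}: PSK is set ({len(psk)} chars); peers must know it")
            else:
                findings.append(f"phase1 {ikeid}: {method} selected but pre-shared-key is empty")
        if iketype == "ikev2" and method.startswith("xauth_"):
            findings.append(f"phase1 {ikeid}: {method} adds an XAuth round that IKEv2 clients never perform")
    return findings


REJECT_RE = re.compile(r"selected peer config '([^']+)' inacceptable: (.+)$")


def rejected_configs(lines):
    """Map each peer config charon rejected to the reason it logged."""
    reasons = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            reasons[m.group(1)] = m.group(2)
    return reasons
```

Run `audit_phase1` over the live config.xml and `rejected_configs` over the IPsec log to see both the PSK status and charon's stated rejection reason together.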