iPhone IPsec mutual PSK vs mutual PSK + XAuth problems
I've got ipsec working with mutual psk – but once I enable mutual psk+xauth, it no longer works.
There are some odd things about this config that also have me confused. When I configure for mutual PSK, there is no box to enter a mutual PSK into -- only when I configure PSK+XAuth does it allow me to enter a PSK. I think this might only be a UI problem, because I think a PSK is being passed in the .mobileconfig file -- and I think it's the one I configured for mutual PSK + XAuth.
What is also odd is I cannot seem to get ALL traffic to go through IPsec. If I connect via my phone, turn off wifi, and traceroute to google, it does not appear to go through the IPsec path. Probably unrelated, and maybe for another thread ...
The config that works:
<ipsec>
  <client>
    <enable></enable>
    <user_source>Local Database</user_source>
    <group_source>system</group_source>
    <pool_address>10.11.11.0</pool_address>
    <pool_netbits>24</pool_netbits>
    <save_passwd></save_passwd>
    <dns_domain>vpn.example.net</dns_domain>
    <dns_server1>10.13.54.1</dns_server1>
  </client>
  <phase1>
    <ikeid>1</ikeid>
    <iketype>ikev2</iketype>
    <interface>wan</interface>
    <protocol>inet</protocol>
    <myid_type>dyn_dns</myid_type>
    <myid_data>home.example.net</myid_data>
    <peerid_type>fqdn</peerid_type>
    <peerid_data>examplevpn</peerid_data>
    <encryption-algorithm>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm>
    <hash-algorithm>sha256</hash-algorithm>
    <dhgroup>20</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>sadfasdfasdfasf</pre-shared-key>
    <private-key></private-key>
    <caref></caref>
    <authentication_method>pre_shared_key</authentication_method>
    <nat_traversal>on</nat_traversal>
    <mobike>on</mobike>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>5</dpd_maxfail>
  </phase1>
  <phase2>
    <ikeid>1</ikeid>
    <uniqid>52354345234</uniqid>
    <mode>tunnel</mode>
    <reqid>1</reqid>
    <localid>
      <type>lan</type>
    </localid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    <pfsgroup>20</pfsgroup>
    <lifetime>3600</lifetime>
  </phase2>
  <logging>
    <dmn>1</dmn>
    <mgr>1</mgr>
    <ike>1</ike>
    <chd>1</chd>
    <job>1</job>
    <cfg>1</cfg>
    <knl>1</knl>
    <net>1</net>
    <asn>1</asn>
    <enc>1</enc>
    <imc>1</imc>
    <imv>1</imv>
    <pts>1</pts>
    <tls>1</tls>
    <esp>1</esp>
    <lib>1</lib>
  </logging>
  <uniqueids>yes</uniqueids>
</ipsec>
When changing to + XAuth, the config file only differs in this:
< <authentication_method>pre_shared_key</authentication_method>
---
> <authentication_method>xauth_psk_server</authentication_method>
When using +XAuth, the log file says (newest entries first):
Sep 9 19:30:23 charon 10[NET] <bypasslan|8>sending packet: from 77.77.77.235[4500] to 10.99.99.110[4500] (80 bytes)
Sep 9 19:30:23 charon 10[ENC] <bypasslan|8>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 9 19:30:23 charon 10[IKE] <bypasslan|8>peer supports MOBIKE
Sep 9 19:30:23 charon 10[IKE] <bypasslan|8>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 9 19:30:23 charon 10[CFG] <bypasslan|8>no alternative config found
Sep 9 19:30:23 charon 10[CFG] <bypasslan|8>selected peer config 'bypasslan' inacceptable: constraint checking failed
Sep 9 19:30:23 charon 10[CFG] <bypasslan|8>constraint requires public key authentication, but pre-shared key was used
Sep 9 19:30:23 charon 10[CFG] <con1|8>switching to peer config 'bypasslan'
Sep 9 19:30:23 charon 10[CFG] <con1|8>selected peer config 'con1' inacceptable: insufficient authentication rounds
Sep 9 19:30:23 charon 10[IKE] <con1|8>authentication of 'examplevpn' with pre-shared key successful
Sep 9 19:30:23 charon 10[CFG] <con1|8>selected peer config 'con1'
Sep 9 19:30:23 charon 10[CFG] <8> looking for peer configs matching 77.77.77.235[home.example.net]...10.99.99.110[examplevpn]
Sep 9 19:30:23 charon 10[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sep 9 19:30:23 charon 10[ENC] <8> unknown attribute type (25)
Sep 9 19:30:23 charon 10[NET] <8> received packet: from 10.99.99.110[4500] to 77.77.77.235[4500] (400 bytes)
Sep 9 19:30:23 charon 10[NET] <8> sending packet: from 77.77.77.235[500] to 10.99.99.110[500] (288 bytes)
Sep 9 19:30:23 charon 10[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Sep 9 19:30:23 charon 10[IKE] <8> 10.99.99.110 is initiating an IKE_SA
Sep 9 19:30:23 charon 10[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 9 19:30:23 charon 10[NET] <8> received packet: from 10.99.99.110[500] to 77.77.77.235[500] (272 bytes)
Sep 9 19:29:52 charon 10[CFG] <con1|7>lease 10.11.11.1 by 'examplevpn' went offline
Sep 9 19:29:52 charon 10[NET] <con1|7>sending packet: from 77.77.77.235[4500] to 10.99.99.110[4500] (80 bytes)
Sep 9 19:29:52 charon 10[ENC] <con1|7>generating INFORMATIONAL response 46 [ ]
Sep 9 19:29:52 charon 10[IKE] <con1|7>IKE_SA deleted
Sep 9 19:29:52 charon 10[IKE] <con1|7>deleting IKE_SA con1[7] between 77.77.77.235[home.example.net]...10.99.99.110[examplevpn]
Sep 9 19:29:52 charon 10[IKE] <con1|7>received DELETE for IKE_SA con1[7]
Sep 9 19:29:52 charon 10[ENC] <con1|7>parsed INFORMATIONAL request 46 [ D ]
Sep 9 19:29:52 charon 10[NET] <con1|7>received packet: from 10.99.99.110[4500] to 77.77.77.235[4500] (80 bytes)
I'm ok with not using + XAuth in my environment – it's just home. But... I'm concerned with the PSK that isn't asked for in the GUI config. What's up with that? I am really using a shared secret, right, and not wide open?
And why can't I force all traffic through the vpn even though I have "Provide a list of accessible networks to clients" UNchecked?
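The charon log above records the peer authenticating with the PSK and then each peer config being rejected with a reason. As an added example (not from the post, pfSense or strongSwan), this Python script groups such lines by IKE_SA number and summarises the peer authentication, the rejected configs with their reasons, and the IKE_AUTH outcome; the sample lines are constructed from the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines quoted in the post
# (newest entry first, as the firewall's log viewer shows them).
SAMPLE_LOG = """\
Sep 9 19:30:23 charon 10[ENC] <bypasslan|8>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 9 19:30:23 charon 10[CFG] <bypasslan|8>selected peer config 'bypasslan' inacceptable: constraint checking failed
Sep 9 19:30:23 charon 10[CFG] <bypasslan|8>constraint requires public key authentication, but pre-shared key was used
Sep 9 19:30:23 charon 10[CFG] <con1|8>switching to peer config 'bypasslan'
Sep 9 19:30:23 charon 10[CFG] <con1|8>selected peer config 'con1' inacceptable: insufficient authentication rounds
Sep 9 19:30:23 charon 10[IKE] <con1|8>authentication of 'examplevpn' with pre-shared key successful
Sep 9 19:30:23 charon 10[CFG] <con1|8>selected peer config 'con1'
Sep 9 19:30:23 charon 10[IKE] <8> 10.99.99.110 is initiating an IKE_SA
"""

# One charon line: timestamp, thread[subsystem], <conn|sa> or <sa>, then the message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<sub>\w+)\] "
                     r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"authentication of '([^']+)' with (.+) successful")
REJECT_RE = re.compile(r"selected peer config '([^']+)' inacceptable: (.+)")

def triage(log_text):
    """Per IKE_SA: how the peer authenticated, which configs were rejected and why, outcome."""
    sas = defaultdict(lambda: {"peer_auth": None, "rejected": [], "result": None})
    # Reverse so each SA's events are processed oldest-first.
    for line in reversed(log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line; ignore
        rec, msg = sas[m.group("sa")], m.group("msg")
        if (a := AUTH_OK_RE.search(msg)):
            rec["peer_auth"] = (a.group(1), a.group(2))        # (peer identity, method)
        elif (r := REJECT_RE.search(msg)):
            rec["rejected"].append((r.group(1), r.group(2)))  # (config name, reason)
        elif "N(AUTH_FAILED)" in msg:
            rec["result"] = "AUTH_FAILED"
    return dict(sas)

def summarize(sas):
    """Render one line per IKE_SA for a quick read of why a client was refused."""
    out = []
    for sa in sorted(sas, key=int):
        rec = sas[sa]
        auth = "no peer auth" if rec["peer_auth"] is None else "%s via %s" % rec["peer_auth"]
        reasons = "; ".join("%s: %s" % r for r in rec["rejected"]) or "none"
        out.append("IKE_SA %s: %s | rejected configs: %s | result: %s"
                   % (sa, auth, reasons, rec["result"]))
    return out
```

Run `print("\n".join(summarize(triage(SAMPLE_LOG))))` to see the one-line summary for IKE_SA 8; the same functions work on a log saved from the firewall's IPsec log page.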