IKEv2: iOS (9) and Mac OS X (10.11) disconnect after 480 sec



  • I try to set up an IKEv2 VPN for all platforms (Windows, Mac, Linux, Android, iOS). Everything works fine so far. The only issue I have is that iOS (9) and Mac OS X (10.11) (native clients) disconnect after 480 sec (8 min). I have the same behavior with different versions (2.2.6, 2.3, 2.3.1-DEVELOPMENT). Does anyone have similar issues or an idea why this happens?

    Regards,

    Jörg

    Log:

    Apr 26 09:31:44 charon 12[KNL] <con1|2>querying SAD entry with SPI c5ee17d6
    Apr 26 09:31:44 charon 12[IKE] <con1|2>IKE_SA deleted
    Apr 26 09:31:44 charon 12[IKE] <con1|2>IKE_SA con1[2] state change: ESTABLISHED => DELETING
    Apr 26 09:31:44 charon 12[IKE] <con1|2>deleting IKE_SA con1[2] between XX.XX.XX.XX[vpn-test.test.tld]…XX.XX.XX.XX[XX.XX.XX.XX]
    Apr 26 09:31:44 charon 12[IKE] <con1|2>received DELETE for IKE_SA con1[2]
    Apr 26 09:31:44 charon 12[ENC] <con1|2>parsed INFORMATIONAL request 7 [ D ]
    Apr 26 09:31:44 charon 12[NET] <con1|2>received packet: from XX.XX.XX.XX[4500] to XX.XX.XX.XX[4500] (68 bytes)
    Apr 26 09:31:44 charon 12[MGR] IKE_SA con1[2] successfully checked out
    Apr 26 09:31:44 charon 12[MGR] checkout IKEv2 SA by message with SPIs ecde9fba7e6f72f8_i 834280eec438a4c8_r
    Apr 26 09:31:44 charon 15[MGR] <con1|2>checkin of IKE_SA successful
    Apr 26 09:31:44 charon 15[MGR] <con1|2>checkin IKE_SA con1[2]
    Apr 26 09:31:44 charon 15[NET] <con1|2>sending packet: from XX.XX.XX.XX[4500] to XX.XX.XX.XX[4500] (68 bytes)
    Apr 26 09:31:44 charon 15[ENC] <con1|2>generating CREATE_CHILD_SA response 6 [ N(NO_PROP) ]
    Apr 26 09:31:44 charon 15[IKE] <con1|3>IKE_SA con1[3] state change: CONNECTING => DESTROYING
    Apr 26 09:31:44 charon 15[IKE] <con1|2>applying DH public value failed
    Apr 26 09:31:44 charon 15[ENC] <con1|2>invalid DH public value size (256 bytes) for MODP_1024
    Apr 26 09:31:44 charon 15[LIB] <con1|2>size of DH secret exponent: 1023 bits

    Config:

    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <interface>wan</interface>
      <mobile></mobile>
      <protocol>inet</protocol>
      <myid_type>fqdn</myid_type>
      <myid_data>vpn-test.test.tld</myid_data>
      <peerid_type>any</peerid_type>
      <peerid_data></peerid_data>
      <encryption-algorithm>
        <name>3des</name>
      </encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key></pre-shared-key>
      <private-key></private-key>
      <certref>57173f204c549</certref>
      <caref></caref>
      <authentication_method>eap-mschapv2</authentication_method>
      <nat_traversal>on</nat_traversal>
      <mobike>off</mobike>
      <dpd_delay>10</dpd_delay>
      <dpd_maxfail>5</dpd_maxfail>
    </phase1>
    <phase2>
      <ikeid>1</ikeid>
      <uniqid>56fbb06abd4f6</uniqid>
      <mode>tunnel</mode>
      <reqid>1</reqid>
      <localid>
        <type>network</type>
        <address>0.0.0.0</address>
        <netbits>0</netbits>
      </localid>
      <remoteid>
        <type>mobile</type>
      </remoteid>
      <protocol>esp</protocol>
      <encryption-algorithm-option>
        <name>aes</name>
        <keylen>auto</keylen>
      </encryption-algorithm-option>
      <encryption-algorithm-option>
        <name>3des</name>
      </encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>3600</lifetime>
    </phase2>
    <uniqueids>never</uniqueids>


  • Rebel Alliance Developer Netgate

    Apr 26 09:31:44 charon 12[IKE] <con1|2>received DELETE for IKE_SA con1[2]

    The client is sending the disconnect, check the client side.

    I've left one connected on OS X for hours before without issue.



  • I just got mine working. It was breaking because iOS rekeys every 480 seconds - the proposal wasn't being accepted even though it worked when the tunnels came up. Here's my working config which tunnels IPv4 and IPv6:

    <ipsec>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>system</group_source>
        <pool_address>x.x.x.x</pool_address>
        <pool_netbits>29</pool_netbits>
        <pool_address_v6>xxxx:xxxx:xxxx:xxxx::1:0</pool_address_v6>
        <pool_netbits_v6>120</pool_netbits_v6>
        <dns_domain>example.com</dns_domain>
        <dns_server1>x.x.x.x</dns_server1>
        <dns_server2>xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx</dns_server2>
      </client>
      <logging>
        <dmn>1</dmn>
        <mgr>1</mgr>
        <ike>1</ike>
        <chd>1</chd>
        <job>1</job>
        <cfg>1</cfg>
        <knl>1</knl>
        <net>1</net>
        <asn>1</asn>
        <enc>1</enc>
        <imc>1</imc>
        <imv>1</imv>
        <pts>1</pts>
        <tls>1</tls>
        <esp>1</esp>
        <lib>1</lib>
      </logging>
      <uniqueids>yes</uniqueids>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
        <mobile></mobile>
        <protocol>inet</protocol>
        <myid_type>fqdn</myid_type>
        <myid_data>vpn.example.com</myid_data>
        <peerid_type>user_fqdn</peerid_type>
        <peerid_data>vpn@example.com</peerid_data>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>14</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key></pre-shared-key>
        <private-key></private-key>
        <certref>571b1b15b885c</certref>
        <caref></caref>
        <authentication_method>eap-mschapv2</authentication_method>
        <nat_traversal>on</nat_traversal>
        <mobike>on</mobike>
        <responderonly></responderonly>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>57131edf92230</uniqid>
        <mode>tunnel</mode>
        <reqid>1</reqid>
        <localid>
          <type>network</type>
          <address>0.0.0.0</address>
          <netbits>0</netbits>
        </localid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>3600</lifetime>
      </phase2>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>571ac29f93916</uniqid>
        <mode>tunnel6</mode>
        <reqid>2</reqid>
        <localid>
          <type>network</type>
          <address>::</address>
          <netbits>0</netbits>
        </localid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>3600</lifetime>
      </phase2>
      <noshuntlaninterfaces></noshuntlaninterfaces>
      <mobilekey>
        <ident>userx</ident>
        <type>EAP</type>
        <pre-shared-key>secret</pre-shared-key>
      </mobilekey>
      <makebeforebreak></makebeforebreak>
    </ipsec>



  • Thank you ohwell. Your config works for Mac OS X. Unfortunately Windows (I tested with Windows 10) actually does not support DH group 14. All Windows proposals use DH group 2 (MODP_1024). It seems that either Windows or Mac works. Linux with strongSwan works with both configs, also the strongSwan app on Android…

    Apr 28 09:56:34 charon 11[CFG] <28> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Apr 28 09:56:34 charon 11[CFG] <28> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024





  • Thank you ohwell, works fine with Windows 10.

    I hope Apple will fix the rekeying for DH Group 2, although DH Group 14 is more secure. With DH Group 2 there is no need for registry-hacks, Apple-profiles etc.



  • Here is a working configuration for IKEv2 MS-CHAP v2 for iOS / OS X / Windows 10 and Android (strongSwan client; could not test the native client):

    1. Add DWORD in Windows Registry with the value 1 according to the post of ohwell (Article chapter 2.2.2.2)

    2. Use this encryption for the connection:

    Phase 1: AES 256 + SHA256 + DH14
    Phase 2: AES 256 + SHA256 + DH Off

    Hope this helps someone. DH Group for Phase 2 is in my opinion not absolutely necessary but Group 14 should now work as well.



  • I've some additional issues even after following the section 2.2.2.2 of the document posted.

    Windows 10 client does not accept SHA256 on Phase 2. Only SHA1.

    07[CFG] <con1|141> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    07[CFG] <con1|141> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    07[IKE] <con1|141> no acceptable proposal found

    To solve this I just enabled SHA1 too in Phase 2. After this the connection works flawlessly, but the routes aren't published.

    I need to manually put the route information on the Windows 10 machine with: "route add network/mask ip-address-of-vpn-connection"

    Anyone with the same issue?

    On OS X everything works fine.
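As an added illustration of why the ESP lines in this post and the IKE lines in the earlier Windows 10 post end in "no acceptable proposal found", here is a small checker that is not part of any post in this thread: it parses strongSwan's "configured proposals" / "received proposals" log lines and intersects them per IKEv2 transform type, the way the responder does. The sample log is constructed from the lines quoted in the thread (the long Windows IKE list cut to two entries), and the transform-type classification is a heuristic over strongSwan's algorithm names.

```python
import re

# Constructed sample: the four strongSwan CFG lines quoted in this thread (Windows 10
# client), with the long list of received IKE proposals cut to two representative entries.
SAMPLE_LOG = """\
11[CFG] <28> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
11[CFG] <28> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
07[CFG] <con1|141> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
07[CFG] <con1|141> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

LINE_RE = re.compile(r"\[CFG\] <([^>]+)> (configured|received) proposals: (.+)$")

def transform_type(alg):
    """Map a strongSwan algorithm name to its IKEv2 transform type (heuristic on the name)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if alg in ("EXT_SEQ", "NO_EXT_SEQ"):
        return "esn"
    return "enc"

def parse_proposal(text):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/MODP_1024' -> ('IKE', {type: {algorithm names}})."""
    proto, algs = text.strip().split(":", 1)
    by_type = {}
    for alg in algs.split("/"):
        by_type.setdefault(transform_type(alg), set()).add(alg)
    return proto, by_type

def matches(configured, received):
    """True only if every transform type the peer proposes shares an algorithm with ours."""
    cp, cfg = parse_proposal(configured)
    rp, rcv = parse_proposal(received)
    return cp == rp and all(cfg.get(t, set()) & algs for t, algs in rcv.items())

def acceptable_proposals(log):
    """Per SA id: the peer's proposals that the configured proposal(s) would accept."""
    cfg, rcv = {}, {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            sa, kind, rest = m.groups()
            (cfg if kind == "configured" else rcv).setdefault(sa, []).extend(rest.split(", "))
    return {sa: [r for r in rcv.get(sa, []) if any(matches(c, r) for c in cfg[sa])] for sa in cfg}
```

`acceptable_proposals(SAMPLE_LOG)` returns an empty list for both SAs: the IKE side fails on MODP_2048 vs MODP_1024 and the ESP side on HMAC_SHA2_256_128 vs HMAC_SHA1_96, which is exactly what adding SHA1 to Phase 2 repairs.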



  • Hello guys, as I am having the same problem, where can I find this config in order to change it?

