    IKEv2: iOS (9) and Mac OS X (10.11) disconnect after 480 sec

    IPsec
    • joerg

      I am trying to set up an IKEv2 VPN for all platforms (Windows, Mac, Linux, Android, iOS). Everything works fine so far. The only issue I have is that iOS (9) and Mac OS X (10.11) (native clients) disconnect after 480 sec (8 min). I have the same behavior with different versions (2.2.6, 2.3, 2.3.1-DEVELOPMENT). Does anyone have similar issues or an idea why this happens?

      Regards,

      Jörg

      Log:

      Apr 26 09:31:44 charon 12[KNL] <con1|2> querying SAD entry with SPI c5ee17d6
      Apr 26 09:31:44 charon 12[IKE] <con1|2> IKE_SA deleted
      Apr 26 09:31:44 charon 12[IKE] <con1|2> IKE_SA con1[2] state change: ESTABLISHED => DELETING
      Apr 26 09:31:44 charon 12[IKE] <con1|2> deleting IKE_SA con1[2] between XX.XX.XX.XX[vpn-test.test.tld]…XX.XX.XX.XX[XX.XX.XX.XX]
      Apr 26 09:31:44 charon 12[IKE] <con1|2> received DELETE for IKE_SA con1[2]
      Apr 26 09:31:44 charon 12[ENC] <con1|2> parsed INFORMATIONAL request 7 [ D ]
      Apr 26 09:31:44 charon 12[NET] <con1|2> received packet: from XX.XX.XX.XX[4500] to XX.XX.XX.XX[4500] (68 bytes)
      Apr 26 09:31:44 charon 12[MGR] IKE_SA con1[2] successfully checked out
      Apr 26 09:31:44 charon 12[MGR] checkout IKEv2 SA by message with SPIs ecde9fba7e6f72f8_i 834280eec438a4c8_r
      Apr 26 09:31:44 charon 15[MGR] <con1|2> checkin of IKE_SA successful
      Apr 26 09:31:44 charon 15[MGR] <con1|2> checkin IKE_SA con1[2]
      Apr 26 09:31:44 charon 15[NET] <con1|2> sending packet: from XX.XX.XX.XX[4500] to XX.XX.XX.XX[4500] (68 bytes)
      Apr 26 09:31:44 charon 15[ENC] <con1|2> generating CREATE_CHILD_SA response 6 [ N(NO_PROP) ]
      Apr 26 09:31:44 charon 15[IKE] <con1|3> IKE_SA con1[3] state change: CONNECTING => DESTROYING
      Apr 26 09:31:44 charon 15[IKE] <con1|2> applying DH public value failed
      Apr 26 09:31:44 charon 15[ENC] <con1|2> invalid DH public value size (256 bytes) for MODP_1024
      Apr 26 09:31:44 charon 15[LIB] <con1|2> size of DH secret exponent: 1023 bits

      Config:

      <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <interface>wan</interface>
      <mobile></mobile>
      <protocol>inet</protocol>
      <myid_type>fqdn</myid_type>
      <myid_data>vpn-test.test.tld</myid_data>
      <peerid_type>any</peerid_type>
      <peerid_data></peerid_data>
      <encryption-algorithm><name>3des</name></encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key></pre-shared-key>
      <private-key></private-key>
      <certref>57173f204c549</certref>
      <caref></caref>
      <authentication_method>eap-mschapv2</authentication_method>
      <nat_traversal>on</nat_traversal>
      <mobike>off</mobike>
      <dpd_delay>10</dpd_delay>
      <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
      <ikeid>1</ikeid>
      <uniqid>56fbb06abd4f6</uniqid>
      <mode>tunnel</mode>
      <reqid>1</reqid>
      <localid><type>network</type>
      <address>0.0.0.0</address>
      <netbits>0</netbits></localid>
      <remoteid><type>mobile</type></remoteid>
      <protocol>esp</protocol>
      <encryption-algorithm-option><name>aes</name>
      <keylen>auto</keylen></encryption-algorithm-option>
      <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>3600</lifetime>
      </phase2>
      <uniqueids>never</uniqueids>

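      The log above reads bottom-up (the pfSense log viewer prints newest entries first): the peer opened an IKE_SA rekey (CREATE_CHILD_SA, new IKE_SA con1[3]), charon rejected its KE payload because a 256-byte public value does not fit MODP_1024, answered with N(NO_PROP), and the peer then deleted the whole IKE_SA. The script below is an added example, not code from the thread or from pfSense/strongSwan: it reads charon log lines and turns the "invalid DH public value size" message into a statement of which MODP group the peer actually used in the rekey, by mapping the KE payload length back to a modulus size. The mapping only covers MODP groups (ECP and curve groups are not modelled), the sample lines are the post's own lines put back into chronological order, and the `<dhgroup>` hint at the end assumes the pfSense phase 1 element shown in the config above.

```python
"""Triage of a strongSwan (charon) IKEv2 rekey failure caused by a DH group mismatch."""
import re

# IKEv2 MODP groups: (IANA group number, public value length in bytes = modulus bits / 8).
# Only MODP groups are modelled; ECP/curve groups encode their KE payloads differently.
MODP_GROUPS = {
    "MODP_1024": (2, 128),
    "MODP_1536": (5, 192),
    "MODP_2048": (14, 256),
    "MODP_3072": (15, 384),
    "MODP_4096": (16, 512),
    "MODP_6144": (17, 768),
    "MODP_8192": (18, 1024),
}
BYTES_TO_GROUP = {size: name for name, (_, size) in MODP_GROUPS.items()}

DH_SIZE_RE = re.compile(
    r"invalid DH public value size \((?P<size>\d+) bytes\) for (?P<group>MODP_\d+)"
)

# Constructed sample: the relevant lines of the post's log, reordered oldest first.
SAMPLE_LOG = [
    "Apr 26 09:31:44 charon 15[LIB] <con1|2> size of DH secret exponent: 1023 bits",
    "Apr 26 09:31:44 charon 15[ENC] <con1|2> invalid DH public value size (256 bytes) for MODP_1024",
    "Apr 26 09:31:44 charon 15[IKE] <con1|2> applying DH public value failed",
    "Apr 26 09:31:44 charon 15[IKE] <con1|3> IKE_SA con1[3] state change: CONNECTING => DESTROYING",
    "Apr 26 09:31:44 charon 15[ENC] <con1|2> generating CREATE_CHILD_SA response 6 [ N(NO_PROP) ]",
    "Apr 26 09:31:44 charon 12[ENC] <con1|2> parsed INFORMATIONAL request 7 [ D ]",
    "Apr 26 09:31:44 charon 12[IKE] <con1|2> received DELETE for IKE_SA con1[2]",
    "Apr 26 09:31:44 charon 12[IKE] <con1|2> IKE_SA con1[2] state change: ESTABLISHED => DELETING",
]


def infer_peer_group(size_bytes):
    """Map the length of a received KE payload to a MODP group name, or None."""
    return BYTES_TO_GROUP.get(size_bytes)


def diagnose_rekey(lines):
    """Describe the DH mismatch found in charon log lines, or return None if there is none."""
    result = None
    for line in lines:
        m = DH_SIZE_RE.search(line)
        if not m:
            continue
        size = int(m.group("size"))
        configured = m.group("group")
        peer = infer_peer_group(size)
        result = {
            "configured_group": configured,
            "configured_group_number": MODP_GROUPS[configured][0],
            "peer_public_value_bytes": size,
            "peer_group": peer,
            "peer_group_number": MODP_GROUPS[peer][0] if peer else None,
        }
    if result is None:
        return None
    joined = "\n".join(lines)
    # Responder answered the rekey with NO_PROPOSAL_CHOSEN ...
    result["rekey_rejected"] = "CREATE_CHILD_SA response" in joined and "N(NO_PROP)" in joined
    # ... and the initiator reacted by tearing the established IKE_SA down.
    result["peer_deleted_ike_sa"] = "received DELETE for IKE_SA" in joined
    return result


def suggested_fix(diag):
    """Phrase the finding as the pfSense phase 1 <dhgroup> change it implies (hypothetical wording)."""
    if diag is None:
        return "no DH public value size mismatch found"
    if diag["peer_group"] is None:
        return "peer KE payload of %d bytes matches no MODP group; check for ECP groups" % (
            diag["peer_public_value_bytes"])
    return "phase 1 <dhgroup>%d</dhgroup> (%s) -> <dhgroup>%d</dhgroup> (%s): peer rekeyed with %s" % (
        diag["configured_group_number"], diag["configured_group"],
        diag["peer_group_number"], diag["peer_group"], diag["peer_group"])


if __name__ == "__main__":
    d = diagnose_rekey(SAMPLE_LOG)
    for k, v in d.items():
        print("%-26s %s" % (k, v))
    print(suggested_fix(d))
```

      Run stand-alone it prints the parsed fields and the group change; point `diagnose_rekey` at the lines of a real `clog /var/log/ipsec.log` capture instead of `SAMPLE_LOG` to check a live tunnel.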
      • jimp (Netgate developer)

        Apr 26 09:31:44 charon 12[IKE] <con1|2> received DELETE for IKE_SA con1[2]

        The client is sending the disconnect, check the client side.

        I've left one connected on OS X for hours before without issue.

        • ohwell

          I just got mine working. It was breaking because iOS rekeys every 480 seconds - the proposal wasn't being accepted even though it worked when the tunnels came up. Here's my working config, which tunnels IPv4 and IPv6:

          <ipsec>
          <client>
          <enable></enable>
          <user_source>Local Database</user_source>
          <group_source>system</group_source>
          <pool_address>x.x.x.x</pool_address>
          <pool_netbits>29</pool_netbits>
          <pool_address_v6>xxxx:xxxx:xxxx:xxxx::1:0</pool_address_v6>
          <pool_netbits_v6>120</pool_netbits_v6>
          <dns_domain>example.com</dns_domain>
          <dns_server1>x.x.x.x</dns_server1>
          <dns_server2>xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx</dns_server2>
          </client>
          <logging><dmn>1</dmn>
          <mgr>1</mgr>
          <ike>1</ike>
          <chd>1</chd>
          <job>1</job>
          <cfg>1</cfg>
          <knl>1</knl>
          <net>1</net>
          <asn>1</asn>
          <enc>1</enc>
          <imc>1</imc>
          <imv>1</imv>
          <pts>1</pts>
          <tls>1</tls>
          <esp>1</esp>
          <lib>1</lib></logging>
          <uniqueids>yes</uniqueids>
          <phase1>
          <ikeid>1</ikeid>
          <iketype>ikev2</iketype>
          <interface>wan</interface>
          <mobile></mobile>
          <protocol>inet</protocol>
          <myid_type>fqdn</myid_type>
          <myid_data>vpn.example.com</myid_data>
          <peerid_type>user_fqdn</peerid_type>
          <peerid_data>vpn@example.com</peerid_data>
          <encryption-algorithm><name>aes</name>
          <keylen>256</keylen></encryption-algorithm>
          <hash-algorithm>sha256</hash-algorithm>
          <dhgroup>14</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key></pre-shared-key>
          <private-key></private-key>
          <certref>571b1b15b885c</certref>
          <caref></caref>
          <authentication_method>eap-mschapv2</authentication_method>
          <nat_traversal>on</nat_traversal>
          <mobike>on</mobike>
          <responderonly></responderonly>
          <dpd_delay>10</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
          </phase1>
          <phase2><ikeid>1</ikeid>
          <uniqid>57131edf92230</uniqid>
          <mode>tunnel</mode>
          <reqid>1</reqid>
          <localid><type>network</type>

          <address>0.0.0.0</address>

          <netbits>0</netbits></localid>

          <protocol>esp</protocol>
          <encryption-algorithm-option><name>aes</name>
          <keylen>256</keylen></encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
          <lifetime>3600</lifetime></phase2>
          <phase2><ikeid>1</ikeid>
          <uniqid>571ac29f93916</uniqid>
          <mode>tunnel6</mode>
          <reqid>2</reqid>
          <localid><type>network</type>

          <address>::</address>

          <netbits>0</netbits></localid>

          <protocol>esp</protocol>
          <encryption-algorithm-option><name>aes</name>
          <keylen>256</keylen></encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
          <lifetime>3600</lifetime></phase2>
          <noshuntlaninterfaces></noshuntlaninterfaces>
          <mobilekey>
          <ident>userx</ident>
          <type>EAP</type>
          <pre-shared-key>secret</pre-shared-key>
          </mobilekey>
          <makebeforebreak></makebeforebreak>
          </ipsec>

          • joerg

            Thank you ohwell. Your config works for Mac OS X. Unfortunately Windows (I tested with Windows 10) does not actually support DH group 14. All Windows proposals use DH group 2 (MODP_1024). It seems that either Windows or Mac works. Linux with strongSwan works with both configs, as does the strongSwan app on Android…

            Apr 28 09:56:34 charon 11[CFG] <28> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
            Apr 28 09:56:34 charon 11[CFG] <28> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024

            • ohwell

              Take a look at (at least) section 2.2.2.2 of http://download.microsoft.com/download/A/9/F/A9FD7E2D-023B-4925-A62F-58A7F1A6BD47/Microsoft%20Windows%208%20Windows%20Server%202012%20Supplemental%20Admin%20Guidance%20IPsec%20VPN%20Client.docx

              I haven't tested this.

              • joerg

                Thank you ohwell, works fine with Windows 10.

                I hope Apple will fix the rekeying for DH Group 2, although DH Group 14 is more secure. With DH Group 2 there is no need for registry-hacks, Apple-profiles etc.

                • epionier

                  Here is a working configuration for IKEv2 MS-CHAP v2 for iOS / OS X / Windows 10 and Android (strongSwan client; I could not test the native client):

                  1. Add a DWORD with the value 1 to the Windows registry according to ohwell's post (document chapter 2.2.2.2)

                  2. Use this encryption for the connection:

                  Phase 1: AES 256 + SHA256 + DH14
                  Phase 2: AES 256 + SHA256 + DH Off

                  Hope this helps someone. A DH group for Phase 2 is in my opinion not absolutely necessary, but Group 14 should now work as well.

                  • viniciusferrao

                    I have some additional issues even after following section 2.2.2.2 of the document posted.

                    Windows 10 client does not accept SHA256 on Phase 2. Only SHA1.

                    07[CFG] <con1|141> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
                    07[CFG] <con1|141> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
                    07[IKE] <con1|141> no acceptable proposal found

                    To solve this I just enabled SHA1 too in Phase 2. After this the connection works flawlessly, but the routes aren't published.

                    I need to manually put the route information on the Windows 10 machine with: "route add network/mask ip-address-of-vpn-connection"

                    Anyone with the same issue?

                    On OS X everything works fine.

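                    Both "no acceptable proposal found" cases in this thread, joerg's IKE lines (every Windows 10 proposal carries MODP_1024 while pfSense is configured for MODP_2048) and viniciusferrao's ESP lines above (Windows offers HMAC_SHA1_96, pfSense is configured for HMAC_SHA2_256_128), have the same shape: one transform type with no overlap at all. The script below is an added example, not code from the thread or from pfSense/strongSwan. It parses charon's "configured proposals:" / "received proposals:" pairs, groups each proposal's algorithms by IKEv2 transform type, and either returns the first combination both sides share or names the transform types that block agreement. Assumptions: the selection rule (first configured proposal that shares at least one algorithm of every transform type with some received proposal) is a simplification of strongSwan's own selection, the IKE "received" sample is trimmed to three of the twelve proposals joerg quoted, and the third ESP sample (phase 2 with SHA1 added) is constructed to mirror viniciusferrao's workaround.

```python
"""Transform-type overlap check for strongSwan 'configured/received proposals' log lines."""

INTEG_PREFIXES = ("HMAC_", "AES_XCBC", "AES_CMAC")


def transform_type(alg):
    """Classify one algorithm name by IKEv2 transform type (simplified; NULL is treated as encr)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if alg.startswith(INTEG_PREFIXES):
        return "integ"
    return "encr"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, CHACHA20_POLY1305, ...


def parse_proposals(line):
    """Parse '... proposals: IKE:a/b/c, ESP:x/y' into [{'proto', 'transforms': {type: [algs]}}]."""
    body = line.split("proposals:", 1)[1].strip()
    proposals = []
    for item in body.split(", "):
        proto, algs = item.split(":", 1)
        transforms = {}
        for alg in algs.split("/"):
            transforms.setdefault(transform_type(alg), []).append(alg)
        proposals.append({"proto": proto, "transforms": transforms})
    return proposals


def match_proposals(configured_line, received_line):
    """Return {'match': {type: alg} or None, 'blocking_types': [types with no overlap]}."""
    configured = parse_proposals(configured_line)
    received = parse_proposals(received_line)
    for c in configured:
        for r in received:
            if c["proto"] != r["proto"] or set(c["transforms"]) != set(r["transforms"]):
                continue
            chosen = {}
            for ttype, algs in c["transforms"].items():
                # keep the configured side's preference order, as a responder would
                common = [a for a in algs if a in r["transforms"][ttype]]
                if not common:
                    break
                chosen[ttype] = common[0]
            else:
                return {"match": chosen, "blocking_types": []}
    # No pair agrees: report the transform types where nothing the peer offered is configured.
    offered, wanted = {}, {}
    for p in received:
        for ttype, algs in p["transforms"].items():
            offered.setdefault(ttype, set()).update(algs)
    for p in configured:
        for ttype, algs in p["transforms"].items():
            wanted.setdefault(ttype, set()).update(algs)
    blocking = sorted(t for t in wanted if not (wanted[t] & offered.get(t, set())))
    return {"match": None, "blocking_types": blocking}


# Samples from the posts above (IKE 'received' trimmed to three of twelve proposals).
IKE_CONFIGURED = ("Apr 28 09:56:34 charon 11[CFG] <28> configured proposals: "
                  "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048")
IKE_RECEIVED = ("Apr 28 09:56:34 charon 11[CFG] <28> received proposals: "
                "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
                "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
                "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024")
ESP_RECEIVED = ("07[CFG] <con1|141> received proposals: "
                "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ")
ESP_CONFIGURED = ("07[CFG] <con1|141> configured proposals: "
                  "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ")
# Constructed: phase 2 after adding SHA1 next to SHA256, as in viniciusferrao's workaround.
ESP_CONFIGURED_WITH_SHA1 = ("07[CFG] <con1|141> configured proposals: "
                            "ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ")

if __name__ == "__main__":
    for name, cfg, rcv in (("IKE", IKE_CONFIGURED, IKE_RECEIVED),
                           ("ESP", ESP_CONFIGURED, ESP_RECEIVED),
                           ("ESP+SHA1", ESP_CONFIGURED_WITH_SHA1, ESP_RECEIVED)):
        print(name, match_proposals(cfg, rcv))
```

                    The blocking list is the part worth reading: a single entry such as `['dh']` or `['integ']` tells you exactly which phase 1 or phase 2 setting to widen (or, as the thread settles on, which client-side setting to change) rather than adding algorithms blindly until the tunnel comes up.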
                    • chris88g4

                      Hello guys, as I am having the same problem, where can I find this config in order to change it?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.