vpn – trying to connect to er-x ikev2 from macOS with self-signed certificates

PSK works from all clients but we're trying to move up to certificates, which work fine from linux and android but not yet from either macOS or ios. If anybody can offer any insight or pointers that would be most welcome!

With leftid/leftca/rightid/rightca constraints, linux and android are fine, but when either ios16.7.11 or macos15.6.1 attempts to connect with either pubkey/pubkey or pubkey/eap-tls the er-x logs no matching peer config found.

With additional conns allowing %any for various combinations of leftid/leftca/rightid/rightca, ios falls past any conn that defines leftid or rightid and settles on a conn that defines leftca and rightca, but there..

For pubkey/pubkey auth the er-x logs no trusted RSA public key found for .

For pubkey/eap-tls auth the er-x logs no private key found for 'CN=vpn2'.

Working clients are using pubkey/pubkey auth, and for them the er-x logs:

12[IKE] authentication of 'CN=v3.burdock' with RSA_EMSA_PKCS1_SHA2_384 successful
12[IKE] authentication of 'CN=vpn2' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful

Working clients are opensuse tumbleweed strongswan6.0.1-3.1 and android14go strongswan2.5.6. CA and all keys, certs, and .p12 were generated on rhel9 openssl genrsa/req/x509/pkcs12.

To set up macOS or ios I prepared .mobileconfig, an example is below the er-x logs..

The er-x v2.0.9-hotfix.7 is set up as ikev2 responder with no radius:

edgeOS set vpn ipsec settings:
set vpn ipsec allow-access-to-local-interface disable
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec include-ipsec-conf /config/user-data/strongciphers
set vpn ipsec include-ipsec-secrets /config/user-data/secrets
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable

/config/user-data/strongciphers:
conn %default
  left=
  leftsubnet=
  rightsourceip=
  fragmentation=yes
  keyexchange=ikev2
  ike=!
  esp=!
  inactivity=345600
  dpdaction=hold
  type=tunnel
  auto=add

conn  ocp
  leftcert=/config/user-data/vCN2.crt
  leftid="CN=vpn2"  
  leftca="C=us/ST=minnesota/O=Factor of 4/CN=fo4"
  rightca="C=us/ST=minnesota/O=Factor of 4/CN=fo4"
  rightid="C=us, ST=minnesota, O=Issue of 4, CN=cp10s"
  rightauth=pubkey
  leftauth=pubkey

conn  ob1
  also=ocp
  rightid="CN=v3.burdock"

conn  ma0
  also=ocp
  rightid="CN=v0.andymac"

conn  i8k
  also=ocp
  rightid="CN=v35.mgi8"

Additional conns to see which constraints are failing:

conn  leftca+rightca+leftid
  also=ocp
  rightid=%any

conn  leftca+rightca+rightid
  also=leftca+rightca
  rightid="CN=v35.mgi8"

conn  leftca+leftid
  also=leftca+rightca+leftid
  rightca=%any

conn  rightca+rightid
  also=leftca+rightca+rightid
  leftca=%any

conn  leftca+rightca
  right=75.168.201.4
  rightid=%any
  rightca="C=us/ST=minnesota/O=Factor of 4/CN=fo4"
  leftca="C=us/ST=minnesota/O=Factor of 4/CN=fo4"
  leftid=%any
  leftauth=pubkey
  rightauth=pubkey

Additional conns to try eap-tls auth:

conn  iet
  also=i8k
  rightauth=eap-tls
  eap_identity=%identity
  rightsendcert=always
  leftsendcert=always


conn  leftca+rightca+leftid+eap-tls
  also=leftca+rightca+leftid
  rightauth=eap-tls
  eap_identity=%any


conn  leftca+rightca+rightid+eap-tls
  also=leftca+rightca+rightid
  rightauth=eap-tls
  eap_identity=%any


conn  leftca+leftid+eap-tls
  also=leftca+leftid
  rightauth=eap-tls
  eap_identity=%any


conn  rightca+rightid+eap-tls
  also=rightca+rightid
  rightauth=eap-tls
  eap_identity=%any


conn  leftca+rightca+eap-tls
  also=leftca+rightca
  rightauth=eap-tls
  eap_identity=%any

linux strongswan success:

2025-09-02Tue15:26:33.829442250 11[IKE] sending cert request for "C=us, ST=minnesota, O=Factor of 4, CN=fo4"
2025-09-02Tue15:26:33.932254294 12[IKE] received cert request for "C=us, ST=minnesota, O=Factor of 4, CN=fo4"
2025-09-02Tue15:26:33.941238479 12[IKE] received end entity cert "CN=v3.burdock"
2025-09-02Tue15:26:33.951721700 12[CFG] selected peer config 'ob1'
2025-09-02Tue15:26:33.962570545 12[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...75.168.201.4[CN=v3.burdock]
2025-09-02Tue15:26:33.972918228 12[CFG] using certificate "CN=v3.burdock"
2025-09-02Tue15:26:33.983016733 12[CFG] using trusted ca certificate "C=us, ST=minnesota, O=Factor of 4, CN=fo4"
2025-09-02Tue15:26:33.993417055 12[CFG] checking certificate status of "CN=v3.burdock"
2025-09-02Tue15:26:34.003503771 12[CFG] certificate status is not available
2025-09-02Tue15:26:34.013905703 12[CFG] reached self-signed root ca with a path length of 0
2025-09-02Tue15:26:34.024131190 12[IKE] authentication of 'CN=v3.burdock' with RSA_EMSA_PKCS1_SHA2_384 successful
2025-09-02Tue15:26:34.590868572 12[IKE] authentication of 'CN=vpn2' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
2025-09-02Tue15:26:34.599865476 12[IKE] IKE_SA ob1[1] established between 209.23.153.218[CN=vpn2]...75.168.201.4[CN=v3.burdock]
2025-09-02Tue15:26:34.626143424 12[IKE] sending end entity cert "CN=vpn2"
2025-09-02Tue15:26:34.643871279 12[CFG] assigning new lease to 'CN=v3.burdock'
2025-09-02Tue15:26:34.652668319 12[IKE] assigning virtual IP 192.168.128.232 to peer 'CN=v3.burdock'
2025-09-02Tue15:26:34.661558280 12[IKE] CHILD_SA ob1{1} established with SPIs c5f6d310_i c639e9c2_o and TS 192.168.128.0/21 === 192.168.128.232/32

macOS pubkey/pubkey fail without additional conns:

2025-09-02Tue17:33:00.971136240 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-09-02Tue17:33:01.582956854 10[IKE] sending cert request for "C=us, ST=minnesota, O=Factor of 4, CN=fo4"
2025-09-02Tue17:33:01.591894784 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
2025-09-02Tue17:33:01.801170091 07[ENC] unknown attribute type (25)
2025-09-02Tue17:33:01.810754323 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-09-02Tue17:33:01.819981944 07[IKE] received end entity cert "CN=v0.andymac"
2025-09-02Tue17:33:01.828913602 07[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...216.161.16.228[CN=v0.andymac]
2025-09-02Tue17:33:01.837854638 07[CFG] no matching peer config found

macOS pubkey/eap-tls fail without additional conns:

2025-09-02Tue17:33:52.938130654 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
2025-09-02Tue17:33:53.558368423 13[IKE] sending cert request for "C=us, ST=minnesota, O=Factor of 4, CN=fo4"
2025-09-02Tue17:33:53.568995315 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
2025-09-02Tue17:33:53.597353294 14[ENC] unknown attribute type (25)
2025-09-02Tue17:33:53.606563740 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2025-09-02Tue17:33:53.615827286 14[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...216.161.16.228[CN=v0.andymac]
2025-09-02Tue17:33:53.624648306 14[CFG] no matching peer config found

ios pubkey/pubkey fail with additional conns:

2025-09-02Tue14:56:09.977252160 15[IKE] sending cert request for "C=us, ST=minnesota, O=Factor of 4, CN=fo4"
2025-09-02Tue14:56:10.255344044 14[IKE] received end entity cert "CN=v35.mgi8"
2025-09-02Tue14:56:10.264680500 14[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...75.168.201.4[CN=v35.mgi8]
2025-09-02Tue14:56:10.274140569 14[CFG] selected peer config 'leftca+rightca'
2025-09-02Tue14:56:10.283629794 14[IKE] no trusted RSA public key found for 'CN=v35.mgi8'

ios pubkey/eap-tls fail with additional conns:

2025-09-02Tue14:59:42.466288610 04[IKE] sending cert request for "C=us, ST=minnesota, O=Factor of 4, CN=fo4"
2025-09-02Tue14:59:42.542169258 11[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...75.168.201.4[CN=v35.mgi8]
2025-09-02Tue14:59:42.551241540 11[CFG] selected peer config 'leftca+rightca'
2025-09-02Tue14:59:42.561625241 11[IKE] peer requested EAP, config inacceptable
2025-09-02Tue14:59:42.572299465 11[CFG] switching to peer config 'leftca+rightca+eap-tls'
2025-09-02Tue14:59:42.611799700 11[IKE] no private key found for 'CN=vpn2'

.mobileconfig:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>  <string>v35.mgi8 fo4 vpn</string>
  <key>PayloadIdentifier</key>   <string>vpn.fo4.profile.v35.mgi8</string>
  <key>PayloadType</key>         <string>Configuration</string>
  <key>PayloadUUID</key>         <string>1359f5c7-de90-4bf8-ab46-cf9c135aa2bb</string>
  <key>PayloadVersion</key>      <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadCertificateFileName</key> <string>fo4.ca.crt</string>
      <key>PayloadContent</key>      <data>...</data>
      <key>PayloadDescription</key>  <string>fo4 CA</string>
      <key>PayloadDisplayName</key>  <string>fo4 CA</string>
      <key>PayloadIdentifier</key>   <string>vpn.fo4.ca.v35.mgi8</string>
      <key>PayloadType</key>         <string>com.apple.security.root</string>
      <key>PayloadUUID</key>         <string>7f9b98a2-c485-4b5b-be64-b44e3ca9e7f8</string>
      <key>PayloadVersion</key>      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key> <string>mgi8.p12</string>
      <key>PayloadContent</key>      <data>...</data>
      <key>PayloadDescription</key>  <string>mgi8 Client Id(Cert+Key)</string>
      <key>PayloadDisplayName</key>  <string>v35.mgi8</string>
      <key>PayloadIdentifier</key>   <string>vpn.fo4.clientidentity.v35.mgi8</string>
      <key>PayloadType</key>         <string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key>         <string>ae52c04c-17fa-41b4-8973-8aaac7ec5877</string>
      <key>PayloadVersion</key>      <integer>1</integer>
    </dict>
    <dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>   <string>Certificate</string>
        <key>ExtendedAuthEnabled</key>    <integer>0</integer>
        <key>LocalIdentifier</key>        <string>CN=v35.mgi8</string>
        <key>RemoteIdentifier</key>       <string>CN=vpn1</string>
        <key>RemoteAddress</key>          <string>209.23.153.217</string>
        <key>PayloadCertificateUUID</key> <string>ae52c04c-17fa-41b4-8973-8aaac7ec5877</string>
        <key>OnDemandEnabled</key>        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>     <string>v35kk.vpn1</string>
      <key>PayloadDescription</key>  <string>v35kk.vpn1</string>
      <key>PayloadDisplayName</key>  <string>v35kk.vpn1</string>
      <key>PayloadIdentifier</key>   <string>vpn.fo4.v35kk.vpn1.mgi8</string>
      <key>PayloadType</key>         <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>         <string>be1f0300-4296-4a57-99a8-7d04c95395ec</string>
      <key>PayloadVersion</key>      <integer>1</integer>
      <key>VPNType</key>             <string>IKEv2</string>
    </dict>
    <dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>   <string>Certificate</string>
        <key>ExtendedAuthEnabled</key>    <integer>1</integer>
        <key>LocalIdentifier</key>        <string>CN=v35.mgi8</string>
        <key>RemoteIdentifier</key>       <string>CN=vpn1</string>
        <key>RemoteAddress</key>          <string>209.23.153.217</string>
        <key>PayloadCertificateUUID</key> <string>ae52c04c-17fa-41b4-8973-8aaac7ec5877</string>
        <key>OnDemandEnabled</key>        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>     <string>v35et.vpn1</string>
      <key>PayloadDescription</key>  <string>v35et.vpn1</string>
      <key>PayloadDisplayName</key>  <string>v35et.vpn1</string>
      <key>PayloadIdentifier</key>   <string>vpn.fo4.v35et.vpn1.mgi8</string>
      <key>PayloadType</key>         <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>         <string>e87a04d2-88e4-41af-8567-e21d8f18042e</string>
      <key>PayloadVersion</key>      <integer>1</integer>
      <key>VPNType</key>             <string>IKEv2</string>
    </dict>
    <dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>   <string>Certificate</string>
        <key>ExtendedAuthEnabled</key>    <integer>0</integer>
        <key>LocalIdentifier</key>        <string>CN=v35.mgi8</string>
        <key>RemoteIdentifier</key>       <string>CN=vpn2</string>
        <key>RemoteAddress</key>          <string>209.23.153.218</string>
        <key>PayloadCertificateUUID</key> <string>ae52c04c-17fa-41b4-8973-8aaac7ec5877</string>
        <key>OnDemandEnabled</key>        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>     <string>v35kk.vpn2</string>
      <key>PayloadDescription</key>  <string>v35kk.vpn2</string>
      <key>PayloadDisplayName</key>  <string>v35kk.vpn2</string>
      <key>PayloadIdentifier</key>   <string>vpn.fo4.v35kk.vpn2.mgi8</string>
      <key>PayloadType</key>         <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>         <string>97b53a13-c6a5-4d1a-ae01-29acbc7d5c7e</string>
      <key>PayloadVersion</key>      <integer>1</integer>
      <key>VPNType</key>             <string>IKEv2</string>
    </dict>
    <dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>   <string>Certificate</string>
        <key>ExtendedAuthEnabled</key>    <integer>1</integer>
        <key>LocalIdentifier</key>        <string>CN=v35.mgi8</string>
        <key>RemoteIdentifier</key>       <string>CN=vpn2</string>
        <key>RemoteAddress</key>          <string>209.23.153.218</string>
        <key>PayloadCertificateUUID</key> <string>ae52c04c-17fa-41b4-8973-8aaac7ec5877</string>
        <key>OnDemandEnabled</key>        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>     <string>v35et.vpn2</string>
      <key>PayloadDescription</key>  <string>v35et.vpn2</string>
      <key>PayloadDisplayName</key>  <string>v35et.vpn2</string>
      <key>PayloadIdentifier</key>   <string>vpn.fo4.v35et.vpn2.mgi8</string>
      <key>PayloadType</key>         <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>         <string>5cc916f3-bdd6-4ba0-91c6-1ce76da1f567</string>
      <key>PayloadVersion</key>      <integer>1</integer>
      <key>VPNType</key>             <string>IKEv2</string>
    </dict>
  </array>
</dict>
</plist>
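Editor's added example, not part of the post above: a small Python script that pulls the `looking for peer configs matching A[IDa]...B[IDb]` lines out of charon's log, normalises the DNs (strongSwan accepts both the `C=us/ST=.../CN=fo4` spelling used in the conns above and the `C=us, ST=..., CN=fo4` spelling it prints in its logs), and lists which `rightid` values match the received IDi at the string level. The conn table and the three lookups are transcribed from the post (timestamps dropped, each verdict line placed directly after its lookup). A string-level match is necessary but not sufficient: charon also compares the identity type, which the log line does not print, so a DN `rightid` will not match the same text sent as an FQDN or KEY_ID identity, while `%any` matches anything. Where the script's candidates disagree with the verdict charon logged, the difference lies in something the lookup line does not show; raising the `cfg` log level (`ipsec stroke loglevel cfg 2` on a stroke-based install) makes charon log each candidate conn with its me/other/ike match scores.

```python
import re
from typing import Dict, List, Optional, Tuple

RDN = List[Tuple[str, str]]


def parse_dn(dn: str) -> RDN:
    """Split a DN into (attribute, value) pairs. Accepts both spellings that
    strongSwan accepts: 'C=us/ST=minnesota/O=Factor of 4/CN=fo4' as written in
    ipsec.conf and 'C=us, ST=minnesota, O=Factor of 4, CN=fo4' as charon logs it.
    Assumption: no attribute value itself contains ',' or '/'."""
    sep = "/" if "/" in dn and ", " not in dn else ","
    pairs: RDN = []
    for part in dn.split(sep):
        part = part.strip()
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def id_matches(rightid: str, received_id: str) -> bool:
    """String-level imitation of matching a conn's rightid against the IDi
    charon logged. '%any' matches everything; otherwise the RDN sequences must
    be equal. Simplification: real strongSwan additionally requires the identity
    type (DN vs FQDN vs KEY_ID ...) to agree, which the log line does not show."""
    if rightid == "%any":
        return True
    return parse_dn(rightid) == parse_dn(received_id)


LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local_ip>[\d.]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote_ip>[\d.]+)\[(?P<remote_id>[^\]]*)\]"
)
SELECTED_RE = re.compile(r"selected peer config '([^']+)'")


def parse_peer_lookup(line: str) -> Optional[Dict[str, str]]:
    """Extract addresses and identities from a 'looking for peer configs' line."""
    m = LOOKUP_RE.search(line)
    return m.groupdict() if m else None


def candidate_conns(received_id: str, conns: Dict[str, str]) -> List[str]:
    """Names of conns whose rightid matches the received IDi at string level."""
    return [name for name, rightid in conns.items() if id_matches(rightid, received_id)]


def analyse(log: str, conns: Dict[str, str]) -> List[Dict[str, object]]:
    """For each lookup line, pair charon's verdict on the following line with
    the string-level candidates, so disagreements stand out."""
    lines = log.splitlines()
    results: List[Dict[str, object]] = []
    for i, line in enumerate(lines):
        lookup = parse_peer_lookup(line)
        if lookup is None:
            continue
        verdict = lines[i + 1] if i + 1 < len(lines) else ""
        m = SELECTED_RE.search(verdict)
        results.append({
            "remote_id": lookup["remote_id"],
            "string_candidates": candidate_conns(lookup["remote_id"], conns),
            "charon_selected": m.group(1) if m else None,
        })
    return results


# rightid of each conn, transcribed from the ipsec.conf fragment in the post
# (only the conns that carry a rightid of their own, plus the %any one)
CONNS = {
    "ocp": "C=us, ST=minnesota, O=Factor of 4, CN=cp10s",
    "ob1": "CN=v3.burdock",
    "ma0": "CN=v0.andymac",
    "i8k": "CN=v35.mgi8",
    "leftca+rightca": "%any",
}

# the three lookups from the post's logs, timestamps removed
SAMPLE_LOG = """\
12[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...75.168.201.4[CN=v3.burdock]
12[CFG] selected peer config 'ob1'
07[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...216.161.16.228[CN=v0.andymac]
07[CFG] no matching peer config found
14[CFG] looking for peer configs matching 209.23.153.218[CN=vpn2]...75.168.201.4[CN=v35.mgi8]
14[CFG] selected peer config 'leftca+rightca'
"""

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG, CONNS):
        print(r)
```

Run against the post's three lookups, the script reports that `ob1` matches the Linux client both ways, while for the two Apple clients the string-level candidates (`ma0`, `i8k`) are exactly the conns charon skipped, and only the `%any` conn was ever selected. That pattern is what the type caveat in the lead-in describes; the `cfg` level-2 candidate lines are the way to confirm or rule it out on the er-x.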

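Editor's added example, not part of the post: a consistency check for the .mobileconfig using Python's standard `plistlib`. It verifies that every `com.apple.vpn.managed` payload with `AuthenticationMethod Certificate` points its `PayloadCertificateUUID` at a `com.apple.security.pkcs12` payload in the same profile, that `RemoteIdentifier` equals the responder's `leftid` for a known `RemoteAddress`, and that no PayloadUUID is reused. The embedded profile is constructed in the shape of the one above, cut down to one CA, one identity and two IKEv2 payloads; the second IKEv2 payload is deliberately given a dangling certificate UUID and the wrong RemoteIdentifier so the checks have something to report. The UUIDs are taken from the post; the responder map is an assumption.

```python
import plistlib
from typing import Dict, List

# Constructed profile in the shape of the post's .mobileconfig, reduced to a CA
# payload, one PKCS#12 identity and two IKEv2 payloads. The second IKEv2
# payload is deliberately wrong: its PayloadCertificateUUID matches nothing and
# its RemoteIdentifier is not the responder's leftid.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>1359f5c7-de90-4bf8-ab46-cf9c135aa2bb</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadUUID</key><string>7f9b98a2-c485-4b5b-be64-b44e3ca9e7f8</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key><string>ae52c04c-17fa-41b4-8973-8aaac7ec5877</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key><string>97b53a13-c6a5-4d1a-ae01-29acbc7d5c7e</string>
      <key>UserDefinedName</key><string>v35kk.vpn2</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>LocalIdentifier</key><string>CN=v35.mgi8</string>
        <key>RemoteIdentifier</key><string>CN=vpn2</string>
        <key>RemoteAddress</key><string>209.23.153.218</string>
        <key>PayloadCertificateUUID</key><string>ae52c04c-17fa-41b4-8973-8aaac7ec5877</string>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key><string>5cc916f3-bdd6-4ba0-91c6-1ce76da1f567</string>
      <key>UserDefinedName</key><string>broken</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>LocalIdentifier</key><string>CN=v35.mgi8</string>
        <key>RemoteIdentifier</key><string>CN=vpn1</string>
        <key>RemoteAddress</key><string>209.23.153.218</string>
        <key>PayloadCertificateUUID</key><string>00000000-0000-4000-8000-000000000000</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed map of responder address to the leftid it presents; the single entry
# is taken from conn 'ocp' in the post. Payloads for other addresses are not
# checked for RemoteIdentifier.
RESPONDERS = {"209.23.153.218": "CN=vpn2"}


def check_profile(profile: bytes, responders: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the profile passed
    every check below."""
    root = plistlib.loads(profile)
    payloads = root["PayloadContent"]
    problems: List[str] = []

    # Every PayloadUUID in the profile, including the outer one, must be unique.
    uuids = [root["PayloadUUID"]] + [p["PayloadUUID"] for p in payloads]
    if len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values are not unique")

    identities = {p["PayloadUUID"] for p in payloads
                  if p["PayloadType"] == "com.apple.security.pkcs12"}

    for p in payloads:
        if p["PayloadType"] != "com.apple.vpn.managed":
            continue
        name = p.get("UserDefinedName", p["PayloadUUID"])
        ike = p.get("IKEv2", {})
        # Certificate auth needs a client identity the profile actually carries.
        if (ike.get("AuthenticationMethod") == "Certificate"
                and ike.get("PayloadCertificateUUID") not in identities):
            problems.append(f"{name}: PayloadCertificateUUID references no "
                            "com.apple.security.pkcs12 payload")
        # RemoteIdentifier is what the client expects as IDr; compare it with
        # the leftid the responder at that address is configured to present.
        expected = responders.get(ike.get("RemoteAddress", ""))
        if expected is not None and ike.get("RemoteIdentifier") != expected:
            problems.append(f"{name}: RemoteIdentifier {ike.get('RemoteIdentifier')!r} "
                            f"differs from responder leftid {expected!r}")
    return problems


if __name__ == "__main__":
    for problem in check_profile(SAMPLE_PROFILE, RESPONDERS) or ["no problems found"]:
        print(problem)
```

To check a real profile, read the .mobileconfig bytes from disk and pass them in place of `SAMPLE_PROFILE`; signed profiles must be unwrapped from their CMS envelope first (for example with `openssl smime -verify -noverify -inform DER`), since `plistlib` expects the bare XML.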