3g91ld3a

Q: iOS 6+ repair of 2048-bit certificates-based for L2TP over IPsec VPN

Dear Apple Team,

I respectfully request that you repair the "native" VPN client built into OS X 10.8 and iOS 6. The problem is that the VPN client is mangling the certificate payload for certificates larger than 1024 bits. This is a fragmentation problem: when the client hits the standard ~1500 MTU of most network devices, it fragments the certificate. Fragmenting it is fine, but the client is not handling it correctly. The effect is that users with 2048-bit certs or higher cannot get on the VPN; the VPN server observes a faulty certificate or faulty payload. I have spoken with Enterprise support, who were most professional and excellent; however, they indicated there was no support for the native client. Yet, since this *used* to work in iOS 5 and below, as well as 10.7 and earlier, clearly something has broken in 10.8 and iOS 6.

We all love using our iPads, iPhones, and OS X devices in business. Please keep it that way and restore this lost functionality; any security-conscious organization that requires certificates for VPN will also require 2048-bit certificates (or more).

You can see more detail here (for the OS X part, at least): https://discussions.apple.com/thread/4158642?start=0&tstart=0

Thank you very much.

iPad 2, iOS 6

Posted on Feb 2, 2013 3:21 PM
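The fragmentation failure the post describes, as an added example in Python (mine, not Apple's or the poster's code): it builds a packet shaped like IKEv1 main-mode message 5/6 (ID, CERT and SIG payloads behind an ISAKMP header, left unencrypted here), splits it the way the IKEv1 fragmentation extension that racoon calls ike_frag does when the packet will not fit a 1500-byte MTU, and reassembles it with the checks a receiving client has to make. The fragment-payload layout (type 132) is recalled from the fragmentation draft and is an assumption; the placeholder certificate sizes (780 and 1180 bytes standing in for DER certs with 1024-bit and 2048-bit RSA keys), the cookies and the identity string are constructed, not from the page.

```python
"""Added example: IKEv1 fragmentation of a phase 1 message carrying a
certificate. Shows why a 2048-bit cert needs fragmenting at a 1500-byte
MTU while a 1024-bit one does not, and what a fragmenter/reassembler
pair must do. Not Apple's or racoon's code; sizes are placeholders."""
import hashlib
import struct

# ISAKMP header (RFC 2408): I-cookie(8) R-cookie(8) next-payload(1)
# version(1) exchange(1) flags(1) message-id(4) total-length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28 bytes
# generic payload header: next-payload(1) reserved(1) length(2)
GEN_HDR = struct.Struct("!BBH")              # 4 bytes
# fragment payload (type 132) as racoon's ike_frag uses it -- ASSUMED layout,
# recalled from the IKEv1 fragmentation draft: next(1) reserved(1) length(2)
# fragment-id(2) fragment-number(1, starts at 1) flags(1, 0x01 = last)
FRAG_HDR = struct.Struct("!BBHHBB")          # 8 bytes

NP_NONE, NP_ID, NP_CERT, NP_SIG, NP_FRAG = 0, 5, 6, 9, 132
FRAG_FLAG_LAST = 0x01
CERT_ENC_X509_SIG = 4        # CERT payload encoding byte: X.509 signature cert
XCHG_MAIN_MODE = 2
MTU = 1500
MAX_IKE = MTU - 20 - 8       # what is left after IPv4 + UDP headers (no NAT-T)


def payload(next_payload, body):
    """Wrap body in a generic ISAKMP payload header."""
    return GEN_HDR.pack(next_payload, 0, GEN_HDR.size + len(body)) + body


def phase1_msg(cert_der, sig, ident=b"\x01\x00\x00\x00vpn.example.test"):
    """ID + CERT + SIG chain behind an ISAKMP header: the shape of main-mode
    message 5/6 (unencrypted here; only the lengths matter for the demo).
    The ident bytes are a hypothetical ID payload body."""
    chain = (payload(NP_CERT, ident)
             + payload(NP_SIG, bytes([CERT_ENC_X509_SIG]) + cert_der)
             + payload(NP_NONE, sig))
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, NP_ID, 0x10, XCHG_MAIN_MODE,
                          0, 0, ISAKMP_HDR.size + len(chain))
    return hdr + chain


def fragment(msg, frag_id=1, max_packet=MAX_IKE):
    """Split one ISAKMP packet into fragment packets if it will not fit.
    Each fragment carries a copy of the header with next payload 132."""
    if len(msg) <= max_packet:
        return [msg]
    room = max_packet - ISAKMP_HDR.size - FRAG_HDR.size
    chunks = [msg[i:i + room] for i in range(0, len(msg), room)]
    h = list(ISAKMP_HDR.unpack(msg[:ISAKMP_HDR.size]))
    out = []
    for num, chunk in enumerate(chunks, start=1):
        flags = FRAG_FLAG_LAST if num == len(chunks) else 0
        fp = FRAG_HDR.pack(NP_NONE, 0, FRAG_HDR.size + len(chunk),
                           frag_id, num, flags) + chunk
        h[2], h[7] = NP_FRAG, ISAKMP_HDR.size + len(fp)
        out.append(ISAKMP_HDR.pack(*h) + fp)
    return out


def reassemble(packets):
    """Rebuild the original packet from fragment packets, in any order.
    Rejects gaps, conflicting duplicates, mixed fragment IDs and bad lengths."""
    packets = list(packets)
    if len(packets) == 1 and ISAKMP_HDR.unpack(packets[0][:ISAKMP_HDR.size])[2] != NP_FRAG:
        return packets[0]                    # never fragmented
    pieces, last, frag_id = {}, None, None
    for pkt in packets:
        hdr = ISAKMP_HDR.unpack(pkt[:ISAKMP_HDR.size])
        if hdr[2] != NP_FRAG or hdr[7] != len(pkt):
            raise ValueError("not a fragment packet or ISAKMP length mismatch")
        _np, _rsv, plen, fid, num, flags = FRAG_HDR.unpack(
            pkt[ISAKMP_HDR.size:ISAKMP_HDR.size + FRAG_HDR.size])
        data = pkt[ISAKMP_HDR.size + FRAG_HDR.size:]
        if plen != FRAG_HDR.size + len(data) or num == 0:
            raise ValueError("bad fragment payload length or number")
        if frag_id is None:
            frag_id = fid
        elif fid != frag_id:
            raise ValueError("fragments from different messages")
        if pieces.get(num, data) != data:
            raise ValueError("conflicting duplicate fragment")
        pieces[num] = data
        if flags & FRAG_FLAG_LAST:
            last = num
    if last is None or any(n not in pieces for n in range(1, last + 1)):
        raise ValueError("missing fragments")
    whole = b"".join(pieces[n] for n in range(1, last + 1))
    if ISAKMP_HDR.unpack(whole[:ISAKMP_HDR.size])[7] != len(whole):
        raise ValueError("reassembled packet length does not match its header")
    return whole


def demo(key_bits):
    """Build, fragment and reassemble (out of order) a message for one key size.
    Constructed placeholder DER lengths: 780 bytes for a 1024-bit RSA cert,
    1180 for a 2048-bit one; signature length equals the key size in bytes."""
    der_len = {1024: 780, 2048: 1180}[key_bits]
    cert_der = (bytes(range(256)) * 5)[:der_len]
    sig = b"\x5a" * (key_bits // 8)
    msg = phase1_msg(cert_der, sig)
    frags = fragment(msg)
    back = reassemble(reversed(frags))       # deliberately out of order
    return {"key_bits": key_bits, "ike_len": len(msg),
            "fits_mtu": len(msg) <= MAX_IKE, "fragments": len(frags),
            "roundtrip_ok": hashlib.sha1(back).digest() == hashlib.sha1(msg).digest()}


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(demo(bits))
```

With these constructed sizes the 1024-bit message is 969 bytes and fits one UDP datagram, while the 2048-bit message is 1497 bytes, 25 over the 1472 that a 1500-byte MTU leaves for IKE, so it is split in two; the reassembler is the side that has to survive reordering and reject gaps, which is the part the post reports as broken in the 10.8/iOS 6 client.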


  • Frankenburger, Feb 24, 2013 2:02 AM, in response to 3g91ld3a

    Hi, I have the same problem, and debugged it in depth.

    I use 2048-bit SSL certs.

    iPhone and iPad both work with these certificates, so there must be a difference in the racoon source.

    First I enabled debugging in the file /etc/racoon/racoon.conf

    (be sure that racoon is not running, or you will get err (61). Reboot to fix)

    added:

    path logfile "/var/log/racoon.log";
    log debug2;

    did as root:

    touch /var/log/racoon.log
    chown root:admin /var/log/racoon.log
    chmod 640 /var/log/racoon.log

     

    So the error at the end, after hashing the cert:

    2013-02-24 10:48:51: [483] DEBUG: hmac(hmac_sha1)
    2013-02-24 10:48:51: [483] DEBUG: HASH (init) computed:
    2013-02-24 10:48:51: [483] DEBUG:
    4c36a99e e9ddb045 03d54006 92b5c9ff c9732e72
    2013-02-24 10:48:51: [483] ERROR: error -25308 errSecInteractionNotAllowed.
    2013-02-24 10:48:51: [483] ERROR: failed to sign.
    2013-02-24 10:48:51: [483] ERROR: failed to get sign
    2013-02-24 10:48:51: [483] ERROR: failed to allocate send buffer
    2013-02-24 10:48:51: [483] ERROR: failed to process packet.
    2013-02-24 10:48:51: [483] ERROR: phase1 negotiation failed.
    2013-02-24 10:48:51: [483] DEBUG: IV freed


    The CA cert and the client are trusted (verified in the keystore, showing a valid cert).

    I also played around with turning dpd off and ike_frag on.
    No change. Seems like the dog is biting its own tail.


    Any updates on this issue?


    Rgds.

    Frank
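Reading a racoon debug log like the excerpt above, as an added example in Python (mine, not racoon's or the poster's code): a parser for the debug2 line format that collects the ERROR lines leading up to each "phase1 negotiation failed" for the same racoon pid and pulls out the Security-framework OSStatus among them. The line format is inferred from the excerpt; the sample log is constructed from that excerpt with the three run-together ERROR lines separated; the two OSStatus meanings in the table are Apple's documented ones, and -25308 (errSecInteractionNotAllowed) is the one the post hits.

```python
"""Added example: find why racoon's phase 1 failed from its debug log.
Not racoon's or the poster's code; the sample log is constructed from the
excerpt in the post, with the run-together ERROR lines separated."""
import re
from collections import defaultdict

# racoon log line: "YYYY-MM-DD HH:MM:SS: [pid] LEVEL: message" (inferred from
# the excerpt; hex-dump continuation lines carry no prefix and are skipped)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \[(?P<pid>\d+)\] "
    r"(?P<level>[A-Z]+): ?(?P<msg>.*)$")
OSSTATUS_RE = re.compile(r"error (?P<code>-?\d+) (?P<name>errSec\w+)")
# Security-framework result codes worth recognising here. The first is the
# one in the post: the keychain wanted to prompt the user, which a daemon
# such as racoon has no way to do.
OSSTATUS_MEANING = {
    -25308: "errSecInteractionNotAllowed: keychain operation needs user "
            "interaction, which racoon (a daemon) cannot provide",
    -25300: "errSecItemNotFound: no matching keychain item",
}


def parse_line(line):
    """One racoon log line -> dict, or None for continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "pid": int(m["pid"]),
            "level": m["level"], "msg": m["msg"]}


def phase1_failures(lines):
    """One record per 'phase1 negotiation failed', carrying the ERROR lines
    that preceded it for the same pid and the first OSStatus among them."""
    pending = defaultdict(list)       # pid -> ERROR messages not yet explained
    failures = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msg"].startswith("phase1 negotiation failed"):
            errors = pending.pop(rec["pid"], [])
            code = name = None
            for msg in errors:
                m = OSSTATUS_RE.search(msg)
                if m:
                    code, name = int(m["code"]), m["name"]
                    break
            failures.append({"ts": rec["ts"], "pid": rec["pid"],
                             "errors": errors, "osstatus": code,
                             "meaning": OSSTATUS_MEANING.get(code, name)})
        elif rec["level"] == "ERROR":
            pending[rec["pid"]].append(rec["msg"])
    return failures


# Constructed sample, modelled on the excerpt in the post.
SAMPLE_LOG = """\
2013-02-24 10:48:51: [483] DEBUG: hmac(hmac_sha1)
2013-02-24 10:48:51: [483] DEBUG: HASH (init) computed:
2013-02-24 10:48:51: [483] DEBUG:
4c36a99e e9ddb045 03d54006 92b5c9ff c9732e72
2013-02-24 10:48:51: [483] ERROR: error -25308 errSecInteractionNotAllowed.
2013-02-24 10:48:51: [483] ERROR: failed to sign.
2013-02-24 10:48:51: [483] ERROR: failed to get sign
2013-02-24 10:48:51: [483] ERROR: failed to allocate send buffer
2013-02-24 10:48:51: [483] ERROR: failed to process packet.
2013-02-24 10:48:51: [483] ERROR: phase1 negotiation failed.
2013-02-24 10:48:51: [483] DEBUG: IV freed
"""

if __name__ == "__main__":
    for f in phase1_failures(SAMPLE_LOG.splitlines()):
        print(f["ts"], "pid", f["pid"], "phase 1 failed:",
              f["meaning"] or "no OSStatus logged")
        for e in f["errors"]:
            print("   ", e)
```

Run against a real /var/log/racoon.log (readable by root:admin with the 640 mode from the post) by feeding the file's lines to phase1_failures; the first OSStatus in the chain, not the later "failed to process packet" noise, is the thing to act on.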

  • Frankenburger, Feb 24, 2013 2:07 AM, in response to Frankenburger

    Forgot to mention, I am using only 1024-bit certificates.

    iOS 6.x is working.

    OS X 10.8 is not.


    Rgds.

    Frank