iOS 6+: repair of 2048-bit certificate-based L2TP over IPsec VPN

Dear Apple Team,


I respectfully request that you repair the "native" VPN client built into OS X 10.8 and iOS 6. The problem is that the VPN client is mangling the certificate payload for certificates larger than 1024 bits. This is a fragmentation problem: when the client hits the standard ~1500 MTU of most network devices, it fragments the certificate. Fragmenting it is fine, but the client is not handling it correctly. The effect is that users with 2048-bit certs or higher cannot get on the VPN; the VPN server observes a faulty certificate or faulty payload. I have spoken with Enterprise Support, who were most professional and excellent; however, they indicated there was no support for the native client. Yet, since this *used* to work in iOS 5 and below, as well as 10.7 and earlier, clearly something has broken in 10.8 and iOS 6.


We all love using our iPads, iPhones, and OS X devices in business. Please keep it that way and restore this lost functionality; any security-conscious organization that requires certificates for VPN will also require 2048-bit certificates (or more).


You can see more detail here (for the OS X part, at least): https://discussions.apple.com/thread/4158642?start=0&tstart=0


Thank you very much.

iPad 2, iOS 6

Posted on Feb 2, 2013 3:20 PM


Feb 24, 2013 2:02 AM in response to 3g91ld3a

Hi, I have the same problem and debugged it in depth.

I use 2048-bit SSL certs.

iPhone and iPad both work with these certificates, so there must be a difference in the racoon source.

First I enabled debugging in the file /etc/racoon/racoon.conf


(Be sure that racoon is not running, or you will get err (61). Reboot to fix.)


I added:

path logfile "/var/log/racoon.log";

log debug2;


Then, as root, I did:

touch /var/log/racoon.log

chown root:admin /var/log/racoon.log

chmod 640 /var/log/racoon.log


So the error at the end, after hashing the cert:

2013-02-24 10:48:51: [483] DEBUG: hmac(hmac_sha1)

2013-02-24 10:48:51: [483] DEBUG: HASH (init) computed:

2013-02-24 10:48:51: [483] DEBUG:

4c36a99e e9ddb045 03d54006 92b5c9ff c9732e72

2013-02-24 10:48:51: [483] ERROR: error -25308 errSecInteractionNotAllowed.

2013-02-24 10:48:51: [483] ERROR: failed to sign.

2013-02-24 10:48:51: [483] ERROR: failed to get sign

2013-02-24 10:48:51: [483] ERROR: failed to allocate send buffer

2013-02-24 10:48:51: [483] ERROR: failed to process packet.

2013-02-24 10:48:51: [483] ERROR: phase1 negotiation failed.

2013-02-24 10:48:51: [483] DEBUG: IV freed


The CA cert and the client cert are trusted (verified in the keystore, showing a valid cert).


I also played around with turning dpd off and ike_frag on.

No change. Seems like the dog is biting its own tail.


Any updates on this issue?


Rgds.

Frank
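Added here as a worked example, not part of Frank's post or of Apple's racoon: a small script that does the debug-logging setup described above (append the two directives, create the log file with 640 permissions, refuse to touch anything while racoon is running) and then triages the resulting log for the phase 1 failure. It assumes a root-prefix argument so it can be dry-run against a scratch directory instead of the live /etc and /var, and an owner argument in place of the hard-coded root:admin. The sample log lines are constructed from the excerpt above, including the line where racoon ran three entries together. The reading of -25308 relies on Apple's Security framework constant errSecInteractionNotAllowed, "User interaction is not allowed".

```shell
#!/bin/sh
# Example script (not from the thread). ROOT lets every path be redirected to
# a scratch directory for a dry run; on a Mac you would run it as root with
# ROOT=/ and owner root:admin, as in the post.

# Enable racoon debug logging: append the two directives only if absent
# (idempotent) and create the log with restrictive permissions. racoon must not
# be running while racoon.conf is edited (the post reports err 61 otherwise).
racoon_debug_enable() {
    root=${1:-/}
    owner=${2:-root:admin}
    conf="$root/etc/racoon/racoon.conf"
    log="$root/var/log/racoon.log"

    if command -v pgrep >/dev/null 2>&1 && pgrep -x racoon >/dev/null 2>&1; then
        echo "racoon is running; stop it (or reboot) before editing $conf" >&2
        return 1
    fi

    mkdir -p "$(dirname "$conf")" "$(dirname "$log")"
    [ -f "$conf" ] || : > "$conf"
    grep -q '^path logfile ' "$conf" || printf 'path logfile "%s";\n' "$log" >> "$conf"
    grep -q '^log debug2;' "$conf"   || printf 'log debug2;\n' >> "$conf"

    : > "$log"
    chmod 640 "$log"
    # chown needs root and an existing group; warn rather than abort a dry run.
    chown "$owner" "$log" 2>/dev/null || echo "warning: chown $owner failed (run as root on the target)" >&2
}

# Constructed sample log modelled on the excerpt in the post, including the
# physical line that carries three log entries run together.
racoon_sample_log() {
    cat > "$1" <<'EOF'
2013-02-24 10:48:51: [483] DEBUG: hmac(hmac_sha1)
2013-02-24 10:48:51: [483] DEBUG: HASH (init) computed:
2013-02-24 10:48:51: [483] DEBUG:
4c36a99e e9ddb045 03d54006 92b5c9ff c9732e72
2013-02-24 10:48:51: [483] ERROR: error -25308 errSecInteractionNotAllowed.
2013-02-24 10:48:51: [483] ERROR: failed to sign.
2013-02-24 10:48:51: [483] ERROR: failed to get sign2013-02-24 10:48:51: [483] ERROR: failed to allocate send buffer2013-02-24 10:48:51: [483] ERROR: failed to process packet.
2013-02-24 10:48:51: [483] ERROR: phase1 negotiation failed.
2013-02-24 10:48:51: [483] DEBUG: IV freed
EOF
}

# Print the ERROR entries of a racoon log, one per line. Entries that racoon
# emitted without a trailing newline are split wherever a new
# "YYYY-MM-DD HH:MM:SS: [pid]" stamp begins inside a line.
racoon_errors() {
    awk '{
        gsub(/20[0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]: \[[0-9]+\]/, "\n&")
        sub(/^\n/, "")
        print
    }' "$1" | grep ' ERROR: ' || true
}

# One-line verdict. -25308 is errSecInteractionNotAllowed: the Security
# framework would have needed user interaction (a keychain prompt) to use the
# private key, which the racoon daemon cannot provide, so "failed to sign"
# follows and phase 1 never completes.
racoon_phase1_verdict() {
    errs=$(racoon_errors "$1")
    if printf '%s\n' "$errs" | grep -q 'errSecInteractionNotAllowed'; then
        echo "phase1 failed: keychain denied racoon non-interactive use of the signing key (errSecInteractionNotAllowed, -25308)"
    elif printf '%s\n' "$errs" | grep -q 'phase1 negotiation failed'; then
        echo "phase1 failed: see the ERROR entries preceding the failure"
    else
        echo "no phase1 failure found"
    fi
}

# Dry run against a scratch directory, never the live system.
demo_root=$(mktemp -d)
racoon_debug_enable "$demo_root" "$(id -un)"
racoon_sample_log "$demo_root/var/log/racoon.log"
racoon_errors "$demo_root/var/log/racoon.log"
racoon_phase1_verdict "$demo_root/var/log/racoon.log"
rm -rf "$demo_root"
```

On a real system the sequence is `racoon_debug_enable / root:admin` as root with racoon stopped, reconnect the VPN once, then `racoon_phase1_verdict /var/log/racoon.log`; the split step matters because a plain `grep ERROR` on the fused line would count three entries as one.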
