
DIY Cisco IPSec compatible server for use with iPhones etc.

I am currently returning to a topic I previously started investigating some time ago, now that I have the time and resources to do so. First, some background.


iOS devices (and Macs) have built-in support for three different types of VPN client, PPTP, L2TP and Cisco IPSec. I am aware other types can be installed e.g. OpenVPN or one of various SSL VPN solutions, but I am only interested in using a built-in VPN client. It is possible with some types of VPN client to also utilise a function called 'VPN on Demand' whereby you can configure the client device to automatically connect to the VPN server based on need e.g. when it needs to access a server on your private LAN. This function is limited to either Cisco IPSec or SSL VPN clients. As I want to both use a built-in client and use VPN on Demand it should be obvious there is only one suitable choice which meets my criteria which is Cisco IPSec.


The next issue is what VPN server to use. Apple's own VPN server in Server.app is limited to only PPTP or L2TP so it is not suitable. This is actually surprising since Apple do (mostly) use the open-source Racoon software which does support Cisco IPSec. However Apple have heavily modified their version of Racoon and I have already tried a manual configuration using normal Racoon commands and it definitely does not work for Cisco IPSec. I happen to have a SonicWALL box and while it can do a Cisco IPSec tunnel for site to site links, it does not work for client VPN connections via Cisco IPSec. I don't want to pay the considerable sum for a genuine Cisco appliance. I am therefore at the moment looking at running a Linux virtual machine and genuine unadulterated Racoon software. 🙂


I have already successfully got Racoon working for Cisco IPSec with a pre-shared-key and even used LDAP to authenticate against Open Directory, however in order to do VPN on Demand you cannot use pre-shared-keys but must instead use client certificates. I then was able to get Racoon (and an iPhone) working with client certificates instead of a pre-shared-key using authentication_method xauth_rsa_server and still also authenticating the user against LDAP.


Note: The client certificates authenticate the device i.e. the iPhone, the user is then authenticated against LDAP.


This might be enough to achieve my full goal of Cisco IPSec and VPN on Demand. However the documentation I have seen is not clear whether for VPN on Demand you should only use device authentication and skip user authentication - something that is in theory possible. Could someone therefore clarify for me whether VPN on Demand has to be only client certificates (and no user authentication), or whether it can be both.


If it has to be only client certificates with no user authentication then I am not quite there yet. I have tried using authentication_method rsasig instead which is supposed to be a certificate only authentication method but then it fails to negotiate a phase 1 part of the connection and therefore is not working.


Any suggestions from Racoon experts out there?

Posted on Jan 30, 2014 10:15 AM

9 replies

Jan 31, 2014 7:02 AM in response to John Lockwood

As an update, I currently have an iPhone with iOS 7.0.4 successfully able to connect using a client certificate, but the exact same client certificate when used on a Mountain Lion Mac results in a failure; I get the following errors in Racoon.


2014-01-31 14:11:15: ERROR: Inpropper ID type passed: KEY_ID.

2014-01-31 14:11:15: ERROR: no peer's CERT payload found.


So the same server, the same client cert, even the same user account and it only works on an iPhone and not a Mac. 😟


I suspect the issue is related to the client cert even though it works on the iPhone. I did also find that if I generated a VPN client cert via Keychain Access and the Certificate Assistant then I could import the resulting certificate on the iPhone (I emailed it to the iPhone), I could also import the certificate to my login keychain on the Mac, but I could not import it in to the System keychain. As a result that form of certificate was not visible to the Cisco IPSec VPN client in System Preferences as it was not considered a valid machine certificate.


When I generated a certificate via OpenSSL it was accepted by the iPhone again, and this time was accepted in the System Keychain on the Mac and hence was selectable in the Cisco IPSec VPN client. However as mentioned above while the iPhone could connect with it, the Mac could not. The Mac instead caused the errors above on the Linux Racoon server.


Any clues anyone?

Feb 4, 2014 10:03 AM in response to John Lockwood

Ok, I found why the iPhone and Racoon were failing to connect and generating the following errors in Racoon


2014-01-31 14:11:15: ERROR: Inpropper ID type passed: KEY_ID.

2014-01-31 14:11:15: ERROR: no peer's CERT payload found.


It is down to what I believe to be a bug in Apple's built-in IPSec client in iOS 7.0.4 (and possibly earlier). I had initially started off with both Racoon and the iPhone successfully configured to use IPSec with a pre-shared-key, I had therefore of course entered appropriate details in the VPN profile on the iPhone for this i.e. the pre-shared-key and the Group Name.


When I moved on to testing using certificates instead of a PSK, I merely modified the existing VPN profile on the iPhone by swiping the switch over to certificate authentication which meant the iPhone 'hid' the PSK and Group Name fields. With a properly written program this should mean those fields are then disabled/ignored.


However despite the fact those fields are not applicable to certificate-based connections and had been made invisible, when the iPhone then tried connecting it was actually still trying to use those settings when talking to the Racoon server. The Racoon server was quite rightly confused by this and the result was that the errors above were produced and the connection would fail each time.


As you can see those errors are not terribly informative and even turning on max debugging information in Racoon did not help identify this issue. It was only when I tried the same thing with a StrongSwan VPN server (also in Linux) with again the same VPN profile on the iPhone that the log for StrongSwan showed up this problem.


The solution was therefore to make a new fresh profile on the iPhone that had not had any PSK/Group Name details entered. I could then connect successfully to Racoon.


I therefore now have achieved the following -


  1. A (free) Cisco IPSec compatible VPN server in the form of Racoon
  2. Certificate based authentication instead of PSK
  3. LDAP authentication for the user login stage via xauth_rsa_server (linked to Open Directory)
  4. Routing all traffic via the VPN connection


This in theory now meets all the criteria necessary to implement 'VPN on Demand' via Profile Manager. 🙂


(Further background on other IPSec solutions)


When I got stuck with Racoon (as above) I had then tried pfSense which is a pre-built FreeBSD based system with a nice web interface for setting up and running a VPN server. It actually underneath also uses Racoon. I therefore ended up hitting the same problem for the same reason - the bug on the iPhone. Once this was solved I did almost manage to get pfSense working but with one important exception. I found that if I configured it to not 'send a list of networks' to the client device i.e. to therefore route all traffic via the VPN connection then unfortunately it would fail to negotiate a phase2 connection and I would get the following errors.


Feb 3 15:47:31 racoon: [Self]: INFO: respond new phase 2 negotiation: 81.x.x.12[500]<=>86.x.x.247[500]

Feb 3 15:47:31 racoon: ERROR: failed to get sainfo.

Feb 3 15:47:31 racoon: ERROR: failed to get sainfo.

Feb 3 15:47:31 racoon: [86.x.x.247] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).


I was able to otherwise get it working with IPSec, certificates, and LDAP authentication, but not with routing all traffic. 😟


This is a shame as otherwise the web-interface for pfSense is a lot more pleasant and in particular makes it much easier to generate, manage, revoke, and check those certificates.


As mentioned above it was eventually StrongSwan which gave me the clue to solve the iPhone problem. StrongSwan is a totally different alternative to Racoon but like Racoon can provide a Cisco IPSec compatible VPN solution. Furthermore StrongSwan appears to be far more powerful and up-to-date technology-wise as it supports amongst other things the much newer IKE2 standard. Unfortunately it is hampered by having particularly poor documentation and an almost total lack of fully laid out example configurations.


I was able to get it working well enough to not only resolve the iPhone problem but also eventually to making a successful IPSec connection with certificate authentication. Where I eventually gave up was with trying to get it to authenticate the user phase via LDAP using xauth-pam.


I did manage to get ssh connections to authenticate via PAM and LDAP on the same Linux server so I feel I had managed to sort out the PAM setup (the PAM documentation is almost as bad as StrongSwan - but not quite). However I could not get StrongSwan to work with an LDAP account. I was also not 100% convinced that StrongSwan was correctly verifying the certificates and might therefore have been simply accepting anything.


I would be grateful if anyone else has successfully configured StrongSwan with xauth-pam and LDAP if they could provide some guidance.


Likewise if anyone else has successfully got pfSense working with IPSec, certificates, and routing all traffic that would be helpful as well.


-------


Next steps.


Apart from now setting up Profile Manager to implement 'VPN on Demand' I also need to sort out a certificate management system i.e. PKI. I am considering using EJBCA although I am awaiting 6.0.4 to be released as earlier versions have a bug in the SCEP component that makes it incompatible with Macs. (Supposed to be fixed in 6.0.4) See https://jira.primekey.se/browse/ECA-3364

Aug 4, 2014 1:53 AM in response to John Lockwood

If you're still interested, I have successfully set up StrongSwan on Linux to work with the iOS Cisco VPN client in Certificate mode. I have also set up a VPN on Demand profile as well.


This configuration below uses strongswan 5.2.0. My VPN Linux box is behind a NAT router so I've also had UDP 500/4500 forwarded as well. You must have a DHCP server in the subnet that contains the VPN box so that it can assign DHCP addresses to the clients.

I'll simply assume that you're familiar with PKI and certificate generation, so I'll just explain the strongswan.conf and ipsec.conf on StrongSwan here:


strongswan.conf:

charon {
        dns1=xxx.xxx.xxx.xxx                    # IP address of the DNS server that you want your iPhone client to use
        load=charon nonce pem openssl random attr kernel-netlink socket-default farp stroke updown xauth-generic xauth-noauth dhcp
          # The above line loads necessary modules for strongswan, if you want DHCP to work you must load dhcp
          # and farp modules

        plugins {
                dhcp {
                        server = xxx.xxx.xxx.xxx     # IP address of DHCP server to request for IP address.
                }
        }
}


ipsec.conf (only partial configuration here, put in ca and general stuff yourself)

conn vpn
        keyexchange=ikev1
        type=tunnel
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        left=yyy.yyy.yyy.yyy          # This is the local IP address of your Linux box.
        leftid=fqdn.dyndns.org          # I use dynamic DNS but the point is that this should be your public domain name.
        leftauth=pubkey
        rightauth=pubkey
        leftcert=fqdn.dyndns.org.crt     # This one points to the certificate in your ipsec.d/certs dir. Private key is defined in ipsec.secrets
        rightauth2=xauth-noauth     # This asks strongswan to fake the xauth response so that cert-only auth works (and is a requirement for VPN on Demand)
        leftsubnet=0.0.0.0/0          # This asks the client (iPhone) to forward all traffic to the tunnel. Put in a subnet if necessary.
        right=%any
        rightsubnet=yyy.yyy.yyy.0/24     # This points to the subnet of your Linux box.
        rightsourceip=%dhcp          # This asks the DHCP server to assign an address for you.
        forceencaps=yes          # I'm using NAT-T on both sides.
        auto=add


On iPhone side you'll need a pkcs12 certificate bundle. This could be imported via iPhone configuration utility as well.

Aug 4, 2014 2:22 AM in response to Michael MC Lam

Thanks for the reply, I had forgotten to update this thread with my further results. I have actually since got it fully working myself.


As per my previous post to this thread I had given up on Racoon and switched to StrongSwan. Initially I tried StrongSwan4 which is the standard for Ubuntu 12.04 but ended up using StrongSwan5 like you. This was to allow using the xauth-noauth plugin, again, it seems, like you. I did also discover that contrary to Apple's documentation, if one manually edits the mobileconfig file used to configure the client one can embed the username and password. Both xauth-noauth and embedding the username/password would solve the issue of stopping the client device constantly asking the user to enter the username and password each time VPN on Demand is triggered.


As I ended up using xauth-noauth I did not need to use ldap authentication of the username/password but as I recall I did manage to get PAM authentication setup successfully which is what StrongSwan uses to do ldap (another reason for switching to StrongSwan5).


I will have a more detailed look at your settings later to see if they improve on mine. In the meantime you could have a look at this http://jelockwood.blogspot.co.uk/2014/03/how-to-do-vpn-on-demand-for-ios-at-zero.html

Sep 14, 2014 12:33 PM in response to John Lockwood

After successfully running a StrongSwan based VPN solution for VPN on Demand for iOS devices a problem emerged; users were reporting they could not connect successfully. Initially this was hard to pin down as some users had on occasion been running out of data allowance, and sometimes the signal strength of cellular networks was too weak. However I eventually determined it always worked on EE and WiFi even using the same settings and devices but did not work on O2.


After further testing I determined it was due to O2 not liking the size of the packets used to connect and exchange security certificates. These packets, as they contain copies of the certificates, are much bigger than packets just containing a pre-shared-key. Fortunately with StrongSwan there is an option to enable handling the fragmentation of large packets into smaller ones and this has successfully resolved the problem. To enable this feature you need to add the following to /etc/ipsec.conf


fragmentation=yes


So if you have been having problems connecting to an IPSec VPN when using security certificates it might be worth investigating and trying a similar option.

Oct 4, 2014 10:10 AM in response to Michael MC Lam

I'm unable to replicate either setup. I'm using iOS 8.0.2 and strongSwan 5.2.0 on Debian 7.6.0.


I've also followed the steps from here: https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)


/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.1.0/24
        rightsourceip=10.0.8.0/24
        auto=add


/etc/strongswan.conf

charon {
        dns1 = 8.8.8.8
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf


/etc/ipsec.secrets

: RSA serverKey.pem
user1 : XAUTH "Password1"


Certificates:

root@debian:/etc/ipsec.d# ls -R
.:
aacerts acerts cacerts certs crls ocspcerts private reqs

./aacerts:

./acerts:

./cacerts:
caCert.pem

./certs:
serverCert.pem

./crls:

./ocspcerts:

./private:
serverKey.pem

./reqs:
root@debian:/etc/ipsec.d#


The serverKey.pem is not encrypted.

root@debian:/etc/ipsec.d# cat private/serverKey.pem
-----BEGIN RSA PRIVATE KEY-----
....


I've spent two days on this and I really don't know what's going wrong. Have you guys tested this with the latest version of iOS?


I'm about to pull my hair out already 🙂

Oct 4, 2014 10:32 AM in response to splashx

splashx wrote:


I'm unable to replicate either setup. I'm using iOS 8.0.2 and strongSwan 5.2.0 on Debian 7.6.0.


I've also followed the steps from here: https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)



I am using StrongSwan 5.1.2 under Ubuntu. For me, with my environment and setup, yes it is still working with iOS 8 and 8.0.2. I notice a few differences between your setup and mine which you could look into; I detail them below.


My own article is at http://jelockwood.blogspot.co.uk/2014/03/how-to-do-vpn-on-demand-for-ios-at-zero.html


  1. Different version of StrongSwan, as mentioned I am using 5.1.2
  2. I am using xauth-noauth to disable asking the client device for a username and password. This is because officially you cannot save the password in the mobileconfig file, and if you don't either disable xauth or cheat and manually add the password then every time it tries to do a VPN on Demand connection it will ask the user to re-enter their password, defeating the whole point of VPN on Demand being automatic. I have not tested to see if manually adding a password to a mobileconfig still works with iOS 8.
  3. My /etc/ipsec.conf conn ios section is as follows


conn ios
  keyexchange=ikev1
  authby=rsasig
  leftrsasigkey=%cert
  rightrsasigkey=%cert
  fragmentation=yes
  left=%defaultroute
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  leftcert=serverCert.pem
  right=%any
  rightsubnet=10.0.1.0/24
  rightsourceip=10.0.1.0/24
  leftauth=rsa
  rightauth=rsa
  rightauth2=xauth-noauth
  auto=add
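As an added example (not from this thread, and not strongSwan's own tooling), the following Python lint reads the conn sections of an ipsec.conf and checks them against the settings the thread converged on for iOS Cisco IPSec with VPN on Demand: certificate authentication, rightauth2=xauth-noauth so no password prompt is triggered, fragmentation=yes for carriers that drop certificate-sized IKE packets, and leftsubnet=0.0.0.0/0 for full-tunnel routing, plus a check for weak ike= proposals. The sample ipsec.conf text is constructed for the example.

```python
import re

# Constructed sample (not copied from the thread verbatim): 'ios' mirrors the cert-only,
# VPN-on-Demand-ready conn; 'ios-password' keeps the XAuth password stage and weak IKE.
SAMPLE_IPSEC_CONF = """
conn ios
        keyexchange=ikev1
        fragmentation=yes
        leftsubnet=0.0.0.0/0
        leftcert=serverCert.pem    # server cert in ipsec.d/certs
        right=%any
        rightauth=rsa
        rightauth2=xauth-noauth
        auto=add

conn ios-password
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        ike=aes128-sha1-modp1024!
        leftsubnet=10.0.1.0/24
        right=%any
        auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section; '#' comments are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith(("config ", "ca ")):
            current = None                      # not a conn section
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint_conn(s):
    """Findings for one conn against the iOS Cisco-IPSec / VPN on Demand requirements."""
    out = []
    if not ({s.get("rightauth"), s.get("authby")} & {"rsa", "pubkey", "rsasig", "xauthrsasig"}):
        out.append("client not certificate-authenticated; VPN on Demand requires certificates")
    xauth_on = s.get("xauth") == "server" or s.get("authby") == "xauthrsasig"
    if xauth_on and s.get("rightauth2") != "xauth-noauth":
        out.append("XAuth password stage active; every on-demand connect will prompt for a password")
    if s.get("fragmentation", "no") not in ("yes", "force"):
        out.append("fragmentation not enabled; certificate-sized IKE packets may be dropped by some carriers")
    if s.get("leftsubnet") != "0.0.0.0/0":
        out.append("leftsubnet is not 0.0.0.0/0; client traffic is not all routed via the tunnel")
    ike = s.get("ike", "")
    if re.search(r"modp1024|sha1|3des", ike):
        out.append(f"weak IKE proposal '{ike}'; prefer AES-GCM, SHA-2 and a DH group of 2048 bits or more")
    return out
```

Run it against your own /etc/ipsec.conf by passing the file contents to parse_conns and calling lint_conn on each conn; an empty list means the conn matches the settings discussed above.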
