marcony96

Q: ikev2 with certificates: bug or not?

Hi,

I am trying to test an IKEv2 VPN connection that uses certificates for authentication. The client should be a Mac or an iPhone/iPad. As I encountered some issues, I looked over the community and found some posts that describe the problem just as I encountered it.

So, before doing any programming, I wanted to be sure that an IKEv2 VPN can be established using a "clean" OS (nothing but the clean installation). Furthermore, I tried to configure the VPN connection through the OS built-in dialogs and/or through Apple Configurator-created VPN profiles. Unfortunately, neither of these methods was successful.

On the Mac, when trying to establish the VPN connection, I am getting errors like:

...

Feb  5 10:26:59 132 nesessionmanager[9447]: Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2

Feb  5 10:26:59 132 neagent[9824]: IKEv2 Plugin: ikev2_dns_callback: Error -65554

...

On iOS, a little bit different:

...

Feb  6 10:48:49 Gorans-iPhone nesessionmanager[3427] <Notice>: NESMIKEv2VPNSession[srxapple:B853702D-A36D-4D70-A780-5A28FDE4C449]: Received a start command from Preferences[3681]

Feb  6 10:48:49 Gorans-iPhone nesessionmanager[3427] <Notice>: NESMIKEv2VPNSession[srxapple:B853702D-A36D-4D70-A780-5A28FDE4C449]: status changed to connecting

Feb  6 10:48:49 Gorans-iPhone nesessionmanager[3427] <Error>: Plugin com.apple.neplugin.IKEv2 does not have a bundle URL

Feb  6 10:48:49 Gorans-iPhone neagent[4003] <Error>: IKEv2 Plugin: ikev2_dns_callback: Error -65554

...

Within the community, the same errors are already reported, but it seems that nobody found a solution for that. If I understand well, this is not a programming issue but an OS bug, or installation bug, whatever.

The question is: why can the system not find the VPN app for the plugin, which seems to be within the OS? Looking through the Mac filesystem, I am able to find /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/PluginIKEv2.vpnplugin/Contents/Info.plist and related files, so it seems that the plugin is there, but the question is: is it in the right place, or is something missing?

On iOS, the error is a little bit different, and reports that the plugin does not have a bundle URL. I do not understand the meaning of that error.

Can anyone help with this? Any workaround that might help? Is there anyone that could open a support request (feature request, whatever it is called), as I am not able to do that? I would appreciate any help with this issue.

BTW, I am reporting this issue on El Capitan (latest release), as well as on iOS 9.2.1.

iPad, iOS 9.2.1

Posted on Feb 7, 2016 9:30 AM

  • by Linc Davis, Level 10 (208,022 points), Applications, Feb 7, 2016 10:46 AM in response to marcony96
  • by marcony96, Level 1 (0 points), Feb 8, 2016 3:58 AM in response to Linc Davis

    Does it mean that an Apple TSI is opened? I am not too familiar with Apple support, and from the GitHub link that you provided, I cannot be sure if Apple will ever see that incident support request, and will ever fix that.

    Do you think that there is any workaround for this issue? As I wrote, it seems that all files are within the OS, but it could be that something is placed in the wrong folder...

  • by Linc Davis, Level 10 (208,022 points), Applications, Feb 8, 2016 6:12 AM in response to marcony96

    "OpenRadar" is not an official bug-tracking system, but usually bugs that are reported there have also been reported to Apple. If you wish, you can register for a free developer account and report the bug yourself.

  • by etresoft, Level 7 (29,345 points), Mac OS X, Feb 8, 2016 1:35 PM in response to marcony96

    Hello marcony96,

    VPNs are tricky stuff, especially brand new protocols. A lot depends on how your client and server are configured. You are attempting something pretty advanced, so you aren't going to find good responses in general-purpose forums like this one.

    OpenRadar is particularly useless. Just look at the first comment on that report. And for that matter, look at the report itself. As bad as Apple's bug reporting process is, I don't know if I could come up with a better one given Apple's size. This particular bug report makes no mention of certificate-based authentication. Since anyone can verify for themselves that IKEv2 works fine with a free VPN, this report is obviously invalid.

    But again, because VPNs are tricky stuff, and this is a general-purpose forum, I don't have the time to dig into your question in any detail. The best information I can find is in this StackOverflow post: http://apple.stackexchange.com/questions/217366/ikev2-vpn-el-capitan-10-11. I don't know if this solution will work in your case or what parameters you need to specify, but hopefully it will put you on the right path.

  • by marcony96, Level 1 (0 points), Feb 9, 2016 12:23 AM in response to etresoft

    Thanks for trying to help. I looked over community articles and found some of them referring to the same issue, but from the programming point of view. None of them solved the issue for IKEv2 with certificate authentication. The same applies to the link you mentioned, as the user changed the method of authentication in order to get the VPN working.

    I was also trying with different IKE/IPsec parameters, but none of them was useful. Therefore, last night I created two bug reports on the Apple site, one for iOS, the other for OS X. I do not believe that this will help, but anyway.

    Marcony

  • by etresoft, Level 7 (29,345 points), Mac OS X, Feb 9, 2016 5:04 AM in response to marcony96

    Hello again Marcony,

    Apple's bug reporting system is generally vote-based. If you want to see a bug addressed, the best strategy is to get 100,000 of your friends to write bug reports on the same topic. Each "duplicate" is counted as a vote. It is always possible to get lucky and attract the attention of an Apple engineer, but generally it is a black hole from which not even light will ever emerge.

    Another strategy is to lobby for it on the developer forums. You don't need to be a developer to post in any of the developer forums, including the beta forums.

    Finally, you can post a message to one of Apple's mailing lists: https://lists.apple.com/mailman/listinfo

  • by marcony96, Level 1 (0 points), Feb 17, 2016 12:47 AM in response to etresoft

    Hi,

    I made some progress on this issue. As I said, I opened two bug reports, and got help on the Mac OS X one.

    In short:

    1. LocalIdentifier within the VPN profile cannot be set to type ASN1DN (I was using that one). This is incorrect information that can be found in both the Configuration Profile Key Reference and the Apple Configurator GUI.

    2. The certificate used (client side) must contain a Subject Alternative Name, and that name should then be used as LocalIdentifier (in case certificate authentication is used).

    After making a new client certificate and reconfiguring the VPN connection details (on the VPN server and in the client's VPN profile), I got a working VPN, for the moment on Mac OS X. But still, the "error" is again present:

    15/02/16 16:57:08,292          nesessionmanager[3793]        NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: Received a start command from com.apple.preference.network.re[3786]

    15/02/16 16:57:08,294          nesessionmanager[3793]        NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: status changed to connecting

    15/02/16 16:57:08,301          nesessionmanager[3793]        Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2

    15/02/16 16:57:08,333          neagent[3835]         IKEv2 Plugin: ikev2_dns_callback: Error -65554

    15/02/16 16:57:08,000          kernel[0] ipsec_ctl_connect: creating interface ipsec0

    15/02/16 16:57:08,338          configd[56]               network changed

    15/02/16 16:57:08,566          ApplicationManager[3834]     [EventWatchFile] open(/Users/fmc01/Library/Application Support/Firefox/(null)/prefs.js) has failed: No such file or directory

    15/02/16 16:57:08,567          com.apple.xpc.launchd[1]       (com.spigot.ApplicationManager[3834]) Service exited due to signal: Trace/BPT trap: 5

    15/02/16 16:57:08,567          diagnosticd[127]     error evaluating process info - pid: 3834, puniqueid: 3834

    15/02/16 16:57:08,567          com.apple.xpc.launchd[1]       (com.spigot.ApplicationManager) Service only ran for 1 seconds. Pushing respawn out by 9 seconds.

    15/02/16 16:57:08,711          ReportCrash[3820] Saved crash report for ApplicationManager[3834] version 1.1 (1.1.20) to /Users/fmc01/Library/Logs/DiagnosticReports/ApplicationManager_2016-02-15-165708_mac-00363.crash

    15/02/16 16:57:08,712          ReportCrash[3820] Removing excessive log: file:///Users/fmc01/Library/Logs/DiagnosticReports/ApplicationManager_2016-02-15-165346_mac-00363.crash

    15/02/16 16:57:08,000          kernel[0] ipsec0: is now delegating en0 (type 0x6, family 2, sub-family 3)

    15/02/16 16:57:08,772          acvpnagent[52]       A new network interface has been detected.

    15/02/16 16:57:08,772          acvpnagent[52]       Function: logInterfaces File: ../../vpn/AgentUtilities/Routing/InterfaceRouteMonitorCommon.cpp Line: 477 IP Address Interface List: FE80:0:0:0:A65E:60FF:FECA:4721 130.243.67.160 FE80:0:0:0:9C69:62FF:FEB3:410B 172.21.10.105

    15/02/16 16:57:08,772          acvpnagent[52]       Function: netInterfaceNoticeCategoryHandler File: ../../vpn/Agent/MainThread.cpp Line: 7496 Network Interface change detected, refreshing physical MAC addresses

    15/02/16 16:57:08,786          configd[56]               network changed: v4(en0:130.243.67.160, ipsec0+:172.21.10.105) DNS Proxy SMB

    15/02/16 16:57:09,111          nesessionmanager[3793]        NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: status changed to connected

    15/02/16 16:57:13,853          acvpnagent[52]       Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.

    15/02/16 16:57:13,854          acvpnagent[52]       Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

    ...

    On the other side, with the same VPN profile and the same certificates as I am using on the Mac, iOS now complains about the certificate:

    Feb 16 17:52:34 Gorans-iPhone Preferences[7970] <Warning>: +[VPNBundleController networkingIsDisabled]: Airplane mode: 0, WiFi Enabled: 1

    Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: Received a start command from Preferences[7970]

    Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to connecting

    Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Error>: Plugin com.apple.neplugin.IKEv2 does not have a bundle URL

    Feb 16 17:52:34 Gorans-iPhone neagent[8091] <Error>: IKEv2 Plugin: ikev2_dns_callback: Error -65554

    Feb 16 17:52:34 Gorans-iPhone configd[5547] <Notice>: network changed

    Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>:  SecTrustEvaluate  [root AnchorTrusted]

    Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Certificate authentication data could not be verified

    Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Failed to process IKE Auth packet

    Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Notice>: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9

    Feb 16 17:52:35 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to disconnecting

    Feb 16 17:52:35 Gorans-iPhone configd[5547] <Notice>: network changed

    Feb 16 17:52:35 Gorans-iPhone kernel[0] <Notice>: SIOCPROTODETACH_IN6: ipsec0 error=6

    Feb 16 17:52:35 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to disconnected, last stop reason Stop command received

    ...

    I am using CAcert-signed certificates for both the VPN server and the client, so I am not sure what's causing this error. CAcert is a public CA, but really not present on the iOS list of trusted root CAs. Could that be the cause of the issue? The root CA certificate that I am using in my tests is accepted as "trusted" on iOS.

    I also made some tests with a private (publicly not accessible) CA (my lab Microsoft 2008 CA). Mac OS X is working fine, but iOS again complains and cannot verify the certificate. I am not even sure which certificate iOS is complaining about: client or VPN server?

    Any idea how to solve this issue? Must I use a root CA from the official List of available trusted root certificates in iOS 9?

    Marcony
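Read side by side, the two logs in this post (and the ones in the original question) support a triage rule: "Failed to find the VPN app for plugin type", "does not have a bundle URL" and "ikev2_dns_callback: Error -65554" appear on the Mac session that ends in "status changed to connected", so they do not explain a failed tunnel; the iOS session fails on "SecTrustEvaluate" / "Certificate authentication data could not be verified" before disconnecting. The script below is an added example, not code from anyone in this thread: it groups nesessionmanager/neagent lines by session UUID, tracks the status transitions and separates known noise from certificate failures. The marker lists are my reading of this thread, not an Apple-documented classification, and the sample input is constructed from the log lines quoted above.

```python
import re
from dataclasses import dataclass, field

# Messages that also appear on the Mac session that still reaches "connected"
# (Feb 17 log), so on their own they do not explain a failed tunnel.
KNOWN_NOISE = (
    "Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2",
    "Plugin com.apple.neplugin.IKEv2 does not have a bundle URL",
    "ikev2_dns_callback: Error -65554",
)

# Messages that accompany the real IKE_AUTH failure on certificate validation
# (Feb 16 iOS log).
CERT_FAILURE_MARKERS = (
    "SecTrustEvaluate",
    "Certificate authentication data could not be verified",
    "Failed to process IKE Auth packet",
)

SESSION_RE = re.compile(
    r"NESMIKEv2VPNSession\[(?P<name>[^:\]]+):(?P<uuid>[0-9A-Fa-f-]{36})\]: (?P<event>.*)"
)
STATUS_RE = re.compile(r"status changed to (?P<state>[a-z]+)")


@dataclass
class Session:
    name: str
    uuid: str
    states: list = field(default_factory=list)
    noise: list = field(default_factory=list)
    cert_errors: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.cert_errors:
            return "certificate validation failed"
        if "connected" in self.states:
            return "connected"
        if self.states and self.states[-1] == "disconnected":
            return "disconnected without certificate error"
        return "incomplete"


def triage(lines):
    """Group syslog lines by IKEv2 session and classify what each session did.

    Lines without a session tag (neagent, kernel, configd) are attributed to the
    most recently seen session, which is how they interleave in the thread's logs.
    """
    sessions = {}
    current = None
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            current = sessions.setdefault(m["uuid"], Session(m["name"], m["uuid"]))
            s = STATUS_RE.search(m["event"])
            if s:
                current.states.append(s["state"])
            continue
        if current is None:
            continue
        if any(marker in line for marker in CERT_FAILURE_MARKERS):
            current.cert_errors.append(line.strip())
        elif any(marker in line for marker in KNOWN_NOISE):
            current.noise.append(line.strip())
    return sessions


# Constructed sample input, taken from the log excerpts quoted in this thread.
MAC_LOG = """
15/02/16 16:57:08,292 nesessionmanager[3793] NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: Received a start command from com.apple.preference.network.re[3786]
15/02/16 16:57:08,294 nesessionmanager[3793] NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: status changed to connecting
15/02/16 16:57:08,301 nesessionmanager[3793] Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2
15/02/16 16:57:08,333 neagent[3835] IKEv2 Plugin: ikev2_dns_callback: Error -65554
15/02/16 16:57:08,000 kernel[0] ipsec_ctl_connect: creating interface ipsec0
15/02/16 16:57:09,111 nesessionmanager[3793] NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: status changed to connected
"""

IOS_LOG = """
Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: Received a start command from Preferences[7970]
Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to connecting
Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Error>: Plugin com.apple.neplugin.IKEv2 does not have a bundle URL
Feb 16 17:52:34 Gorans-iPhone neagent[8091] <Error>: IKEv2 Plugin: ikev2_dns_callback: Error -65554
Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>:  SecTrustEvaluate  [root AnchorTrusted]
Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Certificate authentication data could not be verified
Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Failed to process IKE Auth packet
Feb 16 17:52:35 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to disconnecting
Feb 16 17:52:35 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to disconnected, last stop reason Stop command received
"""

if __name__ == "__main__":
    for label, log in (("mac", MAC_LOG), ("ios", IOS_LOG)):
        for s in triage(log.strip().splitlines()).values():
            print(f"{label} {s.name}: {' -> '.join(s.states)} | verdict: {s.verdict}")
            print(f"  noise lines ignored: {len(s.noise)}, certificate errors: {len(s.cert_errors)}")
```

The point of the split is that the three noise messages are present in every capture in this thread, successful or not, so a detection rule keyed on them would fire on healthy sessions; the decisive signal is the status sequence plus the SecTrustEvaluate/IKE_AUTH lines.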

  • by John Lockwood, Level 6 (9,379 points), Servers Enterprise, Feb 17, 2016 3:03 AM in response to marcony96

    I have not yet tried to use IKEv2. (Which is kind of ironic considering I originally suggested to Apple adding support for it; I also found and got Apple to fix a bug in the iOS Cisco IPSec, i.e. IKEv1, client at the same time.)

    I am currently using IKEv1 with certificates but it should not be necessary to use an official rootCA. For my current setup I use my own self-signed rootCA and I send a copy of its public cert along with the client cert & key for the iPhone along with the VPN settings as a mobileconfig file.

    The same should apply to IKEv2.

    I plan to upgrade my StrongSwan5 based setup from IKEv1 to IKEv2 but need to find the time and plan how this will affect my currently running fleet of iOS devices so they do not lose connectivity.

    How are you creating your own self-signed certs? I use XCA. I find using Apple's Keychain Access utility inadequate for this sort of thing, especially Subject Alternative Names, and also found trying to do it via the command line too painful.

  • by etresoft, Level 7 (29,345 points), Mac OS X, Feb 17, 2016 7:15 AM in response to marcony96

    marcony96 wrote:

        Any idea how to solve this issue? Must I use a root CA from the official List of available trusted root certificates in iOS 9?

    Hello again Marcony,

    That seems like a logical approach.

  • by marcony96, Level 1 (0 points), Feb 20, 2016 5:13 AM in response to John Lockwood

    Hi John,

    Most of the time, I am preparing test certificates on my lab Win2008 CA (requires Win2008 AD). On the other hand, in some tests I also used openssl, preparing everything on the same lab Linux VM.

    From my point of view, it is not a big deal to prepare a keypair with a CSR with certain attributes (like SAN, required by Apple). Both can be done on the Win2008 CA and/or with openssl.

    On the other side, I am at the moment without help in the further tests that Apple support is asking from me. I really do not own an iPhone/iPad, but always ask some of my colleagues with iOS devices to do some tests for me. I am making tests with a certain VPN server (firewall), evaluating the possibility of a VPN connection from that firewall to Apple devices. As I found the solution (thanks to the help of Apple Support) for IKEv2 on the Mac, now I need some help to find out why iOS is complaining with the same VPN profile (cannot authenticate certificate). Therefore, I prepared some COMODO-signed certificates for my VPN server, and need someone to help me with tests. If you, or another person reading this discussion, wants to help, I would be grateful.

    Apple support sent me a profile for "higher" logging, so this might also help in these tests. So, I need someone who could make some tests on his iPhone/iPad, using the profiles/certificates that I prepared.

    Marcony

  • by marcony96, Level 1 (0 points), Feb 20, 2016 5:15 AM in response to etresoft

    Hi Etresoft,

    I prepared new certificates for my test VPN server, signing them by COMODO CA, which is on the list of iOS 9 trusted CAs.

    Now, I am looking for someone who could help me test the new VPN configuration, as I do not own an iPhone/iPad. If you are interested in making some tests, please let me know. My colleague who is helping me most of the time (with his iPad) is at the moment not able to help me.

    Marcony

  • by marcony96, Level 1 (0 points), Feb 25, 2016 2:25 AM in response to marcony96

    Hi,

    Just to update this post with the information that last night I successfully tested a VPN connection from iOS to my test VPN server, using certificates.

    For the latest test, I generated a VPN server certificate that is signed by COMODO CA (in fact, at the very root is AddTrust External CA Root, which is on the list of trusted root CAs for iOS 9.x, link: List of available trusted root certificates in iOS 9 - Apple Support).

    In our test, the client certificate was signed by my lab CA (MS2008).

    So, it seems that iOS does not care about the client certificate chain, but when trying to authenticate the VPN server, it seems that the VPN server's certificate must chain to the list of trusted root CAs for iOS 9 (look at the link above).

    To mention that in previous tests we were using a VPN server certificate signed by the public CAcert CA, but that VPN connection failed, as the Apple iOS device returned the error:

    Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>:  SecTrustEvaluate  [root AnchorTrusted]

    Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Certificate authentication data could not be verified

    Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Failed to process IKE Auth packet

    At the moment, I am not sure if there is any way that a server certificate signed by a public CA which is not on the list of trusted root CAs for iOS 9 can be used in some way. I asked Apple Support, and hope that I'll get some answer.

    Another question comes to my mind: does anyone know the procedure that a public Certificate Authority (CA) should follow in order to be included on the list of trusted root CAs for iOS 9.x? I tried to find the answer on the Internet, without success so far.

    Marcony

  • by John Lockwood, Level 6 (9,379 points), Servers Enterprise, Feb 25, 2016 2:43 AM in response to marcony96

    I still have not had a chance to upgrade our StrongSwan5 setup so I can test this, but as a general comment with regards to VPN certificates I do currently use my own self-signed rootCA and from it generated VPN server and client certificates. I configure the client device via an MDM solution and have a profile which contains the public certificate of my self-signed rootCA, and the client certificate (both the public and private parts) plus of course the VPN settings themselves.

    By sending the public certificate of my self-signed rootCA as part of the profile I am telling my client device to 'trust' my self-signed rootCA and therefore to also trust the VPN server's certificate. If you are using your own self-signed rootCA and also use off that an intermediary CA then you need to include the public part of that as well.

    You do NOT send the private key of your self-signed rootCA nor do you need to send either the public or private parts of the VPN server certificate.

    The above should equally apply to using IKEv2 and if not Apple have a bug.

    If you are using an official rootCA, which means one pre-installed as standard in iOS and OS X, then you do not need to include it in the profile.
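The rules this thread has converged on (marcony96's two findings on Feb 17, the Feb 25 observation that the server chain must anchor in a root iOS already trusts, and John Lockwood's description above of what a profile must and must not carry) can be checked mechanically before a profile is pushed to a device. The following is an added example written for this thread, not code from any participant or from Apple: it assembles a certificate-authenticated IKEv2 profile with plistlib and lints it. The payload types and IKEv2 keys follow the Configuration Profile Key Reference the thread mentions; the certificate bytes, SAN list and `root_ca_preinstalled` flag are caller-supplied placeholders, since parsing X.509 is out of scope here and Apple's trusted-root list has to be consulted by hand.

```python
import plistlib
import uuid


def _new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def make_ikev2_profile(server, local_identifier, client_identity_p12, p12_password,
                       root_ca_der=None, org="example"):
    """Assemble a certificate-authenticated IKEv2 configuration profile as a dict.

    client_identity_p12 / root_ca_der are raw bytes supplied by the caller
    (placeholders in this example); only the root's public certificate goes in.
    """
    identity_uuid = _new_uuid()
    payloads = [
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{org}.vpn.ikev2",
            "PayloadUUID": _new_uuid(),
            "PayloadDisplayName": "IKEv2 VPN (certificate)",
            "UserDefinedName": "lab-ikev2",
            "VPNType": "IKEv2",
            "IKEv2": {
                "RemoteAddress": server,
                "RemoteIdentifier": server,
                "LocalIdentifier": local_identifier,   # must be a SAN of the client cert
                "AuthenticationMethod": "Certificate",
                "ExtendedAuthEnabled": 0,
                "PayloadCertificateUUID": identity_uuid,
            },
        },
        {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{org}.identity.client",
            "PayloadUUID": identity_uuid,
            "PayloadDisplayName": "VPN client identity",
            "PayloadContent": client_identity_p12,
            "Password": p12_password,
        },
    ]
    if root_ca_der is not None:
        payloads.append({
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{org}.ca.root",
            "PayloadUUID": _new_uuid(),
            "PayloadDisplayName": "Lab root CA (public certificate only)",
            "PayloadContent": root_ca_der,
        })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.profile",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "Lab IKEv2 VPN",
        "PayloadContent": payloads,
    }


def lint_profile(profile, client_sans, root_ca_preinstalled):
    """Return the thread's findings that the profile violates (empty list = clean).

    client_sans: SAN values of the client certificate, as strings.
    root_ca_preinstalled: whether the server chain anchors in a root on Apple's
    iOS trusted-root list (checked by hand against that list).
    """
    findings = []
    payloads = profile["PayloadContent"]
    identities = {p["PayloadUUID"] for p in payloads
                  if p["PayloadType"] == "com.apple.security.pkcs12"}
    roots = [p for p in payloads if p["PayloadType"] == "com.apple.security.root"]
    referenced = set()
    for vpn in (p for p in payloads if p.get("VPNType") == "IKEv2"):
        ike = vpn["IKEv2"]
        if ike.get("AuthenticationMethod") != "Certificate":
            continue
        lid = ike.get("LocalIdentifier", "")
        if not lid:
            findings.append("LocalIdentifier is missing")
        elif "=" in lid:  # heuristic: CN=...,O=... shapes are ASN.1 DNs, which do not work
            findings.append("LocalIdentifier looks like an ASN.1 DN; use a SAN from the client certificate")
        elif lid not in client_sans:
            findings.append(f"LocalIdentifier {lid!r} is not a SAN of the client certificate")
        cert_uuid = ike.get("PayloadCertificateUUID")
        if cert_uuid not in identities:
            findings.append("PayloadCertificateUUID does not point at a PKCS#12 identity payload")
        referenced.add(cert_uuid)
    if not root_ca_preinstalled and not roots:
        findings.append("server chain is not anchored in a pre-installed iOS root; "
                        "add its public certificate as a com.apple.security.root payload")
    for extra in identities - referenced:
        findings.append(f"identity payload {extra} is not referenced by the VPN payload; "
                        "no private key other than the client's belongs in the profile")
    return findings


def to_mobileconfig(profile) -> bytes:
    """Serialise the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed placeholders stand in for real PKCS#12 and DER certificate bytes.
    good = make_ikev2_profile("vpn.example.test", "client1@example.test",
                              b"<constructed client p12>", "pw", root_ca_der=b"<constructed root der>")
    print("good profile findings:", lint_profile(good, ["client1@example.test"], False))
    bad = make_ikev2_profile("vpn.example.test", "CN=client1,O=Lab", b"<constructed client p12>", "pw")
    print("bad profile findings:", lint_profile(bad, ["client1@example.test"], False))
```

The second profile reproduces the two mistakes the thread worked through: a DN-shaped LocalIdentifier and a server chain that the device cannot anchor because the private root's public certificate was not shipped. The unreferenced-identity check is the structural form of "do NOT send the private key of your self-signed rootCA".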

  • by marcony96, Level 1 (0 points), Mar 2, 2016 12:02 PM in response to John Lockwood

    To update this discussion with the latest results from my tests:

    1. It is possible to use self-signed certificates for the iOS VPN client. I tested it with certificates issued by my Win2008 lab CA.

    2. I found that the root CA from CAcert (www.cacert.org), that I was using in some of my tests, cannot be "verified" on iOS. I am not sure what the reason for that is, but both root CAs that can be downloaded from the CAcert site (class1 and class3) cannot be assigned on an iPhone (iOS 9.2.1) as "Verified".

    3. Any other root CA that I was using, which was successfully assigned as "Verified", was used without any issues in my VPN tests. No matter if this was a public or private CA.

    So, it seems that some certificates cannot be verified on iOS. Such certificates cannot be used for certificate authentication in a VPN connection.

    Marcony
