ikev2 with certificates: bug or not?

Does it mean that Apple TSI is opened? I am not too familiar with Apple support, and from GitHub link that you provided, I cannot be sure if Apple will ever see that incident support request, and will ever fix that?

Do you think that there is any workaround for this issue? As I wrote, it seems that all files are within OS, but could be that something is placed in wrong folder...

Thanks for trying to help. I looked over community articles and found some of them refering to same issue, but from the programming point. Non of the solved the issue for IKEv2 with certificate authentication. The same apply for the link you mentioned, as user changed method of authentication in order to get VPN working.

I was also trying with different IKE/IPSec parameters, but non of the was useful. Therefore, last night I created two BugReports on Apple site, one for iOS, the other for OS X. I do not believe that this will help, but anyway.

Marcony

Hi,

I made some progress on this issue. As I said, I opened two bug reports, and got help on the MAC OS X.

In short:

1. LocalIdentifier within VPN Profile, cannot be set as of type ASN1DN (I was using that one). This is incorrect information that can be found at both: Configuration Profile Key Reference, and also within Apple Configurator GUI.

2. Certificate used (client side) must contain Subject Alternative Name, and that name should be then used as LocalIdentifier (in case where certificate authentication is used).

After making new client certificate, and reconfiguring VPN connection details (on VPN server and client's VPN Profile), I got working VPN, for the moment on MAX OS X. But still then, the "error" is again present:

15/02/16 16:57:08,292 nesessionmanager[3793] NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: Received a start command from com.apple.preference.network.re[3786]

15/02/16 16:57:08,294 nesessionmanager[3793] NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: status changed to connecting

15/02/16 16:57:08,301 nesessionmanager[3793] Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2

15/02/16 16:57:08,333 neagent[3835] IKEv2 Plugin: ikev2_dns_callback: Error -65554

15/02/16 16:57:08,000 kernel[0] ipsec_ctl_connect: creating interface ipsec0

15/02/16 16:57:08,338 configd[56] network changed

15/02/16 16:57:08,566 ApplicationManager[3834] [EventWatchFile] open(/Users/fmc01/Library/Application Support/Firefox/(null)/prefs.js) has failed: No such file or directory

15/02/16 16:57:08,567 com.apple.xpc.launchd[1] (com.spigot.ApplicationManager[3834]) Service exited due to signal: Trace/BPT trap: 5

15/02/16 16:57:08,567 diagnosticd[127] error evaluating process info - pid: 3834, puniqueid: 3834

15/02/16 16:57:08,567 com.apple.xpc.launchd[1] (com.spigot.ApplicationManager) Service only ran for 1 seconds. Pushing respawn out by 9 seconds.

15/02/16 16:57:08,711 ReportCrash[3820] Saved crash report for ApplicationManager[3834] version 1.1 (1.1.20) to /Users/fmc01/Library/Logs/DiagnosticReports/ApplicationManager_2016-02-15-16570 8_mac-00363.crash

15/02/16 16:57:08,712 ReportCrash[3820] Removing excessive log: file:///Users/fmc01/Library/Logs/DiagnosticReports/ApplicationManager_2016-02-1 5-165346_mac-00363.crash

15/02/16 16:57:08,000 kernel[0] ipsec0: is now delegating en0 (type 0x6, family 2, sub-family 3)

15/02/16 16:57:08,772 acvpnagent[52] A new network interface has been detected.

15/02/16 16:57:08,772 acvpnagent[52] Function: logInterfaces File: ../../vpn/AgentUtilities/Routing/InterfaceRouteMonitorCommon.cpp Line: 477 IP Address Interface List: FE80:0:0:0:A65E:60FF:FECA:4721 130.243.67.160 FE80:0:0:0:9C69:62FF:FEB3:410B 172.21.10.105

15/02/16 16:57:08,772 acvpnagent[52] Function: netInterfaceNoticeCategoryHandler File: ../../vpn/Agent/MainThread.cpp Line: 7496 Network Interface change detected, refreshing physical MAC addresses

15/02/16 16:57:08,786 configd[56] network changed: v4(en0:130.243.67.160, ipsec0+:172.21.10.105) DNS Proxy SMB

15/02/16 16:57:09,111 nesessionmanager[3793] NESMIKEv2VPNSession[appletest:F456A429-EE4B-4BC1-8D4A-16237AE707A1]: status changed to connected

15/02/16 16:57:13,853 acvpnagent[52] Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.

15/02/16 16:57:13,854 acvpnagent[52] Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

...

On the other side, with same VPN Profile, and same certificates uses as I am using on MAC, iOS now complains about certificate:

Feb 16 17:52:34 Gorans-iPhone Preferences[7970] <Warning>: +[VPNBundleController networkingIsDisabled]: Airplane mode: 0, WiFi Enabled: 1

Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: Received a start command from Preferences[7970]

Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to connecting

Feb 16 17:52:34 Gorans-iPhone nesessionmanager[5631] <Error>: Plugin com.apple.neplugin.IKEv2 does not have a bundle URL

Feb 16 17:52:34 Gorans-iPhone neagent[8091] <Error>: IKEv2 Plugin: ikev2_dns_callback: Error -65554

Feb 16 17:52:34 Gorans-iPhone configd[5547] <Notice>: network changed

Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: SecTrustEvaluate [root AnchorTrusted]

Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Certificate authentication data could not be verified

Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Failed to process IKE Auth packet

Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Notice>: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9

Feb 16 17:52:35 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to disconnecting

Feb 16 17:52:35 Gorans-iPhone configd[5547] <Notice>: network changed

Feb 16 17:52:35 Gorans-iPhone kernel[0] <Notice>: SIOCPROTODETACH_IN6: ipsec0 error=6

Feb 16 17:52:35 Gorans-iPhone nesessionmanager[5631] <Notice>: NESMIKEv2VPNSession[vpntest:1BABAB0B-84B6-400E-B942-E1FC120C7EAB]: status changed to disconnected, last stop reason Stop command received

...

I am using CaCert signed certificates, for both: VPN server and client, so I am not sure what's causing this error. CaCert is public CA, but really not present on iOS list of trusted root CAs. Could it be the cause of the issue? Root CA certificate, that I am using in my tests, are accepted as "trusted" on iOS.

I also made some tests with private (publicly not accessable) CA (my lab Microsoft 2008 CA). MAC OS X is working fine, but iOS again complains and cannot verify certificate. I am even not sure which certificate iOS is complaining about: client or VPN Server?

Any idea how to solve this issue? Must I use root CA from the official List of available trusted root certificates in iOS 9?

Marcony

hi John,

most of the time, I am preparing test certificates on my lab Win2008 CA (requires Win2008 AD). On the other hand, in some tests, I also used openssl, preparing everything on sam lab Linux VM.

From my point of view, not a big deal to prepare keypair with CSR, with certain attributes (like SAN, required by Apple). Both can be done on Win2008 CA and/or with openssl.

On the other side, I am at the moment without help in further tests, that Apple support is aksing from me. I really does not own iPhone/iPad, but always ask some of my colleagues with iOS devices, to do some tests for me. I am making tests with certain VPN Server (firewall), evaluating possibility of VPN connection from that firewall to Apple devices. As I found solution (due to help of Apple Support) for IKEv2 on MAC, now I need some help to find why iOS is complaining with same VPN profile (cannot authenticate certificate). Therefore, I prepared some COMODO-signed certificates for my VPN Server, and need someone to help me with tests. If you, or other person reading this discussion, wants to help, I would be grateful.

Apple support send me some profile for "higher" logging, so this might also help in these tests. So, I need someone who could make some tests on his iPhone/iPad, using profiles/certificates that I prepared.

Marcony

Hi Etresoft,

I prepared new certificates for my test VPN Server, signing them by COMODO CA, which is on list of iOS 9 trusted CAs.

Now, I am looking for someone who could help me testing new VPN configuration, as I do not own iPhone/iPad. If you are interested to make some tests, please let me know. My colleague who is helping me most of the time (with his iPad), is at the moment not able to help me.

Marcony

Hi,

just to update this post with information that last night, I successfully tested VPN connection from iOS to my test VPN server, using certificates.

For the latest test, I generated VPN server certificate, that is signed by COMIDO CA (in fact, at the very root is AddTrust Externall CA Root, which is on list of trusted root CAs for iOS 9.x, link: List of available trusted root certificates in iOS 9 - Apple Support

In our test, client certificate was signed by my lab CA (MS2008).

So, it seems that iOS does not care about client certificate chain, but when trying to authenticate VPN Server, it seems that VPN Server's certificate must be on list of trusted root CAs for iOS 9 (look at the link abouve).

To mention that in previous tests, we were using VPN server certificate, signed by public CaCert CA, but that VPN connection failed, as Apple iOS device returned error:

Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: SecTrustEvaluate [root AnchorTrusted]

Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Certificate authentication data could not be verified

Feb 16 17:52:35 Gorans-iPhone neagent[8091] <Error>: Failed to process IKE Auth packet

At the moment, I am not sure if there is any way, that server's certificate signed by public CA which is not on a list of trusted root CAs for iOS 9, can be used in some way. I asked Apple Support, and hope that I'll get some answer.

Another question come to my mind: does anyone know about the procedure, which one public Certificate Authority (CA) should start, in order to be included on a list of trusted root CAs for iOS 9.x? I tried to find answer over Internet, without success so far.

Marcony

To update this discussion with latest results from my tests:

1. It is possible to use self-signed certificates for iOS VPN client. I tested it with certificates issues by my Win2008 lab CA.

2. I found that root CA from CaCerts (www.cacert.org), that I was using in some of my tests, cannot be "verified" on iOS. I am not sure what is the reason for that, but both root CA that can be downloaded from CaCert site (class1 and class3), cannot be assigned on iOS Phone (9.2.1) as "Verified".

3. Any other root CA that I was using, which was successfully assigned as "Verified", was used without any issues in my VPN tests. No matter if this was public or private CA.

So, it seems that some certificates cannot be verified on iOS. Such certificates cannot be used for certificate authentication in VPN connection.

Marcony