Q: OS X and iOS IKEv2 to use with strongSwan and Windows RADIUS (NAP)
Hello everyone!
Our organization has Windows NAP, Windows Certification Services and many kinds of clients which use Windows, Android, OS X and iOS. All clients have certificates issued by the Windows CA, and I need them to connect to the VPN transparently, without typing any username or password. I have configured all of them to use IKEv2 with strongSwan and RADIUS, except OS X and iOS. When I try to connect to the strongSwan server from an OS X client, I see this in the logs:
Apr 1 15:25:37 vpn strongswan: 12[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> c0:a8:17:fe)
Apr 1 15:25:37 vpn strongswan: 12[CFG] ike config match: 28 (192.168.23.168 192.168.23.254 IKEv2)
Apr 1 15:25:37 vpn strongswan: 12[CFG] candidate "ikev2-osx", match: 20/1/28 (me/other/ike)
Apr 1 15:25:37 vpn strongswan: 12[CFG] selected peer config 'ikev2-osx'
Apr 1 15:25:37 vpn strongswan: 12[IKE] initiating EAP_IDENTITY method (id 0x00)
Apr 1 15:25:37 vpn strongswan: 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
Apr 1 15:25:37 vpn strongswan: 12[IKE] processing INTERNAL_IP4_DHCP attribute
Apr 1 15:25:37 vpn strongswan: 12[IKE] processing INTERNAL_IP4_DNS attribute
Apr 1 15:25:37 vpn strongswan: 12[IKE] processing INTERNAL_IP4_NETMASK attribute
Apr 1 15:25:37 vpn strongswan: 12[IKE] processing INTERNAL_IP6_ADDRESS attribute
Apr 1 15:25:37 vpn strongswan: 12[IKE] processing INTERNAL_IP6_DHCP attribute
Apr 1 15:25:37 vpn strongswan: 12[IKE] processing INTERNAL_IP6_DNS attribute
Apr 1 15:25:37 vpn strongswan: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 1 15:25:37 vpn strongswan: 12[IKE] peer supports MOBIKE, but disabled in config
Apr 1 15:25:37 vpn charon: 12[ENC] generating IKE_AUTH response 1 [ EF(6/6) ]
Apr 1 15:25:37 vpn charon: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (544 bytes)
Apr 1 15:25:37 vpn charon: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (544 bytes)
Apr 1 15:25:37 vpn charon: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (544 bytes)
Apr 1 15:25:37 vpn charon: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (544 bytes)
Apr 1 15:25:37 vpn charon: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (544 bytes)
Apr 1 15:25:37 vpn charon: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (320 bytes)
Apr 1 15:25:37 vpn charon: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:25:37 vpn charon: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:25:37 vpn charon: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:25:37 vpn charon: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:25:37 vpn charon: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:25:37 vpn charon: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:25:37 vpn charon: 15[NET] received packet: from 192.168.23.254[4500] to 192.168.23.168[4500]
Apr 1 15:25:37 vpn charon: 15[NET] waiting for data on sockets
Apr 1 15:25:37 vpn charon: 08[NET] received packet: from 192.168.23.254[4500] to 192.168.23.168[4500] (92 bytes)
Apr 1 15:25:37 vpn charon: 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 1 15:25:37 vpn charon: 08[IKE] received EAP identity '192.168.23.254'
Apr 1 15:25:37 vpn charon: 08[CFG] RADIUS server '192.168.10.2' is candidate: 210
Apr 1 15:25:37 vpn charon: 08[CFG] sending RADIUS Access-Request to server '192.168.10.2'
Apr 1 15:25:37 vpn charon: 08[CFG] received RADIUS Access-Reject from server '192.168.10.2'
Apr 1 15:25:37 vpn charon: 08[IKE] RADIUS authentication of '192.168.23.254' failed
Apr 1 15:25:37 vpn charon: 08[IKE] initiating EAP_RADIUS method failed
Apr 1 15:25:37 vpn charon: 08[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Apr 1 15:25:37 vpn charon: 08[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (76 bytes)
Apr 1 15:25:37 vpn charon: 08[IKE] IKE_SA ikev2-osx[4] state change: CONNECTING => DESTROYING
It seems that the OS X client does not transmit any ID except its own IP address. If I try to specify the ID with "local id", then the errors change:
Apr 1 15:32:33 vpn charon: 08[CFG] sending RADIUS Access-Request to server '192.168.10.2'
Apr 1 15:32:33 vpn strongswan: 12[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TLS ]
Apr 1 15:32:33 vpn strongswan: 12[ENC] splitting IKE message with length of 1484 bytes into 3 fragments
Apr 1 15:32:33 vpn strongswan: 12[ENC] generating IKE_AUTH response 5 [ EF(1/3) ]
Apr 1 15:32:33 vpn strongswan: 12[ENC] generating IKE_AUTH response 5 [ EF(2/3) ]
Apr 1 15:32:33 vpn strongswan: 12[ENC] generating IKE_AUTH response 5 [ EF(3/3) ]
Apr 1 15:32:33 vpn strongswan: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (544 bytes)
Apr 1 15:32:33 vpn strongswan: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (544 bytes)
Apr 1 15:32:33 vpn strongswan: 12[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (528 bytes)
Apr 1 15:32:33 vpn strongswan: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:32:33 vpn strongswan: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:32:33 vpn strongswan: 11[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500]
Apr 1 15:32:33 vpn strongswan: 15[NET] received packet: from 192.168.23.254[4500] to 192.168.23.168[4500]
Apr 1 15:32:33 vpn strongswan: 15[NET] waiting for data on sockets
Apr 1 15:32:33 vpn strongswan: 08[NET] received packet: from 192.168.23.254[4500] to 192.168.23.168[4500] (92 bytes)
Apr 1 15:32:33 vpn strongswan: 08[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
Apr 1 15:32:33 vpn strongswan: 08[CFG] sending RADIUS Access-Request to server '192.168.10.2'
Apr 1 15:32:33 vpn charon: 08[CFG] received RADIUS Access-Reject from server '192.168.10.2'
Apr 1 15:32:33 vpn charon: 08[IKE] RADIUS authentication of 'user' failed
Apr 1 15:32:33 vpn charon: 08[IKE] EAP method EAP_TLS failed for peer user
Apr 1 15:32:33 vpn charon: 08[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]
Apr 1 15:32:33 vpn charon: 08[NET] sending packet: from 192.168.23.168[4500] to 192.168.23.254[4500] (76 bytes)
In the last case, Windows NAP returns reject code 23:
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
In the NAP log:
"WIN-DC1","IAS",04/01/2016,16:24:55,1,"user","corp.domain.ru/Users/user user","192.168.23.168[4500]","192.168.23.254[4500]",,,"vpn","192.168.23.168",6,0,"192.168.20.4","vpn",,,5,,,2,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 93",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,11,,"corp.domain.ru/Users/user user",,,,,,,,0,"192.168.20.4","vpn",,,,,,,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 93",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,1,"user","corp.domain.ru/Users/user user","192.168.23.168[4500]","192.168.23.254[4500]",,,"vpn","192.168.23.168",6,0,"192.168.20.4","vpn",,,5,,,2,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 94",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,11,,"corp.domain.ru/Users/user user",,,,,,,,0,"192.168.20.4","vpn",,,,,,,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 94",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,1,"user","corp.domain.ru/Users/user user","192.168.23.168[4500]","192.168.23.254[4500]",,,"vpn","192.168.23.168",6,0,"192.168.20.4","vpn",,,5,,,2,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 95",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,11,,"corp.domain.ru/Users/user user",,,,,,,,0,"192.168.20.4","vpn",,,,,,,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 95",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,1,"user","corp.domain.ru/Users/user user","192.168.23.168[4500]","192.168.23.254[4500]",,,"vpn","192.168.23.168",6,0,"192.168.20.4","vpn",,,5,,,2,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 96",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,11,,"corp.domain.ru/Users/user user",,,,,,,,0,"192.168.20.4","vpn",,,,,,,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 96",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,1,"user","corp.domain.ru/Users/user user","192.168.23.168[4500]","192.168.23.254[4500]",,,"vpn","192.168.23.168",6,0,"192.168.20.4","vpn",,,5,,,2,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 97",,,,"Microsoft: cмарт-карта или иной сертификат",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
"WIN-DC1","IAS",04/01/2016,16:24:55,3,,"corp.domain.ru/Users/user user",,,,,,,,0,"192.168.20.4","vpn",,,,,,,5,"vpn_users",23,"311 1 192.168.10.2 03/30/2016 07:13:03 97",,,,"Microsoft: cмарт-карта или иной сертификат",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Использовать проверку подлинности Windows для всех пользователей",1,,,,
Windows and Android devices connect to the VPN fine.
Maybe someone has created this kind of connectivity and can help me to do so?
iPhone 6s, iOS 9.2.1
Posted on Apr 7, 2016 2:52 AM
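As an added example (not part of the original post), a small Python parser for the IAS-format NPS log quoted above: it names the columns (the standard IAS format column order, which matches the quoted records), folds one RADIUS conversation into its outcome and surfaces the reason code, so the reject can be read without counting commas. The sample records are constructed to mirror the post's log, with an English EAP-method name in place of the Russian one.

```python
import csv

# Column order of the NPS "IAS format" log (the format quoted in the post);
# only the first 31 columns are named, any trailing columns are ignored.
IAS_FIELDS = [
    "computer_name", "service_name", "record_date", "record_time", "packet_type",
    "user_name", "fq_user_name", "called_station_id", "calling_station_id",
    "callback_number", "framed_ip_address", "nas_identifier", "nas_ip_address",
    "nas_port", "client_vendor", "client_ip_address", "client_friendly_name",
    "event_timestamp", "port_limit", "nas_port_type", "connect_info",
    "framed_protocol", "service_type", "authentication_type", "policy_name",
    "reason_code", "class", "session_timeout", "idle_timeout",
    "termination_action", "eap_friendly_name",
]
# Packet-Type uses the RADIUS code numbers; Authentication-Type 5 is EAP.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
AUTH_TYPES = {5: "EAP"}
# Reason code 23 is the one the post hits; 0 means no error (accept or still in progress).
REASON_CODES = {0: "no error", 23: "NPS error during EAP; check the NPS EAP log"}

def parse_ias_line(line):
    """Parse one IAS-format record into a dict; numeric fields become ints."""
    rec = dict(zip(IAS_FIELDS, next(csv.reader([line]))))
    for key in ("packet_type", "authentication_type", "reason_code"):
        rec[key] = int(rec[key]) if rec.get(key) else None
    return rec

def summarize_exchange(lines):
    """Fold the records of one RADIUS conversation into its final outcome."""
    recs = [parse_ias_line(l) for l in lines if l.strip()]
    final = recs[-1]
    return {
        "outcome": PACKET_TYPES.get(final["packet_type"], str(final["packet_type"])),
        "reason_code": final["reason_code"],
        "reason": REASON_CODES.get(final["reason_code"], "unknown reason code"),
        "policy": final["policy_name"],
        "auth_type": AUTH_TYPES.get(final["authentication_type"], "other"),
        "eap_method": final.get("eap_friendly_name") or "(not reported)",
        "challenges": sum(r["packet_type"] == 11 for r in recs),
    }

# Constructed sample: one request/challenge round, then the final reject with reason 23.
SAMPLE = [
    '"WIN-DC1","IAS",04/01/2016,16:24:55,1,"user","corp.domain.ru/Users/user user","192.168.23.168[4500]","192.168.23.254[4500]",,,"vpn","192.168.23.168",6,0,"192.168.20.4","vpn",,,5,,,2,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 97",,,,"Microsoft: Smart Card or other certificate"',
    '"WIN-DC1","IAS",04/01/2016,16:24:55,11,,"corp.domain.ru/Users/user user",,,,,,,,0,"192.168.20.4","vpn",,,,,,,5,"vpn_users",0,"311 1 192.168.10.2 03/30/2016 07:13:03 97",30',
    '"WIN-DC1","IAS",04/01/2016,16:24:55,3,,"corp.domain.ru/Users/user user",,,,,,,,0,"192.168.20.4","vpn",,,,,,,5,"vpn_users",23,"311 1 192.168.10.2 03/30/2016 07:13:03 97",,,,"Microsoft: Smart Card or other certificate"',
]
```

Running `summarize_exchange(SAMPLE)` on the sample yields an Access-Reject with reason code 23 under policy vpn_users after one Access-Challenge, which is the shape of the failure in the post.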