Latest #iked -dvv log is below:

ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_cp: type REQUEST length 28
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: APPLICATION_VERSION 0x0007 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 92
ikev2_pld_sa: more 0 reserved 0 length 88 proposal #1 protoid ESP spisize 4 xforms 8 spi 0xf3268010
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
sa_stateok: SA_INIT flags 0x00, require 0x00
ikev2_msg_auth: responder auth data length 357
ca_setauth: auth length 357
ikev2_sa_negotiate: score 7
config_free_proposals: free 0x203519780
sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa
config_free_proposals: free 0x203519b80
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 21 rspi 0xe580667dddd31820 ispi 0x417f3816fccfc162 initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa

On 10.08.2017 11:13, Denis wrote:
> Hi,
>
> I have a fully working setup of OpenIKEd + Win7x64 using IKEv2 and MSCHAP-v2, but the
> BlackBerry device stops negotiating and fails while connecting.
> Exact BlackBerry SW version is: 10.3.2.2836.
>
> Cert and 2048-bit key in *.P12 form were transferred to the BlackBerry device.
>
> 10.0.20.0/24 is local network
> 10.0.10.0/24 is IPsec network
> DNS server is 10.0.20.1
>
> /etc/iked.conf is:
>
> ikev2 "winauth" passive esp \
>          from 10.0.20.0/24 to 10.0.10.0/24 \
>          local IP_of_server peer any \
>          srcid myserver.domain \
>          eap "mschap-v2" \
>          config address 10.0.10.10 \
>          config netmask 255.255.255.0 \
>          config name-server 10.0.20.1 \
> #       ikesa auth hmac-sha1 enc 3des group modp2048 \
> #       childsa auth hmac-sha1 enc aes-256 group modp2048 \
>          tag "$name-$id"
>
> OBSD has a working PF setup that allows IPsec traffic {isakmp, ipsec-nat-t} and
> both protos {ah, esp}.
>
> I am trying to make the same setup with the BlackBerry 10.3.2.2836 OS using the same
> /etc/iked.conf.
>
> On the BlackBerry phone I tried various profiles (the general profile is listed below):
> ---------------------------------------
> Server address: IP_of_server
> Gateway type: Generic IKEv2 VPN Server (tried Microsoft IKEv2 VPN 
> Server, but unsuccessful too)
> Auth Type: EAP-MSCHAPv2
> Authentication ID Type: FQDN
> Auth ID: myserver.domain
> MSCHAPv2 EAP Identity: username
> MSCHAPv2 Password: userpass
> Gateway Auth Type: PKI
> Gateway Auth ID Type: FQDN
> Gateway Auth ID: myserver.domain
> Allow Untrusted Cert: Prompt
> Gateway CA Cert: CAmyserver.domain.name
> Perfect Forward Secrecy: set_to_YES
> Auto IP: set_to_YES
> Auto DNS: set_to_YES
> Auto Determine Algorithm: set_to_YES
>
> IKE lifetime in Sec.: 86400
> IPSec Lifetime: 10800
> NAT Keep Alive: 30
> DPD Frequency: 240
>
> Use Proxy: set_to_NO
> -----------------------------
>
> #iked -dvv negotiating with BlackBerry phone: 
>
> ...
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 240
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 240/240 padding 15
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19
> ikev2_pld_id: id FQDN/myserver.domain length 15
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
> ikev2_pld_certreq: type X509_CERT signatures length 0
> ikev2_pld_certreq: invalid certificate request
> ikev2_resp_recv: failed to parse message
>
> The same connection works fine between Win7 and iked. The iked log is below:
> ...
> ikev2_msg_decrypt: encrypted payload length 160
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 160/160 padding 7
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 28
> ikev2_pld_auth: method SHARED_KEY_MIC length 20
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 32
> ikev2_pld_cp: type REPLY length 24
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
> ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x84ea51d8
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 10.0.10.0 end 10.0.10.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 10.0.20.0 end 10.0.20.255
> ikev2_msg_send: IKE_AUTH from IP_of_server:4500 to IP_of_client:4500, 212 bytes, NAT-T
> pfkey_sa_add: update spi 0x84ea51d8
> pfkey_sa: udpencap port 4500
> ikev2_childsa_enable: loaded CHILD SA spi 0x84ea51d8
> pfkey_sa_add: add spi 0xcfea0559
> pfkey_sa: udpencap port 4500
> ikev2_childsa_enable: loaded CHILD SA spi 0xcfea0559
> ikev2_childsa_enable: loaded flow 0x20527e400
> ikev2_childsa_enable: loaded flow 0x204a56800
> sa_state: EAP_VALID -> ESTABLISHED from IP_of_client:4500 to IP_of_server:4500 policy 'winauth'
>
> Or what phone model (brand) can I use to have IPsec working on the road?
>
> Thanks.
>
>

-- 
mailto: den...@mindall.org
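To make the "invalid certificate request" in the BlackBerry log concrete, here is a small parser for the IKEv2 CERTREQ payload body, written as an added example for this thread (it is not iked's code). RFC 7296 section 3.7 lays the body out as one Cert Encoding byte followed by a concatenation of 20-byte SHA-1 hashes of trusted CA public keys; the BlackBerry sends that list empty ("signatures length 0"), so a parser that insists on at least one hash fails exactly where the quoted log does, while one that treats an empty list as "no CA preference" carries on as in the latest log. The allow_empty flag and the sample payloads are constructed for the illustration.

```c
/* Added example, not iked's code: parse the body of an IKEv2 CERTREQ
 * payload (RFC 7296 section 3.7). The body is one Cert Encoding byte
 * followed by the Certification Authority field; for X.509 signature
 * certificates that field is a concatenation of 20-byte SHA-1 hashes
 * of trusted CA public keys. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CERT_X509_SIGNATURE 4   /* RFC 7296 Cert Encoding value */
#define SHA1_LEN 20
#define CR_BAD_LENGTH (-1)
#define CR_UNKNOWN_TYPE (-2)

/* Returns the number of CA hashes in the request (0 for an empty list
 * when allow_empty is set), CR_BAD_LENGTH for a missing encoding byte,
 * a list that is not whole hashes, or an empty list in strict mode,
 * and CR_UNKNOWN_TYPE for encodings this example does not handle. */
int parse_certreq(const uint8_t *body, size_t len, int allow_empty)
{
    if (len < 1)
        return CR_BAD_LENGTH;            /* encoding byte is mandatory */
    if (body[0] != CERT_X509_SIGNATURE)
        return CR_UNKNOWN_TYPE;
    size_t calen = len - 1;
    if (calen == 0)                      /* the "signatures length 0" case */
        return allow_empty ? 0 : CR_BAD_LENGTH;
    if (calen % SHA1_LEN != 0)
        return CR_BAD_LENGTH;            /* truncated or misaligned list */
    return (int)(calen / SHA1_LEN);
}

/* Constructed inputs: a BlackBerry-style request with an empty CA list
 * (payload length 5 = 4-byte generic header + this 1-byte body) and a
 * request naming two CAs with zero-filled dummy hashes. */
static const uint8_t bb_certreq[] = { CERT_X509_SIGNATURE };
static const uint8_t two_ca_certreq[1 + 2 * SHA1_LEN] = { CERT_X509_SIGNATURE };

int main(void)
{
    /* strict: the "invalid certificate request" outcome from the quoted log */
    printf("empty, strict:  %d\n", parse_certreq(bb_certreq, sizeof(bb_certreq), 0));
    /* lenient: parsing continues past CERTREQ, as in the latest log */
    printf("empty, lenient: %d\n", parse_certreq(bb_certreq, sizeof(bb_certreq), 1));
    printf("two CAs:        %d\n", parse_certreq(two_ca_certreq, sizeof(two_ca_certreq), 1));
    return 0;
}
```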
