Has anyone had any success configuring iked (6.1) to use EAP (MSCHAP) authentication from an iOS 10 device? This works fine using a PSK but I haven't had any success in trying to use EAP.
My iked.conf looks like:

user "test" "password"
ikev2 "chap" \
        passive esp \
        from 0.0.0.0/0 to 10.1.1.0/24 \
        local egress peer any \
        eap "mschap-v2" \
        config address 10.1.1.0/24 \
        config name-server 8.8.8.8 \
        tag vpn-chap

Running iked -dvv generates a lot of debug output - the final bit before the connection fails suggests that iked is sending an EAP-IDENTITY message but doesn't get any reply (nothing else is logged and the iPhone drops the connection). There is obviously no easy way of working out what is going on on the iPhone.

ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH response from 176.58.100.82:4500 to 82.38.52.109:57752 msgid 1, 656 bytes, NAT-T

I note that the man page states that "Non-psk modes will require setting up certificates and RSA or ECDSA public keys; see iked(8) for more information", however it wasn't clear what I needed to do (I have just left the default /etc/iked keys - there isn't any obvious way to configure this on iOS).

Full iked -dvv debug output below. Any ideas?
Paul

ikev2 "chap" passive esp inet from 0.0.0.0/0 to 10.1.1.0/24 local 176.58.100.82 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 10.1.1.0 config name-server 8.8.8.8 tag "vpn-chap"
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
config_new_user: inserting new user test
user "test" "password"
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ikev2_recv: IKE_SA_INIT request from initiator 82.38.52.109:56985 to 176.58.100.82:500 policy 'chap' id 0, 604 bytes
ikev2_recv: ispi 0xa5625b340acafa18 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/linode.members.linode.com length 29
ikev2_pld_parse: header ispi 0xa5625b340acafa18 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 604 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 220
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xa5625b340acafa18 0x0000000000000000 82.38.52.109:56985
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xa5625b340acafa18 0x0000000000000000 176.58.100.82:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 64 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xa5625b340acafa18 0xb0ecf0533bd7c719 176.58.100.82:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xa5625b340acafa18 0xb0ecf0533bd7c719 82.38.52.109:56985
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NONE
ikev2_pld_parse: header ispi 0xa5625b340acafa18 rspi 0xb0ecf0533bd7c719 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 437 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_msg_send: IKE_SA_INIT response from 176.58.100.82:500 to 82.38.52.109:56985 msgid 0, 437 bytes
config_free_proposals: free 0x1a5cf5dd7680
ikev2_recv: IKE_AUTH request from initiator 82.38.52.109:57752 to 176.58.100.82:4500 policy 'chap' id 1, 496 bytes
ikev2_recv: ispi 0xa5625b340acafa18 rspi 0xb0ecf0533bd7c719
ikev2_recv: updated SA to peer 82.38.52.109:57752 local 176.58.100.82:4500
ikev2_pld_parse: header ispi 0xa5625b340acafa18 rspi 0xb0ecf0533bd7c719 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 496 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 468
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 432
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 432/432 padding 7
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical 0x00 length 12
ikev2_pld_id: id IPV4/192.168.3.102 length 8
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload IDr nextpayload CP critical 0x00 length 12
ikev2_pld_id: id FQDN/chap length 8
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 40
ikev2_pld_cp: type REQUEST length 32
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 200
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x005044ca
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_state: SA_INIT -> EAP
policy_lookup: peerid '192.168.3.102'
ikev2_msg_auth: responder auth data length 485
ca_setauth: auth length 485
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0020 -> 0x0020 sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_ike_auth: no CERTREQ, using default
ikev2_policy2id: srcid FQDN/linode.members.linode.com length 29
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
config_free_proposals: free 0x1a5cf5dd7e00
ca_setauth: auth length 256
ca_getreq: using local public key of type RSA_KEY
ikev2_getimsgdata: imsg 24 rspi 0xb0ecf0533bd7c719 ispi 0xa5625b340acafa18 initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_getimsgdata: imsg 19 rspi 0xb0ecf0533bd7c719 ispi 0xa5625b340acafa18 initiator 0 sa valid type 11 data length 270
ikev2_dispatch_cert: cert type RSA_KEY length 270, ok
sa_stateflags: 0x002c -> 0x002d cert,certreq,auth,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_next_payload: length 33 nextpayload CERT
ikev2_next_payload: length 275 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload EAP
ikev2_next_payload: length 9 nextpayload NONE
ikev2_msg_encrypt: decrypted length 581
ikev2_msg_encrypt: padded length 592
ikev2_msg_encrypt: length 582, padding 10, output length 624
ikev2_next_payload: length 628 nextpayload IDr
ikev2_msg_integr: message length 656
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xa5625b340acafa18 rspi 0xb0ecf0533bd7c719 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 656 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 628
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 592
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 592/592 padding 10
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 33
ikev2_pld_id: id FQDN/linode.members.linode.com length 29
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 275
ikev2_pld_cert: type RSA_KEY length 270
ikev2_pld_payloads: decrypted payload AUTH nextpayload EAP critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00 length 9
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH response from 176.58.100.82:4500 to 82.38.52.109:57752 msgid 1, 656 bytes, NAT-T
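As an added example (not code from the original post, and not part of OpenBSD's iked), here is a small Python script that pulls the exchange-level facts out of an iked -dvv trace like the one above: which IKEv2 messages were received and sent, the sa_state transitions, which state-machine flags iked still requires (the "required ..." list on the sa_stateflags lines), and whether the trace ends with an EAP request we sent that never got a reply. The Summary class and the summarize, missing_flags and diagnose functions are names I chose; the sample trace is a constructed subset of the lines quoted in the post, and the regular expressions only cover the message formats visible in that trace, so other iked versions may print slightly different text.

```python
"""Summarise an iked -dvv trace to see where an IKEv2/EAP exchange stalls.

Added example, not code from the post or from iked itself. It only parses
the debug line formats seen in the trace above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the iked -dvv lines quoted in the post.
SAMPLE_TRACE = """\
ikev2_recv: IKE_SA_INIT request from initiator 82.38.52.109:56985 to 176.58.100.82:500 policy 'chap' id 0, 604 bytes
sa_state: INIT -> SA_INIT
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_msg_send: IKE_SA_INIT response from 176.58.100.82:500 to 82.38.52.109:56985 msgid 0, 437 bytes
ikev2_recv: IKE_AUTH request from initiator 82.38.52.109:57752 to 176.58.100.82:4500 policy 'chap' id 1, 496 bytes
ikev2_pld_id: id FQDN/chap length 8
ikev2_pld_id: unexpected id payload
sa_state: SA_INIT -> EAP
sa_stateflags: 0x002c -> 0x002d cert,certreq,auth,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH response from 176.58.100.82:4500 to 82.38.52.109:57752 msgid 1, 656 bytes, NAT-T
"""

# Line formats as printed by iked in the trace above (assumed stable for 6.1).
RECV_RE = re.compile(
    r"^ikev2_recv: (\w+) request from initiator (\S+) to (\S+) policy '([^']*)' id (\d+), (\d+) bytes")
SEND_RE = re.compile(
    r"^ikev2_msg_send: (\w+) response from (\S+) to (\S+) msgid (\d+), (\d+) bytes")
STATE_RE = re.compile(r"^sa_state: (\w+) -> (\w+)")
FLAGS_RE = re.compile(
    r"^sa_stateflags: 0x[0-9a-f]+ -> 0x[0-9a-f]+ ([\w,]*) \(required 0x[0-9a-f]+ ?([\w,]*) ?\)")
EAP_RE = re.compile(r"^ikev2_pld_eap: (\w+) id (\d+) length (\d+)(?: (.*))?$")


@dataclass
class Summary:
    messages: list = field(default_factory=list)  # (direction, exchange, msgid, nbytes)
    states: list = field(default_factory=list)    # SA state names, in order
    eap: list = field(default_factory=list)       # (code, id, type) per EAP payload
    have_flags: set = field(default_factory=set)  # flags set on the last sa_stateflags line
    required_flags: set = field(default_factory=set)
    unexpected_id: bool = False                   # iked complained about an ID payload


def summarize(trace: str) -> Summary:
    """Walk the trace line by line and collect the exchange-level facts."""
    s = Summary()
    for raw in trace.splitlines():
        line = raw.strip()
        if m := RECV_RE.match(line):
            s.messages.append(("recv", m.group(1), int(m.group(5)), int(m.group(6))))
        elif m := SEND_RE.match(line):
            s.messages.append(("send", m.group(1), int(m.group(4)), int(m.group(5))))
        elif m := STATE_RE.match(line):
            if not s.states:
                s.states.append(m.group(1))
            s.states.append(m.group(2))
        elif m := FLAGS_RE.match(line):
            # The "required" list may be empty, as on the first SA_INIT line.
            s.have_flags = {f for f in m.group(1).split(",") if f}
            s.required_flags = {f for f in m.group(2).split(",") if f}
        elif m := EAP_RE.match(line):
            s.eap.append((m.group(1), int(m.group(2)), m.group(4) or ""))
        elif line.startswith("ikev2_pld_id: unexpected id payload"):
            s.unexpected_id = True
    return s


def missing_flags(s: Summary) -> list:
    """Flags iked still requires before the SA is established."""
    return sorted(s.required_flags - s.have_flags)


def diagnose(s: Summary) -> list:
    """Plain-language findings about where the exchange stopped."""
    findings = []
    if s.unexpected_id:
        findings.append("iked logged an unexpected ID payload from the peer")
    if missing_flags(s):
        findings.append("SA still missing: " + ", ".join(missing_flags(s)))
    # A stall looks like: the last EAP payload logged was a REQUEST and the
    # last message overall was one we sent, so no reply ever arrived.
    if s.eap and s.eap[-1][0] == "REQUEST" and s.messages and s.messages[-1][0] == "send":
        findings.append(f"last message sent carried an EAP request ({s.eap[-1][2] or 'unnamed'}); "
                        "no reply from the peer appears in this trace")
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE)
    print("states:", " -> ".join(summary.states))
    for direction, exchange, msgid, nbytes in summary.messages:
        print(f"{direction:4} {exchange:12} msgid {msgid} {nbytes} bytes")
    for finding in diagnose(summary):
        print("finding:", finding)
```

Feed it a full trace (python3 script.py < trace.txt after swapping SAMPLE_TRACE for sys.stdin.read()) and the findings tell you at a glance whether iked is waiting on the peer, as in the post, or whether the state machine stopped earlier for a different reason.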