[Swan] Dropping AUTH message containing INITIAL_CONTACT on OSX and Win10

[Mr. Jan Walter]

Hi there,
I have been trying to get both Windows 10 and OSX Mojave to connect to an 
Ubuntu Libreswan server in AWS. After trying xl2tpd and IKEv1 and not getting 
very far I figured I'd try IKEv2, following the configs in the Wiki, including 
generating the pk12 certificates.
The Ubuntu DEB seemed to have issues, so I thought I'd pull the latest release 
from github (yes, remembered to check out the release tag) and try it.
I am probably missing something really obvious, so I figured I'd post here.
OSX:
Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: 
constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote 
proposals): 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 
16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from 
remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 16:58:54 
ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: initiator guessed 
wrong keying material group (MODP2048); responding with INVALID_KE_PAYLOAD 
requesting MODP1024Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from 
xx.xx.xx.xx:500: responding to SA_INIT message (ID 0) from 96.255.61.46:500 
with unencrypted notification INVALID_KE_PAYLOADDec 21 16:58:54 ip-10-0-0-194 
pluto[29330]: packet from xx.xx.xx.xx:500: proposal 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from 
remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 16:58:54 
ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: STATE_PARENT_R1: 
received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_128 integ=HMAC_SHA1_96 
prf=HMAC_SHA1 group=MODP1024}Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: 
"ikev2-cp"[1] xx.xx.xx.xx  #1: dropping unexpected AUTH message containing 
INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: 
SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTHDec 21 16:58:54 ip-10-0-0-194 
pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: responding to AUTH message (ID 1) 
from xx.xx.xx.xx:500 with encrypted notification INVALID_SYNTAXDec 21 17:02:14 
ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: deleting state 
(STATE_PARENT_R1) and NOT sending notificationDec 21 17:02:14 ip-10-0-0-194 
pluto[29330]: deleting connection "ikev2-cp"[1] xx.xx.xx.xx  instance with peer 
xx.xx.xx.xx  {isakmp=#0/ipsec=#0}Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: 
packet from xx.xx.xx.xx:500: constructed local IKE proposals for ikev2-cp (IKE 
SA responder matching remote proposals): 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 
17:36:57 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from 
remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 17:36:57 
ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: initiator guessed 
wrong keying material group (MODP2048); responding with INVALID_KE_PAYLOAD 
requesting MODP1024Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: packet from 
xx.xx.xx.xx:500: responding to SA_INIT message (ID 0) from xx.xx.xx.xx:500 with 
unencrypted notification INVALID_KE_PAYLOADDec 21 17:36:57 ip-10-0-0-194 
pluto[29330]: packet from xx.xx.xx.xx:500: proposal 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from 
remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 17:36:57 
ip-10-0-0-194 pluto[29330]: "ikev2-cp"[2] xx.xx.xx.xx  #2: STATE_PARENT_R1: 
received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_128 integ=HMAC_SHA1_96 
prf=HMAC_SHA1 group=MODP1024}Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: 
"ikev2-cp"[2] xx.xx.xx.xx  #2: dropping unexpected AUTH message containing 
INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: 
SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTHDec 21 17:36:57 ip-10-0-0-194 
pluto[29330]: "ikev2-cp"[2] xx.xx.xx.xx  #2: responding to AUTH message (ID 1) 
from xx.xx.xx.xx:500 with encrypted notification INVALID_SYNTAX
Win10:Dec 21 19:17:44 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: 
constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote 
proposals): 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 
19:17:44 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 
10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen 
from remote proposals 
1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 
2:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 
4:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[first-match]
 5:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
6:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 
7:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 
8:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
9:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 
10:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[better-match]
 11:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
12:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_3...Dec 21 
19:17:44 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: 
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 
integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}Dec 21 19:17:44 ip-10-0-0-194 
pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: dropping unexpected AUTH message 
containing MOBIKE_SUPPORTED notification; message payloads: SKF; encrypted 
payloads: SA,IDi,CERTREQ,N,TSi,TSr,CP; missing payloads: AUTHDec 21 19:17:44 
ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: responding to AUTH 
message (ID 1) from xx.xx.xx.xx:500 with encrypted notification INVALID_SYNTAX

Config file:
conn ikev2-cp    authby=rsasig    ikev2=insist    cisco-unity=yes    # The 
server's actual IP goes here - not elastic IPs    left=10.0.0.194    
leftcert=vv.mufgtsi.net    leftid=@vv.mufgtsi.net    leftsendcert=always    
leftsubnet=0.0.0.0/0    leftrsasigkey=%cert    
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512    # 
Clients    right=%any    # your addresspool to use - you might need NAT rules 
if providing full internet to clients    rightaddresspool=10.0.0.240-10.0.0.250 
   # optional rightid with restrictions    # rightid="C=CA, L=Toronto, 
O=Libreswan Project, OU=*, CN=*, E=*"    rightca=%same    rightrsasigkey=%cert  
  #    # connection configuration    # DNS servers for clients to use    
#modecfgdns=8.8.8.8,193.100.157.123    # Versions up to 3.22 used modecfgdns1 
and modecfgdns2    #modecfgdns1=8.8.8.8    #modecfgdns2=193.110.157.123    
narrowing=yes    # recommended dpd/liveness to cleanup vanished clients    
dpddelay=30    dpdtimeout=120    dpdaction=clear    auto=add    #ikev2=insist   
 rekey=no    # ikev2 fragmentation support requires libreswan 3.14 or newer    
fragmentation=yes    # optional PAM username verification (eg to implement 
bandwidth quota    # pam-authorize=yes
Anyways, thoughts appreciated, and happy holidays!
Cheers,
Jan

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan