IKEv2 with macOS 13.1

[pierlu]

IKEv2 EAP username/pass connection from macOS 13.1 to Linux Ubuntu 22.04 fails with

pfkey_sa: NAT-T: type=UDP encap (2) sport=4500 dport=4500
pfkey_sa: unsupported integrity algorithm HMAC_SHA2_256_128
ikev2_childsa_enable: failed to load CHILD SA spi 0xd316e0d9
spi=0xd0f5d9995c2f573f: ikev2_childsa_delete: deleted CHILD SA spi 0xd316e0d9
spi=0xd0f5d9995c2f573f: ikev2_childsa_delete: deleted CHILD SA spi 0x0c4a3c5f
ikev2_resp_recv: failed to send auth response
spi=0xd0f5d9995c2f573f: sa_state: EAP_VALID -> CLOSED from 80.xxx.xxx.117:4500 to 92.xxx.xxx.23:4500 policy 'IKEv2 RoadWarrior'
ikev2_recv: closing SA
spi=0xd0f5d9995c2f573f: sa_free: IKE_AUTH failed

7.1 and 7.0 versions of openiked crashed with segfault.

In version 7.2 the iked daemon doesn't crash, the macOS connection stays UP (the panel says "connected"), but as seen from the logs above server-side is actually down, and the traffic is not flowing.
Is HMAC_SHA2_256_128 support in linux/openssl broken?

[tobhe]

Linux does a weird thing where it truncates HMAC_SHA2_256_128 to 96 bits by default when using the old pfkey kernel interface (which we do). This makes it incompatible with other implementations which is why it is (or at least i thought it is) disabled by default there. I wonder why it still works for you. Do you have an esp auth hmac-sha2-256 line in your config file?

[pierlu]

yes, I have

        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048  \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \

without these lines doesn't come up macOS-side.
Putting the lines and seeing "connected" in OSX doesn't oviously let you ping the local-side autoassigned ip address.
That's weird and at least some kind of bug of macOS.
In iOS without the lines the tunnel comes up with aes-128 and sha1 childsa (which is apparently not allowed on macOS) .

[tobhe]

I see, i wonder where our defaults are incompatible. It depends on what macos is sending as default proposal but you could try replacing hmac-sha2-256 with hmac-sha2-384 and see if that works. I think we should try to catch that linux error earlier and try to find a way to make it all work out of the box with macos (if that is possible)

EDIT: I did some testing and it looks like hmac-sha2-384 is not enabled by default on macos but hmac-sha1 is. This is the log output I got:

spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #1 ESN=NONE
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #2 ENCR=AES_CBC-256
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #2 INTEGR=HMAC_SHA2_256_128
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #2 ESN=NONE
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #3 ENCR=AES_CBC-256
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #3 INTEGR=HMAC_SHA2_256_128
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #3 ESN=NONE
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #4 ENCR=AES_CBC-128
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #4 INTEGR=HMAC_SHA1_96
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #4 ESN=NONE
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #5 ENCR=3DES
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #5 INTEGR=HMAC_SHA1_96
spi=0x1910ace9733748ad: ikev2_log_proposal: ESP #5 ESN=NONE

So changing the line to childsa auth hmac-sha1 \ should do the trick for now.

[pierlu]

It seems that last macOS 13.1 (but not iOS) wants only ESP childsa INTEGR=HMAC_SHA2_256_128

So I went to the AppConfigurator app for Mac, created a custom profile, loaded into the OS and after that was able to connect forcing hmac-sha2-384 client-side.

The following linux Ubuntu 22.04 server configuration in a policy permits macOS 13.1, last Windows11 (Version 10.0.22000 Build 22000) and iOS 16.1.2 clients to connect to iked in IKEv2 ms-chap. Windows 11 is picky about having a trusted public certificate in /etc/iked/certs matching srcid (I use one from letsencrypt), in macOS and iOS you can eventually override it with Apple Configurator.

user "user1" "pass1"
user "user2" "pass2"
set fragmentation
set mobike
set enforcesingleikesa
ikev2 "winmacRW" quick passive tunnel esp inet \
        from any to dynamic \
        local any peer any \
        ikesa auth hmac-sha2-384 auth hmac-sha2-256 enc aes-256 enc aes-128 prf hmac-sha2-384 prf hmac-sha2-256 group ecp384 group modp2048 group modp1024 \
        childsa auth hmac-sha2-384 auth hmac-sha2-256 auth hmac-sha1 enc aes-256 enc aes-128 group ecp384 group modp2048 group modp1024 noesn \
        srcid "xxxxx" \
        eap "mschap-v2" \
        config address 100.100.100.0/24 \
        config name-server 1.1.1.1 \
        config protected-subnet 0.0.0.0/0 \
        tag "$name-$id"

For mac and iOS, you should create and load a custom profile with Apple Configurator (only available on mac) to enforce hmac-sha2-384. As a side note, the created Apple Configurator .mobileconfig file, contains an error and is not digested by default by macOS and iOS. You should edit it manually eliminating the spurious DNS directive entries in the first few rows, right before the VPN conf payload.