IKEv2-setup
Having issues with macOS Monterey
Using the latest MacBook Pro M1, I couldn't get my VPN connection to work. The issue is that when you install the profile, Monterey won't ask for a username and password; it will just install the VPN with authentication set to "Certificate". When you change it to username and password, it just fails with "User Authentication failed" (I believe on Big Sur, if you fiddle with your username and password it will stop working; you have to enter them right while installing the profile).
Here are some logs from the server and console.log; they might be useful to get some insight into what's going on.
server:
Nov 1 19:29:00 localhost charon: 14[NET] received packet: from *CLIENT_IP[500] to *SERVER_IP[500] (308 bytes)
Nov 1 19:29:00 localhost charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 1 19:29:00 localhost charon: 14[IKE] *CLIENT_IP is initiating an IKE_SA
Nov 1 19:29:00 localhost charon: 14[IKE] remote host is behind NAT
Nov 1 19:29:00 localhost charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov 1 19:29:00 localhost charon: 14[NET] sending packet: from *SERVER_IP[500] to *CLIENT_IP[500] (316 bytes)
Nov 1 19:29:00 localhost charon: 08[NET] received packet: from *CLIENT_IP[44166] to *SERVER_IP[4500] (344 bytes)
Nov 1 19:29:00 localhost charon: 08[ENC] unknown attribute type (25)
Nov 1 19:29:00 localhost charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Nov 1 19:29:00 localhost charon: 08[CFG] looking for peer configs matching *SERVER_IP[*SERVER_IP.sslip.io]...*CLIENT_IP[192.168.100.20]
Nov 1 19:29:00 localhost charon: 08[CFG] selected peer config 'roadwarrior'
Nov 1 19:29:00 localhost charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov 1 19:29:00 localhost charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 1 19:29:00 localhost charon: 08[IKE] peer supports MOBIKE
Nov 1 19:29:00 localhost charon: 08[IKE] authentication of '*SERVER_IP.sslip.io' (myself) with RSA signature successful
Nov 1 19:29:00 localhost charon: 08[IKE] sending end entity cert "CN=*SERVER_IP.sslip.io"
Nov 1 19:29:00 localhost charon: 08[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Nov 1 19:29:00 localhost charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 1 19:29:00 localhost charon: 08[ENC] splitting IKE message with length of 3524 bytes into 3 fragments
Nov 1 19:29:00 localhost charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Nov 1 19:29:00 localhost charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Nov 1 19:29:00 localhost charon: 08[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Nov 1 19:29:00 localhost charon: 08[NET] sending packet: from *SERVER_IP[4500] to *CLIENT_IP[44166] (1248 bytes)
Nov 1 19:29:00 localhost charon: 08[NET] sending packet: from *SERVER_IP[4500] to *CLIENT_IP[44166] (1248 bytes)
Nov 1 19:29:00 localhost charon: 08[NET] sending packet: from *SERVER_IP[4500] to *CLIENT_IP[44166] (1154 bytes)
Nov 1 19:29:30 localhost charon: 16[JOB] deleting half open IKE_SA with *CLIENT_IP after timeout
client:
error 19:36:12.545228+0300 NEIKEv2Provider Bootstrapping; external subsystem UIKit_PKSubsystem refused setup
error 19:36:12.553841+0300 NEIKEv2Provider cannot open file at line 45340 of [d24547a13b]
error 19:36:13.741080+0300 NEIKEv2Provider Certificate authentication data could not be verified
error 19:36:13.735157+0300 NEIKEv2Provider Certificate evaluation error = kSecTrustResultRecoverableTrustFailure
error 19:36:13.740283+0300 NEIKEv2Provider Certificate is not trusted
error 19:36:13.745767+0300 NEIKEv2Provider Failed to find suitable address, path supports IPv4 yes IPv6 yes
error 19:36:13.752697+0300 NEIKEv2Provider IKE received error Operation canceled
error 19:36:13.741632+0300 NEIKEv2Provider IKEv2Session[1, 1CDDA57A7DE6AEAA-EBAFCA7A04EFF0A6] Failed to process IKE Auth (EAP) packet (connect)
error 19:36:13.741997+0300 NEIKEv2Provider IKEv2Session[1, 1CDDA57A7DE6AEAA-EBAFCA7A04EFF0A6] Failed to process IKE Auth packet (connect)
error 19:36:12.553860+0300 NEIKEv2Provider os_unix.c:45340: (2) open(/var/db/DetachedSignatures) - No such file or directory
PS: I've been using this .mobileconfig for 2 years across all my Apple devices and it has been working flawlessly, and still works on my iPhone and my old MacBook.
Thanks for the report. I haven't upgraded to Monterey yet, but I guess I'll do it soon and take a look.
OK, I just upgraded and tried this out.
I can confirm your finding that there is no prompt at installation time for a username and password, with the result that the connection can't be authenticated.
However, as a workaround, you can go into System Preferences > Network, pick the new VPN connection, click 'Authentication Settings ...', pick 'Username', and enter the user name and password. That seems to work fine for me.
I wonder if there's any change I can make to the XML file that would make this smoother, though ...
That's exactly the first thing I did, but it keeps telling me "User Authentication failed". Even on my older MacBook Pro, if I skip the initial prompt to enter the correct username/password, the Authentication Settings way doesn't work at all; I need to remove the profile and reinstall it.
OK, that's not what I'm seeing. Weird.
Fundamentally this seems like a bug in Monterey, in that it ignores the AuthenticationMethod: None key-value pair in the config file unless an AuthName string is given, so maybe the best option is to report this to Apple.
It works fine if we set username and password in the file.
If we set only username, the user is prompted for a password every time.
So — I could possibly generate an AppleScript for use on the Mac that prompts for username and password and writes those into the XML file before installing. But this is kind of hacky.
I will try that when I get back, I’d appreciate a snippet for how the username/password should be in the XML file. Thank you.
<!-- find this: -->
<key>ExtendedAuthEnabled</key>
<true/>
<!-- and insert (and edit) below: -->
<key>AuthName</key>
<string>your-username</string>
<key>AuthPassword</key>
<string>your-password</string>
That worked for me! It's probably, as you said, a bug in Monterey on the new MBP; Touch ID could be related too.
Thank you.
I see that this is still a problem on 12.1. Reopening as a note to self to look into addressing it.
I've now replaced the .mobileconfig file with an AppleScript script for macOS, which prompts for credentials and then creates and opens a temporary .mobileconfig file with them in.
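The two mechanisms discussed in this thread (checking whether a profile leaves the IKEv2 payload with ExtendedAuthEnabled but no AuthName, which is the state Monterey installs as "Certificate" authentication, and filling AuthName/AuthPassword into a temporary profile just before installation) can be shown together in one script. The following is an added example, not the IKEv2-setup project's own AppleScript or .mobileconfig. It uses only Python's standard plistlib and a constructed minimal profile template; the payload keys (PayloadContent, com.apple.vpn.managed, VPNType, IKEv2, ExtendedAuthEnabled, AuthName, AuthPassword, AuthenticationMethod) are the documented Apple VPN payload keys, while the hostnames and UUIDs in the template are placeholders. Because the password ends up in plaintext inside the profile, the script writes it to a temp file that only the current user can read and removes it once the installer has been opened.

```python
import os
import plistlib
import subprocess
import sys
import tempfile
from getpass import getpass

# Constructed minimal IKEv2 profile template (placeholder values, not the project's real file).
TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.vpn.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.vpn.profile.ikev2</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>UserDefinedName</key><string>Example IKEv2 VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>RemoteIdentifier</key><string>vpn.example.com</string>
        <key>AuthenticationMethod</key><string>None</string>
        <key>ExtendedAuthEnabled</key><true/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_profile(profile_bytes):
    """Parse a .mobileconfig (an XML property list) into a Python dict."""
    return plistlib.loads(profile_bytes)


def ikev2_payloads(profile):
    """Return the IKEv2 dictionaries of every IKEv2 VPN payload in the profile."""
    return [
        payload["IKEv2"]
        for payload in profile.get("PayloadContent", [])
        if payload.get("PayloadType") == "com.apple.vpn.managed"
        and payload.get("VPNType") == "IKEv2"
        and "IKEv2" in payload
    ]


def needs_credentials(profile):
    """True if an IKEv2 payload relies on EAP user auth (ExtendedAuthEnabled)
    but carries no AuthName, the combination Monterey installed as
    'Certificate' authentication with no prompt in this thread."""
    return any(
        ike.get("ExtendedAuthEnabled") and not ike.get("AuthName")
        for ike in ikev2_payloads(profile)
    )


def embed_credentials(profile_bytes, username, password):
    """Return a copy of the profile with AuthName/AuthPassword set on every
    EAP-enabled IKEv2 payload, mirroring the manual XML edit from the thread."""
    profile = parse_profile(profile_bytes)
    for ike in ikev2_payloads(profile):
        if ike.get("ExtendedAuthEnabled"):
            ike["AuthName"] = username
            ike["AuthPassword"] = password
    return plistlib.dumps(profile)


def write_temp_profile(profile_bytes):
    """Write the profile to a temp file readable only by the current user
    (mkstemp creates it mode 0600) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mobileconfig")
    with os.fdopen(fd, "wb") as f:
        f.write(profile_bytes)
    return path


if __name__ == "__main__":
    template = parse_profile(TEMPLATE)
    if not needs_credentials(template):
        sys.exit("profile already carries an AuthName; nothing to do")
    user = input("VPN username: ")
    pw = getpass("VPN password: ")
    path = write_temp_profile(embed_credentials(TEMPLATE, user, pw))
    if sys.platform == "darwin":
        # 'open' hands the file to System Preferences for installation.
        subprocess.run(["open", path], check=False)
        input("Press Enter after the profile has been installed...")
    os.remove(path)  # do not leave the plaintext password on disk
```

Running the script on macOS installs the profile with the credentials already filled in, so the connection is created with username/password authentication rather than "Certificate"; on other platforms it only exercises the profile-rewriting logic.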