[HELP] IKEv2 authentication problem with macOS Catalina (10.15)

Good day sirs and sirettes,

I have this IPsec config on my MikroTik (ROS 6.45.6):

/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1536,modp1024 \
    enc-algorithm=aes-256,aes-128 hash-algorithm=sha256
add dh-group=ecp256,modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=yes enc-algorithms=\
    aes-256-cbc,aes-256-ctr lifetime=8h pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h \
    name=ike2 pfs-group=none
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
    windows pfs-group=none
/ip pool
add name=vpn-pool ranges=192.168.17.100-192.168.17.200
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=vpn-config
/ip ipsec identity
add auth-method=digital-signature certificate=server_cert,ca_cert \
    generate-policy=port-strict match-by=certificate mode-config=vpn-config \
    peer=ike2 policy-template-group=ike2-policies remote-certificate=ios
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.17.0/24 group=ike2-policies proposal=\
    ike2 src-address=0.0.0.0/0
add dst-address=192.168.17.0/24 group=ike2-policies proposal=windows \
    src-address=0.0.0.0/0 template=yes

I have it working perfectly fine on Mojave, iOS 12, Linux, and Windows. But it just won’t work under the current macOS (Catalina 10.15): the error message simply says User Authentication Failed, while I don’t see anything in the MikroTik log.

Here’s the ROS log:

LOG:

17:07:33 ipsec requested server id: <VPN FQDN SERVER>
17:07:33 ipsec processing payloads: NOTIFY
17:07:33 ipsec   notify: INITIAL_CONTACT
17:07:33 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
17:07:33 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
17:07:33 ipsec   notify: MOBIKE_SUPPORTED
17:07:33 ipsec processing payload: AUTH
17:07:33 ipsec requested auth method: RSA
17:07:33 ipsec,debug => peer's auth (first 0x100 of 0x200)
17:07:33 ipsec,debug 54bb4a8a 56c5d160 923a5a21 d8a01e12 fe7aa476 4451688b fb4e227d 1958a190
17:07:33 ipsec,debug 34d2123b 6a4aedb3 bb7a1906 43d0723d 8684063e a96658e8 65b222ce bd328e0a
17:07:33 ipsec,debug 16ec285d 8e825e5a 68989e6f d3453ab5 022bbec3 fab92689 b10e40d6 c9e60823
17:07:33 ipsec,debug ceeff9db 94107734 d373e7da 1b7bdc93 e55ab9f8 f1e513bb 2661ba9f 91d45abf
17:07:33 ipsec,debug d9df57f9 43f3c92f e062b649 20bf1936 2c7cbeae 954792b6 96565514 57cce077
17:07:33 ipsec,debug 9c348e56 49fe1858 1be00bf2 18614e98 405f3cb5 d06d3e6d dfe34628 f9b24832
17:07:33 ipsec,debug d342b693 ced45f1c 1f021e18 daf42feb f92e649d 9a7693bd 64d84ad4 2e60ea24
17:07:33 ipsec,debug a5106eb6 d8164629 0f3c5ed8 f42d531a bdf756ca 83a9a8f6 01281b8e 76e3cd79
17:07:33 ipsec,debug => auth nonce (size 0x18)
17:07:33 ipsec,debug e8eb33b1 2df50820 40ce61c7 df524f4e dd7448bf 90cee198
17:07:33 ipsec,debug => SK_p (size 0x20)
17:07:33 ipsec,debug f61050b8 615d9cd1 7178e93d 48e71d4d 373226a4 da2a431a c2130f1c 1bad4ace
17:07:33 ipsec,debug => idhash (size 0x20)
17:07:33 ipsec,debug df36bcce 85a40ba8 8a6ef97f dfc75255 3eda6f52 1c471dd2 c82b7a02 7e00cf81
17:07:33 ipsec,info,account peer authorized: <SERVER IP>[4500]-<MY IP>[4500] spi:f4d269226bb65047:6afe4b3a1d640d26
17:07:33 ipsec,info,account account -- : peer authorized: <SERVER IP>[4500]-<MY IP>[4500] spi:f4d269226bb65047:6afe4b3a1d640d26
17:07:33 ipsec initial contact
17:07:33 ipsec processing payloads: NOTIFY
17:07:33 ipsec   notify: INITIAL_CONTACT
17:07:33 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
17:07:33 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
17:07:33 ipsec   notify: MOBIKE_SUPPORTED
17:07:33 ipsec peer wants tunnel mode
17:07:33 ipsec processing payload: CONFIG
17:07:33 ipsec   attribute: internal IPv4 address
17:07:33 ipsec   attribute: internal IPv4 netmask
17:07:33 ipsec   attribute: internal IPv4 DHCP
17:07:33 ipsec   attribute: internal IPv4 DNS
17:07:33 ipsec   attribute: internal IPv6 address
17:07:33 ipsec   attribute: internal IPv6 DHCP
17:07:33 ipsec   attribute: internal IPv6 DNS
17:07:33 ipsec   attribute: unknown 0x19
17:07:33 ipsec,info acquired 192.168.17.195 address for <MY IP>, <LOCAL_IP>
17:07:33 ipsec processing payload: TS_I
17:07:33 ipsec 0.0.0.0/0
17:07:33 ipsec [::/0]
17:07:33 ipsec processing payload: TS_R
17:07:33 ipsec processing payload: TS_R
17:07:33 ipsec 0.0.0.0/0
17:07:33 ipsec [::/0]
17:07:33 ipsec TSi in tunnel mode replaced with config address: 192.168.17.195
17:07:33 ipsec canditate selectors: 0.0.0.0/0 <=> 192.168.17.195
17:07:33 ipsec canditate selectors: [::/0] <=> [::/0]
17:07:33 ipsec processing payload: SA
17:07:33 ipsec IKE Protocol: ESP
17:07:33 ipsec  proposal #1
17:07:33 ipsec   enc: aes256-cbc
17:07:33 ipsec   auth: sha256
17:07:33 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.17.195
17:07:33 ipsec generating policy
17:07:33 ipsec matched proposal:
17:07:33 ipsec  proposal #1
17:07:33 ipsec   enc: aes256-cbc
17:07:33 ipsec   auth: sha256
17:07:33 ipsec ike auth: finish
17:07:33 ipsec ID_R (ADDR4): <SERVER_IP>
17:07:33 ipsec processing payload: NONCE
17:07:33 ipsec,debug => auth nonce (size 0x10)
17:07:33 ipsec,debug cef70734 a6226945 b2512168 49141763
17:07:33 ipsec,debug => SK_p (size 0x20)
17:07:33 ipsec,debug 1d07cdd4 7a0a616e 5818c996 8e46ac90 68a4f7c3 1481e3f5 7cb8db24 e1fa5acf
17:07:33 ipsec,debug => idhash (size 0x20)
17:07:33 ipsec,debug d2bd0bf0 feb934b9 d74308df adf47d73 699327dc c8be910d 5acb0e96 b2600b8f
17:07:34 ipsec,debug => my auth (first 0x100 of 0x200)
17:07:34 ipsec,debug 6ec8ff63 74066749 12762d36 10c9a81d 7ba014e3 0ff0bfe7 c5ffb4b0 90a15dbd
17:07:34 ipsec,debug ce46b979 9a476578 2ccaceed dac57b9c 33ce4574 ff9c66f7 45448b4e 5623c86a
17:07:34 ipsec,debug 60eb8457 13580f08 41ed7dc0 fae725a2 5f0eedcd d737b97b 4aa7a2e6 cc63d32f
17:07:34 ipsec,debug 7f3b00db 84b57c57 61321ced 58fb056a 0992f52a ca335557 50123eb2 b591563a
17:07:34 ipsec,debug f611fa1a 0c5dd249 0a19bea5 48e9eed5 7c416784 86a27f0c 5b83ac02 971aeac0
17:07:34 ipsec,debug 8fffb35a 3d8772bf 9b029ac0 9a8764d8 5ee652af 3f895a23 da5bd5d3 b49e23e7
17:07:34 ipsec,debug c10cfeee cb5eddca 776a6c0d 5dca1c79 9710f76d bb7ab934 153ee90d 6fc8c06a
17:07:34 ipsec,debug 30ddbeb0 f710788d af5f8a53 70896963 bf3460a3 d07a78a3 92aabce9 8d2d838a
17:07:34 ipsec cert: <SERVER FQDN>
17:07:34 ipsec adding payload: CERT
17:07:34 ipsec,debug => (first 0x100 of 0x573)
17:07:34 ipsec,debug 00000573 04308205 6a308203 52a00302 01020208 0fe1d8cd 4e6a9f79 300d0609
17:07:34 ipsec,debug 2a864886 f70d0101 0b050030 2c312a30 28060355 04030c21 76706e2e 73616e66
17:07:34 ipsec,debug 6f6f6470 72696d61 6d616b6d 75722e6d 79776972 652e6f72 67301e17 0d313931
17:07:34 ipsec,debug 30313830 39303332 335a170d 32313132 32363039 30333233 5a302c31 2a302806
17:07:34 ipsec,debug 03550403 0c217670 6e2e7361 6e666f6f 64707269 6d616d61 6b6d7572 2e6d7977
17:07:34 ipsec,debug 6972652e 6f726730 82022230 0d06092a 864886f7 0d010101 05000382 020f0030
17:07:34 ipsec,debug 82020a02 82020100 c4ce0a48 33ef573f 21d5b04c 47de34fb 47b7aab4 c27d2545
17:07:34 ipsec,debug 69b5efae 912d7d87 48d3dfaa 252ceed8 163d74d7 7bcdc7b3 b03ea72d 898460bd
17:07:34 ipsec cert: <SERVER FQDN>
17:07:34 ipsec adding payload: CERT
17:07:34 ipsec,debug => (first 0x100 of 0x5df)
17:07:34 ipsec,debug 000005df 04308205 d6308203 bea00302 01020208 791d1288 b0c575cb 300d0609
17:07:34 ipsec,debug 2a864886 f70d0101 0b050030 2c312a30 28060355 04030c21 76706e2e 73616e66
17:07:34 ipsec,debug 6f6f6470 72696d61 6d616b6d 75722e6d 79776972 652e6f72 67301e17 0d313931
17:07:34 ipsec,debug 30313830 36343933 365a170d 32313132 32363036 34393336 5a302c31 2a302806
17:07:34 ipsec,debug 03550403 0c217670 6e2e7361 6e666f6f 64707269 6d616d61 6b6d7572 2e6d7977
17:07:34 ipsec,debug 6972652e 6f726730 82022230 0d06092a 864886f7 0d010101 05000382 020f0030
17:07:34 ipsec,debug 82020a02 82020100 b2908338 73765d9c 4726882f 7577285a 25541324 84388ead
17:07:34 ipsec,debug 167dbdd7 9eeb48ef fcfff7d2 3d0ca7e1 45f47020 47b11e55 2f77427c fb45f391
17:07:34 ipsec adding payload: ID_R
17:07:34 ipsec,debug => (size 0xc)
17:07:34 ipsec,debug 0000000c 01000000 77023569
17:07:34 ipsec adding payload: AUTH
17:07:34 ipsec,debug => (first 0x100 of 0x208)
17:07:34 ipsec,debug 00000208 01000000 6ec8ff63 74066749 12762d36 10c9a81d 7ba014e3 0ff0bfe7
17:07:34 ipsec,debug c5ffb4b0 90a15dbd ce46b979 9a476578 2ccaceed dac57b9c 33ce4574 ff9c66f7
17:07:34 ipsec,debug 45448b4e 5623c86a 60eb8457 13580f08 41ed7dc0 fae725a2 5f0eedcd d737b97b
17:07:34 ipsec,debug 4aa7a2e6 cc63d32f 7f3b00db 84b57c57 61321ced 58fb056a 0992f52a ca335557
17:07:34 ipsec,debug 50123eb2 b591563a f611fa1a 0c5dd249 0a19bea5 48e9eed5 7c416784 86a27f0c
17:07:34 ipsec,debug 5b83ac02 971aeac0 8fffb35a 3d8772bf 9b029ac0 9a8764d8 5ee652af 3f895a23
17:07:34 ipsec,debug da5bd5d3 b49e23e7 c10cfeee cb5eddca 776a6c0d 5dca1c79 9710f76d bb7ab934
17:07:34 ipsec,debug 30ddbeb0 f710788d af5f8a53 70896963 bf3460a3 d07a78a3 92aabce9 8d2d838a
17:07:34 ipsec cert: <SERVER FQDN>
17:07:34 ipsec adding payload: CERT
17:07:34 ipsec,debug => (first 0x100 of 0x573)
17:07:34 ipsec,debug 00000573 04308205 6a308203 52a00302 01020208 0fe1d8cd 4e6a9f79 300d0609
17:07:34 ipsec,debug 2a864886 f70d0101 0b050030 2c312a30 28060355 04030c21 76706e2e 73616e66
17:07:34 ipsec,debug 6f6f6470 72696d61 6d616b6d 75722e6d 79776972 652e6f72 67301e17 0d313931
17:07:34 ipsec,debug 30313830 39303332 335a170d 32313132 32363039 30333233 5a302c31 2a302806
17:07:34 ipsec,debug 03550403 0c217670 6e2e7361 6e666f6f 64707269 6d616d61 6b6d7572 2e6d7977
17:07:34 ipsec,debug 6972652e 6f726730 82022230 0d06092a 864886f7 0d010101 05000382 020f0030
17:07:34 ipsec,debug 82020a02 82020100 c4ce0a48 33ef573f 21d5b04c 47de34fb 47b7aab4 c27d2545
17:07:34 ipsec,debug 69b5efae 912d7d87 48d3dfaa 252ceed8 163d74d7 7bcdc7b3 b03ea72d 898460bd
17:07:34 ipsec cert: <SERVER FQDN>
17:07:34 ipsec adding payload: CERT
17:07:34 ipsec,debug => (first 0x100 of 0x5df)
17:07:34 ipsec,debug 000005df 04308205 d6308203 bea00302 01020208 791d1288 b0c575cb 300d0609
17:07:34 ipsec,debug 2a864886 f70d0101 0b050030 2c312a30 28060355 04030c21 76706e2e 73616e66
17:07:34 ipsec,debug 6f6f6470 72696d61 6d616b6d 75722e6d 79776972 652e6f72 67301e17 0d313931
17:07:34 ipsec,debug 30313830 36343933 365a170d 32313132 32363036 34393336 5a302c31 2a302806
17:07:34 ipsec,debug 03550403 0c217670 6e2e7361 6e666f6f 64707269 6d616d61 6b6d7572 2e6d7977
17:07:34 ipsec,debug 6972652e 6f726730 82022230 0d06092a 864886f7 0d010101 05000382 020f0030
17:07:34 ipsec,debug 82020a02 82020100 b2908338 73765d9c 4726882f 7577285a 25541324 84388ead
17:07:34 ipsec,debug 167dbdd7 9eeb48ef fcfff7d2 3d0ca7e1 45f47020 47b11e55 2f77427c fb45f391
17:07:34 ipsec adding payload: ID_R
17:07:34 ipsec,debug => (size 0xc)
17:07:34 ipsec,debug 0000000c 01000000 77023569
17:07:34 ipsec adding payload: AUTH
17:07:34 ipsec,debug => (first 0x100 of 0x208)
17:07:34 ipsec,debug 00000208 01000000 6ec8ff63 74066749 12762d36 10c9a81d 7ba014e3 0ff0bfe7
17:07:34 ipsec,debug c5ffb4b0 90a15dbd ce46b979 9a476578 2ccaceed dac57b9c 33ce4574 ff9c66f7
17:07:34 ipsec,debug 45448b4e 5623c86a 60eb8457 13580f08 41ed7dc0 fae725a2 5f0eedcd d737b97b
17:07:34 ipsec,debug 4aa7a2e6 cc63d32f 7f3b00db 84b57c57 61321ced 58fb056a 0992f52a ca335557
17:07:34 ipsec,debug 50123eb2 b591563a f611fa1a 0c5dd249 0a19bea5 48e9eed5 7c416784 86a27f0c
17:07:34 ipsec,debug 5b83ac02 971aeac0 8fffb35a 3d8772bf 9b029ac0 9a8764d8 5ee652af 3f895a23
17:07:34 ipsec,debug da5bd5d3 b49e23e7 c10cfeee cb5eddca 776a6c0d 5dca1c79 9710f76d bb7ab934
17:07:34 ipsec,debug 153ee90d 6fc8c06a 30ddbeb0 f710788d af5f8a53 70896963 bf3460a3 d07a78a3
17:07:34 ipsec prepearing internal IPv4 address
17:07:34 ipsec prepearing internal IPv4 netmask
17:07:34 ipsec prepearing internal IPv4 DNS
17:07:34 ipsec prepearing internal IPv4 DNS
17:07:34 ipsec adding payload: CONFIG
17:07:34 ipsec,debug => (size 0x28)
17:07:34 ipsec,debug 00000028 02000000 00010004 c0a811c3 00020004 ffffffff 00030004 6f441b03
17:07:34 ipsec,debug 00030004 6f441b04
17:07:34 ipsec initiator selector: 192.168.17.195
17:07:34 ipsec adding payload: TS_I
17:07:34 ipsec,debug => (size 0x18)
17:07:34 ipsec,debug 00000018 01000000 07000010 0000ffff c0a811c3 c0a811c3
17:07:34 ipsec responder selector: 0.0.0.0/0
17:07:34 ipsec adding payload: TS_R
17:07:34 ipsec,debug => (size 0x18)
17:07:34 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
17:07:34 ipsec adding payload: SA
17:07:34 ipsec,debug => (size 0x2c)
17:07:34 ipsec,debug 0000002c 00000028 01030403 0e2deed1 0300000c 0100000c 800e0100 03000008
17:07:34 ipsec,debug 0300000c 00000008 05000000
17:07:34 ipsec <- ike2 reply, exchange: AUTH:1 <MY_IP>[4500]
17:07:34 ipsec,debug,packet => outgoing plain packet (size 0xe06)
17:07:34 ipsec,debug,packet 6afe4b3a 1d640d26 f4d26922 6bb65047 25202320 00000001 00000e06 25000573
17:07:34 ipsec,debug,packet 04308205 6a308203 52a00302 01020208 0fe1d8cd 4e6a9f79 300d0609 2a864886
17:07:34 ipsec,debug,packet f70d0101 0b050030 2c312a30 28060355 04030c21 76706e2e 73616e66 6f6f6470
17:07:34 ipsec,debug,packet 72696d61 6d616b6d 75722e6d 79776972 652e6f72 67301e17 0d313931 30313830
17:07:34 ipsec,debug,packet 39303332 335a170d 32313132 32363039 30333233 5a302c31 2a302806 03550403
17:07:34 ipsec,debug,packet 0c217670 6e2e7361 6e666f6f 64707269 6d616d61 6b6d7572 2e6d7977 6972652e
17:07:34 ipsec,debug,packet 6f726730 82022230 0d06092a 864886f7 0d010101 05000382 020f0030 82020a02
17:07:34 ipsec,debug,packet 82020100 c4ce0a48 33ef573f 21d5b04c 47de34fb 47b7aab4 c27d2545 69b5efae
17:07:34 ipsec,debug,packet
17:07:34 ipsec,debug,packet 912d7d87 48d3dfaa 252ceed8 163d74d7 7bcdc7b3 b03ea72d 898460bd f589fae1
17:07:34 ipsec,debug,packet 758df0e3 9584a89b eacb75b4 88502c49 ddd001f2 93630338 c5adca50 bae617cc
17:07:34 ipsec,debug,packet
17:07:34 ipsec,debug,packet 9d41e3ef a3cd0b75 68db7b52 42d2a9e3 cffe613b a9c8d29d 14d0e759 8c628c24
17:07:34 ipsec,debug,packet 0203c71a ff120bb8 d3f123be edbb0324 dcb3f948 0740245b d1bdf127 160390c9
17:07:34 ipsec,debug,packet 65488bf4 36b942ba 0d7d1b4a f8ad2652 f7f9f60d feaa321d 48655bfa af325f84
17:07:34 ipsec,debug,packet 97f252b3 967666e9 21261c95 b2b12700 000c0100 00007702 35692f00 02080100
17:07:34 ipsec,debug,packet 00006ec8 ff637406 67491276 2d3610c9 a81d7ba0 14e30ff0 bfe7c5ff b4b090a1
17:07:34 ipsec,debug,packet 5dbdce46 b9799a47 65782cca ceeddac5 7b9c33ce 4574ff9c 66f74544 8b4e5623
17:07:34 ipsec,debug,packet c86a60eb 84571358 0f0841ed 7dc0fae7 25a25f0e edcdd737 b97b4aa7 a2e6cc63
17:07:34 ipsec,debug,packet d32f7f3b 00db84b5 7c576132 1ced58fb 056a0992 f52aca33 55575012 3eb2b591
17:07:34 ipsec,debug,packet
17:07:34 ipsec,debug,packet 563af611 fa1a0c5d d2490a19 bea548e9 eed57c41 678486a2 7f0c5b83 ac02971a
17:07:34 ipsec,debug,packet eac08fff b35a3d87 72bf9b02 9ac09a87 64d85ee6 52af3f89 5a23da5b d5d3b49e
17:07:34 ipsec,debug,packet 23e7c10c feeecb5e ddca776a 6c0d5dca 1c799710 f76dbb7a b934153e e90d6fc8
17:07:34 ipsec,debug,packet c06a30dd beb0f710 788daf5f 8a537089 6963bf34 60a3d07a 78a392aa bce98d2d
17:07:34 ipsec,debug,packet 838ab290 21df26bb 78480951 fc211711 9aac9649 c5d081d4 a20e2cef 8895f6ca
17:07:34 ipsec,debug,packet 9f50c86b 90b8dd5b 2dd26ba5 d9d8f817 c7cd545f 02e54fe1 05c16457 4d9a5324
17:07:34 ipsec,debug,packet e4b9d2c3 beaa575b 155c5e9d 1520dbf8 f36b10b9 86c07294 cb39f186 7c4008c2
17:07:34 ipsec,debug,packet 24327574 aaef1b86 1895cdae 42bd4b68 b3274a53 d7a22733 7383f759 b7e0d465
17:07:34 ipsec,debug,packet
17:07:34 ipsec,debug,packet b264b218 aba9bd59 409be56a ac0203bc 74058132 00de97b9 449e8765 1f97cf1e
17:07:34 ipsec,debug,packet 8c8aa8fe e787e7cc 53e6f534 a779d99f fa1df15f 2202643e e3a6439b 601337d5
17:07:34 ipsec,debug,packet ce4df3f6 5ba940f1 cbb3b99c a3d0173f 486f3e2a af362284 298597a9 10500622
17:07:34 ipsec,debug,packet 182e65b3 3c1169de e413f0e5 07408410 efe071c9 b941059e e5f17756 698fb8db
17:07:34 ipsec,debug,packet dd422c00 00280200 00000001 0004c0a8 11c30002 0004ffff ffff0003 00046f44
17:07:34 ipsec,debug,packet 1b030003 00046f44 1b042d00 00180100 00000700 00100000 ffffc0a8 11c3c0a8
17:07:34 ipsec,debug,packet 11c32100 00180100 00000700 00100000 ffff0000 0000ffff ffff0000 002c0000
17:07:34 ipsec,debug,packet 00280103 04030e2d eed10300 000c0100 000c800e 01000300 00080300 000c0000
17:07:34 ipsec,debug,packet
17:07:34 ipsec,debug,packet 00080500 0000
17:07:34 ipsec adding payload: ENC
17:07:34 ipsec,debug => (first 0x100 of 0xe14)
17:07:34 ipsec,debug 25000e14 1b1db6c3 481398be 0a779ca3 a9671f51 fce1d3a6 1664388f 38db2976
17:07:34 ipsec,debug 4630df46 6351c68f 5bacb53d f465ef54 f6ab9822 ae4e6349 f201716f 83eb431a
17:07:34 ipsec,debug baaa9c0d ca8512b1 f7ff75b0 7f9dedeb a6fdc63f 24f91f59 b08616e7 e1838a21
17:07:34 ipsec,debug 8c4a4b99 c43dbcec 2fc916ed 18132075 ae464e82 e3383825 3b924546 c954e139
17:07:34 ipsec,debug d6e928c8 58f9bfd5 45f5a76a baa60f6f 5695a5cc b278e2d5 69581c62 2afa6cd9
17:07:34 ipsec,debug c5df2d5a e390aa92 095b1834 b37929b6 b5f0df2a 38304d57 84e15e4f 602489dd
17:07:34 ipsec,debug 773fdb6b 071acb73 9a4f2100 0bbefd32 adbe33bc 21b71c1a 12726d34 d6c1b7c4
17:07:34 ipsec,debug 148abefb 2e1195ce dcaaaca8 ee2c9bfa 67892880 29cdf266 b2232c3b 8d5c31c3
17:07:34 ipsec,debug ===== sending 3632 bytes from <SERVER_IP>[4500] to <MY_IP>[4500]
17:07:34 ipsec,debug 1 times of 3636 bytes message will be sent to <MY_IP>[4500]
17:07:34 ipsec,debug,packet 6afe4b3a 1d640d26 f4d26922 6bb65047 2e202320 00000001 00000e30 25000e14
17:07:34 ipsec,debug,packet 1b1db6c3 481398be 0a779ca3 a9671f51 fce1d3a6 1664388f 38db2976 4630df46
17:07:34 ipsec,debug,packet 6351c68f 5bacb53d f465ef54 f6ab9822 ae4e6349 f201716f 83eb431a baaa9c0d
17:07:34 ipsec,debug,packet ca8512b1 f7ff75b0 7f9dedeb a6fdc63f 24f91f59 b08616e7 e1838a21 8c4a4b99
17:07:34 ipsec,debug,packet c43dbcec 2fc916ed 18132075 ae464e82 e3383825 3b924546 c954e139 d6e928c8
17:07:34 ipsec,debug,packet 58f9bfd5 45f5a76a baa60f6f 5695a5cc b278e2d5 69581c62 2afa6cd9 c5df2d5a
17:07:34 ipsec,debug,packet e390aa92 095b1834 b37929b6 b5f0df2a 38304d57 84e15e4f 602489dd 773fdb6b
17:07:34 ipsec,debug => child keymat (size 0x80)
17:07:34 ipsec,debug 36eb9d97 896b2b5f db3a5446 1f924a4b da77d25f 77298226 688c6813 f7623a8a
17:07:34 ipsec,debug ef15c96a 9f306fb5 75566303 0bd441c7 6559a906 3f7fe8c6 23166084 6df820e9
17:07:34 ipsec,debug be079f43 a80c5295 7adca01a 40513c7e 6f38cd0d b9d5ead5 37d253c1 5f331c19
17:07:34 ipsec,debug ad04e646 4f797037 60bdee93 9bb8fc28 69963d80 599a8b09 3de81fde 745fab19
17:07:34 ipsec IPsec-SA established: <MY_IP>[4500]-><SERVER_IP>[4500] spi=0xe2deed1
17:07:34 ipsec IPsec-SA established: <SERVER_IP>[4500]-><MY_IP>[4500] spi=0x944dbfc
17:07:34 ipsec,debug ===== received 2256 bytes from <MY_IP>[4500] to <SERVER_IP>[4500]
17:07:34 ipsec,debug,packet 6afe4b3a 1d640d26 f4d26922 6bb65047 2e202308 00000001 000008d0 230008b4
17:07:34 ipsec,debug,packet b270fee1 d82b081f 55310153 82b6ff98 e102a672 7c4771b6 2e199420 5b96f4f5
17:07:34 ipsec,debug,packet 53fdae81 fc5c3ac4 5c27083b d1b939bd 1da7357d b7c04be5 234ba810 ad8b028c
17:07:34 ipsec,debug,packet 2b655f97 2d15e385 97ec0e5e f2211858 90c07659 7c0df22d 07638a50 d61509f2
17:07:34 ipsec,debug,packet a12b0870 e3a55288 d0438dfa a3da6027 6bab9e9e 4137973e e05a2264 094ed86b
17:07:34 ipsec,debug,packet 957b47ec b95d9227 c1654a5c e8d4649c 3a337ad0 9f90e628 637f0c40 2271ceb3
17:07:34 ipsec,debug,packet ed21201f b844a399 a96f00ce e23fd607 09e6dd9b e8b2eeb9 a20830eb 019c2d43
17:07:34 ipsec,debug,packet 1cb060f2 7a400742 a9dd0c3f eeab4159 5b50c3d3 9a672f7c c6909455 49a168a6
17:07:34 ipsec,debug,packet a6497608 6bcffbd0 66e07ad8 2a3b7d10 4de92695 8c61d319 95ebcb79 6d1a0a6c
17:07:34 ipsec,debug,packet 4da07aff 501689f1 e469afd4 ad30a684 16a89e7f 990f0edd a4aa25b7 bd50717b
17:07:34 ipsec,debug,packet 311b16c6 a0e4baed f146e1f8 a2588742 adb6772f f67a5cfc f05ac475 ec417dee
17:07:34 ipsec,debug,packet c7a88d10 a2fad4b5 756292ab 0b88de20 50dbc083 860b1d4f 5bb6be26 21c26cbf
17:07:34 ipsec,debug,packet 9557bb24 1e73b546 50fc19b9 c71c9d41 a22114ed 3bb4a794 c5e1e2ec 742b5521
17:07:34 ipsec,debug,packet b1cb9865 989896e7 f65d03d1 36df8887 6791cd17 07a78501 dae6b196 6d9f5717
17:07:34 ipsec,debug,packet 04282ada c98fb23d 0f064f7f 472a0d97 eeb0fada fcbbba59 c9298060 3556f646
17:07:34 ipsec,debug,packet 9a06dbf1 c23780ae ad289c19 bb73194d c353805c 05c55da6 100d8a7a 7695e2e4
17:07:34 ipsec,debug,packet 678f0f2a 489130b8 1c9dc9e7 75cd7a62 6a10ee78 8a3a7d6a fe31aaec 35034c44
17:07:34 ipsec,debug,packet d898a095 decb7f5c 22d1f855 ed8ecb32 e01898f1 ed605432 314f9943 af9118d5
17:07:34 ipsec,debug,packet 59241af3 7a9e3e04 00ce8722 4bc60dec db5a33a8 60b06fab ab005b3e 6d40a5ac
17:07:34 ipsec,debug,packet f9fe294f 1538911e 6e39d9c0 71cc6a63 31c4194e 25aa6a0f 4316fff8 d4176b88
17:07:34 ipsec,debug,packet 0beda96d c4d62167 509b93cd 0a897c80 db78fbda 01a0b4a6 b334fbde 2016557b
17:07:34 ipsec,debug,packet b529ccff 43d5404a af3f9f80 42f0c786 0585e530 028b6a82 d1175874 605cfc08
17:07:34 ipsec,debug,packet 4c5b02dd 74fabb1b 4d49ec76 0e56deba 684e8d9b 510593d7 634aeff2 cfe90e6f
17:07:34 ipsec,debug,packet 196c9f62 4d40a326 fcd9561f 839bf15b bee400dd cbd50a4f 2abc6a85 f4762196
17:07:34 ipsec,debug,packet e76df0d8 2648ac75 42f70b19 86682a32 3223fe47 542325e9 96901b58 66d3230b
17:07:34 ipsec,debug,packet 64b77a33 4afac4e1 74dcbd6d 835a8e06 959e84fd b3127169 01f2f1c3 b9031241
17:07:34 ipsec,debug,packet fab8b137 c39e929c d985abe6 647cdd9f 23c193d2 c607b0cf 1852b9c8 9fad66b4
17:07:34 ipsec,debug,packet b5baadfa f34d7964 c302e7af e4ba28a6 876f42bf 789ccb33 1acada5f 6a9bc194
17:07:34 ipsec,debug,packet 0421461b a43b0e08 8ea5a801 0c047b6b f66e71d5 6dcd7265 cd19dd00 f22c2370
17:07:34 ipsec,debug,packet b432113b 61870ded 2fc7e966 944b4e33 ed48854f 41510762 584c8777 4671dfd6
17:07:34 ipsec,debug,packet 66d8aaaf 30989ac2 22d063cf 2d41b361 fe420f70 c8ecde1d a95d7888 90cfc6b1
17:07:34 ipsec,debug,packet 46128f82 3215b396 2b69d2af 57c055d0 2d569fd5 c35bc8a4 f7305aac ca151433
17:07:34 ipsec,debug,packet b1641866 36a43b24 48fd8611 6fe6f6cd dc642c78 4703c5dc e4ceedb7 7da260d9
17:07:34 ipsec,debug,packet c2cba6fd d4616777 8687cc1b 4906482b 278aa70d d18b966d 73c3a6cf e648c4a3
17:07:34 ipsec,debug,packet 8d402e8a 3760dab6 936ef3ac 29157266 411af2bd 87fe03a8 81abef9f 9b51dabb
17:07:34 ipsec,debug,packet 829b4c9f d8f17601 a804cce8 449d87f9 a6e520c1 ff5a1493 b19c2112 b3d5b4f8
17:07:34 ipsec,debug,packet 397e3cda 66a9c5c9 64902a25 91590bc7 8fbdb07a 2b35073d bf4f3333 734b26ef
17:07:34 ipsec,debug,packet 14ebb29a 1f4fcb7d d7cdbb22 a85b1382 29ac898f 0746b90d 767e7c22 afc2ff90
17:07:34 ipsec,debug,packet c62194d4 9d84ac1f 1c46d8ad 8d2cf4de e3594358 65790a95 e45ffdce 5f1df2c9
17:07:34 ipsec,debug,packet 89663756 efa0ac14 268c07e1 9eca3815 db36c342 0c44f39e cf84cd71 91bfdc31
17:07:34 ipsec,debug,packet 4ddaa05e 895040d1 c8c81338 10e33701 af2f8db4 61d3eb2b 243e2c70 37ad95aa
17:07:34 ipsec,debug,packet 2aae0218 9dcedadc 04494612 883dd920 5fd916f7 07881b60 573659e5 73ef12cb
17:07:34 ipsec,debug,packet d1e9472e 83fa9c99 a8ddbd35 73116a2f 9e890d4c abd3b414 f80aa35f a47a1351
17:07:34 ipsec,debug,packet d6064425 1f30d7e9 bc408710 6f40d83b c933f872 b6d5b675 d2678809 cd056bd7
17:07:34 ipsec,debug,packet 04b579d3 69b36458 175b3885 01cddd0a 3997c114 f52f5469 be83e6f3 8177fcd2
17:07:34 ipsec,debug,packet 08c7e94e cd964fab 74836caa a1ea0223 c61983ce 47fc1e10 f9c09a12 71bf2e96
17:07:34 ipsec,debug,packet df86adc1 de70d5cb 626b96ab aff0bec9 a02b4a04 383c3f15 056a4b51 badb262c
17:07:34 ipsec,debug,packet e31648eb 2078bf35 38072d44 9265dc7e 2d5c1bea c2938dee e12c87fd dcabfd68
17:07:34 ipsec,debug,packet a1c37203 d8b80a9a 3dd784e5 d867c88e 010e89f1 e8eb2a8d 21598ca3 643222f9
17:07:34 ipsec,debug,packet 1a520762 fa7f2887 1572b9c4 5a03cf15 66803909 377990e8 5f114f2f 8241f93f
17:07:34 ipsec,debug,packet 59efc3a0 a997c996 d0224ef9 ebbfb57d e9e5af0c aad332d4 81c14694 50e0a305
17:07:34 ipsec,debug,packet db1f037b 6417b459 80303c51 58df48e3 694e1f56 7376a58b afccedb4 f05a4189
17:07:34 ipsec,debug,packet cc5de49d 25b9a368 efc69b7b ab9e217c 76f94a80 24a81860 991b81a9 e80340cf
17:07:34 ipsec,debug,packet a9de361c 59f02bef 7e186bb7 86e5bb46 081a5198 0500c70b 2977837e f04c358b
17:07:34 ipsec,debug,packet e4990707 9094c1f6 995d3017 7faac662 8e85d922 0d709ab9 83265460 82f18b8b
17:09:58 ipsec,debug ===== sending 288 bytes from <SERVER_IP>[4500] to <MY_IP>[4500]
17:09:58 ipsec,debug 1 times of 292 bytes message will be sent to <MY_IP>[4500]
17:09:58 ipsec,debug,packet 6afe4b3a 1d640d26 f4d26922 6bb65047 2e202500 00000001 00000120 2a000104
17:09:58 ipsec,debug,packet 1b1db6c3 481398be 0a779ca3 a9671f51 b1037647 f9fa4892 1177d539 1de2ad50
17:09:58 ipsec,debug,packet 990fe10b e1ee8d77 11c3df9e b46f08e7 b41304bb 1bbea260 87f4c6e8 519a3940
17:09:58 ipsec,debug,packet 7de29fdd d05a3eb6 e1dbb254 5e9b9629 aa7fe048 78aae1ca 258b74c8 c22b81d8
17:09:58 ipsec,debug,packet 008e15c2 52d3dc58 2a0dbf41 5357237e e10a153a 3f8051db 370eee7d ce379e34
17:09:58 ipsec,debug,packet 97371d83 00604bef 053b7109 72719256 47263e22 2a190720 91926be3 2072d22c
17:09:58 ipsec,debug,packet dfe0c3e3 35c24141 085a7d92 b7a2524a 76e8e04e d1ce93b8 88e74787 4b411296
17:09:58 ipsec,debug,packet 644ec5b2 97a3b120 38e45af7 1148859d 946db95b 463519c0 7c38a460 dab57865
17:09:58 ipsec,debug,packet 53fa1929 2e9e32e0 49afb11e f2f9257c 6c148f21 e8d38740 fef87a48 130da80f
17:09:58 ipsec KA remove: <SERVER_IP>[4500]-><MY_IP>[4500]
17:09:58 ipsec,debug KA tree dump: <SERVER_IP>[4500]-><MY_IP>[4500] (in_use=1)
17:09:58 ipsec,debug KA removing this one...

My certificates are all self-signed and generated under ROS; all of them have subject-alt-name and extended-key-usage attributes, less than 825 days of validity and a key size of more than 2048 bits.

/certificate
add name=ca common-name=<SERVER FQDN> subject-alt-name=DNS:<SERVER FQDN> days-valid=810 key-size=4096
add name=vpn-server common-name=<SERVER FQDN> subject-alt-name=IP:<SERVER IP> days-valid=800 key-size=4096 key-usage=tls-server
add name=client-cert common-name=<CLIENT HOSTNAME> subject-alt-name=IP:<CLIENT IP> days-valid=800 key-size=4096 key-usage=tls-client

Did I make some mistakes along the way, or does anyone have any idea / the same problem? I appreciate any kind of pointers / help.


EDIT:
Here’s the Apple Configurator file (VPN config):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IKEv2</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Certificate</string>
				<key>ChildSecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>DeadPeerDetectionRate</key>
				<string>Medium</string>
				<key>DisableMOBIKE</key>
				<integer>0</integer>
				<key>DisableRedirect</key>
				<integer>0</integer>
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<key>EnableFallback</key>
				<integer>0</integer>
				<key>EnablePFS</key>
				<true/>
				<key>IKESecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>LocalIdentifier</key>
				<string>sanfood</string>
				<key>PayloadCertificateUUID</key>
				<string>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</string>
				<key>RemoteAddress</key>
				<string><SERVER FQDN></string>
				<key>RemoteIdentifier</key>
				<string><SERVER FQDN></string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>0</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.SOME_UUID</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>SOME_UUID</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>vpn</string>
			<key>VPNType</key>
			<string>IKEv2</string>
		</dict>
		<dict>
			<key>Password</key>
			<string>SOME_PASSWORD</string>
			<key>PayloadCertificateFileName</key>
			<string>SOME_CERT</string>
			<key>PayloadContent</key>
			<data>
				SOME DATA
			</data>
			<key>PayloadDescription</key>
			<string>Adds a PKCS#12-formatted certificate</string>
			<key>PayloadDisplayName</key>
			<string>cert_export_ios.p12</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pkcs12.SOME_UUID</string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs12</string>
			<key>PayloadUUID</key>
			<string>SOME_UUID</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>CA CERT</string>
			<key>PayloadContent</key>
			<data>
			SOME DATA
			</data>
			<key>PayloadDescription</key>
			<string>Adds a CA root certificate</string>
			<key>PayloadDisplayName</key>
			<string><SERVER FQDN></string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.root.SOME_UUID</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>SOME_UUID</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>vpn</string>
	<key>PayloadIdentifier</key>
	<string>SOME UUID</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>SOME UUID</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
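Added example, not part of the original post and not MikroTik code. The ROS log above dumps every payload the responder puts into its IKE_AUTH reply as hex, so the exact ID_R, traffic selectors and ESP proposal the Mac was given can be read back out of the log instead of guessed at. The Python below (standard library only, payload layouts per RFC 7296) decodes those dumps; id_r_matches() is a hypothetical helper that makes the comparison the client makes between the responder's ID_R and the identity the profile's RemoteIdentifier names. The sample log is constructed: the TS_I, TS_R and SA dumps are copied from the post, while the ID_R address is replaced with the RFC 5737 documentation address 192.0.2.1. On this page the log reports "ID_R (ADDR4)" while the profile's RemoteIdentifier is the FQDN and the vpn-server certificate's SAN is an IP; whether Catalina's "User Authentication Failed" comes from that is not something the page shows, but it is the first thing the decoded output lets you check.

```python
"""Decode the plaintext IKEv2 payloads that RouterOS writes to its ipsec,debug log as
'=> (size 0x..)' hex dumps after each 'adding payload: X' line (layouts: RFC 7296, section 3)."""
import ipaddress
import re
import struct

ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
TRANSFORMS = {1: ("ENCR", {3: "3DES", 12: "AES_CBC", 13: "AES_CTR", 20: "AES_GCM_16"}),
              3: ("INTEG", {0: "NONE", 2: "HMAC_SHA1_96", 12: "HMAC_SHA2_256_128"}),
              4: ("DH", {2: "MODP_1024", 14: "MODP_2048", 19: "ECP_256"}), 5: ("ESN", {0: "NO_ESN", 1: "ESN"})}

def _body(raw):
    """Strip the generic payload header; RouterOS truncates long dumps ('first 0x100 of ...'), refuse those."""
    length = struct.unpack("!BBH", raw[:4])[2]
    if length != len(raw):
        raise ValueError(f"payload length {length}, dump has {len(raw)} bytes")
    return raw[4:]

def decode_id(raw):
    body = _body(raw)
    id_type, data = body[0], body[4:]
    if id_type in (1, 5):                                   # IPv4 / IPv6 address identities
        value = str(ipaddress.ip_address(data))
    else:                                                   # FQDN and e-mail are ASCII, the rest is shown as hex
        value = data.decode("ascii") if id_type in (2, 3) else data.hex()
    return {"type": ID_TYPES.get(id_type, f"UNKNOWN({id_type})"), "value": value}

def decode_ts(raw):
    body = _body(raw)
    selectors, off = [], 4
    for _ in range(body[0]):                                # first byte: number of selectors
        _ts_type, proto, length, sport, eport = struct.unpack("!BBHHH", body[off:off + 8])
        alen = (length - 8) // 2                            # 4 for an IPv4 range, 16 for IPv6
        start, end = body[off + 8:off + 8 + alen], body[off + 8 + alen:off + length]
        selectors.append({"proto": proto, "ports": (sport, eport), "range": (str(ipaddress.ip_address(start)), str(ipaddress.ip_address(end)))})
        off += length
    return selectors

def decode_sa(raw):
    body = _body(raw)
    proposals, off = [], 0
    while off < len(body):
        _, _, p_len, p_num, proto, spi_size, n_trans = struct.unpack("!BBHBBBB", body[off:off + 8])
        transforms, t_off = [], off + 8 + spi_size
        for _ in range(n_trans):
            _, _, t_len, t_type, _, t_id = struct.unpack("!BBHBBH", body[t_off:t_off + 8])
            t_name, ids = TRANSFORMS.get(t_type, (f"TYPE{t_type}", {}))
            entry = f"{t_name}={ids.get(t_id, t_id)}"
            if t_len > 8:                                   # only KEY_LENGTH (attr 14, TV form) occurs here
                a_type, a_val = struct.unpack("!HH", body[t_off + 8:t_off + 12])
                entry += f"-{a_val}" if a_type & 0x7FFF == 14 else ""
            transforms.append(entry)
            t_off += t_len
        proposals.append({"num": p_num, "protocol": {1: "IKE", 2: "AH", 3: "ESP"}.get(proto, proto), "spi": body[off + 8:off + 8 + spi_size].hex(), "transforms": transforms})
        off += p_len
    return proposals

DECODERS = {"ID_I": decode_id, "ID_R": decode_id, "TS_I": decode_ts, "TS_R": decode_ts, "SA": decode_sa}
HEX_LINE = re.compile(r"ipsec,debug ([0-9a-f]{2,8}(?: [0-9a-f]{2,8})*)\s*$")

def decode_log(text):
    """Pair each 'adding payload: X' line with the ipsec,debug hex lines after it and decode the
    known types; other payloads (CERT, AUTH, which RouterOS truncates anyway) are skipped."""
    segments, current = [], None
    for line in text.splitlines():
        added, hexes = re.search(r"adding payload: (\w+)", line), HEX_LINE.search(line)
        if added:
            current = [added.group(1), []]
            segments.append(current)
        elif hexes and current:
            current[1].append(hexes.group(1).replace(" ", ""))
        elif "=> (" not in line:                            # any other log line ends the current dump
            current = None
    return [(n, DECODERS[n](bytes.fromhex("".join(h)))) for n, h in segments if n in DECODERS and h]

def id_r_matches(results, remote_identifier):
    """The client-side comparison: is the responder's ID_R the identity named by the profile's
    RemoteIdentifier? An address-type ID_R never equals an FQDN string."""
    values = [p["value"].lower() for name, p in results if name == "ID_R"]
    return bool(values) and values[0] == remote_identifier.lower()

# Constructed log excerpt: the TS_I, TS_R and SA dumps are the ones in the post; the ID_R
# address is replaced with the RFC 5737 documentation address 192.0.2.1 (hex c0000201).
SAMPLE_LOG = """\
17:07:34 ipsec adding payload: ID_R
17:07:34 ipsec,debug => (size 0xc)
17:07:34 ipsec,debug 0000000c 01000000 c0000201
17:07:34 ipsec initiator selector: 192.168.17.195
17:07:34 ipsec adding payload: TS_I
17:07:34 ipsec,debug 00000018 01000000 07000010 0000ffff c0a811c3 c0a811c3
17:07:34 ipsec adding payload: TS_R
17:07:34 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
17:07:34 ipsec adding payload: SA
17:07:34 ipsec,debug => (size 0x2c)
17:07:34 ipsec,debug 0000002c 00000028 01030403 0e2deed1 0300000c 0100000c 800e0100 03000008
17:07:34 ipsec,debug 0300000c 00000008 05000000
17:07:34 ipsec <- ike2 reply, exchange: AUTH:1 <MY_IP>[4500]
"""
```

Feed decode_log() the "adding payload" section of a real ROS log captured with ipsec debug logging on, then compare the decoded ID_R with the RemoteIdentifier in the profile and the SA transforms with ChildSecurityAssociationParameters. For the sample above the SA decodes to ESP with ENCR=AES_CBC-256, INTEG=HMAC_SHA2_256_128 and no ESN, which is exactly what the log's "matched proposal" lines say, and id_r_matches() returns False for an FQDN because the responder identified itself by address.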