Android 12 IKEv2 & RRAS

Hello Alisson,

Any method should work - I just use the certmgr Certificate Export Wizard:

Since, for the MSCHAPv2 option, all that we are actually interested in is the root CA certificate, you should make sure that this option is set:

Gary

Oh, But that's exactly what I've been doing and it doesn't work:

Even on my android 12 I can install only the root CA certificate (.cer file):

But both fail when I try to connect:

the log The error log is always the same: unauthenticated user. Through PPTP or L2TP works perfectly with the same user. I also tested it on a macbook, same error: unauthenticated user. funny that this error, both on android and macbook, is instantaneous, without even 1 second of processing time. Because of that I was thinking that it could be something related to DHgroup...

Hello Alisson,

That all looks good, so further investigation is needed.

What I would do would be to trace the IKEv2 protocol, using ETW (Event Tracing for Windows) on the VPN server; however, it is unlikely that you would be able to interpret the trace data - I would be happy to analyse the data but you might have security/confidentiality concerns about sharing such data.

Another option would be to just trace the network traffic at the packet level. This would give less information, since most of the data is encrypted, but the size and number of packets would help identify at which protocol step the error was occurring.

The commands that I would use to start and stop a trace are: pktmon start --capture --comp nics --flags 0x10 --pkt-size 0 --trace --provider Microsoft-Windows-WFP --keywords 0x3FFFFFFFFFFF --provider Microsoft-Windows-RRAS --provider "IKEEXT Trace Provider" --keywords 0x10 --level 4 --provider {e7ba355a-ec20-5993-dd3b-9215e4d8a23c} --file-name why.etl and pktmon stop.

Gary

Get the error: Error: Parameter '--provider' requires a value.

As it did not recognize one of the parameters passed to the provider...

Hello Alisson,

You could try replacing "IKEEXT Trace Provider" with {106B464D-8043-46B1-8CB8-E92A0CD7A560} (the GUID for that provider). The string may be localized (different text in Portuguese),

Gary

Hello Alisson,

Try pasting the command into a "Command" window rather than a PowerShell window.

EDIT

In a PowerShell window, the GUID string needs to be quoted:

pktmon start --capture --comp nics --flags 0x10 --pkt-size 0 --trace --provider Microsoft-Windows-WFP --keywords 0x3FFFFFFFFFFF --provider Microsoft-Windows-RRAS --provider "IKEEXT Trace Provider" --keywords 0x10 --level 4 --provider "{e7ba355a-ec20-5993-dd3b-9215e4d8a23c}" --file-name why.etl

Gary

Here in https://drive.google.com/file/d/1kcENGj7jmF4zXKh6aLSSB2OgwxxMRpCo/view?usp=drivesdk

Hello Alisson,

The group negotiation is working well. The connection is failing because the VPN server is expecting PSK (pre-shared key, shared secret) authentication. There is still some more information to be gleaned from the trace data, but it is now getting late in the evening here in Switzerland (22:45).

Gary

OK. I'm going to test removing this option from the PSK. Then post if it worked. Ty so much for all your help so far. Good night! Sorry for the inconvenience!

Still does not work. Which options should i mark in the security tab and in the authentication methods window ? I've tried several combinations without success.

Same (multiples combinations) for the "constrains" tab in network policy. How i set this part?

Also, Connection request policies need to be configured on the NPS server too?

Hello Alisson,

I don't have access to a Windows Server at the moment (I have been retired for many years) and just use the Windows client "Incoming Connections" for VPN:

I configure policies either via the registry (see [MS-RRASM]) or editing %SystemRoot%\System32\IAS\IAS.xml.

I know which settings are appropriate but I can't guide you through interactions with the RRAS user interface.

You don't need a custom IPsec policy (especially no Preshared Key) and you do need MS-CHAP v2 as an authentication method; I would enable "Allow machine certificate authentication for IKEv2" too. The server needs a suitable certificate (plus private key) in its Personal store.

Once you have set things up, perform another test/trace and send me the results.

Gary

FINALLY FINALLY it looks like we are now close to solving it. I removed as many non-MSCHAPv2 settings as possible and the unauthenticated user error is gone! But giving way to a new one: "20063 Remote Access Connection Manager Failed to start because the protocol engine [IKEv2] failed to initialize. The request is no supported".

I've never been so happy to see an error. After a week with the same error and same behavior, it's a relief. The behavior has also changed in the android client. Now the error (unsuccessful) no longer appears, but it stays there forever on "connecting".

Googling about this new error, I saw that the standard solution is to manually start the service "Remote Access Auto Connection Manager". But I already did and the error remains. I also ran the sfc /scannow command , but the result was that everything was fine. Also suggest running DSMI commands but these always hang in process and never finish. I keep looking for other causes/solutions...Would you have any idea what it is? Thank you so much for all your attention and help so far!

Hello Alisson,

Create a new trace with this behaviour - that should help identify when/where the problem is occurring. Once I have seen that data I can then think about the next step.

Gary

Here in https://drive.google.com/file/d/16ecuk--3KFpWF6fMTO1aELqDJ3k1NkJy/view?usp=drivesdkTy again!

Hello Alisson,

I am afraid that you have taken a step backwards rather than forwards. In the previous trace, packets were exchanged, a group negotiated and the connection failed because of mismatched authentication policies.

Now there does not seem to be a valid IKEv2 policy loaded (into WFP - Windows Filtering Platform). The first packet from Android is arriving and no policy for how to handle that packet is found. No packets (even failure packets) are sent in response - that is why the Android client just waits.

Can you send some screen snapshots of any settings that you have changed and where you are not sure if the new choices are correct?

Gary

Oh... Basically I removed the EAP related settings. Keeping enabled only MSCHAPV2 options.I thought they (EAP) weren't needed for android mode IKEV2 MSCHAPV2 authentication ( But, is required?):

and:

What should I select to work with IKEV2 MSCHAPV2 or IKEV2 RSA?

Hello Alisson,

Some protocols (including L2TP) can use MSCHAPv2 "standalone" (i.e. without EAP), but IKEv2 can only use MSCHAPv2 with EAP.

The Android MSCHAPv2 option means IKEv2 + EAP + MSCHAPv2.

The Android RSA option means IKEv2 + client certificates.

Gary

I understood. I always had this doubt (android omitted the term EAP in MSCHAPV2). Thanks for fixing it. OK then. So I'll focus on trying to make it work in the simplest and most minimalist way possible: IKEV2 RSA. With client certificate. These are the settings I need, correct?:

and

But still unsuccessful. VPN android client also stuck in "connecting". Do you the trace data? Also. In this cenario (ikev2 rsa) How should I create the user certificate? CN subject must bind to any user primary key? Or does it serve any random string, like in your case "vpn guest"?

Hello Alisson,

It might be best to get a VPN client/server set-up working where both client and server are from Windows (RRAS plus Windows VPN client). As far as I know, the only complexities added by Android 12/13 are .pfx/.p12 files to share/install certificate related configuration information and the difference in the groups proposed/accepted. Once a Windows VPN client can connect, it should be simple to make Android 12/13 work.

There is no "clear cut" simplest configuration: pre-shared keys (PSK), client certificates (RSA) and MSCHAPv2 all have their own differences/difficulties.

For the IKEv2 RSA method, there are no special requirements on the certificates - one just needs to possess the private key. This is in contrast to other certificate-based authentication methods, such as EAP-TLS, where there are additional constraints on the certificate.

You can send a new trace any time that you think that it might be helpful. Analysing the first trace is normally the most difficult (understanding the environment); subsequent traces can be analysed more quickly.

Gary

Unfortunately I don't have a windows client machine available at the moment. Now i just select the IKEv2 certificate settings and remove others all. Androids client stucks in connecting. Trace: https://drive.google.com/file/d/1IT4VoOaWV6Uez2ImDI-ucVEcH9O7d-Hs/view?usp=drivesdk

Are you sure that the server you authenticate to on your Samsung android 13 is, in fact, a windows server?

Hello Alisson,

I am sure that the "VPN server" to which I authenticate/connect is a Windows 10 client system; I am equally sure that the VPN relevant DLLs are identical to those on server versions of Windows. The Windows 10 client is just missing some tools (e.g. full RRAS UI) and has tight limits on the number of concurrent connections. It would be very unusual if the "VPN server" on a Windows client version were to be more capable than a Windows server.

In the most recent trace, the data is better than the earlier traces; however there does not seem to be a suitable certificate available to the VPN server - are you sure that you have added a client certificate to the VPN server's Personal store? Such a certificate is only needed if you want to perform "RSA" authentication - it would not be needed for MSCHAPv2 authentication.

Gary

Hello Alisson,

The trace also casts doubts about whether you selected "RSA" authentication on the Android client...

Gary

The trace also casts doubts about whether you selected "RSA" authentication on the Android client

This part makes me think that MAYBE windows 10 is more compatible with android than windows server, at least in terms of IKEv2 authentication. Because I'm absolutely sure that i chose the RSA option in the last trace. Just as I'm sure the same certificate I'm using on the android VPN client is on VPN server's Personal store. Do you know any good tutorial to run RRAS in windows 10? I was almost giving up on windows and creating a new Linux server, but now I'm really curious about RRAS on windows 10.

Hello Alisson,

I am sure that that is not the case. I wrote a couple of articles on using Windows 10 as a VPN server: https://gary-nebbett.blogspot.com/2018/10/establishing-vpn-connection-from-macos.html and https://gary-nebbett.blogspot.com/2019/10/establishing-vpn-connection-from-ios-to.html

Gary

Nice! Thank you! I was thinking... Here in my organization there was (more than once) the exchange of AD CS(certificate services) role between different servers. Could this be influencing some mismatched data in certs? Indeed it's hard to believe that something like this works on windows 10 and not on the server version.

Another point: to all this, im using a Server with no related dns entry. So, im using the IP in the CN of the certificate as well as the hostname of the vpn client. Could this affect something?

Hello Alisson,

Let me once again reassure you that Windows Server can do everything (and more) than a Windows 10 client can do with respect to acting as a VPN server.

Yes, not using a name in the certificate that can't be confused with an IP address could account for all of the missing certificate information in the IKEv2 exchanges - you need to sort that out. If you enter something that looks like an IP address in a field that can accept an IP address or a name, it will be treated as an IP address and not as a name.

Gary

Unfortunately DNS is the only role I don't have access to (until now). But in the server certificate I just put the CN with the IP, which is the same I use in the VPN client connection... Anyway, I'll try to resolve this as soon as possible.

Hello Alisson,

You don't need DNS - you could use etc/hosts for name to IP address mapping.

As I said, using an IP address as the CN of a certificate is "allowed" - it is just not useful in most situations. The reason for saying this is that most network "applications" examine the "name" that they are given and then behave differently depending on whether the "name" can be parsed as an "address".

Gary

1- Does the VPN server need to have the NPAS role enabled? 2- What should I use as "login" in case of IKEV2 MSCHAPV2? UPN? Like alisson@example.com? I'm convinced who the problem is or how I'm trying to authenticate, or something related to NPS.

It worked on a windows 11 machine. With MSCHAPV2. Even without DNS entry (I will need to ask a responsible sector on Monday). But it still doesn't work on android. Cloud it possibly be the ipsec identifier? Here in my android 12 is a required field even with the CA certificate installed and selected...

Hello Alisson,

Can you make a new trace with the Android client, now that you have had success with a different (Windows) client?

Gary

A friend just tested it and got it through an android 13. WITHOUT filling in the ipsec identifier and WITHOUT selecting a certificate in the vpn client configuration. Only with the CA certificate installed. In mine mind can only be because of that field (ipsec identifier) is not required in android 13.

I found this

on https://campus.barracuda.com/product/nextgenfirewallx/doc/41091322/how-to-configure-a-client-to-site-vpn-with-shared-key-authentication/ But I don't know what would be the correspondence of this (access policy) on the Windows server. I tried the network policy name in NPS but to no success.

Hello Alisson,

A new trace might help turn speculation into evidence.

Gary

But what would appear different from the other traces? I still can't access it through an android 12 for the same reason as always.

But, if you think you might find something new: https://drive.google.com/file/d/1gpTrPEvX1qB4CzVPF4EqL25L4x8dygDl/view?usp=drivesdk

Hello Alisson,

There are two connection attempts in that trace, 10 seconds apart:

Each connection attempt uses 6 packets, 3 in each direction.

The first packet from the client uses a different group to that expected by the server, so the server responds with a "hint" about which group to use.

The second packet from the client uses the expected group and the server then sends a valid response.

The connection now changes from the IKE__SA__INIT mode to IKE__AUTH mode.

The client sends its first IKE__AUTH mode packet and the server responds with a positive response.

No further packets are received from the client - it probably did not like something in that last response.

The final packet from the server contains the following IKEv2 payloads:

Identification: vpnhomolog[...]

Certificate: for vpnhomolog[...]

Authentication: RSA signature blob

EAP: request identity message

The Android client probably did not like the certificate for vpnhomolog - is its root CA authority certificate installed on the Android client?

Gary

Yes:

About the difference between attempts, one of them I didn't select any certificate in VPN configuration profile, The other one, I selected CA certificate option. EDIT: But honestly I don't remember what their order was (attempts).

"- it probably did not like something in that last response". I still think the ipsec identifier has to do with it. I've been researching and I saw that there are 2 modes key exchange: main and agressive:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK So, since android 12 vpn client requires ipsec identifier it always works in aggressive mode, a mode that apparently Windows is not prepared to deal with... Make sense?

Hello Alisson,

On my Android, the USER certificate list (under the "View security certificates" page) is empty.

I also have a separate "User certificates" page and that is where the entries derived from the .pfx/.p12 file(s) that I loaded (via "Install from device storage", "VPN and app user certificate") can be found.

Gary

Hello Alisson,

Regarding "aggressive" mode - that is a mode of IKEv1 but we are using IKEv2.

Gary

On my Android, the USER certificate list (under the "View security certificates" page) is empty.

So that's why my friend at work can connect via MSCHAPV2 without selecting any certificate. But it has the trusted CA cert installed just like the image I sent. It remains to be seen whether even this is necessary. Then I ask him to remove and test.

I have also some "user certificates". all with key, user certificate and CA certificate. None of them work. It seems to me a android 12 vpn client bug. Related or not to ipsec identifier.

On my Android, the USER certificate list (under the "View security certificates" page) is empty.

Are you able to connect to your VPN without selecting any certificates in your Android 13 client profile?

Hello Alisson,

I can't even save a MSCHAPv2 VPN configuration without selecting a "certificate", so I can't test connecting without a certificate. Are you sure that you have a VPN certificate looking like this:

Is the CA certificate in the file for the RISTRETTO-CA root?

Gary

Interesting these differences between android 13 (and12) vpn clients...

Yes, my "user certificates" have these 3 entries:

s

But, from what I understand, the way my version of the android 12 client works, I wouldn't even need to select a certificate in the vpn client profile, Since on my android 12 I can install CA certificates (.cer file, The one from the user's trusted credentials image).

In your case, your vpn client forces you to select it, because it is not possible to install directly/only the CA certificate...

What's left is just the ipsec identifier variable. Or some other client bug. Are you able to authenticate with the certificate but entering any string in the ipsec identifier field?

Hello Alisson,

It is difficult to be certain what is in those user credentials. Have you tried connecting with all of those user credentials that might possibly contain the RISTRETTO-CA certificate?

This is what my VPN configuration looks like:

Gary

It is difficult to be certain what is in those user credentials. Have you tried connecting with all of those user credentials that might possibly contain the RISTRETTO-CA certificate?

You can be sure that all of them were installed by me and issued by the same CA: ufpe-RISTRETTO-CA. For example, the clienteoclient (last image I uploaded):

Anyway, if my friend manages it through an android 13 and with the same CA certificate (user trust), the problem is not in the certificate, but in the android client. But what, i have no idea. I asked him to fill in anything in the ipsec identifier and it worked for him.

I don't understand much about cryptography, but I found this:

OK, I found the problem. They don't pad the MSK like all other implementations do. According to the EAP-MSCHAPv2 draft, the keys are derived according to RFC 3079 (MPPE). This results in two 128-bit keys, MasterSendKey and MasterReceiveKey (i.e. 32 octets in total). However, the MSK for EAP methods MUST be at least 64 octets according to RFC 5247, so these keys have to be padded somehow. The first beta versions of Window 7 back in 2009 (which is what we used to test with when we implemented EAP-MSCHAPv2) did it like this: MasterReceiveKey|16 zero bytes|MasterReceiveKey|16 zero bytes. But this was changed with the release candidate of Windows 7 to: MasterReceiveKey|MasterReceiveKey|32 zero bytes, which is what we and other implementations use ever since. So until Google fixes their client accordingly, you won't be able to connect.

In https://wiki.strongswan.org/issues/3673

Maybe that the same case? I know this case is about android 11, but... who knows

And look that: https://support.google.com/android/thread/191111863/problem-saving-ikev2-ipsec-psk-without-ipsec-identifier-save-button-inactive?hl=en

The "fake not use" ipsec identifier field makes a GOOGLE PIXEL phone REBOOT!

Hello Alisson,

In the MSCHAPv2 authentication scenario, they keys are derived from the MSCHAPv2 authentication process, and we have not got that far (key derivation) yet.

The certificate that we need to be included in the .pfx/.p12 file is the root CA (RISTRETTO-CA) certificate, not just a certificate issued by the RISTRETTO-CA authority.

I don't think that the "contents" of the "user certificates" can be examined once inside Android. I also don't think that there any any built-in tools in Windows to just display the contents of such files (one could just import the .p12/.pfx file into an empty store to view the contents). I think that there are some openssl tools that can just display such files.

It feels odd to suggest it, but if you are sure that some of the .p12/.pfx files that you imported contain the correct certificate and that this is just a test/play environment, then you could send me the .p12/.pfx file plus its password so that I can verify that.

Gary

There's no way the problem is in the certificate. Since the same root certificate (copied from ristretto) that I am using is exactly the one my friend is using. Sent by whatsapp, as welll. Sorry but i can't share any access, cause the environment it's not entirely a test/play environment. I'm pretty convinced it's a bug in the android 12 client. The more I search for "ikev2 android 12 vpn", the more I find bug-related results.

Hello Alisson,

I am convinced of the opposite - the problem is with the certificate.

When I debug the IKEv2 server, I see the following payloads in the third packet from the client:

Identification: (11 = ID_KEY_ID) gary
CertificateRequest: 1 certificate hash (of root CA)
Configuration: (CFG_REQUEST) INTERNAL_IP4_ADDRESS INTERNAL_IP4_DNS
SecurityAssociation: [...]
TrafficSelector: (TSi) 07-00-00-10-00-00-FF-FF-00-00-00-00-FF-FF-FF-FF
TrafficSelector: (TSr) 07-00-00-10-00-00-FF-FF-00-00-00-00-FF-FF-FF-FF
Notify: MOBIKE_SUPPORTED
Notify: ADDITIONAL_IP6_ADDRESS
Notify: ADDITIONAL_IP6_ADDRESS
Notify: EAP_ONLY_AUTHENTICATION
Notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED

My "why.etl" trace looks like this:

The (defaulted) IPsec ID of "gary" is processed seemingly without error and the certificate request is processed.

Your "why.etl" trace looks like this:

Your IPsec ID is also processed without error, but no "certificate request" was found/processed - possibly because no CA certificate had been installed in the client. This would be OK if the server nonetheless chose the right CA certificate, but I guess that this is not happening.

Gary

also processed without error, but no "certificate request" was found/processed - possibly because no CA certificate had been installed in the client.

Yes the root certificate is installed and is valid (at least for androids 13), cause in my friend's android 13 works normally.

This would be OK if the server nonetheless chose the right CA certificate, but I guess that this is not happening.

The VPN server has only 1 personal certificate, and is the right one, with server authentication and ipsec ike intermediate:

but no "certificate request" was found/processed

Ok. No certificate request was found/processed. But not for lack of available certificate. Now, why there's still no cert request, idk...

Log of when I try through strongswan client:

Hello Alisson,

I think that that error is specific to strongSwan (check of VPN server SAN). My server certificate contains a SAN but I don't use that name on the Android client (I use an IP address since the server host name is not published) and that works with the Android built-in VPN client.

Gary

I understand. In fact I saw that this strongswan error is related to SAN. But I use in my server certificate:

Anyway, have strongswan's logs and the last screenshots I sent you convinced that it's not a certificate issue?

Hello Alisson,

No, they have not convinced me.

An application, such as the Android built-in VPN client or the strongSwan, can make implementation choices such as where to look for CA certificates and how to ensure the security of the VPN connection.

The list of system CA authorities on my Android is quite large and it is my guess that the built-in client has chosen not to use that list but rather the single configured "Installed for VPN and apps" CA certificate in the user certificates.

This difference of our understanding plus, potentially, using something that can be parsed as an address or a name as a DNS name is probably where the problems lie.

Gary

The list of system CA authorities on my Android is quite large and it is my guess that the built-in client has chosen not to use that list but rather the single configured "Installed for VPN and apps" CA certificate in the user certificates.

But here I always agree. In your android version, validation takes place with the "user certificate", and in my version, directly with the root CA certificate, of which I have already shown several snapshots.

But I came up with something that might convince you that the problem is with the android 12 vpn client:

FINALLY, for the first time, I managed to make IKEV2 WORK on my android 12!

And yes, perhaps the issue on the native client is related to using IP instead of name. But I still consider it a bug, since it doesn't happen in strongswan (and not in android 13). In any case, I will answer this DNS question shortly, since the DNS entry has already been added.

Oh, and of course, android native client still doesnt work!

Hello Alisson,

Good to see a success, but it is still too early to dismiss other failures as caused by a bug.

Gary

The DNS entry was processed. I changed the vpn server certificate to just fqdn (CN and DNS). The scenario is the same. Works instantly on strongswan, and instantaneous unsuccessfully on androids native. If that doesn't set up a bug in the android client, I don't know what else would.

Gary, I have no words to thank you for ALL the teaching and help. I learned a lot from this problem and from your teachings. I would love to reward you in some way, even making a payment, but unfortunately the currency here in Brazil is so devalued in relation to the dollar and the euro, that I don't think it makes sense to spend so much to give you so little. Anyway, you can count on me if I can be of any help!

Hello Alisson,

I do this for fun - the reward is working on interesting problems.

I just started work on exporting a single certificate, without private keys, to a .pfx file. It works already but there is some more polishing to do. When it is ready, we could perhaps try once more to export the root CA to a .pfx file using this tool and then import that .pfx file to the Android user certificates; finally update the VPN definition to reference this new "user certificate" and retest.

UPDATE: The tool works and the resulting file can be imported as a .pfx file under Windows, but Android won't import the .pfx unless it contains a private key. Sorry to have raised any hopes.

Gary

Hi, Gary

Not problem at all. To tell you the truth, it's already a relief to get it via strongSwan. But in fact, the ideal would be with the native android application. Do you think then that the problem is that the android client is not using root CA? Either via .pfx (along with key and user cer) or .cer?

Look what I found: https://issuetracker.google.com/issues/238336705

I believe this is the problem.