Android 12 IKEv2 & RRAS

Crash The Great 6

Hello, collegues!

Unfortunately, in Android 12+ (depend by manufacturer, but in my phone so) has been cut out support for all VPN protocols expect IKEv2/Ipsec.
What's may be better than use IKEv2/Ipsec MSCHAPv2 and have no trouble? But here is a requeried parameter "IPSec identifier", it can't be blank or null.
Anything I try to use for it not working (fqdn, $null, ip, ikev2, etc). For example, others hardware routers just ignore this parameter and connected succesfully, but not RRAS. Also there is no errors or warnings in logs.

Maybe anyone know how to setup this parameter in RRAS (or maybe in NPS)?

Thanks!

Matthew Bowe 5 Reputation points

2023-03-08T15:19:18.72+00:00

18 months later and this is still a problem.
Gary Nebbett 5,721 Reputation points

2023-03-08T19:12:50.67+00:00

Hello Matthew,

I suspect that the IPsec identifier is not the problem but rather some security parameter, such as the offered/acceptable Diffie-Hellman groups, is causing the problem. Which DH group is your RRAS expecting?

If you are prepared to share trace data (collected on the RRAS) then I would be happy to analyse it.

Gary
Alisson Nunes 0 Reputation points

2023-03-20T19:52:31.7733333+00:00

Same here
Matthew Bowe 5 Reputation points

2023-03-20T20:33:44.9266667+00:00

Hello, Gary!
Thank you for your interest and your support in this. I have absolutely no idea where I would locate this information. It's not presented in any obvious way in Windows Server 2022, Server Manager, Remote Access, RRAS, or NPS.

I'm not a super-experienced Windows administrator here. I'm much more at home in Linux.
Gary Nebbett 5,721 Reputation points

2023-03-20T21:03:08.3733333+00:00

Hello Matthew,

This link to Richard Hicks' site should help you: https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/

Gary
Matthew Bowe 5 Reputation points

2023-03-20T21:34:21.06+00:00

Well... that didn't work.
The command Get-NetIPsecMainModeSA | Select-Object -First 1 returns nothing. Totally silent output.

3 answers

Gary Nebbett 5,721 Reputation points

2023-03-21T08:37:00.9+00:00
Hello All,

Which Key Exchange Method Transform ID (formerly known as DH (Diffie-Hellman) group) is your server configured to accept? By default, a Windows VPN server expects the "1024-bit MODP Group" (Group 2) but Android only offers the following:

2048-bit MODP Group with 256-bit Prime Order Subgroup (Group24)

384-bit random ECP group (ECP384)

256-bit random ECP group (ECP256)

2048-bit MODP Group (Group14)

1536-bit MODP Group (Group5)

Unless the VPN server has been configured to expect one of the above, the connection will fail.

The Microsoft article https://learn.microsoft.com/en-us/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections explains how to change the setting and Richard Hicks' article https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/ also discusses the topic.

Both of the articles use PowerShell cmdlets to change the settings; unfortunately, there is not a simple PowerShell command to show the current settings. Richard Hicks suggests using the command Get-NetIPsecMainModeSA, but this only works when Main Mode security associations are present (i.e. when VPN clients are connected). In the quiescent state (no active Main Mode security associations) it may be necessary to examine the stored settings in the registry (see section 2.2.3.4.2.8 IKEv2 Custom Policy Configuration of [MS-RRASM]) or the active Windows Filtering Platform state on the VPN server (use "netsh wfp show state" to obtain the state and then search that for the IkeV2MmPolicy elements).

Gary
Please sign in to rate this answer.

1 person found this answer helpful.
Alisson Nunes 0 Reputation points

2023-03-21T16:34:38.3433333+00:00

Ok, here i already set a 2048-bit MODP Group (Group14) as Key Exchange Method Transform ID. But still not working. Thanks for all the help so far

Gary Nebbett 5,721 Reputation points

2023-03-21T17:11:18.4766667+00:00

Hello Alisson,

You don't need to set/bind any value to that field - once you set a suitable "IPsec CA certificate" then you should be able to "Save" and use the VPN connection.

I have an Android version 13 device and have tested this type of configuration.

Gary

Alisson Nunes 0 Reputation points

2023-03-21T17:33:35.2633333+00:00

Oh... Thank you very much! So I must have some problem related to this certificate. I'll research about.

EDIT:

Actually, here in android 12, even selecting a IPsec CA certificate, the "save" button is not available. Just when i fill IPSec identifier with anything.

I read that in fact this field can be filled randomly. Maybe my problem is even in the certificate then. Since in your android 13 device it's not even a required field.

Ty again!

Gary Nebbett 5,721 Reputation points

2023-03-21T17:43:06.2366667+00:00

Hello Alisson,

I did not research the "minimum" configuration and there are more items in my "IPsec CA certificate" file than I think necessary.

I created a PKCS#12 (.pfx, .p12) file that contains a usable "client" certificate and private key and also contains the certificate of the root certification authority.

EDIT

Your observed behaviour corresponds to my experience. There was a "IPsec CA certificate" already installed on the newly delivered device (related to Samsung "Find My Mobile") and when that was chosen, I could only save the configuration after setting some value in the IPsec identifier field. As soon as I had added a "suitable" IPsec CA certificate file then I could save configurations without specifying the IPsec identifier.

As far as I know, the IPsec identifier value is not used by the Windows VPN server. The IKEv2 RFC says:

When the initiator authentication uses EAP, it is possible that the contents of the IDi payload is used only for Authentication, Authorization, and Accounting (AAA) routing purposes and selecting which EAP method to use. This value may be different from the identity authenticated by the EAP method.

The IPsec identifier value in the configuration corresponds to IDi.

Gary

Matthew Bowe 5 Reputation points

2023-03-21T19:21:25+00:00

I'm going to need a step-by-step walkthrough once we've figured this out.

Alisson Nunes 0 Reputation points

2023-03-22T13:44:21.93+00:00

Gary, Do u know how i generate a correct cert for android O.S.? Some link, maybe

edit

using ikev2/ipsec mschapv2
Sign in to comment
Alisson Nunes 0 Reputation points

2023-03-27T18:39:41.1433333+00:00
I haven't found any way to bind ipsec identifier on windows server.

The only way I could make it work was using an alternative VPN client: strongSwang. Available on play store

https://play.google.com/store/apps/details?id=org.strongswan.android

In it, the ipsec identifier field does not even exist, when choosing the option equivalent to IKEV2 MSCHAPV2,which is IKEV2 EAP (username/password).

However, with it you need to select the root CA certificate, which can be imported through it.

To import the root CA certificate, simply uncheck the option "CA CERTIFICATE select automatically", "click" on the area just below, click on the options button (3 dots), and choose import certificate. The certificate file MUST be a root CA certificate file (.cer in windows server case), which needs to be copied to a file via certrv (in AD CS server) or downloaded via http://ipofaadcsserver/certsrv.

Also the VPN server needs one more different thing compared to L2TP/PPTP:

1- As explained by our esteemed friend Gary, is mandatory the change of Key Exchange Method Transform ID for android compatible one as windows server default is not. One of the commands could be this:

Set-VpnServerConfiguration -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000

Restart-Service RemoteAccess -PassThru

Beware, this command does not work for all versions of windows server. I tested it on 2019 and it worked, but in 2012 it didn't. In 2016 i dont know.

And that's it.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Gary Nebbett 5,721 Reputation points

2023-03-22T19:54:41.6066667+00:00
Hello All,

I am not sure that I am a "qualified" person to answer a question like "Do u know how i generate a correct cert for android O.S." - a good answer would need knowledge of how the Android VPN client is implemented.

As I understand the situation, there are 3 types of IKEv2 authentication (quoting from IKEv2 RFC):

In addition to authentication using public key signatures and shared secrets, IKE supports authentication using methods defined in RFC 3748 [EAP].

public key signatures

shared secrets

EAP

An Android 13 IKEv2/IPsec PSK (Pre-Shared Key = shared secret) connection is easy to define - it just requires a server name/address and the "secret". This option is not available when configuring a VPN client under Windows 11.

An Android 13 IKEv2/IPsec RSA connection possibly corresponds to the Windows 11 "Use machine certificates" (but could also be EAP-TLS - not tested/confirmed). This authentication method requires a private key and (optionally but preferred) corresponding certificate; the IKEv2 RFC says:

Optionally, messages 3 and 4 MAY include a certificate, or certificate chain providing evidence that the key used to compute a digital signature belongs to the name in the ID payload.

An Android 13 IKEv2/IPsec MSCHAPv2 connection corresponds to a Windows 11 "Use Extensible Authentication Protocol (EAP)" connection with a method of "Microsoft: Secured password (EAP-MSCHAP v2)". This method requires a root authority certificate of the issuer of the VPN server certificate.

I wanted to use MSCHAPv2, but when I made .cer (DER encoded X.509) or .p7b (PKCS#7) files available containing the root authority certificate, I could not load them (they did not appear) in the Android "Other security settings>Install from device storage>VPN and app user certificate" list.

I therefore created a PKCS#12 (.p12, .pfx) file that contained the root authority certificate and a plausible/usable private key and certificate for the client(s) (I used a generic name of "VPN Guest"). This file could be loaded via "Other security settings>Install from device storage>VPN and app user certificate".

Hopefully the above explains why I said that: there are more items in my "IPsec CA certificate" file than I think necessary. With that file, I can connect with both "IKEv2/IPsec RSA" and "IKEv2/IPsec MSCHAPv2".

The title of this thread is "Android 12 IKEv2 & RRAS" - I assume that readers of this topic are familiar with (and possibly manage) RRAS (Routing and Remote Access Service), NPS (Network Policy Server) and Windows Certificate Services. If that is not the case then please expand on which topics you are unfamiliar with.

Gary
Please sign in to rate this answer.

1 person found this answer helpful.
Alisson Nunes 0 Reputation points

2023-03-22T22:01:21.4066667+00:00

All these topics are familiar to me. Can you get access without the certificate? Cause i read in https://directaccess.richardhicks.com/2018/04/30/always-on-vpn-certificate-requirements-for-ikev2/, that client side certificate is not required when we use IKEv2 MSCHAPv2... How did you create this "PKCS#12 (.p12, .pfx) file that contained the root authority certificate and a plausible/usable private key and certificate for the client(s)"?

Alisson Nunes 0 Reputation points

2023-03-23T00:45:58.5633333+00:00

Another thing... Which of these

Android only offers the following: 2048-bit MODP Group with 256-bit Prime Order Subgroup (Group24) 384-bit random ECP group (ECP384) 256-bit random ECP group (ECP256) 2048-bit MODP Group (Group14) 1536-bit MODP Group (Group5)

Did you set it up on your windows server?

Gary Nebbett 5,721 Reputation points

2023-03-23T10:38:07.7+00:00

Hello Alisson,

I will tackle your two questions in separate comments, due to usability issues with Microsoft Q&A.

The choice of group depends on the capabilities of all of your potential VPN clients - it needs to be supported by all of them.

Some groups are more "secure" than others but all of them are more than secure enough for most practical purposes.

A VPN client will always "use" a group in its first IKEv2 message and may "propose" other groups that it could use.

If the group used by the client matches the group configured on the server then all is well.

If the group used by the client does not match the group configured on the server but the client's list of proposed groups does include the server's group then the server will indicate ("notify") the client that it should retry connecting using that group.

If the group used by the client does not match the group configured on the server and the client's list of proposed groups does not include the server's group then the server will fail the connection.

Windows supports all of the groups that Android proposes, so if you have a "green field" situation (no existing clients) then you can choose any of the groups.

Gary

Gary Nebbett 5,721 Reputation points

2023-03-23T11:06:27.3866667+00:00

Hello Alisson,

A client certificate is not needed/used when EAP MSCHAPv2 is used. However a CA (root) certificate of the authority that issued the server certificate is still necessary.

The Android user interface for adding certificates seems to expect that the certificate will be packed in a PKCS#12 (.p12, .pfx) file. When trying to load a certificate from a list of files with various file extensions (.cer, .crt, .p7b, .pfx, .p12), only files with .pfx or .p12 extensions are shown in the user interface.

PKCS#12 files can contain just certificates (without private keys) but there does not seem to be any command built into Windows that can create such files.

The easiest course of action under Windows to create a .pfx file containing a CA cert is to export a certificate plus private key of something that chains back to that CA. The certificate and private key will not be used if EAP MSCHAPv2 is used for authentication - they just make adding a CA cert easier.

I just created my .pfx file by exporting a certificate plus key that could be chained back to the same CA certificate as that at the root of the server's certificate chain.

Gary

Alisson Nunes 0 Reputation points

2023-03-23T16:54:20.7833333+00:00

How do I do this export/.pfx create? I've tried several ways but still not working

Gary Nebbett 5,721 Reputation points

2023-03-23T17:41:51.9933333+00:00

Hello Alisson,

Any method should work - I just use the certmgr Certificate Export Wizard:

Since, for the MSCHAPv2 option, all that we are actually interested in is the root CA certificate, you should make sure that this option is set:

Gary

Alisson Nunes 0 Reputation points

2023-03-23T19:04:31.8333333+00:00

Oh, But that's exactly what I've been doing and it doesn't work:

Even on my android 12 I can install only the root CA certificate (.cer file):

But both fail when I try to connect:

the log The error log is always the same: unauthenticated user. Through PPTP or L2TP works perfectly with the same user. I also tested it on a macbook, same error: unauthenticated user. funny that this error, both on android and macbook, is instantaneous, without even 1 second of processing time. Because of that I was thinking that it could be something related to DHgroup...

Gary Nebbett 5,721 Reputation points

2023-03-23T19:27:44.8666667+00:00

Hello Alisson,

That all looks good, so further investigation is needed.

What I would do would be to trace the IKEv2 protocol, using ETW (Event Tracing for Windows) on the VPN server; however, it is unlikely that you would be able to interpret the trace data - I would be happy to analyse the data but you might have security/confidentiality concerns about sharing such data.

Another option would be to just trace the network traffic at the packet level. This would give less information, since most of the data is encrypted, but the size and number of packets would help identify at which protocol step the error was occurring.

The commands that I would use to start and stop a trace are: pktmon start --capture --comp nics --flags 0x10 --pkt-size 0 --trace --provider Microsoft-Windows-WFP --keywords 0x3FFFFFFFFFFF --provider Microsoft-Windows-RRAS --provider "IKEEXT Trace Provider" --keywords 0x10 --level 4 --provider {e7ba355a-ec20-5993-dd3b-9215e4d8a23c} --file-name why.etl and pktmon stop.

Gary

Alisson Nunes 0 Reputation points

2023-03-23T19:50:10.6633333+00:00

Get the error: Error: Parameter '--provider' requires a value.

As it did not recognize one of the parameters passed to the provider...

Gary Nebbett 5,721 Reputation points

2023-03-23T20:18:01.9266667+00:00

Hello Alisson,

You could try replacing "IKEEXT Trace Provider" with {106B464D-8043-46B1-8CB8-E92A0CD7A560} (the GUID for that provider). The string may be localized (different text in Portuguese),

Gary

Alisson Nunes 0 Reputation points

2023-03-23T20:32:47.4566667+00:00

Gary Nebbett 5,721 Reputation points

2023-03-23T20:47:18.1766667+00:00

Hello Alisson,

Try pasting the command into a "Command" window rather than a PowerShell window.

EDIT

In a PowerShell window, the GUID string needs to be quoted:

pktmon start --capture --comp nics --flags 0x10 --pkt-size 0 --trace --provider Microsoft-Windows-WFP --keywords 0x3FFFFFFFFFFF --provider Microsoft-Windows-RRAS --provider "IKEEXT Trace Provider" --keywords 0x10 --level 4 --provider "{e7ba355a-ec20-5993-dd3b-9215e4d8a23c}" --file-name why.etl

Gary

Alisson Nunes 0 Reputation points

2023-03-23T21:07:49.8733333+00:00

Here in https://drive.google.com/file/d/1kcENGj7jmF4zXKh6aLSSB2OgwxxMRpCo/view?usp=drivesdk

Gary Nebbett 5,721 Reputation points

2023-03-23T21:45:20.83+00:00

Hello Alisson,

The group negotiation is working well. The connection is failing because the VPN server is expecting PSK (pre-shared key, shared secret) authentication. There is still some more information to be gleaned from the trace data, but it is now getting late in the evening here in Switzerland (22:45).

Gary

Alisson Nunes 0 Reputation points

2023-03-23T21:55:46.1933333+00:00

OK. I'm going to test removing this option from the PSK. Then post if it worked. Ty so much for all your help so far. Good night! Sorry for the inconvenience!

Alisson Nunes 0 Reputation points

2023-03-24T04:25:51.8033333+00:00

Still does not work. Which options should i mark in the security tab and in the authentication methods window ? I've tried several combinations without success.

Same (multiples combinations) for the "constrains" tab in network policy. How i set this part?

Also, Connection request policies need to be configured on the NPS server too?

Gary Nebbett 5,721 Reputation points

2023-03-24T10:27:13.4966667+00:00

Hello Alisson,

I don't have access to a Windows Server at the moment (I have been retired for many years) and just use the Windows client "Incoming Connections" for VPN:

I configure policies either via the registry (see [MS-RRASM]) or editing %SystemRoot%\System32\IAS\IAS.xml.

I know which settings are appropriate but I can't guide you through interactions with the RRAS user interface.

You don't need a custom IPsec policy (especially no Preshared Key) and you do need MS-CHAP v2 as an authentication method; I would enable "Allow machine certificate authentication for IKEv2" too. The server needs a suitable certificate (plus private key) in its Personal store.

Once you have set things up, perform another test/trace and send me the results.

Gary

Alisson Nunes 0 Reputation points

2023-03-24T13:36:29.8066667+00:00

FINALLY FINALLY it looks like we are now close to solving it. I removed as many non-MSCHAPv2 settings as possible and the unauthenticated user error is gone! But giving way to a new one: "20063 Remote Access Connection Manager Failed to start because the protocol engine [IKEv2] failed to initialize. The request is no supported".

I've never been so happy to see an error. After a week with the same error and same behavior, it's a relief. The behavior has also changed in the android client. Now the error (unsuccessful) no longer appears, but it stays there forever on "connecting".

Googling about this new error, I saw that the standard solution is to manually start the service "Remote Access Auto Connection Manager". But I already did and the error remains. I also ran the sfc /scannow command , but the result was that everything was fine. Also suggest running DSMI commands but these always hang in process and never finish. I keep looking for other causes/solutions...Would you have any idea what it is? Thank you so much for all your attention and help so far!

Gary Nebbett 5,721 Reputation points

2023-03-24T14:02:00.05+00:00

Hello Alisson,

Create a new trace with this behaviour - that should help identify when/where the problem is occurring. Once I have seen that data I can then think about the next step.

Gary

Alisson Nunes 0 Reputation points

2023-03-24T15:11:17.0333333+00:00

Here in https://drive.google.com/file/d/16ecuk--3KFpWF6fMTO1aELqDJ3k1NkJy/view?usp=drivesdkTy again!

Gary Nebbett 5,721 Reputation points

2023-03-24T16:14:41.3766667+00:00

Hello Alisson,

I am afraid that you have taken a step backwards rather than forwards. In the previous trace, packets were exchanged, a group negotiated and the connection failed because of mismatched authentication policies.

Now there does not seem to be a valid IKEv2 policy loaded (into WFP - Windows Filtering Platform). The first packet from Android is arriving and no policy for how to handle that packet is found. No packets (even failure packets) are sent in response - that is why the Android client just waits.

Can you send some screen snapshots of any settings that you have changed and where you are not sure if the new choices are correct?

Gary

Alisson Nunes 0 Reputation points

2023-03-24T16:37:27.28+00:00

Oh... Basically I removed the EAP related settings. Keeping enabled only MSCHAPV2 options.I thought they (EAP) weren't needed for android mode IKEV2 MSCHAPV2 authentication ( But, is required?):

and:

What should I select to work with IKEV2 MSCHAPV2 or IKEV2 RSA?

Gary Nebbett 5,721 Reputation points

2023-03-24T16:50:38.1266667+00:00

Hello Alisson,

Some protocols (including L2TP) can use MSCHAPv2 "standalone" (i.e. without EAP), but IKEv2 can only use MSCHAPv2 with EAP.

The Android MSCHAPv2 option means IKEv2 + EAP + MSCHAPv2.

The Android RSA option means IKEv2 + client certificates.

Gary

Alisson Nunes 0 Reputation points

2023-03-24T17:26:25.05+00:00

I understood. I always had this doubt (android omitted the term EAP in MSCHAPV2). Thanks for fixing it. OK then. So I'll focus on trying to make it work in the simplest and most minimalist way possible: IKEV2 RSA. With client certificate. These are the settings I need, correct?:

and

But still unsuccessful. VPN android client also stuck in "connecting". Do you the trace data? Also. In this cenario (ikev2 rsa) How should I create the user certificate? CN subject must bind to any user primary key? Or does it serve any random string, like in your case "vpn guest"?

Gary Nebbett 5,721 Reputation points

2023-03-24T18:01:04.6666667+00:00

Hello Alisson,

It might be best to get a VPN client/server set-up working where both client and server are from Windows (RRAS plus Windows VPN client). As far as I know, the only complexities added by Android 12/13 are .pfx/.p12 files to share/install certificate related configuration information and the difference in the groups proposed/accepted. Once a Windows VPN client can connect, it should be simple to make Android 12/13 work.

There is no "clear cut" simplest configuration: pre-shared keys (PSK), client certificates (RSA) and MSCHAPv2 all have their own differences/difficulties.

For the IKEv2 RSA method, there are no special requirements on the certificates - one just needs to possess the private key. This is in contrast to other certificate-based authentication methods, such as EAP-TLS, where there are additional constraints on the certificate.

You can send a new trace any time that you think that it might be helpful. Analysing the first trace is normally the most difficult (understanding the environment); subsequent traces can be analysed more quickly.

Gary

Alisson Nunes 0 Reputation points

2023-03-24T18:17:27.1533333+00:00

Unfortunately I don't have a windows client machine available at the moment. Now i just select the IKEv2 certificate settings and remove others all. Androids client stucks in connecting. Trace: https://drive.google.com/file/d/1IT4VoOaWV6Uez2ImDI-ucVEcH9O7d-Hs/view?usp=drivesdk

Alisson Nunes 0 Reputation points

2023-03-24T18:19:19.8033333+00:00

Are you sure that the server you authenticate to on your Samsung android 13 is, in fact, a windows server?

Gary Nebbett 5,721 Reputation points

2023-03-24T18:46:04.4566667+00:00

Hello Alisson,

I am sure that the "VPN server" to which I authenticate/connect is a Windows 10 client system; I am equally sure that the VPN relevant DLLs are identical to those on server versions of Windows. The Windows 10 client is just missing some tools (e.g. full RRAS UI) and has tight limits on the number of concurrent connections. It would be very unusual if the "VPN server" on a Windows client version were to be more capable than a Windows server.

In the most recent trace, the data is better than the earlier traces; however there does not seem to be a suitable certificate available to the VPN server - are you sure that you have added a client certificate to the VPN server's Personal store? Such a certificate is only needed if you want to perform "RSA" authentication - it would not be needed for MSCHAPv2 authentication.

Gary

Gary Nebbett 5,721 Reputation points

2023-03-24T18:57:55.49+00:00

Hello Alisson,

The trace also casts doubts about whether you selected "RSA" authentication on the Android client...

Gary

Alisson Nunes 0 Reputation points

2023-03-24T19:26:32.6166667+00:00

The trace also casts doubts about whether you selected "RSA" authentication on the Android client

This part makes me think that MAYBE windows 10 is more compatible with android than windows server, at least in terms of IKEv2 authentication. Because I'm absolutely sure that i chose the RSA option in the last trace. Just as I'm sure the same certificate I'm using on the android VPN client is on VPN server's Personal store. Do you know any good tutorial to run RRAS in windows 10? I was almost giving up on windows and creating a new Linux server, but now I'm really curious about RRAS on windows 10.

Gary Nebbett 5,721 Reputation points

2023-03-24T20:11:33.09+00:00

Hello Alisson,

I am sure that that is not the case. I wrote a couple of articles on using Windows 10 as a VPN server: https://gary-nebbett.blogspot.com/2018/10/establishing-vpn-connection-from-macos.html and https://gary-nebbett.blogspot.com/2019/10/establishing-vpn-connection-from-ios-to.html

Gary

Alisson Nunes 0 Reputation points

2023-03-24T20:40:48.09+00:00

Nice! Thank you! I was thinking... Here in my organization there was (more than once) the exchange of AD CS(certificate services) role between different servers. Could this be influencing some mismatched data in certs? Indeed it's hard to believe that something like this works on windows 10 and not on the server version.

Alisson Nunes 0 Reputation points

2023-03-24T20:48:19.1233333+00:00

Another point: to all this, im using a Server with no related dns entry. So, im using the IP in the CN of the certificate as well as the hostname of the vpn client. Could this affect something?

Gary Nebbett 5,721 Reputation points

2023-03-24T21:02:05.9466667+00:00

Hello Alisson,

Let me once again reassure you that Windows Server can do everything (and more) than a Windows 10 client can do with respect to acting as a VPN server.

Yes, not using a name in the certificate that can't be confused with an IP address could account for all of the missing certificate information in the IKEv2 exchanges - you need to sort that out. If you enter something that looks like an IP address in a field that can accept an IP address or a name, it will be treated as an IP address and not as a name.

Gary

Alisson Nunes 0 Reputation points

2023-03-24T21:29:13.0633333+00:00

Unfortunately DNS is the only role I don't have access to (until now). But in the server certificate I just put the CN with the IP, which is the same I use in the VPN client connection... Anyway, I'll try to resolve this as soon as possible.

Gary Nebbett 5,721 Reputation points

2023-03-24T21:43:35.4366667+00:00

Hello Alisson,

You don't need DNS - you could use etc/hosts for name to IP address mapping.

As I said, using an IP address as the CN of a certificate is "allowed" - it is just not useful in most situations. The reason for saying this is that most network "applications" examine the "name" that they are given and then behave differently depending on whether the "name" can be parsed as an "address".

Gary

Alisson Nunes 0 Reputation points

2023-03-25T12:52:03.3833333+00:00

1- Does the VPN server need to have the NPAS role enabled? 2- What should I use as "login" in case of IKEV2 MSCHAPV2? UPN? Like alisson@example.com? I'm convinced who the problem is or how I'm trying to authenticate, or something related to NPS.

Alisson Nunes 0 Reputation points

2023-03-25T16:23:52.1866667+00:00

It worked on a windows 11 machine. With MSCHAPV2. Even without DNS entry (I will need to ask a responsible sector on Monday). But it still doesn't work on android. Cloud it possibly be the ipsec identifier? Here in my android 12 is a required field even with the CA certificate installed and selected...

Gary Nebbett 5,721 Reputation points

2023-03-25T16:31:48.9233333+00:00

Hello Alisson,

Can you make a new trace with the Android client, now that you have had success with a different (Windows) client?

Gary

Alisson Nunes 0 Reputation points

2023-03-25T16:58:41.8133333+00:00

A friend just tested it and got it through an android 13. WITHOUT filling in the ipsec identifier and WITHOUT selecting a certificate in the vpn client configuration. Only with the CA certificate installed. In mine mind can only be because of that field (ipsec identifier) is not required in android 13.

Alisson Nunes 0 Reputation points

2023-03-25T18:46:15.5766667+00:00

I found this

on https://campus.barracuda.com/product/nextgenfirewallx/doc/41091322/how-to-configure-a-client-to-site-vpn-with-shared-key-authentication/ But I don't know what would be the correspondence of this (access policy) on the Windows server. I tried the network policy name in NPS but to no success.

Gary Nebbett 5,721 Reputation points

2023-03-25T19:41:30.45+00:00

Hello Alisson,

A new trace might help turn speculation into evidence.

Gary

Alisson Nunes 0 Reputation points

2023-03-25T20:42:08.0966667+00:00

But what would appear different from the other traces? I still can't access it through an android 12 for the same reason as always.

Alisson Nunes 0 Reputation points

2023-03-26T10:39:44.6333333+00:00

But, if you think you might find something new: https://drive.google.com/file/d/1gpTrPEvX1qB4CzVPF4EqL25L4x8dygDl/view?usp=drivesdk

Gary Nebbett 5,721 Reputation points

2023-03-26T11:25:11.3333333+00:00

Hello Alisson,

There are two connection attempts in that trace, 10 seconds apart:

Each connection attempt uses 6 packets, 3 in each direction.

The first packet from the client uses a different group to that expected by the server, so the server responds with a "hint" about which group to use.

The second packet from the client uses the expected group and the server then sends a valid response.

The connection now changes from the IKE__SA__INIT mode to IKE__AUTH mode.

The client sends its first IKE__AUTH mode packet and the server responds with a positive response.

No further packets are received from the client - it probably did not like something in that last response.

The final packet from the server contains the following IKEv2 payloads:

Identification: vpnhomolog[...]

Certificate: for vpnhomolog[...]

Authentication: RSA signature blob

EAP: request identity message

The Android client probably did not like the certificate for vpnhomolog - is its root CA authority certificate installed on the Android client?

Gary

Alisson Nunes 0 Reputation points

2023-03-26T11:55:57.4233333+00:00

Yes:

About the difference between attempts, one of them I didn't select any certificate in VPN configuration profile, The other one, I selected CA certificate option. EDIT: But honestly I don't remember what their order was (attempts).

Alisson Nunes 0 Reputation points

2023-03-26T12:12:19.5233333+00:00

"- it probably did not like something in that last response". I still think the ipsec identifier has to do with it. I've been researching and I saw that there are 2 modes key exchange: main and agressive:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK So, since android 12 vpn client requires ipsec identifier it always works in aggressive mode, a mode that apparently Windows is not prepared to deal with... Make sense?

Gary Nebbett 5,721 Reputation points

2023-03-26T12:22:16.65+00:00

Hello Alisson,

On my Android, the USER certificate list (under the "View security certificates" page) is empty.

I also have a separate "User certificates" page and that is where the entries derived from the .pfx/.p12 file(s) that I loaded (via "Install from device storage", "VPN and app user certificate") can be found.

Gary

Gary Nebbett 5,721 Reputation points

2023-03-26T12:27:46.4333333+00:00

Hello Alisson,

Regarding "aggressive" mode - that is a mode of IKEv1 but we are using IKEv2.

Gary

Alisson Nunes 0 Reputation points

2023-03-26T12:55:41.8166667+00:00

On my Android, the USER certificate list (under the "View security certificates" page) is empty.

So that's why my friend at work can connect via MSCHAPV2 without selecting any certificate. But it has the trusted CA cert installed just like the image I sent. It remains to be seen whether even this is necessary. Then I ask him to remove and test.

I have also some "user certificates". all with key, user certificate and CA certificate. None of them work. It seems to me a android 12 vpn client bug. Related or not to ipsec identifier.

Alisson Nunes 0 Reputation points

2023-03-26T13:08:51.1966667+00:00

On my Android, the USER certificate list (under the "View security certificates" page) is empty.

Are you able to connect to your VPN without selecting any certificates in your Android 13 client profile?

Gary Nebbett 5,721 Reputation points

2023-03-26T13:28:18.0133333+00:00

Hello Alisson,

I can't even save a MSCHAPv2 VPN configuration without selecting a "certificate", so I can't test connecting without a certificate. Are you sure that you have a VPN certificate looking like this:

Is the CA certificate in the file for the RISTRETTO-CA root?

Gary

Alisson Nunes 0 Reputation points

2023-03-26T13:58:31.6866667+00:00

Interesting these differences between android 13 (and12) vpn clients...

Yes, my "user certificates" have these 3 entries:

s

But, from what I understand, the way my version of the android 12 client works, I wouldn't even need to select a certificate in the vpn client profile, Since on my android 12 I can install CA certificates (.cer file, The one from the user's trusted credentials image).

In your case, your vpn client forces you to select it, because it is not possible to install directly/only the CA certificate...

What's left is just the ipsec identifier variable. Or some other client bug. Are you able to authenticate with the certificate but entering any string in the ipsec identifier field?

Gary Nebbett 5,721 Reputation points

2023-03-26T14:45:35.58+00:00

Hello Alisson,

It is difficult to be certain what is in those user credentials. Have you tried connecting with all of those user credentials that might possibly contain the RISTRETTO-CA certificate?

This is what my VPN configuration looks like:

Gary

Alisson Nunes 0 Reputation points

2023-03-26T17:53:29.77+00:00

It is difficult to be certain what is in those user credentials. Have you tried connecting with all of those user credentials that might possibly contain the RISTRETTO-CA certificate?

You can be sure that all of them were installed by me and issued by the same CA: ufpe-RISTRETTO-CA. For example, the clienteoclient (last image I uploaded):

Anyway, if my friend manages it through an android 13 and with the same CA certificate (user trust), the problem is not in the certificate, but in the android client. But what, i have no idea. I asked him to fill in anything in the ipsec identifier and it worked for him.

Alisson Nunes 0 Reputation points

2023-03-26T18:35:34.6433333+00:00

I don't understand much about cryptography, but I found this:

OK, I found the problem. They don't pad the MSK like all other implementations do. According to the EAP-MSCHAPv2 draft, the keys are derived according to RFC 3079 (MPPE). This results in two 128-bit keys, MasterSendKey and MasterReceiveKey (i.e. 32 octets in total). However, the MSK for EAP methods MUST be at least 64 octets according to RFC 5247, so these keys have to be padded somehow. The first beta versions of Window 7 back in 2009 (which is what we used to test with when we implemented EAP-MSCHAPv2) did it like this: MasterReceiveKey|16 zero bytes|MasterReceiveKey|16 zero bytes. But this was changed with the release candidate of Windows 7 to: MasterReceiveKey|MasterReceiveKey|32 zero bytes, which is what we and other implementations use ever since. So until Google fixes their client accordingly, you won't be able to connect.

In https://wiki.strongswan.org/issues/3673

Maybe that the same case? I know this case is about android 11, but... who knows

Alisson Nunes 0 Reputation points

2023-03-26T18:53:46.6133333+00:00

And look that: https://support.google.com/android/thread/191111863/problem-saving-ikev2-ipsec-psk-without-ipsec-identifier-save-button-inactive?hl=en

The "fake not use" ipsec identifier field makes a GOOGLE PIXEL phone REBOOT!

Gary Nebbett 5,721 Reputation points

2023-03-26T19:02:24.89+00:00

Hello Alisson,

In the MSCHAPv2 authentication scenario, they keys are derived from the MSCHAPv2 authentication process, and we have not got that far (key derivation) yet.

The certificate that we need to be included in the .pfx/.p12 file is the root CA (RISTRETTO-CA) certificate, not just a certificate issued by the RISTRETTO-CA authority.

I don't think that the "contents" of the "user certificates" can be examined once inside Android. I also don't think that there any any built-in tools in Windows to just display the contents of such files (one could just import the .p12/.pfx file into an empty store to view the contents). I think that there are some openssl tools that can just display such files.

It feels odd to suggest it, but if you are sure that some of the .p12/.pfx files that you imported contain the correct certificate and that this is just a test/play environment, then you could send me the .p12/.pfx file plus its password so that I can verify that.

Gary

Alisson Nunes 0 Reputation points

2023-03-26T19:26:50.2066667+00:00

There's no way the problem is in the certificate. Since the same root certificate (copied from ristretto) that I am using is exactly the one my friend is using. Sent by whatsapp, as welll. Sorry but i can't share any access, cause the environment it's not entirely a test/play environment. I'm pretty convinced it's a bug in the android 12 client. The more I search for "ikev2 android 12 vpn", the more I find bug-related results.

Gary Nebbett 5,721 Reputation points

2023-03-26T21:11:32.6433333+00:00

Hello Alisson,

I am convinced of the opposite - the problem is with the certificate.

When I debug the IKEv2 server, I see the following payloads in the third packet from the client:

Identification: (11 = ID_KEY_ID) gary CertificateRequest: 1 certificate hash (of root CA) Configuration: (CFG_REQUEST) INTERNAL_IP4_ADDRESS INTERNAL_IP4_DNS SecurityAssociation: [...] TrafficSelector: (TSi) 07-00-00-10-00-00-FF-FF-00-00-00-00-FF-FF-FF-FF TrafficSelector: (TSr) 07-00-00-10-00-00-FF-FF-00-00-00-00-FF-FF-FF-FF Notify: MOBIKE_SUPPORTED Notify: ADDITIONAL_IP6_ADDRESS Notify: ADDITIONAL_IP6_ADDRESS Notify: EAP_ONLY_AUTHENTICATION Notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED

My "why.etl" trace looks like this:

The (defaulted) IPsec ID of "gary" is processed seemingly without error and the certificate request is processed.

Your "why.etl" trace looks like this:

Your IPsec ID is also processed without error, but no "certificate request" was found/processed - possibly because no CA certificate had been installed in the client. This would be OK if the server nonetheless chose the right CA certificate, but I guess that this is not happening.

Gary

Alisson Nunes 0 Reputation points

2023-03-27T02:37:44.33+00:00

also processed without error, but no "certificate request" was found/processed - possibly because no CA certificate had been installed in the client.

Yes the root certificate is installed and is valid (at least for androids 13), cause in my friend's android 13 works normally.

This would be OK if the server nonetheless chose the right CA certificate, but I guess that this is not happening.

The VPN server has only 1 personal certificate, and is the right one, with server authentication and ipsec ike intermediate:

but no "certificate request" was found/processed

Ok. No certificate request was found/processed. But not for lack of available certificate. Now, why there's still no cert request, idk...

Alisson Nunes 0 Reputation points

2023-03-27T14:20:50.01+00:00

Log of when I try through strongswan client:

Gary Nebbett 5,721 Reputation points

2023-03-27T15:08:38.77+00:00

Hello Alisson,

I think that that error is specific to strongSwan (check of VPN server SAN). My server certificate contains a SAN but I don't use that name on the Android client (I use an IP address since the server host name is not published) and that works with the Android built-in VPN client.

Gary

Alisson Nunes 0 Reputation points

2023-03-27T15:18:49.16+00:00

I understand. In fact I saw that this strongswan error is related to SAN. But I use in my server certificate:

Anyway, have strongswan's logs and the last screenshots I sent you convinced that it's not a certificate issue?

Gary Nebbett 5,721 Reputation points

2023-03-27T16:05:26.12+00:00

Hello Alisson,

No, they have not convinced me.

An application, such as the Android built-in VPN client or the strongSwan, can make implementation choices such as where to look for CA certificates and how to ensure the security of the VPN connection.

The list of system CA authorities on my Android is quite large and it is my guess that the built-in client has chosen not to use that list but rather the single configured "Installed for VPN and apps" CA certificate in the user certificates.

This difference of our understanding plus, potentially, using something that can be parsed as an address or a name as a DNS name is probably where the problems lie.

Gary

Alisson Nunes 0 Reputation points

2023-03-27T16:43:54.86+00:00

The list of system CA authorities on my Android is quite large and it is my guess that the built-in client has chosen not to use that list but rather the single configured "Installed for VPN and apps" CA certificate in the user certificates.

But here I always agree. In your android version, validation takes place with the "user certificate", and in my version, directly with the root CA certificate, of which I have already shown several snapshots.

But I came up with something that might convince you that the problem is with the android 12 vpn client:

FINALLY, for the first time, I managed to make IKEV2 WORK on my android 12!

And yes, perhaps the issue on the native client is related to using IP instead of name. But I still consider it a bug, since it doesn't happen in strongswan (and not in android 13). In any case, I will answer this DNS question shortly, since the DNS entry has already been added.

Alisson Nunes 0 Reputation points

2023-03-27T16:46:19.2133333+00:00

Oh, and of course, android native client still doesnt work!

Gary Nebbett 5,721 Reputation points

2023-03-27T17:29:28.53+00:00

Hello Alisson,

Good to see a success, but it is still too early to dismiss other failures as caused by a bug.

Gary

Alisson Nunes 0 Reputation points

2023-03-27T17:51:41.36+00:00

The DNS entry was processed. I changed the vpn server certificate to just fqdn (CN and DNS). The scenario is the same. Works instantly on strongswan, and instantaneous unsuccessfully on androids native. If that doesn't set up a bug in the android client, I don't know what else would.

Alisson Nunes 0 Reputation points

2023-03-27T19:31:42.5933333+00:00

Gary, I have no words to thank you for ALL the teaching and help. I learned a lot from this problem and from your teachings. I would love to reward you in some way, even making a payment, but unfortunately the currency here in Brazil is so devalued in relation to the dollar and the euro, that I don't think it makes sense to spend so much to give you so little. Anyway, you can count on me if I can be of any help!

Gary Nebbett 5,721 Reputation points

2023-03-27T20:24:17.45+00:00

Hello Alisson,

I do this for fun - the reward is working on interesting problems.

I just started work on exporting a single certificate, without private keys, to a .pfx file. It works already but there is some more polishing to do. When it is ready, we could perhaps try once more to export the root CA to a .pfx file using this tool and then import that .pfx file to the Android user certificates; finally update the VPN definition to reference this new "user certificate" and retest.

UPDATE: The tool works and the resulting file can be imported as a .pfx file under Windows, but Android won't import the .pfx unless it contains a private key. Sorry to have raised any hopes.

Gary

Alisson Nunes 0 Reputation points

2023-03-27T21:07:24.6433333+00:00

Hi, Gary

Not problem at all. To tell you the truth, it's already a relief to get it via strongSwan. But in fact, the ideal would be with the native android application. Do you think then that the problem is that the android client is not using root CA? Either via .pfx (along with key and user cer) or .cer?

Alisson Nunes 0 Reputation points

2023-03-27T21:42:58.35+00:00

Look what I found: https://issuetracker.google.com/issues/238336705

I believe this is the problem.

Gary Nebbett 5,721 Reputation points

2023-03-28T08:35:15.06+00:00

Hello Alisson,

That is certainly a useful link along with the related sites (android.googlesource.com, issuetracker.google.com), but I am not sure that that is your problem.

The source code link in the message is to the "master" branch and content there has changed since the "issue" post (the source line in the message (3913) is perhaps now near line 4121).

The problem in the link that you quoted does occur at the same point in the protocol as your problem. You could try generating an Android bug report and checking whether it contains any useful/relevant information.

In my configuration, I have not selected an explicit VPN server certificate (I just select a CA certificate), which might mean that IkeSessionParams.IKE_OPTION_ACCEPT_ANY_REMOTE_ID is true for me.

The AuthResp message from my Windows VPN server contains an IDr value in ID__DER__ASN1__DN format of "CN=RAY" and a certificate with subject name of "CN=RAY" and DNS SAN of "vpn". Neither of these names ("vpn" nor "RAY") appear in the Android VPN configuration.

Gary
Sign in to comment