tn-57-gs-7096 asked

[MAC-RRAS(VPN)] - "Negotiation Timed Out" for Always-On VPN (IKEv2)

Error: "CoId={}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: <Unauthenticated User>. Negotiation timed out"

164944-vpn-2.png


VPN Server: MS 2019 Server RRAS
NPS Server: MS 2019 Server NPS
Windows clients: work flawlessly with EAP-PEAP and a smartcard certificate (user cert)
Mac client: fails.

I have already raised a support case (2110040040003804) with MS and they declined to support macOS clients; still, I have not seen an article that states RRAS does not support macOS.

As you can see in the screenshot below, the Mac client sends an IKE_SA_INIT request and even gets a response back from the RRAS VPN server with the responder SPI cookie; the client then sends an IKE_AUTH request to the VPN server and the server responds, but there is no further continuation in the flow. It breaks right there, with the Event ID shared and the screenshot above.

164945-macclient-packets.jpg



Apart from the VPN server event log and the packet trace, I am not able to figure out what the reason behind this could be. I have done all my research and made changes to both client and server, still no luck. Please share your thoughts if you have experienced such issues.



GaryNebbett answered

Hello @tn-57-gs-7096,

I wrote a blog entry on a related problem a few years ago: https://gary-nebbett.blogspot.com/2018/10/establishing-vpn-connection-from-macos.html

Since the "next" packet should come from macOS, the best place to start would be to examine the "racoon" log entries on the Mac.

From the Windows side, one could trace the IKE exchanges, using ETW (Event Tracing for Windows) and the "IKEEXT Trace Provider"; knowing the contents of the IKE_AUTH packet from Windows to Mac might give a hint about the problem. The "IKEEXT Trace Provider" is a WPP provider, so you probably won't be able to understand the trace data by yourself; if you are happy to share it then I would take a look.

Gary



Hi Gary

Thanks for your response.

I have attached the "IKEEXT Trace" from the VPN server and also the Wireshark logs from the Mac. Please let me know how I can get the racoon logs; I tried with the Console app by filtering on "Racoon" but there were no entries.

Hope the attached logs help.

Sujith

165340-ikeext-trc00.log
165278-msforumsupport.log



Hello Sujith,

The IKEEXT trace was probably started with a "keywords" value of 0; since it is a WPP provider, this means that no IKEEXT events were traced (it should be started with a keywords value of 0xFFFFFFFF and a level of 4). The events in the trace file are just the equivalent of a Wireshark trace (Microsoft-Windows-NDIS-PacketCapture events).

I don't currently have access to a Mac; from my old notes, I used commands like log show --debug --predicate 'process == "racoon"' and view /var/log/racoon.log to view the racoon events; I may have modified the racoon.conf file to increase the level of debug output.

The IKE_AUTH (MID=01) response in the traces is larger than that shown in your first image - its new size (1840 bytes) seems more reasonable to me.

It is just a guess, but you might find that racoon is logging the error: “Trust evaluate failure: [root AnchorTrusted BasicConstraints]” - the link in my first post discusses this potential problem.

Gary

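One way to collect the trace the way Gary describes (keywords 0xFFFFFFFF, level 4, so the WPP provider actually emits events), as an added PowerShell example that is not part of this thread or of Gary's blog post. The provider name is the one Gary gives; the session name, output path, buffer settings and the Get-WinEvent sanity check are my own assumptions. Run it in an elevated PowerShell on the RRAS server:

```powershell
# Added example (not from the thread): capture an IKEEXT WPP trace on the RRAS server
# while reproducing the macOS connection attempt. Run in an elevated PowerShell.
# Provider name is the one Gary names; session name, path and buffer sizes are assumed.
$Session = 'ikeext-trace'
$Out     = 'C:\Temp\ikeext.etl'
New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null

# The provider has to be registered on this host, otherwise logman create fails later.
logman query providers 'IKEEXT Trace Provider' | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'IKEEXT Trace Provider not listed; compare "logman query providers" output.'
}

# Keywords 0xFFFFFFFF enables every WPP flag; level 4 (information) includes error,
# warning and informational events. Keywords 0 is the trap from the thread: the
# session starts, but the WPP provider logs nothing and the ETL only carries whatever
# other providers were enabled (here, the NDIS packet-capture events).
logman create trace $Session -p 'IKEEXT Trace Provider' 0xFFFFFFFF 4 `
    -o $Out -ow -mode Circular -max 256 -ets
if ($LASTEXITCODE -ne 0) { throw "logman create failed (exit code $LASTEXITCODE)" }

try {
    Write-Host 'Tracing. Trigger the VPN connection from the Mac now, then press Enter.'
    Read-Host | Out-Null
}
finally {
    # Stop the live (-ets) session even if the operator aborts with Ctrl+C.
    logman stop $Session -ets | Out-Null
}
Write-Host "Trace written to $Out"

# Sanity check before sharing the file: WPP payloads stay undecoded without the
# provider's TMF files, but a per-provider event count is enough to tell whether
# IKEEXT logged anything at all or whether the ETL is packet capture only.
Get-WinEvent -Path $Out -Oldest -ErrorAction SilentlyContinue |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The circular 256 MB buffer keeps the session from filling the disk if the operator forgets to stop it; for a single connection attempt the file will be far smaller. Decoding the WPP messages still needs someone with the TMF files, which is why Gary offers to look at the trace rather than asking for a decoded text file.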


Thanks for sharing the command line to get the logs.

I can only see old logs; I tried to connect the VPN and re-ran the command, but it still shows yesterday's entries and not the new one. I guess it may take some time.

Anyway, according to the old logs, PH1 is initiated by the client but fails with the error below; really not sure why.


none message must be encrypted, status 0x1461, side 0
racoon: [com.apple.networkextension:] CHKPH1THERE: no established ph1 handler found

Since the attach option isn't working in this post, I have shared the racoon logs using OneDrive; please use the link below to download them.

https://1drv.ms/u/s!AkVuXnM-kirQkPorAorQgJ4vTOCRyQ?e=JbycRD

Please let me know if you need more details from me.

LimitlessTechnology-2700 answered

Hi @tn-57-gs-7096

Some quick points to check:

  • Check that the VPN server certificate has the "Server Authentication" EKU

  • Check that certificates are valid on the client, VPN server, and NPS server

  • Check that the client, VPN server, and NPS server all have the trusted root certificate from the DC (CA administrator)

  • Check that the VPN server name on the client matches the VPN server certificate's subject name

  • Check that the appropriate port (1812, for RADIUS authentication) is open on the VPN server and NPS server

  • Check that the NPS server is reachable (pingable) from the VPN server.

Here is a thread as well that discusses the same issue; you can try some of the troubleshooting steps from it and see if that helps you sort out the issue.

https://social.technet.microsoft.com/Forums/ie/en-US/0c81d9d6-19ff-407f-9206-26a17ecec532/quotnegotiation-timed-outquot-for-alwayson-vpn-ikev2?forum=ws2016

Please try the following articles to see if they could be of help.

https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/

https://social.technet.microsoft.com/Forums/ie/en-US/771bf5ec-7017-4fd3-9496-52137dfa616a/error-description-13801-ike-authentication-credentials-are-unacceptable?forum=winservergen

Hope this resolves your query!


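The checklist above, scripted for the server side, as an added PowerShell example that is not part of this thread. It covers the points that can be verified on the RRAS server itself: the certificate RRAS presents for IKEv2 (EKU, validity, name match, chain to a trusted root) and the RADIUS configuration and reachability of NPS. The client-side and NPS-side certificate checks still have to be done on those hosts. $VpnFqdn and $NpsServer are placeholders, and the cmdlet property names (CertificateAdvertised, ServerPort) are the RemoteAccess module's as I know them; treat both as assumptions to verify on your own server:

```powershell
# Added example (not from the thread): scripted form of the checklist above, run on the
# RRAS server in an elevated PowerShell (RemoteAccess and PKI modules present).
# $VpnFqdn is the name the Mac dials, $NpsServer the NPS host; both are placeholders.
param(
    [string]$VpnFqdn   = 'vpn.example.com',
    [string]$NpsServer = 'nps.example.com'
)

$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth, the EKU IKEv2 clients expect
$script:Failures = 0

function Check([bool]$Pass, [string]$What) {
    if (-not $Pass) { $script:Failures++ }
    '{0} {1}' -f $(if ($Pass) { '[PASS]' } else { '[FAIL]' }), $What
}

# Which certificate does RRAS present for IKEv2? If one is pinned with
# Set-VpnAuthProtocol -CertificateAdvertised, test that one; otherwise RRAS picks a
# suitable machine certificate itself, so test every candidate in LocalMachine\My.
$advertised = (Get-VpnAuthProtocol -ErrorAction SilentlyContinue).CertificateAdvertised
$advThumb   = if ($advertised) { $advertised.Thumbprint } else { $null }
$candidates = if ($advThumb) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $advThumb
} else {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid }
}
$candidates = @($candidates | Where-Object { $_ })
Check ($candidates.Count -gt 0) 'a machine certificate with a private key is available for IKEv2'

$now = Get-Date
foreach ($c in $candidates) {
    $id = "$($c.Subject) [$($c.Thumbprint)]"
    # Point 1: Server Authentication EKU.
    Check ($c.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) "$id has the Server Authentication EKU"
    # Point 2: currently valid (server side only; client and NPS certs need the same check there).
    Check ($c.NotBefore -le $now -and $c.NotAfter -gt $now) "$id is inside its validity period (NotAfter $($c.NotAfter))"
    # Point 4: the dialled name must appear in the SAN (or CN); clients compare it exactly.
    $names = @($c.DnsNameList | ForEach-Object { $_.Unicode })
    Check ($names -contains $VpnFqdn) "$id names [$($names -join ', ')] include $VpnFqdn"
    # Point 3: the chain must build to a root trusted here. Test-Certificate also runs
    # revocation checking, which the client will attempt against the cert's CDP as well.
    $chainOk = Test-Certificate -Cert $c -Policy SSL -EKU $ServerAuthOid -DNSName $VpnFqdn `
        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    Check ([bool]$chainOk) "$id passes chain, revocation, EKU and name checks"
}

# Points 5 and 6: RRAS must be pointed at NPS on 1812 and NPS must be reachable.
$radius = Get-RemoteAccessRadius -Purpose Authentication -ErrorAction SilentlyContinue |
    Where-Object ServerName -eq $NpsServer
Check ($null -ne $radius) "$NpsServer is configured as an authentication RADIUS server on RRAS"
if ($radius) {
    Check ($radius.ServerPort -eq 1812) "RRAS sends authentication to $NpsServer on port $($radius.ServerPort)"
}
Check (Test-Connection -ComputerName $NpsServer -Count 2 -Quiet) "$NpsServer answers ICMP echo from the VPN server"
# Test-NetConnection only probes TCP, so whether UDP 1812 is actually open on NPS has
# to be confirmed on the NPS host (Get-NetFirewallRule | Get-NetFirewallPortFilter).

"`n$($script:Failures) check(s) failed."
```

A clean run here does not rule out the thread's problem: the poster reports that the same configuration works for Windows clients, so the server-side items pass, and the difference lies in what the macOS client accepts. That is exactly why the thread moves on to the racoon log on the Mac and the IKEEXT trace on the server.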

Hi

As I have already mentioned in this post, the same configuration works very well on Windows clients and the issue is happening only on Mac clients; I am clueless what the problem could be. Besides, I have also cross-checked everything on the checklist you mentioned and the issue remains the same. I have already raised an MS support case and they also gave up on this issue.
