Настройки клиента iOS для доступа к IKEv2 серверу Keenetic

[Alexandre Bougakov]

Привет. На Keenetic Giga поднят сервер IKEv2. Если на iPhone создать простое VPN-соединение вручную, просто введя имя домена xxxx.keenetic.link, логин и пароль, то всё отлично работает из коробки:

Jul 22 11:42:01 ipsec
10[IKE] y.y.y.y is initiating an IKE_SA
Jul 22 11:42:01 ipsec
10[CFG] received proposals: IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec
10[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Jul 22 11:42:01 ipsec
10[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec
10[IKE] remote host is behind NAT
Jul 22 11:42:01 ipsec
10[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Jul 22 11:42:01 ipsec
05[IKE] y.y.y.y is initiating an IKE_SA
Jul 22 11:42:01 ipsec
05[CFG] received proposals: IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec
05[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Jul 22 11:42:01 ipsec
05[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:02 ipsec
05[IKE] remote host is behind NAT
Jul 22 11:42:02 ipsec
15[CFG] looking for peer configs matching x.x.x.x[censored.keenetic.link]...y.y.y.y[z.z.z.z]
Jul 22 11:42:02 ipsec
15[CFG] selected peer config 'VirtualIPServerIKE2'
Jul 22 11:42:02 ipsec
15[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 22 11:42:02 ipsec
15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 22 11:42:02 ipsec
15[IKE] peer supports MOBIKE, but disabled in config
Jul 22 11:42:02 ipsec
15[IKE] authentication of 'censored.keenetic.link' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jul 22 11:42:02 ipsec
15[IKE] sending end entity cert "CN=censored.keenetic.link"
Jul 22 11:42:02 ipsec
15[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R11"
Jul 22 11:42:03 ipsec
16[IKE] received EAP identity 'username'
Jul 22 11:42:03 ipsec
16[IKE] initiating EAP_MSCHAPV2 method (id 0x21)
Jul 22 11:42:03 ipsec
05[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 22 11:42:03 ipsec
08[IKE] authentication of 'z.z.z.z' with EAP successful
Jul 22 11:42:03 ipsec
08[IKE] authentication of 'censored.keenetic.link' (myself) with EAP
Jul 22 11:42:03 ipsec
08[IKE] IKE_SA VirtualIPServerIKE2[41] established between x.x.x.x[censored.keenetic.link]...y.y.y.y[z.z.z.z]
Jul 22 11:42:03 ipsec
08[IKE] peer requested virtual IP %any
Jul 22 11:42:03 ndm
Core::Server: started Session /var/run/ndm.core.socket.
Jul 22 11:42:03 ndm
IpSec::CryptoMapInfo: "VirtualIPServerIKE2": allocated address "172.20.8.1" for user "username" @ "z.z.z.z" from "y.y.y.y".

Теперь я пытаюсь создать профиль mobileconfig, чтобы его можно накатывать на устройства - и не могу подобрать комбинацию ciphers. Вот что предлагает конфигуратор для Encryption algorithm, Integrity algorithm и Diffie-Helman group. Вопрос - какую именно комбинацию клиенту IKEv2 надо предложить Кинетику, чтоб тот был счастлив? Спасибо.

[Le ecureuil]

IKE: AES-256 + SHA2-256 + 14

[Alexandre Bougakov]

3 hours ago, Le ecureuil said:

IKE: AES-256 + SHA2-256 + 14

К сожалению, не работает - "no acceptable proposal found ":

[I] Jul 23 20:45:24 ipsec: 06[IKE] a.a.a.a is initiating an IKE_SA 
[I] Jul 23 20:45:24 ipsec: 06[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
[I] Jul 23 20:45:24 ipsec: 06[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256 
[I] Jul 23 20:45:24 ipsec: 06[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
[I] Jul 23 20:45:24 ipsec: 06[IKE] remote host is behind NAT 
[I] Jul 23 20:45:24 ipsec: 05[CFG] looking for peer configs matching b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link] 
[I] Jul 23 20:45:24 ipsec: 05[CFG] selected peer config 'VirtualIPServerIKE2' 
[I] Jul 23 20:45:24 ipsec: 05[IKE] initiating EAP_IDENTITY method (id 0x00) 
[I] Jul 23 20:45:24 ipsec: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
[I] Jul 23 20:45:24 ipsec: 05[IKE] peer supports MOBIKE, but disabled in config 
[I] Jul 23 20:45:24 ipsec: 05[IKE] authentication of 'censored.keenetic.link' (myself) with RSA signature successful 
[I] Jul 23 20:45:24 ipsec: 05[IKE] sending end entity cert "CN=censored.keenetic.link" 
[I] Jul 23 20:45:24 ipsec: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R11" 
[I] Jul 23 20:45:24 ipsec: 04[IKE] received EAP identity 'username' 
[I] Jul 23 20:45:24 ipsec: 04[IKE] initiating EAP_MSCHAPV2 method (id 0x53) 
[I] Jul 23 20:45:25 ipsec: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established 
[I] Jul 23 20:45:25 ipsec: 16[IKE] authentication of 'censored.keenetic.link' with EAP successful 
[I] Jul 23 20:45:25 ipsec: 16[IKE] authentication of 'censored.keenetic.link' (myself) with EAP 
[I] Jul 23 20:45:25 ipsec: 16[IKE] IKE_SA VirtualIPServerIKE2[108] established between b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link] 
[I] Jul 23 20:45:25 ipsec: 16[IKE] peer requested virtual IP %any 
[I] Jul 23 20:45:25 ndm: Core::Server: started Session /var/run/ndm.core.socket. 
[I] Jul 23 20:45:25 ndm: IpSec::CryptoMapInfo: "VirtualIPServerIKE2": allocated address "172.20.8.3" for user "username" @ "censored.keenetic.link" from "a.a.a.a". 
[I] Jul 23 20:45:25 ndm: Core::Session: client disconnected. 
[I] Jul 23 20:45:25 ipsec: 16[IKE] assigning virtual IP 172.20.8.3 to peer 'username' 
[I] Jul 23 20:45:25 ipsec: 16[IKE] peer requested virtual IP %any6 
[I] Jul 23 20:45:25 ipsec: 16[IKE] no virtual IP found for %any6 requested by 'username' 
[I] Jul 23 20:45:25 ipsec: 16[CFG] received proposals: ESP:AES_GCM_16=256/NO_EXT_SEQ 
[I] Jul 23 20:45:25 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA2_256_128/NO_EXT_SEQ 
[I] Jul 23 20:45:25 ipsec: 16[IKE] no acceptable proposal found 
[I] Jul 23 20:45:25 ipsec: 16[IKE] closing IKE_SA due CHILD_SA setup failure 
[E] Jul 23 20:45:25 ndm: IpSec::Configurator: "VirtualIPServerIKE2": error while establishing CHILD_SA. 
[I] Jul 23 20:45:25 ipsec: 16[CFG] scheduling RADIUS Interim-Updates every 5s 
[I] Jul 23 20:45:25 ipsec: 06[IKE] deleting IKE_SA VirtualIPServerIKE2[108] between b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link] 
[I] Jul 23 20:45:25 ipsec: 06[IKE] sending DELETE for IKE_SA VirtualIPServerIKE2[108] 

[Alexandre Bougakov]

Upd: надо было ещё продублировать в неприметной закладке Child SA params:

[Le ecureuil]

Для CHILD_SA выбирайте AES-128 / SHA1 / none, для IKE SA все как указано в посте выше.