[Openswan Users] OpenSWAN and iPhone IPSec only VPN

Eric Shubert ejs at shubes.net
Tue Jun 26 13:31:47 EDT 2012 

On 05/05/2012 07:59 PM, John A. Sullivan III wrote:
>
> We then tried to disable XAUTH since the iOS docs state that IPSec
> without XAUTH is supported when using certificates so we restarted
> OpenSWAN, deleted the iPhone and Android connections, removed the user
> and password from the iPhone VPN connection definition and tried again.
> We assumed that not entering a name and password and not having the
> server advertise itself as an XAUTH server was the way to disable XAUTH
> and lots of Internet research yielded no firm instructions on how to do
> so.  We got:
>
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [RFC 3947] method set to=109
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
> 3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> 3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> 3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> 3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> 3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [XAUTH]
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [Cisco-Unity]
> 3798]: packet from 192.168.223.208:500: received Vendor ID payload [Dead Peer Detection]
> 3798]: "RWNAT"[1] 192.168.223.208 #4: responding to Main Mode from unknown peer 192.168.223.208
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
> 3798]: "RWNAT"[1] 192.168.223.208 #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
> 3798]: "RWNAT"[1] 192.168.223.208 #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
> 3798]: "RWNAT"[1] 192.168.223.208 #4: no acceptable Oakley Transform
> 3798]: "RWNAT"[1] 192.168.223.208 #4: sending notification NO_PROPOSAL_CHOSEN to 192.168.223.208:500
> 3798]: "RWNAT"[1] 192.168.223.208: deleting connection "RWNAT" instance with peer 192.168.223.208 {isakmp=#0/ipsec=#0}
>
> So it appears it is trying to use XAUTH anyway.  We commenting out the
> iPhone and Android sessions and then restarting OpenSWAN in case just
> having the connections defined loaded some XAUTH listener that remained
> listening even after the connections were deleted.
>
> So how do we get certs working with iPhone IPSec only and particularly,
> how do we do so with XAUTH disabled? Thanks.  My apologies for the
> length.  Hopefully the detail is helpful - John
>
> _______________________________________________

Hey John. I've recently been trying to do the same iPhone to IPSec 
server connection (with IPCop), and my experience is similar, although I 
did not try PSK or XAUTH.

Once I managed to get certs installed on the iPhone, I do get:
policy does not allow Extended Authentication ( XAUTH). Attribute 
OAKLEY_AUTHENTICATION_METHOD
but I'm hoping that this would simply be ignored.

I believe the crux of the problem here is:
OAKLEY_DES_CBC is not supported.
This algorithm is known to be insecure and is thus not supported by 
Openswan.

There is a way to build Openswan with a USE_WEAKSUFF? flag, but it's not 
clear whether that would work entirely, and would be insecure if it did. 
See http://article.gmane.org/gmane.network.openswan.user/17635/

So the BL to me here is that at least 2 of the 3 stock VPN 
implementations in the iPhone (PPTP, IPSec) are inherently insecure. I 
don't know for sure whether the 3rd (L2TP/IPSec) is really secure or 
not, but I have my doubts.

I'm beginning to believe that the best chance of having a secure VPN 
with iDevices is to use one of the handful of VPN apps along with the 
vendor's VPN Server device (costing hundreds of $). This is likely why 
many companies are choosing to use android devices in favor of iDevices.

-- 
-Eric 'shubes'

More information about the Users mailing list