[Swan] Dropping AUTH message containing INITIAL_CONTACT on OSX and Win10

Fri Dec 21 19:21:53 UTC 2018

Hi there,
I have been trying to get both Windows 10 and OSX Mojave to connect to an Ubuntu Libreswan server in AWS. After trying xl2tpd and IKEv1 and not getting very far I figured I'd try IKEv2, following the configs in the Wiki, including generating the pk12 certificates.
The Ubuntu DEB seemed to have issues, so I thought I'd pull the latest release from github (yes, remembered to check out the release tag) and try it.
I am probably missing something really obvious, so I figured I'd post here.
OSX:
Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match] 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: initiator guessed wrong keying material group (MODP2048); responding with INVALID_KE_PAYLOAD requesting MODP1024Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: responding to SA_INIT message (ID 0) from 96.255.61.46:500 with unencrypted notification INVALID_KE_PAYLOADDec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match] 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: dropping unexpected AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTHDec 21 16:58:54 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: responding to AUTH message (ID 1) from xx.xx.xx.xx:500 with encrypted notification INVALID_SYNTAXDec 21 17:02:14 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: deleting state (STATE_PARENT_R1) and NOT sending notificationDec 21 17:02:14 ip-10-0-0-194 pluto[29330]: deleting connection "ikev2-cp"[1] xx.xx.xx.xx  instance with peer xx.xx.xx.xx  {isakmp=#0/ipsec=#0}Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match] 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: initiator guessed wrong keying material group (MODP2048); responding with INVALID_KE_PAYLOAD requesting MODP1024Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: responding to SA_INIT message (ID 0) from xx.xx.xx.xx:500 with unencrypted notification INVALID_KE_PAYLOADDec 21 17:36:57 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match] 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[2] xx.xx.xx.xx  #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}Dec 21 17:36:57 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[2] xx.xx.xx.xx  #2: dropping unexpected AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTHDec 21 17:36:57 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[2] xx.xx.xx.xx  #2: responding to AUTH message (ID 1) from xx.xx.xx.xx:500 with encrypted notification INVALID_SYNTAX
Win10:Dec 21 19:17:44 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Dec 21 19:17:44 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 2:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[first-match] 5:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 6:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 7:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 8:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 9:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 10:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[better-match] 11:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 12:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_3...Dec 21 19:17:44 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}Dec 21 19:17:44 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: dropping unexpected AUTH message containing MOBIKE_SUPPORTED notification; message payloads: SKF; encrypted payloads: SA,IDi,CERTREQ,N,TSi,TSr,CP; missing payloads: AUTHDec 21 19:17:44 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: responding to AUTH message (ID 1) from xx.xx.xx.xx:500 with encrypted notification INVALID_SYNTAX

Config file:
conn ikev2-cp    authby=rsasig    ikev2=insist    cisco-unity=yes    # The server's actual IP goes here - not elastic IPs    left=10.0.0.194    leftcert=vv.mufgtsi.net    leftid=@vv.mufgtsi.net    leftsendcert=always    leftsubnet=0.0.0.0/0    leftrsasigkey=%cert    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512    # Clients    right=%any    # your addresspool to use - you might need NAT rules if providing full internet to clients    rightaddresspool=10.0.0.240-10.0.0.250    # optional rightid with restrictions    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"    rightca=%same    rightrsasigkey=%cert    #    # connection configuration    # DNS servers for clients to use    #modecfgdns=8.8.8.8,193.100.157.123    # Versions up to 3.22 used modecfgdns1 and modecfgdns2    #modecfgdns1=8.8.8.8    #modecfgdns2=193.110.157.123    narrowing=yes    # recommended dpd/liveness to cleanup vanished clients    dpddelay=30    dpdtimeout=120    dpdaction=clear    auto=add    #ikev2=insist    rekey=no    # ikev2 fragmentation support requires libreswan 3.14 or newer    fragmentation=yes    # optional PAM username verification (eg to implement bandwidth quota    # pam-authorize=yes
Anyways, thoughts appreciated, and happy holidays!
Cheers,
Jan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20181221/9ed6e965/attachment.html>