[Swan] Dropping AUTH message containing INITIAL_CONTACT on OSX and Win10

Paul Wouters paul at nohats.ca
Sun Dec 23 18:36:13 UTC 2018

On Fri, 21 Dec 2018, Mr. Jan Walter wrote:

> I have been trying to get both Windows 10 and OSX Mojave to connect to an Ubuntu Libreswan server in AWS. After trying xl2tpd and IKEv1 and not getting very
> far I figured I'd try IKEv2, following the configs in the Wiki, including generating the pk12 certificates.

> Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: responding to SA_INIT message (ID 0) from with unencrypted
> notification INVALID_KE_PAYLOAD

Note this is causing an extra round trip, so it is better to agree on the
first DH group used in client and server.

> Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: dropping unexpected AUTH message containing INITIAL_CONTACT... notification;
> message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH

I could not reproduce this in test cases, and then used OSX to verify
this. While initially I had the same problem I suddenly realised this
is an old confusing OSX UI bug. If you import a .mobileconfig with
Machine Certificate, you MUST NOT set the Authentication Settings to
anything other than "None" or else it will ignore the .mobileconfig
and try to use EAP.


> Win10:

> Dec 21 19:17:44 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: dropping unexpected AUTH message containing MOBIKE_SUPPORTED notification; message
> payloads: SKF; encrypted payloads: SA,IDi,CERTREQ,N,TSi,TSr,CP; missing payloads: AUTH

It looks like you are attempting EAP there too, instead of Machine
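
As an added example (not part of the thread and not Libreswan's own code), a small triage script that runs over pluto log lines like the ones quoted above and classifies the two symptoms discussed: the INVALID_KE_PAYLOAD reply, which the reply explains costs an extra round trip because the client's first DH group is not the server's first, and the dropped IKE_AUTH message whose "missing payloads: AUTH" means the client is attempting EAP rather than machine-certificate authentication. The sample log lines are constructed from the thread (peer address anonymised as in the original, the wrapped first line re-joined), the regexes are written against that wording only, and the advice strings restate what the reply says; nothing here is an official Libreswan log format specification.

```python
import re
from typing import Dict, List

# Constructed sample: pluto lines modelled on the ones quoted in the thread.
# The INVALID_KE_PAYLOAD line is re-joined from its two wrapped lines so that
# every record is a single line. The last line is filler that must not match.
SAMPLE_LOG = """\
Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: packet from xx.xx.xx.xx:500: responding to SA_INIT message (ID 0) from with unencrypted notification INVALID_KE_PAYLOAD
Dec 21 16:58:54 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[1] xx.xx.xx.xx  #1: dropping unexpected AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH
Dec 21 19:17:44 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: dropping unexpected AUTH message containing MOBIKE_SUPPORTED notification; message payloads: SKF; encrypted payloads: SA,IDi,CERTREQ,N,TSi,TSr,CP; missing payloads: AUTH
Dec 21 19:17:45 ip-10-0-0-194 pluto[29330]: "ikev2-cp"[3] xx.xx.xx.xx  #3: some unrelated line
"""

# Server answered IKE_SA_INIT with INVALID_KE_PAYLOAD: the client's first KE
# group was not the server's first proposal (IPv4 peer:port as in the thread).
RE_INVALID_KE = re.compile(
    r"packet from (?P<peer>[^:\s]+):(?P<port>\d+): responding to SA_INIT message"
    r".*?notification INVALID_KE_PAYLOAD"
)

# IKE_AUTH dropped; the trailing "missing payloads" list is the useful part.
# The notification name may be followed by "..." as in the quoted log.
RE_DROPPED_AUTH = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+)\s+#(?P<state>\d+): '
    r"dropping unexpected AUTH message containing (?P<notify>[A-Z_]+)\.* notification; "
    r"message payloads: (?P<msg>[^;]*); encrypted payloads: (?P<enc>[^;]*); "
    r"missing payloads: (?P<missing>\S+)"
)

# Advice restated from the thread, keyed by finding kind.
ADVICE = {
    "dh_group_mismatch": (
        "extra round trip: make the client's first DH group the first group "
        "in the server's ike= proposal so both sides agree on the first try"
    ),
    "auth_payload_missing": (
        "IKE_AUTH carried no AUTH payload: the client is attempting EAP instead "
        "of Machine Certificate; on OSX a .mobileconfig with a Machine Certificate "
        "must have Authentication Settings = None or the profile is ignored"
    ),
    "auth_message_dropped": "IKE_AUTH dropped for another missing payload; inspect the list",
}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Classify each pluto line; returns one finding dict per matching line."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = RE_INVALID_KE.search(line)
        if m:
            findings.append({
                "kind": "dh_group_mismatch",
                "peer": m.group("peer"),
                "conn": "",
                "state": "",
                "notify": "INVALID_KE_PAYLOAD",
                "advice": ADVICE["dh_group_mismatch"],
            })
            continue
        m = RE_DROPPED_AUTH.search(line)
        if m:
            missing = set(m.group("missing").split(","))
            kind = "auth_payload_missing" if "AUTH" in missing else "auth_message_dropped"
            findings.append({
                "kind": kind,
                "peer": m.group("peer"),
                "conn": m.group("conn"),
                "state": m.group("state"),
                "notify": m.group("notify"),
                "advice": ADVICE[kind],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['peer']:>14} {f['kind']:<22} {f['notify']:<18} {f['advice']}")
```

Run it against a real `/var/log/secure` or `journalctl -u ipsec` dump instead of `SAMPLE_LOG`; a peer that keeps producing `auth_payload_missing` after the DH mismatch is fixed is almost certainly still configured for EAP on the client side, which is the case the reply describes.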


