macOS built in IKEv2 VPN is not passing Child SA DH group proposal

Originator:reinis.adovics
Number:rdar://31203776 Date Originated:22-03-2017
Status:Open Resolved:
Product:Other Product Version:
Classification: Reproducible:
 
Summary:
Using Apple Configurator 2 I have created IKEv2 cert based VPN connection.

On connecting to pfSense (Strongswan) VPN server it can be logged that macOS never proposes Phase 2 as it is set in mobileconfig.

The main point here is that for
Phase 1 (IKE SA) DH group is set as DH20 (ECP_384)
Phase 2 (Child SA) DH group is set as DH20 (ECP_384)
Both on server and client.

Note that logs are "newest on top". IP addresses are in private range as the testing is sandboxed.

On connection the Strongswan/charon logs for phase 1 are

---------------
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384 
---------------

where one can see that macOS proposes ECP_384 and proposal matches.

On connection the Strongswan/charon logs for phase 2 are

---------------
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ    
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ    
---------------

thus one can see that proposal by macOS lacks ECP_384 (DH group 20).

However one can connect as "The first IKEv2 "Phase 2" is derived from the initial IKE negotiation. The other values are not used until Rekey." https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IPsec

In result on first rekey the connection just fails miserably, because ECP_384 still lacks in proposal

---------------
received DELETE for IKE_SA con1[12]    
parsed INFORMATIONAL request 11 [ D ]    
received packet: from 192.168.10.146[4500] to 192.168.10.100[4500] (88 bytes)    
sending packet: from 192.168.10.100[4500] to 192.168.10.146[4500] (88 bytes)    
generating CREATE_CHILD_SA response 10 [ N(NO_PROP) ]    
failed to establish CHILD_SA, keeping IKE_SA    
no acceptable proposal found    
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ    
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ    
no acceptable DIFFIE_HELLMAN_GROUP found    
selecting proposal:    
---------------

I tried also DH14 and DH2 for Phase 2, they are also not included in the proposal to the server.

The DH group exists in .mobileconfig file ChildSecurityAssociationParameters dict

---------------
<key>ChildSecurityAssociationParameters</key>
<dict>
  <key>DiffieHellmanGroup</key>
  <integer>20</integer>
  <key>EncryptionAlgorithm</key>
  <string>AES-256</string>
  <key>IntegrityAlgorithm</key>
  <string>SHA2-256</string>
  <key>LifeTimeInMinutes</key>
  <integer>60</integer>
</dict>
<key>IKESecurityAssociationParameters</key>
<dict>
  <key>DiffieHellmanGroup</key>
  <integer>20</integer>
  <key>EncryptionAlgorithm</key>
  <string>AES-256</string>
  <key>IntegrityAlgorithm</key>
  <string>SHA2-384</string>
  <key>LifeTimeInMinutes</key>
  <integer>480</integer>
</dict>
---------------

Current way to make macOS work with Strongswan is to disable DH group in Strongswan Phase 2, leave whatever DH group in Apple Configurator for Child SA as it will not be sent anyways. This results in phase 2 matching in rekeying

---------------
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
---------------

and connection is kept.

In year 2017 VPN is everyday reality.
Firstly this is security issue compromising phase 2 security gateway.
Secondly VPN is unusable as it drops connections.

I have to mention that this issue also affects iOS, the logs and everything is exactly the same after installing this profile on iPhone. I will be crossposting this in iOS bugreports, for which I apologize. 
/ranting
Or maybe not as being mac poweruser and part-time-developer myself for veeery long time I have seen the trend of how fast you address longstanding macOS vs iOS bugs. Note that Apple in year 2016 added support for DH14 https://support.apple.com/en-us/HT206154 while it was minimum recommended group years ago.

Steps to Reproduce:
Install Apple Configurator 2
Configure certificate based IKEv2 VPN profile with any(!) Phase 2 DH Group (20/14/2).

Expected Results:
DH group configured in phase 2 should be sent to the server as proposal.

Actual Results:
DH group configured in phase 2 is not sent to the server as proposal.

Version:
macOS 10.12.4 Beta (16E191a)
Apple Configurator 2.3 (3D68)
iOS 10.2.1 on iPhone SE

Notes:
My longer debugging findings related to this issue can be found here
https://forum.pfsense.org/index.php?topic=127696.0

Configuration:


Attachments:

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!