Unable to fix iOS 14 issue #475
Comments
Are you using certificates? It looks like the iOS device does not authenticate the VPN server. Usually that is because it is missing something on the certificate of the VPN server, like a SAN entry for the FQDN. If you think the certificate is properly generated, then you can try libreswan to see if it is just old behaviour of openswan versus the much more modern libreswan.
No certificate, I use L2TP with secret. Everything works smoothly on Windows and on Apple systems < iOS 14; the problem only occurs on iOS > 14.
On Wed, 2 Jun 2021, totoventi wrote:
> No certificate, I use L2TP with secret.
> Everything works smoothly on Windows and Apple systems < iOS 14, the problem only occurs on iOS > 14
Well, the logs show that the iOS>14 device sends a delete. So they are unhappy. Check their logs to see why.
I cannot find any solution to that effect. The problem has been documented for months and it should be this: https://support.apple.com/en-us/HT211840 The problem is that in Openswan I can't change the configuration so that it doesn't happen... I have tried several strings, but evidently on Openswan they do not work, because on restarting the service I always get syntax errors with any of them.
On Wed, 2 Jun 2021, totoventi wrote:
> I cannot find any solution to that effect.
> The problem has been documented for months and it should be this:
> https://support.apple.com/en-us/HT211840
That relates to sha2-truncbug=yes|no. I don't remember if this was added to openswan or libreswan. If you need to support a mix of Android and iPhone, then you have a problem, because old Androids require sha2-truncbug=yes and your iOS 14 now requires sha2-truncbug=no. The only way out is to not use sha2_256 for esp= but use sha2_512 or sha1, where this issue does not exist.
> the problem is that in Openswan I can't change the configuration so that it doesn't happen... I have tried several strings but
> evidently on Openswan they do not go, because at the reboot of the service I always get syntax errors with any of them.
It's been 9 years since the forced rename to libreswan due to legal reasons. Openswan has been in a vegetative state since then. You should upgrade to libreswan; every modern distro did that almost a decade ago. For more background:
https://nohats.ca/wordpress/blog/2021/04/23/please-stop-using-openswan/
https://nohats.ca/wordpress/openswan/
Try using an underscore, sha2_truncbug=no
Sent using a virtual keyboard on a phone
On Jun 2, 2021, at 09:36, totoventi wrote:
> Yes, I have tried several times with sha2=truncbug=no but it is one of the strings that gives me a syntax error.
> At the moment I can't migrate to Libreswan; I don't need to use Android but only Windows / macOS and iOS ... how can I correct my configuration (which I attach) to change to SHA512?
You need: esp=aes256-sha2_512
Sent using a virtual keyboard on a phone
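The esp= line recommended above, shown in context. This is an added example written for this thread, not the reporter's attached configuration and not code from the openswan or libreswan projects. The connection name L2TP-PSK-NAT is taken from the pluto log line quoted later in the thread; every other value is a typical L2TP/IPsec-with-PSK setting and is an assumption. The point of the change is to avoid HMAC-SHA2-256 in phase 2 altogether, because that is the algorithm whose truncation length (96 versus 128 bits) iOS 14 and older peers disagree on, so no sha2_truncbug= setting is needed at all.

```ini
# /etc/ipsec.conf, connection section only (added example; assumed values)
conn L2TP-PSK-NAT
    authby=secret
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    # Dead Peer Detection, matching the "RFC 3706: enabled" log line
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Phase 2 (ESP) integrity algorithm.
    # Problematic with iOS 14 on this daemon:  esp=aes256-sha2_256
    # Recommended in the thread: SHA2-512 has no truncation mismatch, so
    # the sha2_truncbug= knob (which this openswan build rejects) is not
    # required.
    esp=aes256-sha2_512
    auto=add
```

After editing, the daemon must be restarted (not just the connection reloaded) for a changed esp= line to take effect; a configuration that still logs the old proposal after a restart indicates the edit was made in a file the running daemon does not read.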
unexpected string...
Nothing, I have this: Jun 02 16:54:25 raspberrypi pluto[1729]: "L2TP-PSK-NAT"[2] 151.37.217.182 #2: Dead Peer Detection (RFC 3706): enabled
Please try libreswan, should be a drop-in replacement.
I don't know why openswan is ignoring your config. Maybe you didn't restart? But obviously I haven't looked at openswan code in 10 years.
Sent using a virtual keyboard on a phone
On Jun 2, 2021, at 11:56, totoventi wrote:
> unexpected string...
Since the arrival of iOS 14 I have no longer been able to use the VPN with devices that use this system.
I don't know how to intervene in the configuration to make Openswan compatible also with Apple devices using Big Sur or iOS > 14.
I use Openswan 2.6.37 on Raspberry (obligatory, because with the higher versions there are other problems).
On Windows it worked.
How can I intervene?
Following is an example of what I get with an iOS device and a macOS device.