Posted: Thu Apr 04, 2019 9:23 Post subject: IPSec Issues
hello there,
Does anyone have IPSec and iOS 12.2 working?
On my R7000 (still running 35550M), IPSec always worked; now the iPhone cannot connect.
On R7000P, running 39345M, iOS 12.2 cannot connect either.
Edit:
Rolling back to older builds like 37985M or 35550M, the iPhone on iOS 12.2 can connect just fine. So there are two problems:
- on newer builds (tested on 39345M), iOS cannot connect
- for R7000P, on builds where IPSec is working (35550M for example), if IPSec is enabled, after a reboot there is no wireless (even the WL temperature is not shown)
- R7000 on 35550M worked fine after re-setting up the VPN on the iPhone (downloading certs again etc.)
Last edited by nolimitz on Mon May 06, 2019 7:17; edited 2 times in total
Posted: Fri Apr 05, 2019 5:30 Post subject: Re: IPSec and iOS 12.2 = Not Working
<Kong> wrote:
nolimitz wrote:
hello there,
Does anyone have IPSec and iOS 12.2 working?
On my R7000 (still running 35550M), IPSec always worked; now the iPhone cannot connect.
On R7000P, running 39345M, iOS 12.2 cannot connect either.
I know that it works on my ipq builds where I already updated strongswan, did you check the log file?
Thanks Kong. I reset and configured from scratch, even formatted JFFS (USB).
Here is the log from R7000P:
Code:
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] authentication of 'home' with EAP successful
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] authentication of '******' (myself) with EAP
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] IKE_SA ikev2[3] established between 192.168.1.2[*****]...*******[home]
Apr 5 08:21:31 R7000P authpriv.info : 13[IKE] IKE_SA ikev2[3] established between 192.168.1.2[****]...******[home]
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] scheduling reauthentication in 9999s
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] maximum IKE_SA lifetime 10539s
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] peer requested virtual IP %any
Apr 5 08:21:31 R7000P daemon.info : 13[CFG] sending DHCP DISCOVER to 255.255.255.255
Apr 5 08:21:31 R7000P daemon.info : 05[CFG] received DHCP OFFER 192.168.1.110 from 192.168.1.1
Apr 5 08:21:31 R7000P daemon.info : 13[CFG] sending DHCP REQUEST for 192.168.1.110 to 192.168.1.1
Apr 5 08:21:31 R7000P daemon.info : 13[CFG] sending DHCP REQUEST for 192.168.1.110 to 192.168.1.1
Apr 5 08:21:31 R7000P daemon.info : 13[CFG] sending DHCP REQUEST for 192.168.1.110 to 192.168.1.1
Apr 5 08:21:31 R7000P daemon.info : 10[CFG] received DHCP ACK for 192.168.1.110
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] assigning virtual IP 192.168.1.110 to peer 'home'
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] peer requested virtual IP %any6
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] no virtual IP found for %any6 requested by 'home'
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] received netlink error: No such file or directory (2)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] unable to add SAD entry with SPI c6ba27ff (FAILED)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] received netlink error: No such file or directory (2)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] unable to add SAD entry with SPI 09ad2ed3 (FAILED)
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] deleting policy 192.168.1.110/32 === 0.0.0.0/0 in failed, not found
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] deleting policy 192.168.1.110/32 === 0.0.0.0/0 fwd failed, not found
Apr 5 08:21:31 R7000P daemon.info : 13[ENC] generating IKE_AUTH response 9 [ AUTH CPRP(ADDR DNS DNS DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Apr 5 08:21:31 R7000P daemon.info : 07[NET] received packet: from ******[5157] to 192.168.1.2[4500] (80 bytes)
Apr 5 08:21:31 R7000P daemon.info : 07[ENC] parsed INFORMATIONAL request 10 [ D ]
Apr 5 08:21:31 R7000P daemon.info : 07[IKE] received DELETE for IKE_SA ikev2[3]
Apr 5 08:21:31 R7000P daemon.info : 07[IKE] deleting IKE_SA ikev2[3] between 192.168.1.2[******]...*******[home]
Apr 5 08:21:31 R7000P authpriv.info : 07[IKE] deleting IKE_SA ikev2[3] between 192.168.1.2[*****]...******[home]
Apr 5 08:21:31 R7000P daemon.info : 07[IKE] IKE_SA deleted
Apr 5 08:21:31 R7000P authpriv.info : 07[IKE] IKE_SA deleted
Apr 5 08:21:31 R7000P daemon.info : 07[ENC] generating INFORMATIONAL response 10 [ ]
Apr 5 08:21:31 R7000P daemon.info : 07[NET] sending packet: from 192.168.1.2[4500] to *******[5157] (80 bytes)
Apr 5 08:21:31 R7000P daemon.info : 07[CFG] sending DHCP RELEASE for 192.168.1.110 to 192.168.1.1
This is where it seems to fail:
Code:
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] peer requested virtual IP %any6
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] no virtual IP found for %any6 requested by 'home'
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] received netlink error: No such file or directory (2)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] unable to add SAD entry with SPI c6ba27ff (FAILED)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] received netlink error: No such file or directory (2)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] unable to add SAD entry with SPI 09ad2ed3 (FAILED)
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
I cannot check the R7000 now but will do tomorrow. I will re-download the certs and try. Re-downloading the certs on R7000P doesn't help.
I just checked it: on both dd-wrt and openwrt, only LAN access works; WAN access through IPsec does not work. iOS does not even send any request through the tunnel in the case of WAN access, so I am very sure this is an iOS bug. _________________ KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Try disabling SFE and see if IPSec traffic starts routing over WAN. I have the same issue with IPSec routing over my VPN tunnels with SFE turned on. I had to patch the SFE code to bypass accelerating IPSec traffic to make it work.
quarkysg wrote:
Try disabling SFE and see if IPSec traffic starts routing over WAN. I have the same issue with IPSec routing over my VPN tunnels with SFE turned on. I had to patch the SFE code to bypass accelerating IPSec traffic to make it work.
Nothing to do with SFE; the config is still the same and it has been working all the time, it's just that iOS is now not using the correct route. _________________ KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Joined: 08 Jun 2010 Posts: 109 Location: New Zealand
Posted: Wed Apr 24, 2019 19:47 Post subject:
<Kong> wrote:
I just checked it: on both dd-wrt and openwrt, only LAN access works; WAN access through IPsec does not work. iOS does not even send any request through the tunnel in the case of WAN access, so I am very sure this is an iOS bug.
I'm a bit confused here. My iOS won't even initiate a VPN connection on current Kong builds, but I have no problem whatsoever on 37985?
Can someone who knows more than me explain these log entries I see when my attempt to get the VPN up and running on current Kong builds fails? This seems to be where the problem is, as I can't even get a VPN session initiated.
Apr 21 16:15:03 DD-WRT daemon.info : 06[KNL] received netlink error: No such file or directory (2)
Apr 21 16:15:03 DD-WRT daemon.info : 06[KNL] unable to add SAD entry with SPI c6f7a0bb (FAILED)
Apr 21 16:15:03 DD-WRT daemon.info : 06[KNL] received netlink error: No such file or directory (2)
Apr 21 16:15:03 DD-WRT daemon.info : 06[KNL] unable to add SAD entry with SPI 0525fab7 (FAILED)
Apr 21 16:15:03 DD-WRT daemon.info : 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Is it possible there is a missing module, dependency or component? The 'No such file or directory' seems like the culprit? _________________ RT-AX86U MerlinWRT & RT-AC68U DD-WRT
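Added example, not from this thread and not DD-WRT's or strongSwan's own code: a small Python triage script that parses charon log lines of the kind quoted in this thread (the R7000P log earlier in the thread and the five lines just above) and reports which stage of the IKEv2 negotiation failed. The sample log is constructed from those lines with the addresses and identities replaced by placeholders. The ENOENT verdict reflects the usual meaning of "No such file or directory" on an SAD add through the kernel's XFRM netlink interface (the ESP type or a negotiated algorithm is not available in the kernel); it is a hint about what to check, not a confirmed root cause for these builds.

```python
import re

# Constructed sample modelled on the strongSwan (charon) lines quoted in this
# thread; addresses and identities are placeholders, not a real capture.
SAMPLE_LOG = """\
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] authentication of 'home' with EAP successful
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] IKE_SA ikev2[3] established between 192.168.1.2[gw]...198.51.100.7[home]
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] assigning virtual IP 192.168.1.110 to peer 'home'
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] peer requested virtual IP %any6
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] no virtual IP found for %any6 requested by 'home'
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] received netlink error: No such file or directory (2)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] unable to add SAD entry with SPI c6ba27ff (FAILED)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] received netlink error: No such file or directory (2)
Apr 5 08:21:31 R7000P daemon.info : 13[KNL] unable to add SAD entry with SPI 09ad2ed3 (FAILED)
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Apr 5 08:21:31 R7000P daemon.info : 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Apr 5 08:21:31 R7000P daemon.info : 07[IKE] received DELETE for IKE_SA ikev2[3]
"""

# syslog prefix followed by charon's "<thread>[<subsystem>] <message>" layout
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<facility>[\w.]+)\s+:\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+(?P<msg>.*)$"
)
NETLINK_RE = re.compile(r"received netlink error: (?P<text>.+?) \((?P<errno>\d+)\)")
SAD_RE = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<name>\S+) established between")
VIP_MISS_RE = re.compile(r"no virtual IP found for (?P<pool>\S+) requested by")

ENOENT = 2  # the errno the KNL lines in the thread report


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Walk a charon log and summarise how far the IKEv2 negotiation got."""
    r = {
        "eap_auth_ok": False,
        "ike_sa_name": None,        # e.g. ikev2[3]
        "vip_misses": [],           # virtual-IP pools the responder could not serve
        "netlink_errnos": [],       # errno values reported by the kernel (KNL) subsystem
        "failed_spis": [],          # SPIs whose SAD entry the kernel refused
        "child_sa_failed": False,
        "peer_deleted_ike_sa": False,
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, subsys = rec["msg"], rec["subsys"]
        if subsys == "IKE":
            if "with EAP successful" in msg:
                r["eap_auth_ok"] = True
            if m := ESTABLISHED_RE.search(msg):
                r["ike_sa_name"] = m.group("name")
            if m := VIP_MISS_RE.search(msg):
                r["vip_misses"].append(m.group("pool"))
            if "failed to establish CHILD_SA" in msg:
                r["child_sa_failed"] = True
            if "received DELETE for IKE_SA" in msg:
                r["peer_deleted_ike_sa"] = True
        elif subsys == "KNL":
            if m := NETLINK_RE.search(msg):
                r["netlink_errnos"].append(int(m.group("errno")))
            if m := SAD_RE.search(msg):
                r["failed_spis"].append(m.group("spi"))
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    """Map the collected facts onto the stage that failed."""
    if r["ike_sa_name"] is None:
        return "ike-failed"              # never got past IKE_SA setup / authentication
    if r["child_sa_failed"] and r["failed_spis"]:
        if ENOENT in r["netlink_errnos"]:
            # IKE and EAP succeeded; the kernel refused the ESP SAs with ENOENT,
            # which is what XFRM returns when the ESP type or a negotiated
            # algorithm is not built in or loaded. A hint to check, not proof.
            return "kernel-sa-install-failed-enoent"
        return "kernel-sa-install-failed"
    if r["vip_misses"]:
        return "ok-with-warnings"        # an unserved %any6 request on its own is benign
    return "ok"


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:>20}: {value}")
```

Feed it the whole charon log for one connection attempt rather than only the failing lines, so that the EAP and IKE_SA state is seen; on the logs in this thread it reports that authentication and the IKE_SA completed, that the "%any6" line is only a warning, and that the actual failure is the kernel refusing the SAD entries.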
Joined: 08 Jun 2010 Posts: 109 Location: New Zealand
Posted: Tue Apr 30, 2019 21:17 Post subject:
<Kong> wrote:
quarkysg wrote:
Try disabling SFE and see if IPSec traffic starts routing over WAN. I have the same issue with IPSec routing over my VPN tunnels with SFE turned on. I had to patch the SFE code to bypass accelerating IPSec traffic to make it work.
Nothing to do with SFE; the config is still the same and it has been working all the time, it's just that iOS is now not using the correct route.
Any chance you can comment on my prior post? I don't think there is an iOS bug in my situation, as everything works on your December build, which suggests iOS is not having bugs/issues.
I would be curious to know your thoughts on the errors in the log I cited in my prior post. _________________ RT-AX86U MerlinWRT & RT-AC68U DD-WRT
Joined: 08 Jun 2010 Posts: 109 Location: New Zealand
Posted: Sun May 05, 2019 20:03 Post subject:
nolimitz wrote:
So I rolled back to 35550M, re-generated certs and re-set up the iPhone VPN, and iOS 12.2 will connect fine.
Now my only problem on R7000P is that if I enable IPSec and reboot, I have no wifi, so I have to enable IPSec manually after a completed reboot.
Try running 37985M. I was having some issues on builds earlier than that where I had to manually disable and re-enable IPSec after a reboot. However, on 37985M I don't have that problem.
Again this really suggests, contrary to Kong's post, that the issue is NOT iOS 12.2 related, I believe, which kind of makes the title of this thread misleading. I am running iOS 12.1 and iOS 12.1.1 beta 3 and can't get IPSec to work on builds after 37985M.
EDIT: Also, Kong, if you read this, I love your builds and all you do for the community. It just seems something is a bit twitchy with IPSec lately. _________________ RT-AX86U MerlinWRT & RT-AC68U DD-WRT
Last edited by spaceghost on Mon May 06, 2019 7:26; edited 1 time in total
spaceghost wrote:
So I rolled back to 35550M, re-generated certs and re-set up the iPhone VPN, and iOS 12.2 will connect fine.
Now my only problem on R7000P is that if I enable IPSec and reboot, I have no wifi, so I have to enable IPSec manually after a completed reboot.
Try running 37985M. I was having some issues on builds earlier than that where I had to manually disable and re-enable IPSec after a reboot. However, on 37985M I don't have that problem.
Again this really suggests, contrary to Kong's post, that the issue is NOT iOS 12.2 related, I believe, which kind of makes the title of this thread misleading. I am running iOS 12.1 and iOS 12.1.1 beta 3 and can't get IPSec to work on builds after 37985M.
This is my experience also... I love the Kong builds and this is in no way a complaint about his work, but I had to revert back to 38580 as the newer builds broke IPSec. Even though I'm on a build that works, I find that if I make any changes to the system, I have to disable and re-enable IPSec for it to work with both iOS and Windows 10 clients.
I definitely believe the problem is in the builds, as I cannot connect from Windows on the newer builds either. That would indicate it is not an iOS issue... Again, many thanks to Kong for helping me get IPSec up and running in the first place.
spaceghost wrote:
So I rolled back to 35550M, re-generated certs and re-set up the iPhone VPN, and iOS 12.2 will connect fine.
Now my only problem on R7000P is that if I enable IPSec and reboot, I have no wifi, so I have to enable IPSec manually after a completed reboot.
Try running 37985M. I was having some issues on builds earlier than that where I had to manually disable and re-enable IPSec after a reboot. However, on 37985M I don't have that problem.
Again this really suggests, contrary to Kong's post, that the issue is NOT iOS 12.2 related, I believe, which kind of makes the title of this thread misleading. I am running iOS 12.1 and iOS 12.1.1 beta 3 and can't get IPSec to work on builds after 37985M.
I updated the thread title, and I also edited the first post to add a section for the actual problem: newer builds have issues connecting, older builds will connect fine with no issues on my R7000, while wireless will not work on R7000P.
I tried build 37985M and IPSec will work, but wifi will not work after reboot on R7000P, the same behavior as build 35550M.