Monday 28 October 2019

Establishing a VPN connection from iOS to Windows 10

After experimenting with the built-in VPN functionality on a “hand-me-down” iPad running the latest/last iOS version for the hardware (12.4.2), there were enough things that were not immediately obvious to warrant a short note.

 The iPad offers 3 “types” of VPN:

  1. L2TP
  2. IPSec
  3. IKEv2
The first difficulty is the nomenclature of the types. “L2TP” (Layer 2 Tunneling Protocol, RFC 2661) can be used standalone, but is normally used in conjunction with IPsec and referred to as “L2TP/IPsec”. Indeed, the first option is actually L2TP/IPsec (with pre-shared key phase 1 authentication) and not plain L2TP. That naming brevity alone would not be so confusing if it were not for the fact that another option is “IPsec”.

 The “IPsec” configuration shows a Cisco banner and allows a Cisco IPsec with XAUTH VPN (XAUTHInitPreShared or XAUTHInitRSA, https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02) to be configured. Windows 10 does not natively support Cisco XAUTH VPNs.

Using L2TP over IPsec


The iPad L2TP/IPsec client sends 14 phase 1 transform proposals, at least one of which is acceptable to Windows 10. The authentication method is always “pre-shared key”, the encryption algorithms are AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms are SHA2-512, SHA2-256, SHA and MD5 and the group descriptions are 2048-bit MODP group, 1536-bit MODP group and alternate 1024-bit MODP group.

 By default, Windows 10 chooses 3DES-CBC, SHA, and alternate 1024-bit MODP group. Windows 10 can be configured such that it chooses a more secure transform (via RasMan service parameters such as NegotiateDH2048 and NegotiateDH2048_AES256).

 The iPad L2TP/IPsec client sends 6 phase 2 transform proposals, at least one of which is acceptable to Windows 10. The encryption algorithms are AES-CBC-256, AES-CBC-128 and 3DES-CBC, the HMAC algorithms are HMAC-SHA1-96 and HMAC-MD5-96.
By default, Windows 10 chooses AES-CBC-256 and HMAC-SHA1-96.

Shared Secret


As mentioned in an earlier article on the Windows 10 and macOS VPN combination, there is no straightforward user interface in Windows 10 that enables an L2TP/IPsec pre-shared key to be set. There is a “trick” that works or a short program can be written that calls the RRAS (Routing and Remote Access Service) API routine MprAdminInterfaceSetCredentialsEx to set the value.

Using IKEv2


When first viewing the iPad IKEv2 configuration dialog, the (required) “Remote ID” and (optional) “Local ID” are the first two items whose meaning and implication are not totally clear.

 The “Remote ID” setting is used in two ways: it is used to verify that the identity asserted by the VPN server matches expectations and it is sent to the server (as an IDr Identification payload) to help the server select an identity (in case it has more than one, using redirection). A weakness of the iOS implementation is that it always seems to send the “Remote ID” with a type of “ID_FQDN” and represented as an ASCII string, although other values might be more appropriate (e.g. a type of ID_DER_ASN1_DN and a DER (Distinguished Encoding Rules) encoding of the value).

 The “Local ID”, if set, is sent as the IDi Identification payload, with the same encoding problems as the “Remote ID”. If “Local ID” is not set, the local IP address is sent with the correct binary encoding and a type of ID_IPV4_ADDR or ID_IPV6_ADDR, as appropriate.

 No Vendor ID payloads are sent and the following Notify payloads are sent:

 First message → NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP, IKEV2_FRAGMENTATION_SUPPORTED and REDIRECT_SUPPORTED

 Second message → INITIAL_CONTACT, MOBIKE_SUPPORTED, ESP_TFC_PADDING_NOT_SUPPORTED, NON_FIRST_FRAGMENTS_ALSO

Authentication


Similar to macOS, iOS offers 3 options: None (IKEv2 non-EAP authentication), Username (EAP-MSCHAPv2) and certificate (EAP-TLS).

 The EAP mechanisms require a replacement for missing functionality on Windows 10 (as discussed in the macOS VPN blog entry) but otherwise work – with one quirk. If one chooses Username authentication and leaves the Password field blank in the configuration (implying “Ask Every Time”) then the VPN connection attempt always fails; a dialog enabling entry of a password does pop up, but the entered password does not seem to be used (the connection just times out, without ever sending the MSCHAPv2 response and the iPad console log just reports “Failed to process IKE Auth (EAP) packet (connect)”).

 The non-EAP IKEv2 authentication methods include RSA Digital Signature, Shared Key Message Integrity Code and ECDSA with SHA-256 on the P-256 curve (plus 384 and 512 bit equivalents). Via the configuration user interface, one can choose between certificate and pre-shared key methods. However, if the certificate method is chosen, the iOS client always indicates that the RSA Digital Signature method has been chosen, regardless of the type of certificate. The iOS Security Guide explicitly states: “IKEv2/IPSec with authentication by shared secret, RSA Certificates, ECDSA Certificates, EAP-MSCHAPv2, or EAP-TLS”.

 For unknown reasons, iOS does not use the type of the configured certificate to set the authentication method, but instead uses a configuration setting that is not visible in the user interface (and which defaults to RSA). If one is prepared to create and install a Device Management Profile (a “.mobileconfig” file), one can set CertificateType to one of RSA, ECDSA256, ECDSA384, ECDSA512, or Ed25519 (https://developer.apple.com/documentation/devicemanagement/vpn/ikev2).

Security Association Proposals


By default, the iPad IKEv2 client sends 5 phase 1 transform proposals. The encryption algorithms include AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms include SHA2-256 and SHA and the Diffie-Hellman groups are 2048-bit MODP group, 256-bit random ECP group, 1536-bit MODP group and 1024-bit MODP group.

 The iPad IKEv2 client sends 5 phase 2 transform proposals. The encryption algorithms include AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms include SHA2-256 and SHA.

 It is possible to specify transforms via a Device Management Profile. The documentation claims support for the following:

 Encryption algorithms: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM, ChaCha20Poly1305

 Integrity algorithms: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512

 Diffie-Hellman groups: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 31

 In common with the built-in Windows IKEv2 client, if one specifies a transform to be used (rather than just using the defaults), then only that one transform is sent (so one needs to be sure that the VPN server accepts it, since there are no alternative proposals).
Posted by at

3 comments:

  1. Elvira Rowse29 June 2021 at 13:53

    This is a appealing post by the way. I am going to go ahead and save this article for my brother to check out later on tomorrow. Keep up the high-quality work. More Info

    ReplyDelete
  2. sebus4 February 2022 at 21:49

    Sadly this post is almost like a taster only. One little bite, but nothing more. It simply does not explain anything in terms of actual config!

    I only get on NPS server (when trying to connect from iOS with Apple Configurator 2 created IKEv2 VPN profile with certificate) to Windows Server RRAS AlwaysonVPN:

    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: 313333
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    ReplyDelete
  3. Susu18 July 2023 at 03:16

    The IOS VPN I use works on Windows, but it doesn’t work on ios. I don’t know why, so should I choose more VPNs?

    ReplyDelete

Subscribe to: Post Comments (Atom)