
genakrikadil

macrumors newbie
Original poster
Oct 17, 2019
Hi, I have a client-to-site IKEv2 IPsec VPN to a Cisco router with authentication via certificate. It was working before the upgrade to Catalina. I'm 100% positive no changes were made on the router. Now it says "User Authentication Failed". Debug on the router side looks good: the router verifies the certificate, assigns an IP from the pool, creates the virtual interface, etc. Authentication Settings on the Mac are set to <none> Certificate. I tried to delete the VPN account on the Mac and re-create it again; same thing.

I do not believe it is anything encryption related, but just to be consistent, here are the router settings:

I have this for IKEv2
crypto ikev2 proposal macos
encryption aes-cbc-256
integrity sha256
group 14
crypto ikev2 proposal win7
encryption aes-cbc-256
integrity sha1
group 2

This is for IPsec
crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set aes256-sha1-win7 esp-aes 256 esp-sha-hmac


The error message on the Mac side is "User Authentication Failed". Can you please tell me what the right way is to debug IPsec (IKEv2) on a Mac? I tried to find any logs related to the subject without success.

Thanks a lot!

gaaronk

macrumors newbie
Oct 18, 2019
Hello!

You need to add some permissions to the private key of the certificate.

The ne* binaries are located in /usr/libexec,
and NEIKEv2Provider.appex is in /System/Library/Frameworks/NetworkExtension.framework/PlugIns

cert-permissions.png

genakrikadil

macrumors newbie
Original poster
Oct 17, 2019
Thank you, Sir, for your answer. I did this:
I opened Keychain, found the certificate I use for VPN, expanded it, and inside I see the private key. I right-clicked on it, selected "Get Info", clicked on the "Access Control" tab and added the files as per the list above. The only file I am missing is "com.apple.identity.support"; it is not in the folders you mentioned. After that I saved the changes and logged out and back in; same thing, "User Authentication Failed". Is it because I need to add "com.apple.identity.support"? Where can I find this file? Thank you so much for your help.

gaaronk

macrumors newbie
Oct 18, 2019
I don't know. It was added automatically when I added my certificate.

You can try to export and re-import the certificate, or, only for tests, set "Allow all applications..."

genakrikadil

macrumors newbie
Original poster
Oct 17, 2019
"Allow any applications": this is what was there from the beginning. I tried this: deleted the server CA, user cert and user private key from the keychain, removed the VPN connection, rebooted, re-imported the server CA, user cert and user private key, and in the keychain for all of the above: trusted the CA, allowed everything for the cert and private key. Re-created the VPN connection. The first time it did something for about 10 seconds and said "timeout accessing the server" or something like that, and the next time it immediately gave "user authentication error" as it did before. I guess Apple broke something fundamental related to security and certificate/private key handling here.... Thanks a lot for trying!