Netgate Discussion Forum

IPsec IKEv2 Configuration and VPN initiation from an Apple iOS 8.x client

2.2 Snapshot Feedback and Problems - RETIRED
    harbord
    last edited by Dec 15, 2014, 12:19 AM

    I updated my Internet Router / Firewall to pfSense Release Candidate 2.2 during this weekend. My primary purpose was to use my pfSense instance as a VPN termination point for an Apple iOS 8 IPsec IKEv2 VPN.

    I have successfully been able to initiate an IPsec IKEv2 VPN using mutual authentication with X.509 Machine Certificates using RSA signatures. So far I have successfully performed limited traffic testing using ping commands. I intend to perform more extensive traffic testing in due course.

    My environment is as follows:

    • PC Engines APU with pfSense Release Candidate 2.2
    • OS X Yosemite with OS X Server App 4.x and Profile Manager to push iOS Configuration Profiles to test iPad
    • iPad with iOS 8.x to test the VPN initialisation
    • Xcode to view the console log of my test iPad
    • Cloud based syslog server for easier viewing of the pfSense IPsec syslog

    StrongSwan Wiki - IKEv2 Configuration Profile for Apple iOS 8 and newer

    • The StrongSwan wiki provided the critical information that “Distinguished Names are currently not handled correctly"
    • Within my pfSense configuration for Mutual RSA authentication, I utilised:
          - Local Identifier = IP Address
          - Remote / Peer Identifier = User distinguished name i.e. email address

    IKEv2 Security Association Parameters used

    • Encryption Algorithm
          - AES-128, AES-256
    • Integrity Algorithm
          - SHA2-256, SHA2-384, SHA2-512
    • Diffie Hellman Group
          - 2 (Default) - 1024

    Configurations Steps

    1 - Within pfSense > System > Cert Manager
        - Create self-signed Certificate Authority
              - Common Name = Example.com CA
        - Create a Server Certificate
              - Common Name = vpn.example.com
              - Subject alternative name - DNS - vpn.example.com
              - Subject alternative name - IP - xx.xx.xx.xx - i.e. VPN public IP Address
        - Create a User Certificate
              - Common name = users.example.com
              - Subject alternative name - email - users@example.com
        - Export certificates for later creation of iOS Configuration Profiles
              - Use pfsense diagnostic command line to:
                  - Upload user cert and key files
                  - Utilise openssl to create encrypted PKCS#12 certificate identity for use later within iOS configuration profiles
                  - openssl pkcs12 -passout pass:'<my-p12-file-password>' -export -in /tmp/<user-certificate>.crt -inkey /tmp/<user-key>.key -out /tmp/user-cert.p12

    2 - Within pfSense > VPN > IPsec > Mobile Clients
        - Enable IPsec Mobile Client Support
        - Virtual Address Pool - 172.16.16.0/24
        - DNS Default Domain - example.com
        - DNS Server - 192.168.1.1

    3 - Phase 1 Configuration
        - Key Exchange Version = 2
        - Internet Protocol = IPv4
        - Interface = WAN
        - Authentication Method = Mutual RSA
        - My Identifier = My IP Address
        - Peer Identifier = User distinguished name - users@example.com
        - My Certificate = vpn.example.com
        - My Certificate Authority = Example.com CA
        - Phase 1 proposal
              - Encryption - AES 256bits
              - Hash = SHA256
              - DH Key Group - 2 (1024 bit)

    4 - Phase 2 Configuration
        - Protocol = ESP
        - Encryption = AES auto
        - Hash = SHA256, SHA384, SHA512

    5 - Within pfSense > VPN > IPsec  > Advanced Settings
        - Enable diag logging as required

    6 - Within pfSense > Status > System Logs > Settings
        - Enable syslog server as required

    7 - Within OS X Server App - Profile Manager
        - Create Certificate payload
              - Example.com CA certificate
              - vpn.example.com certificate
              - users@example.com certificate identity
        - VPN Payload
              - Hostname - vpn.example.com
              - Local Identifier = users@example.com
              - Remote Identifier = xx.xx.xx.xx - i.e. VPN public IP Address
              - Credential =  users@example.com certificate identity
              - Server Certificate Issuer Common Name - Example.com CA
              - Server Certificate Common Name - vpn.example.com
              - IKE SA Params - As above IKEv2 Security Association Parameters
              - Child SA Params - As above IKEv2 Security Association Parameters
        - Push Configuration Profile to test iOS device

    8 - Initiate VPN on test iOS device and debug as required.

      catfish99
      last edited by Jan 17, 2015, 1:30 AM

      I've tried setting up IKEv2 the way described, and it doesn't seem to work.

      Any possibility you could include screenshots from the iOS configurator side of things and pfSense setup? That way I could check my setup. Alternatively I could share my setup and ask for feedback.

      Please advise.

      thanks in advance.

        dstroot
        last edited by Jan 18, 2015, 2:06 AM

        I have been trying for a while now to connect my family's iOS devices (iOS 8.1.2) to pfSense 2.2.

        My goals are:

        1. ideally no additional software needed - sorry all you fans, OpenVPN is just clunky.  I want to just flip "VPN" on in general settings…
        2. as securely as possible send ALL traffic into my pfsense box and either:
              a) back out to the Internet.
              b) or, interact with internal LAN resources
        3. relatively simple setup. Certs, OS X Server/Profile Manager seems to be overkill for my needs. An account with a really long pswd is OK with me.

        Does anyone have something like this working?  I'd be happy to document it for everyone else.  I think I am basically looking for the above without the profile/cert if that is possible.

          catfish99
          last edited by Jan 18, 2015, 2:44 AM

          dstroot -

          You might want to take a look at André Gasser's Blog. He has a posting on - How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux - It's quite helpful to set up IPsec using IKEv1

          https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

            catfish99
            last edited by Jan 18, 2015, 5:28 PM Jan 18, 2015, 3:30 AM

            Further to my earlier message, let me share the settings I am using.

            I ask that folks on here review and let me know what to adjust (if anything) to get it to work.

            Thanks in advance.

            PFSENSE - IPsec IKEv2 Configuration

            
            VPN: IPsec: Edit Phase 1: Mobile Client
            
            Tunnels
            ---------
            
            General information
            Disabled	 [not selected]
            Key Exchange version	 [v2]
            
            Internet Protocol	 [IPv4]
            Interface	 [WAN]
            
            Description	 [IPSec Phase 1]
            
            Phase 1 proposal (Authentication)
            ----------------------------------
            Authentication method	[Mutual RSA]
            
            My Identifier [My IP address]
            
            Peer identifier [User distinguished name] - vpn@privaterra.info
            
            My Certificate [IPSec Server Cert] (Server Certificate created in the Certificate Manager)
            
            My Certificate  Authority [PrivaterraCA] ( certificate authority previously configured in the Certificate Manager)
            
            Phase 1 proposal (Algorithms)
            ----------------------------------
            
            Encryption algorithm	[AES] [256 bits]
            Hash algorithm [SHA256]
            DH key group [2 (1024 bit)]
            
            Lifetime [1440]
            
            Advanced Options
            ----------------------------------
            
            Disable Rekey [not selected]
            Disable Reauth	[not selected]
            
            NAT Traversal [Force]
            
            Dead Peer Detection [Enabled]
            Delay between requesting peer acknowledgement.  [10] seconds
            Number of consecutive failures allowed before disconnect. [5] retries
            
            Phase-2 entries
            
            Disabled [not selected]
            Mode [Tunnel IPv4]
            
            Local Network 
             - Type [LAN Subnet]
             -  In case you need NAT/BINAT on this network specify the address to be translated 
                 - Type [None]
            
            Phase 2 proposal (SA/Key Exchange)
            ----------------------------------
            
            Protocol [ESP]
            
            Encryption algorithms [AES] [AUTO]
            
            Hash algorithms 
            - MD5 [not selected]
            - SHA1 [not selected]
            - SHA256 [selected]
            - SHA384 [selected]
            - SHA512 [selected]
            
            PFS key group [2 (1024 bit)]
            
            Lifetime	[1440] seconds
            
            MOBILE CLIENTS
            
            IKE Extensions	
             - Enable IPsec Mobile Client Support [Selected]
            
            Extended Authentication (Xauth)
            
            - User Authentication [local database]
            - Group  Authentication [system]
            
            Client Configuration (mode-cfg)
            
            Virtual Address Pool
            - Provide a virtual IP address to clients [enabled]
            - Network: 192.168.78.0/24
            - Network List [not selected]
            - Save Xauth Password [selected]
            - DNS Default Domain [selected] - vpn.pvt
            - Split DNS [not selected]
            - DNS Servers [selected]
             	Server #1 - 75.75.75.75
             	Server #2 - 75.75.76.76	
            
            

            Apple Configurator - VPN Configuration

            
            Connection Name [IPsec IKEv2]
            Connection type [IKEv2 (iOS only)]
            
            Server [vpn.xxx.xxx]
            Local identifier [vpn@privaterra.info]
            Remote identifier [vpn.xxx.xxx]
            
            Machine Authentication [Certificate]
            Identify Certificate [user x509 certificate]
            
            Server certificate Issuer Common Name [blank]
            Server certificate Common Name [blank]
            
            Enable EAP [not selected]
            
            Dead Peer Selection Rate [Medium]
            
            IKE SA Params
            -----------------
            
            Encryption Algorithm [AES - 256]
            Integrity Algorithm [SHA2 - 256]
            
            Diffie Hellman Group [2]
            
            Lifetime in Minutes [1440]
            
            Proxy Setup [none]
            
            Child SA Params
            -----------------
            
            Encryption Algorithm [AES - 256]
            Integrity Algorithm [SHA2 - 256]
            
            Diffie Hellman Group [2]
            
            Lifetime in Minutes [1440]
            
            Proxy Setup [none]
            
            

            Apple Configurator - VPN Configuration - Certificates

            Included 3 certificates in payload:

            1. IPSEC server (Certificate, .crt)
            2. Certificate Authority (used to create #1, .crt)
            3. User certificate (.p12)

              MikeV7896
              last edited by Jan 18, 2015, 2:58 PM Jan 18, 2015, 2:44 PM

              @catfish99:

              dstroot -

              You might want to take a look at André Gasser's Blog. He has a posting on - How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux - It's quite helpful to set up IPsec using IKEv1

              https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

              I actually went through his settings as a base (they're for an earlier version so a couple don't match 2.2 exactly) and found something that might work… except for one minor issue...

              Jan 18 09:31:36	charon: 06[IKE] <33> 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
              Jan 18 09:31:36	charon: 06[IKE] 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
              Jan 18 09:23:46	charon: 15[IKE] <32> Aggressive Mode PSK disabled for security reasons
              Jan 18 09:23:46	charon: 15[IKE] Aggressive Mode PSK disabled for security reasons
              

              That appears in my IPSec log when I try to connect. This is rather unfortunate, as like dstroot, I don't want to deal with certificates and the like, but it seems that PSK is disabled as an option.

              BTW… here are the Phase 1 proposals that iOS will accept, at least for a non-certificate setup directly on the device:

              • Encryption: AES-256, AES-128, 3DES, or DES
              • Hash: SHA1 or MD5
              • DH Key Group: 2 (1024 bit)

              I would assume Phase 2 is similar, but since I can't get past phase 1 authentication, I don't know that for certain.

              EDIT: Oh also... I'm using IKEv1, not V2. V2 does not appear to work with the on-device settings like it does with the Apple Configurator.

              The S in IOT stands for Security

                catfish99
                last edited by Jan 18, 2015, 4:22 PM Jan 18, 2015, 4:18 PM

                Having issues connecting - seem to get no matching peer config found error.

                Let me share below the following:

                1. IPSEC server log entries that correspond to the configuration/setup I detailed in an earlier post.
                2. /var/etc/ipsec/ipsec.conf

                IPSEC server log

                Last 300 IPsec log entries
                Jan 18 11:07:52 charon: 12[NET] sending packet: from server.IP-address.com[4500] to ios-device.IP-address.com[10082] (80 bytes)
                Jan 18 11:07:52 charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                Jan 18 11:07:52 charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                Jan 18 11:07:52 charon: 12[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                Jan 18 11:07:52 charon: 12[CFG] no matching peer config found
                Jan 18 11:07:52 charon: 12[CFG] looking for peer configs matching server.IP-address.com[server.domain-name.com]…ios-device.IP-address.com[vpn@privaterra.org]
                Jan 18 11:07:52 charon: 12[IKE] received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
                Jan 18 11:07:52 charon: 12[IKE] <3> received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
                Jan 18 11:07:52 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
                Jan 18 11:07:52 charon: 12[NET] received packet: from ios-device.IP-address.com[10082] to server.IP-address.com[4500] (2576 bytes)
                Jan 18 11:07:51 charon: 12[NET] sending packet: from server.IP-address.com[500] to ios-device.IP-address.com[10094] (337 bytes)
                Jan 18 11:07:51 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
                Jan 18 11:07:51 charon: 12[IKE] sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
                Jan 18 11:07:51 charon: 12[IKE] <3> sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
                Jan 18 11:07:51 charon: 12[IKE] remote host is behind NAT
                Jan 18 11:07:51 charon: 12[IKE] <3> remote host is behind NAT
                Jan 18 11:07:51 charon: 12[IKE] ios-device.IP-address.com is initiating an IKE_SA
                Jan 18 11:07:51 charon: 12[IKE] <3> ios-device.IP-address.com is initiating an IKE_SA
                Jan 18 11:07:51 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
                Jan 18 11:07:51 charon: 12[NET] received packet: from ios-device.IP-address.com[10094] to server.IP-address.com[500] (288 bytes)

                /var/etc/ipsec/ipsec.conf

                This file is automatically generated. Do not edit

                config setup
                uniqueids = yes
                charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,cfg 2,knl 2,net 2,asn 2,enc 2,imc 2,imv 2,pts 2,tls 2,esp 2,lib 2"

                conn con1
                fragmentation = yes
                keyexchange = ikev2
                reauth = yes
                forceencaps = yes
                rekey = yes
                installpolicy = yes
                type = tunnel
                dpdaction = clear
                dpddelay = 10s
                dpdtimeout = 60s
                auto = add
                left = server-ip-address
                right = %any
                leftid = server-ip-address
                ikelifetime = 86400s
                lifetime = 1440s
                rightsourceip = 192.168.78.0/24
                ike = aes256-sha256-modp1024!
                esp = aes256-sha256-modp1024,aes256-sha384-modp1024,aes256-sha512-modp1024,aes192-sha256-modp1024,aes192-sha384-modp1024,aes192-sha512-modp1024,aes128-sha256-modp1024,aes128-sha384-modp1024,aes128-sha512-modp1024!
                leftauth = pubkey
                rightauth = pubkey
                leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
                rightsubnet = 192.168.78.0/24
                leftsubnet = 192.168.3.0/24

                  eri--
                  last edited by Jan 18, 2015, 4:53 PM

                  @virgiliomi:

                  I actually went through his settings as a base (they're for an earlier version so a couple don't match 2.2 exactly) and found something that might work… except for one minor issue...

                  Jan 18 09:31:36	charon: 06[IKE] <33> 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
                  Jan 18 09:31:36	charon: 06[IKE] 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
                  Jan 18 09:23:46	charon: 15[IKE] <32> Aggressive Mode PSK disabled for security reasons
                  Jan 18 09:23:46	charon: 15[IKE] Aggressive Mode PSK disabled for security reasons
                  

                  You have an advanced setting to allow that since Aggressive mode + PSK is a security risk in general which can be exploited.

                    eri--
                    last edited by Jan 18, 2015, 4:54 PM

                    @catfish99:

                    Having issues connecting - seem to get no matching peer config found error.

                    Let me share below the following:

                    1. IPSEC server log entries that correspond to the configuration/setup I detailed in an earlier post.
                    2. /var/etc/ipsec/ipsec.conf

                    IPSEC server log

                    Last 300 IPsec log entries
                    Jan 18 11:07:52 charon: 12[NET] sending packet: from server.IP-address.com[4500] to ios-device.IP-address.com[10082] (80 bytes)
                    Jan 18 11:07:52 charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                    Jan 18 11:07:52 charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                    Jan 18 11:07:52 charon: 12[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                    Jan 18 11:07:52 charon: 12[CFG] no matching peer config found
                    Jan 18 11:07:52 charon: 12[CFG] looking for peer configs matching server.IP-address.com[server.domain-name.com]…ios-device.IP-address.com[vpn@privaterra.org]
                    Jan 18 11:07:52 charon: 12[IKE] received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
                    Jan 18 11:07:52 charon: 12[IKE] <3> received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
                    Jan 18 11:07:52 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
                    Jan 18 11:07:52 charon: 12[NET] received packet: from ios-device.IP-address.com[10082] to server.IP-address.com[4500] (2576 bytes)
                    Jan 18 11:07:51 charon: 12[NET] sending packet: from server.IP-address.com[500] to ios-device.IP-address.com[10094] (337 bytes)
                    Jan 18 11:07:51 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
                    Jan 18 11:07:51 charon: 12[IKE] sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
                    Jan 18 11:07:51 charon: 12[IKE] <3> sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
                    Jan 18 11:07:51 charon: 12[IKE] remote host is behind NAT
                    Jan 18 11:07:51 charon: 12[IKE] <3> remote host is behind NAT
                    Jan 18 11:07:51 charon: 12[IKE] ios-device.IP-address.com is initiating an IKE_SA
                    Jan 18 11:07:51 charon: 12[IKE] <3> ios-device.IP-address.com is initiating an IKE_SA
                    Jan 18 11:07:51 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
                    Jan 18 11:07:51 charon: 12[NET] received packet: from ios-device.IP-address.com[10094] to server.IP-address.com[500] (288 bytes)

                    /var/etc/ipsec/ipsec.conf

                    This file is automatically generated. Do not edit

                    config setup
                    uniqueids = yes
                    charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,cfg 2,knl 2,net 2,asn 2,enc 2,imc 2,imv 2,pts 2,tls 2,esp 2,lib 2"

                    conn con1
                    fragmentation = yes
                    keyexchange = ikev2
                    reauth = yes
                    forceencaps = yes
                    rekey = yes
                    installpolicy = yes
                    type = tunnel
                    dpdaction = clear
                    dpddelay = 10s
                    dpdtimeout = 60s
                    auto = add
                    left = server-ip-address
                    right = %any
                    leftid = server-ip-address
                    ikelifetime = 86400s
                    lifetime = 1440s
                    rightsourceip = 192.168.78.0/24
                    ike = aes256-sha256-modp1024!
                    esp = aes256-sha256-modp1024,aes256-sha384-modp1024,aes256-sha512-modp1024,aes192-sha256-modp1024,aes192-sha384-modp1024,aes192-sha512-modp1024,aes128-sha256-modp1024,aes128-sha384-modp1024,aes128-sha512-modp1024!
                    leftauth = pubkey
                    rightauth = pubkey
                    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
                    rightsubnet = 192.168.78.0/24
                    leftsubnet = 192.168.3.0/24

                    From what I can tell this comes from the fact that both sides are pubkey authentication and something is not matching the RSA/Cert keys correctly.

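A small triage helper for the "no matching peer config found" failure discussed in the two posts above, added here as an example and not written by anyone in the thread. It pulls the IDr/IDi pair out of charon's "looking for peer configs matching" line and compares it with the leftid and Peer Identifier the pfSense-generated conn expects; the sample log lines are constructed to mirror catfish99's (strongSwan prints three ASCII dots between the two peers, which the forum rendered as an ellipsis), and the addresses and names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check the identities strongSwan actually
# tried to match against what the conn is configured with.
set -eu

# Constructed sample log (placeholder addresses, not the poster's real ones).
SAMPLE_LOG='Jan 18 11:07:52 charon: 12[CFG] looking for peer configs matching 203.0.113.10[vpn.example.com]...198.51.100.7[users@example.com]
Jan 18 11:07:52 charon: 12[CFG] no matching peer config found
Jan 18 11:07:52 charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]'

# peer_ids: read a charon log on stdin and print "<IDr> <IDi>" from the first
# "looking for peer configs matching A[IDr]...B[IDi]" line.
peer_ids() {
    sed -n 's/.*looking for peer configs matching [^[]*\[\([^]]*\)\]\.\.\.[^[]*\[\([^]]*\)\].*/\1 \2/p' |
        head -n 1
}

# check_peer_ids LEFTID PEERID: return 0 when the client's IDr/IDi match the
# conn's leftid and Peer Identifier, otherwise say which side to change and
# return 1 (2 when the log has no peer-config line at all).
check_peer_ids() {
    want_local=$1; want_remote=$2
    ids=$(peer_ids)
    if [ -z "$ids" ]; then
        echo "no 'looking for peer configs' line in log"
        return 2
    fi
    got_local=${ids%% *}; got_remote=${ids#* }
    rc=0
    if [ "$got_local" != "$want_local" ]; then
        echo "IDr mismatch: client asked for '$got_local', conn has leftid '$want_local'"
        echo "  -> set the profile's Remote Identifier to '$want_local'," \
             "or pfSense's My Identifier to '$got_local'"
        rc=1
    fi
    if [ "$got_remote" != "$want_remote" ]; then
        echo "IDi mismatch: client sent '$got_remote', Peer Identifier is '$want_remote'"
        echo "  -> set the profile's Local Identifier to the email SAN of the user cert"
        rc=1
    fi
    return $rc
}
```

On a live box the same check reads the real log: `clog /var/log/ipsec.log | check_peer_ids <leftid from ipsec.conf> <Peer Identifier>`; with leftid set to the WAN IP while the profile's Remote Identifier is the hostname, as in catfish99's configuration, it reports the IDr mismatch.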
                      MikeV7896
                      last edited by Jan 18, 2015, 7:52 PM Jan 18, 2015, 6:04 PM

                      @ermal:

                      You have an advanced setting to allow that since Aggressive mode + PSK is a security risk in general which can be exploited.

                      I don't see an advanced IPSec setting that is related to Aggressive Mode and PSK.  But I looked in the main system log and saw…

                      Jan 18 09:22:07	php-fpm[8492]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                      

                      That would tell me that a setting is being set automatically based on my configuration choices, even though it doesn't appear to have done anything since the connection is still not permitted.

                      EDIT: Never mind… after stopping and restarting the IPSec service, I'm able to connect. So IKEv1 PSK is no problem with iOS 8.1.2. Sorry about the slight hijack away from the IKEv2/certificate setup. :)

                      The S in IOT stands for Security

                        miken32
                        last edited by Jan 19, 2015, 6:12 PM

                        @virgiliomi:

                        @ermal:

                        You have an advanced setting to allow that since Aggressive mode + PSK is a security risk in general which can be exploited.

                        I don't see an advanced IPSec setting that is related to Aggressive Mode and PSK.  But I looked in the main system log and saw…

                        Jan 18 09:22:07	php-fpm[8492]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        

                        That would tell me that a setting is being set automatically based on my configuration choices, even though it doesn't appear to have done anything since the connection is still not permitted.

                        EDIT: Never mind… after stopping and restarting the IPSec service, I'm able to connect. So IKEv1 PSK is no problem with iOS 8.1.2. Sorry about the slight hijack away from the IKEv2/certificate setup. :)

                        Can you confirm that you're able to reach hosts on your LAN subnet from your iOS 8.1.2 device, and also that your internet traffic is routing through the remote pfSense?

                        If so, can you post a detailed list of your configs? I cannot get this working on 2.2; the connection works great but internet does not route through the VPN, and the only thing on the LAN I can reach is the pfSense itself. Thanks!

                          MikeV7896
                          last edited by Jan 19, 2015, 7:38 PM

                          @miken32:

                          Can you confirm that you're able to reach hosts on your LAN subnet from your iOS 8.1.2 device, and also that your internet traffic is routing through the remote pfSense?

                          If so, can you post a detailed list of your configs? I cannot get this working on 2.2; the connection works great but internet does not route through the VPN, and the only thing on the LAN I can reach is the pfSense itself. Thanks!

                          I can confirm that I can reach hosts on my LAN from my iOS device. Name resolution doesn't appear to be going over the VPN connection by default; I have an app that can specify a custom DNS server and it works there just fine specifying my pfSense box. Internet traffic does not seem to be going over the VPN either.

                          I noticed an option on my iPhone that appears with L2TP and PPTP, but not with IPSec, that allows "Send all traffic" over the VPN connection. On the other side, it could be something related to the default domain and/or split DNS settings on pfSense. I don't have time right now to experiment, unfortunately. Maybe later tonight.

                          The S in IOT stands for Security

                            MikeV7896
                            last edited by Jan 20, 2015, 5:03 PM

                            I've decided to give up on IPSec IKEv1 with just the settings on my phone, and instead focus on L2TP/IPSec instead, which is also done from just the phone. At least there's an option there to send all traffic over the connection. There's already a separate thread about that.

                            The S in IOT stands for Security
