IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client

dstroot · Jan 18, 2015, 2:06 AM

I have been trying for a while now to connect my families iOS devices (iOS 8.1.2) to pfsense 2.2.

My goals are:

ideally no additional software needed - sorry all you fans, OpenVPN is just clunky. I want to just flip "VPN" on in general settings…
as securely as possible send ALL traffic into my pfsense box and either:
a) back out to the Internet.
b) or, interact with internal LAN resources
relatively simple setup. Certs, OX server/profile manager seems to be overkill for my needs. An account with a really long pswd is OK with me.

Does anyone have something like this working? I'd be happy to document it for everyone else. I think I am basically looking for the above without the profile/cert if that is possible.

catfish99 · Jan 18, 2015, 2:44 AM

dstroot -

You might want to take a look at André Gasser's Blog. He has an posting on - How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux - It's quite helpful to setup IPSEC using IKEv1

https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

catfish99 · Jan 18, 2015, 5:28 PM

Further to my earlier message, let me share the settings I am using.

I ask that folks on here to review and let me know what to adjust (if anything) to get it to work..

Thanks in advance.

PFSENSE - IPsec IKEv2 Configuration


VPN: IPsec: Edit Phase 1: Mobile Client

Tunnels
---------

General information
Disabled	 [not selected]
Key Exchange version	 [v2]

Internet Protocol	 [IPv4]
Interface	 [WAN]

Description	 [IPSec Phase 1]

Phase 1 proposal (Authentication)
----------------------------------
Authentication method	[Mutual RSA]

My Identifier [My IP address]

Peer identifier [User distinguished name] - vpn@privaterra.info

My Certificate [IPSec Server Cert] (Server Certificate created in the Certificate Manager)

My Certificate  Authority [PrivaterraCA] ( certificate authority previously configured in the Certificate Manager)

Phase 1 proposal (Algorithms)
----------------------------------

Encryption algorithm	[AES] [256 bits]
Hash algorithm [SHA256]
DH key group [2 (1024 bit)]

Lifetime [1440]

Advanced Options
----------------------------------

Disable Rekey [not selected]
Disable Reauth	[not selected]

NAT Traversal [Force]

Dead Peer Detection [Enabled]
Delay between requesting peer acknowledgement.  [10] seconds
Number of consecutive failures allowed before disconnect. [5] retries

Phase-2 entries

Disabled [not selected]
Mode [Tunnel IPv4]

Local Network 
 - Type [LAN Subnet]
 -  In case you need NAT/BINAT on this network specify the address to be translated 
     - Type [None]

Phase 2 proposal (SA/Key Exchange)
----------------------------------

Protocol [ESP]

Encryption algorithms [AES] [AUTO]

Hash algorithms 
- MD5 [not selected]
- SHA1 [not selected]
- SHA256 [selected]
- SHA384 [selected]
- SHA512 [selected]

PFS key group [2 (1024 bit)]

Lifetime	[1440] seconds

MOBILE CLIENTS

IKE Extensions	
 - Enable IPsec Mobile Client Support [Selected]

Extended Authentication (Xauth)

- User Authentication [local database]
- Group  Authentication [system]

Client Configuration (mode-cfg)

Virtual Address Pool
- Provide a virtual IP address to clients [enabled]
- Network: 192.168.78.0/24
- Network List [not selected]
- Save Xauth Password [selected]
- DNS Default Domain [selected] - vpn.pvt
- Split DNS [not selected]
- DNS Servers [selected]
 	Server #1 - 75.75.75.75
 	Server #2 - 75.75.76.76

Apple Configurator - VPN Configuration


Connection Name [IPsec IKEv2]
Connection type [IKEv2 (iOS only)]

Server [vpn.xxx.xxx]
Local identifier [vpn@privaterra.info]
Remote identifier [vpn.xxx.xxx]

Machine Authentication [Certificate]
Identify Certificate [user x509 certificate]

Server certificate Issuer Common Name [blank]
Server certificate Common Name [blank]

Enable EAP [not selected]

Dead Pear Selection Rate [Medium]

IKE SA Params
-----------------

Encryption Algorithm [AES - 256]
Integrity Algorithm [SHA2 - 256]

Diffie Hellman Group [2]

Lifetime in Minutes [1440]

Proxy Setup [none]

Child SA Params
-----------------

Encryption Algorithm [AES - 256]
Integrity Algorithm [SHA2 - 256]

Diffie Hellman Group [2]

Lifetime in Minutes [1440]

Proxy Setup [none]

Apple Configurator - VPN Configuration - Certificates

Included 3 certificates in payload:

1. IPSEC server (Certificate, .crt)
2. Certificate Authority (used to create #1, .crt)
3. User certificate (.p12)

MikeV7896 · Jan 18, 2015, 2:58 PM

@catfish99:

dstroot -

You might want to take a look at André Gasser's Blog. He has an posting on - How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux - It's quite helpful to setup IPSEC using IKEv1

https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

I actually went through his settings as a base (they're for an earlier version so a couple don't match 2.2 exactly) and found something that might work… except for one minor issue...

Jan 18 09:31:36	charon: 06[IKE] <33> 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:31:36	charon: 06[IKE] 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:23:46	charon: 15[IKE] <32> Aggressive Mode PSK disabled for security reasons
Jan 18 09:23:46	charon: 15[IKE] Aggressive Mode PSK disabled for security reasons

That appears in my IPSec log when I try to connect. This is rather unfortunate, as like dstroot, I don't want to deal with certificates and the like, but it seems that PSK is disabled as an option.

BTW… here are the Phase 1 proposals that iOS will accept, at least for a non-certificate setup directly on the device:

Encryption: AES-256, AES-128, 3DES, or DES
Hash: SHA1 or MD5
DH Key Group: 2 (1024 bit)

I would assume Phase 2 is similar, but since I can't get past phase 1 authentication, I don't know that for certain.

EDIT: Oh also... I'm using IKEv1, not V2. V2 does not appear to work with the on-device settings like it does with the Apple Configurator.

catfish99 · Jan 18, 2015, 4:22 PM

Having issues connecting - seem to get no matching peer config found error.

Let me share below the following:

1. IPSEC server log entries that correspond to the configuration/setup I detailed in an earlier post.
2. /var/etc/ipsec/ipsec.conf

IPSEC server log

Last 300 IPsec log entries
Jan 18 11:07:52 charon: 12[NET] sending packet: from server.IP-address.com[4500] to ios-device.IP-address.com[10082] (80 bytes)
Jan 18 11:07:52 charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 18 11:07:52 charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52 charon: 12[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52 charon: 12[CFG] no matching peer config found
Jan 18 11:07:52 charon: 12[CFG] looking for peer configs matching server.IP-address.com[server.domain-name.com]…ios-device.IP-address.com[vpn@privaterra.org]
Jan 18 11:07:52 charon: 12[IKE] received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52 charon: 12[IKE] <3> received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jan 18 11:07:52 charon: 12[NET] received packet: from ios-device.IP-address.com[10082] to server.IP-address.com[4500] (2576 bytes)
Jan 18 11:07:51 charon: 12[NET] sending packet: from server.IP-address.com[500] to ios-device.IP-address.com[10094] (337 bytes)
Jan 18 11:07:51 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 18 11:07:51 charon: 12[IKE] sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51 charon: 12[IKE] <3> sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51 charon: 12[IKE] remote host is behind NAT
Jan 18 11:07:51 charon: 12[IKE] <3> remote host is behind NAT
Jan 18 11:07:51 charon: 12[IKE] ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51 charon: 12[IKE] <3> ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 18 11:07:51 charon: 12[NET] received packet: from ios-device.IP-address.com[10094] to server.IP-address.com[500] (288 bytes)

/var/etc/ipsec/ipsec.conf

This file is automatically generated. Do not edit

config setup
uniqueids = yes
charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,cfg 2,knl 2,net 2,asn 2,enc 2,imc 2,imv 2,pts 2,tls 2,esp 2,lib 2"

conn con1
fragmentation = yes
keyexchange = ikev2
reauth = yes
forceencaps = yes
rekey = yes
installpolicy = yes
type = tunnel
dpdaction = clear
dpddelay = 10s
dpdtimeout = 60s
auto = add
left = server-ip-address
right = %any
leftid = server-ip-address
ikelifetime = 86400s
lifetime = 1440s
rightsourceip = 192.168.78.0/24
ike = aes256-sha256-modp1024!
esp = aes256-sha256-modp1024,aes256-sha384-modp1024,aes256-sha512-modp1024,aes192-sha256-modp1024,aes192-sha384-modp1024,aes192-sha512-modp1024,aes128-sha256-modp1024,aes128-sha384-modp1024,aes128-sha512-modp1024!
leftauth = pubkey
rightauth = pubkey
leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
rightsubnet = 192.168.78.0/24
leftsubnet = 192.168.3.0/24

eri-- · Jan 18, 2015, 4:53 PM

@virgiliomi:

I actually went through his settings as a base (they're for an earlier version so a couple don't match 2.2 exactly) and found something that might work… except for one minor issue...

Jan 18 09:31:36	charon: 06[IKE] <33> 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:31:36	charon: 06[IKE] 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:23:46	charon: 15[IKE] <32> Aggressive Mode PSK disabled for security reasons
Jan 18 09:23:46	charon: 15[IKE] Aggressive Mode PSK disabled for security reasons

You have an advanced setting to allow that since Agreesive mode + PSK is a security risk in general which can be exploited.

eri-- · Jan 18, 2015, 4:54 PM

@catfish99:

Having issues connecting - seem to get no matching peer config found error.

Let me share below the following:

1. IPSEC server log entries that correspond to the configuration/setup I detailed in an earlier post.
2. /var/etc/ipsec/ipsec.conf

IPSEC server log

Last 300 IPsec log entries
Jan 18 11:07:52 charon: 12[NET] sending packet: from server.IP-address.com[4500] to ios-device.IP-address.com[10082] (80 bytes)
Jan 18 11:07:52 charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 18 11:07:52 charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52 charon: 12[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52 charon: 12[CFG] no matching peer config found
Jan 18 11:07:52 charon: 12[CFG] looking for peer configs matching server.IP-address.com[server.domain-name.com]…ios-device.IP-address.com[vpn@privaterra.org]
Jan 18 11:07:52 charon: 12[IKE] received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52 charon: 12[IKE] <3> received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jan 18 11:07:52 charon: 12[NET] received packet: from ios-device.IP-address.com[10082] to server.IP-address.com[4500] (2576 bytes)
Jan 18 11:07:51 charon: 12[NET] sending packet: from server.IP-address.com[500] to ios-device.IP-address.com[10094] (337 bytes)
Jan 18 11:07:51 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 18 11:07:51 charon: 12[IKE] sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51 charon: 12[IKE] <3> sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51 charon: 12[IKE] remote host is behind NAT
Jan 18 11:07:51 charon: 12[IKE] <3> remote host is behind NAT
Jan 18 11:07:51 charon: 12[IKE] ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51 charon: 12[IKE] <3> ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 18 11:07:51 charon: 12[NET] received packet: from ios-device.IP-address.com[10094] to server.IP-address.com[500] (288 bytes)

/var/etc/ipsec/ipsec.conf

This file is automatically generated. Do not edit

config setup
uniqueids = yes
charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,cfg 2,knl 2,net 2,asn 2,enc 2,imc 2,imv 2,pts 2,tls 2,esp 2,lib 2"

conn con1
fragmentation = yes
keyexchange = ikev2
reauth = yes
forceencaps = yes
rekey = yes
installpolicy = yes
type = tunnel
dpdaction = clear
dpddelay = 10s
dpdtimeout = 60s
auto = add
left = server-ip-address
right = %any
leftid = server-ip-address
ikelifetime = 86400s
lifetime = 1440s
rightsourceip = 192.168.78.0/24
ike = aes256-sha256-modp1024!
esp = aes256-sha256-modp1024,aes256-sha384-modp1024,aes256-sha512-modp1024,aes192-sha256-modp1024,aes192-sha384-modp1024,aes192-sha512-modp1024,aes128-sha256-modp1024,aes128-sha384-modp1024,aes128-sha512-modp1024!
leftauth = pubkey
rightauth = pubkey
leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
rightsubnet = 192.168.78.0/24
leftsubnet = 192.168.3.0/24

From what i can tell this comes from the fact that both sides are pubkey authentication and something is not matching the RSA/Cert keys correctly.

MikeV7896 · Jan 18, 2015, 7:52 PM

@ermal:

You have an advanced setting to allow that since Agreesive mode + PSK is a security risk in general which can be exploited.

I don't see an advanced IPSec setting that is related to Aggressive Mode and PSK. But I looked in the main system log and saw…

Jan 18 09:22:07	php-fpm[8492]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.

That would tell me that a setting is being set automatically based on my configuration choices, even though it doesn't appear to have done anything since the connection is still not permitted.

EDIT: Never mind… after stopping and restarting the IPSec service, I'm able to connect. So IKEv1 PSK is no problem with iOS 8.1.2. Sorry about the slight hijack away from the IKEv2/certificate setup. :)

miken32 · Jan 19, 2015, 6:12 PM

@virgiliomi:

@ermal:

You have an advanced setting to allow that since Agreesive mode + PSK is a security risk in general which can be exploited.

I don't see an advanced IPSec setting that is related to Aggressive Mode and PSK. But I looked in the main system log and saw…
Jan 18 09:22:07	php-fpm[8492]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
That would tell me that a setting is being set automatically based on my configuration choices, even though it doesn't appear to have done anything since the connection is still not permitted.

EDIT: Never mind… after stopping and restarting the IPSec service, I'm able to connect. So IKEv1 PSK is no problem with iOS 8.1.2. Sorry about the slight hijack away from the IKEv2/certificate setup. :)

Can you confirm that you're able to reach hosts on your LAN subnet from your iOS 8.1.2 device, and also that your internet traffic is routing through the remote pfSense?

If so, can you post a detailed list of your configs? I cannot get this working on 2.2; the connection works great but internet does not route through the VPN, and the only thing on the LAN I can reach is the pfSense itself. Thanks!

MikeV7896 · Jan 19, 2015, 7:38 PM

@miken32:

Can you confirm that you're able to reach hosts on your LAN subnet from your iOS 8.1.2 device, and also that your internet traffic is routing through the remote pfSense?

If so, can you post a detailed list of your configs? I cannot get this working on 2.2; the connection works great but internet does not route through the VPN, and the only thing on the LAN I can reach is the pfSense itself. Thanks!

I can confirm that I can reach hosts on my LAN from my iOS device. Name resolution doesn't appear to be going over the VPN connection by default; I have an app that can specify a custom DNS server and it works there just fine specifying my pfSense box. Internet traffic does not seem to be going over the VPN either.

I noticed an option on my iPhone that appears with L2TP and PPTP, but not with IPSec, that allows "Send all traffic" over the VPN connection. On the other side, it could be something related to the default domain and/or split DNS settings on pfSense. I don't have time right now to experiment, unfortunately. Maybe later tonight.

MikeV7896 · Jan 20, 2015, 5:03 PM

I've decided to give up on IPSec IKEv1 with just the settings on my phone, and instead focus on L2TP/IPSec instead, which is also done from just the phone. At least there's an option there to send all traffic over the connection. There's already a separate thread about that.