    IPsec vpn for OCX 10.10.3 and any IOS

    17 Posts 7 Posters 5.2k Views
      richardd

      Okaenrique's instructions are correct, but he left out a small detail about the pfSense group privilege as I described in my previous post. The group I am talking about has nothing to do with the User Distinguished Name or Group Name.

      If it still doesn't work for you, then post screenshots of your settings and I'll try to help you.

        dennypage

        Here is the complete list of my current settings, which are slightly different than above.

        ---

        IPsec Phase 1

        Key Exchange version: Auto
        Internet Protocol: IPv4
        Interface: WAN

        Authentication method: Mutual PSK + Xauth
        Negotiation mode: main
        My Identifier: Distinguished name myfirewall.mydomain.org
        Peer Identifier: mydomain.org
        Pre-Shared Key: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

        Encryption algorithm: AES 256
        Hash algorithm: SHA1
        DH key group: 2 (1024 bit)
        Lifetime: 28800

        NAT Traversal: Auto
        Dead Peer Detection: disabled

        ---

        IPsec Phase 2

        Mode: Tunnel IPv4
        Local Network: LAN subnet

        Protocol: ESP
        Encryption algorithms: AES 256, AES256-GCM/auto
        Hash algorithms: SHA1, SHA256, SHA384
        PFS key group: off
        Lifetime: 3600

        ---

        iOS settings

        Server: IP address of firewall
        Account: myiosuser
        Password: xxxxxxxxxxxxxx
        Use Certificate: off
        Group Name: (empty)
        Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

        ---

        OS X settings

        Server Address: IP address of firewall
        Account Name: myosxuser
        Password: xxxxxxxxxxxxxx
        Shared Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
        Group Name: (empty)

        ---

        Note that users "myiosuser" and "myosxuser" must exist in System -> User Manager, and they must have the "User - VPN - IPsec auth Dialin" privilege.

        Hope this helps.

          richardd

          See my remarks in red (shown here in brackets):
          @dennypage:

          Here is the complete list of my current settings, which are slightly different than above.

          ---

          IPsec Phase 1

          Key Exchange version: Auto [richardd: V1]
          Internet Protocol: IPv4
          Interface: WAN

          Authentication method: Mutual PSK + Xauth
          Negotiation mode: main [richardd: Aggressive]
          My Identifier: Distinguished name myfirewall.mydomain.org
          Peer Identifier: mydomain.org
          Pre-Shared Key: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

          Encryption algorithm: AES 256
          Hash algorithm: SHA1
          DH key group: 2 (1024 bit)
          Lifetime: 28800

          NAT Traversal: Auto
          Dead Peer Detection: disabled

          ---

          IPsec Phase 2

          Mode: Tunnel IPv4
          Local Network: LAN subnet

          Protocol: ESP
          Encryption algorithms: AES 256, AES256-GCM/auto
          Hash algorithms: SHA1, SHA256, SHA384
          PFS key group: off
          Lifetime: 3600

          ---

          iOS settings

          Server: IP address of firewall
          Account: myiosuser
          Password: xxxxxxxxxxxxxx
          Use Certificate: off
          Group Name: [richardd: you can fill in anything, but don't leave empty]
          Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

          ---

          OS X settings

          Server Address: IP address of firewall
          Account Name: myosxuser
          Password: xxxxxxxxxxxxxx
          Shared Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
          Group Name: [richardd: you can fill in anything, but don't leave empty]

          ---

          Note that users "myiosuser" and "myosxuser" must exist in System -> User Manager, and they must have the "User - VPN - IPsec auth Dialin" privilege.

          Hope this helps.

            dennypage

            Richardd, I wasn't asking a question, I was posting a known working configuration. The configuration I posted works correctly with pfSense 2.2.2, iOS 8.3, and OS X 10.10.3.

            You need to leave the Group Name empty in order to use Auto Key Exchange. The reason for doing this is to allow mixed use of IKEv1 and IKEv2 by mobile clients.

            IKEv2 on iOS is supported, but requires a custom profile. On my todo list, but not implemented yet.

            I have yet to find credible mention of IKEv2 being supported in OS X.  :(

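A constructed settings check for the configuration discussed above (added here; it is not pfSense code and not something from this thread): it parses the "Key: value" lines as posted, applies the rule dennypage states (Auto key exchange needs an empty Group Name), and flags the legacy choices in the posted Phase 1/Phase 2 values that a reviewer would question. The sample settings and the `lint_ipsec` rule set are assumptions of this example.

```python
import re

# Constructed sample (not a pfSense export): the Phase 1 / Phase 2 values from
# the posted config plus the client's Group Name, as "Key: value" lines.
POSTED_SETTINGS = """\
Key Exchange version: Auto
Authentication method: Mutual PSK + Xauth
Negotiation mode: main
Encryption algorithm: AES 256
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
PFS key group: off
Group Name:
"""


def parse_settings(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased setting name.

    An empty value (as for 'Group Name:') is kept as '' so the empty-vs-filled
    distinction the thread hinges on survives parsing.
    """
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip().lower()] = value.strip()
    return settings


def lint_ipsec(settings):
    """Return (severity, message) findings for a mobile IPsec settings dict."""
    findings = []
    kev = settings.get("key exchange version", "").lower()
    auth = settings.get("authentication method", "").lower()
    mode = settings.get("negotiation mode", "").lower()
    # Constraint stated in the thread: Auto (IKEv1/IKEv2) needs an empty Group Name.
    if kev == "auto" and settings.get("group name", ""):
        findings.append(("error", "Auto key exchange requires an empty Group Name on the client"))
    # IKEv1 aggressive mode sends the PSK-derived identity hash unencrypted; main mode does not.
    if mode == "aggressive" and "psk" in auth:
        findings.append(("warn", "aggressive mode with PSK exposes the PSK hash to offline guessing"))
    dh = re.match(r"(\d+)", settings.get("dh key group", ""))
    if dh and int(dh.group(1)) < 14:
        findings.append(("warn", "DH group %s is below 2048 bits; prefer group 14 or higher" % dh.group(1)))
    if settings.get("hash algorithm", "").upper() == "SHA1":
        findings.append(("warn", "SHA1 is a legacy hash; prefer SHA256 for new tunnels"))
    if settings.get("pfs key group", "").lower() == "off":
        findings.append(("warn", "PFS off: Phase 2 keys derive from the Phase 1 DH secret alone"))
    return findings
```

Running `lint_ipsec(parse_settings(POSTED_SETTINGS))` yields no error for the posted config (Group Name empty, main mode) and three warnings; filling in a Group Name and switching to Aggressive mode, as suggested in the reply above, adds an error and a fourth warning.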
              Harlock_99

              Hi,
              thanks for the replies, I will test a similar configuration and will be back to you for the results.

                richardd

                @dennypage: I stand corrected, I can confirm that your settings are working too on these platforms!

                Nice work with the auto IKEv1 / IKEv2, thanks!

                  eri--

                  https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile

                  Check this one for reference.

                    Harlock_99

                    Hi,

                    Sorry for the delay, I was quite busy at work..  :-\

                    Question about Okaenrique's settings:

                    • why is the mobile client setting NONE for DATABASE? (by the way, changing this setting makes the pfSense firewall reboot)

                    To test DennyPage's settings, I need some more information:

                    IPsec Phase 1

                    Key Exchange version: Auto
                    Internet Protocol: IPv4
                    Interface: WAN

                    Authentication method: Mutual PSK + Xauth
                    Negotiation mode: main
                    My Identifier: Distinguished name myfirewall.mydomain.org  <--- is it distinguished name or user distinguished name? Can I use a fake domain?
                    Peer Identifier: mydomain.org  <--- which peer identifier option did you choose, distinguished name?
                    Pre-Shared Key: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

                      dstroot

                      @dennypage:

                      Richardd, I wasn't asking a question, I was posting a known working configuration. The configuration I posted works correctly with pfSense 2.2.2, iOS 8.3, and OS X 10.10.3.

                      You need to leave the Group Name empty in order to use Auto Key Exchange. The reason for doing this is to allow mixed use of IKEv1 and IKEv2 by mobile clients.

                      IKEv2 on iOS is supported, but requires a custom profile. On my todo list, but not implemented yet.

                      I have yet to find credible mention of IKEv2 being supported in OS X.  :(

                      dennypage: I have tried unsuccessfully to replicate your setup.  Any possibility of screen shots?  I just can't seem to get it to work.

                        dennypage

                        I have moved from PSK to certificates so I can't easily do screen shots for PSK. However if you post shots of your current config, I will be happy to try and help you. Alternatively, I can provide XML fragments for PSK if you are comfortable with that approach.

                        I'm currently traveling, so it may be a day or two before I can respond.

                        @dstroot:

                        dennypage: I have tried unsuccessfully to replicate your setup.  Any possibility of screen shots?  I just can't seem to get it to work.
