Netgate Discussion Forum: IPsec

IKEv2 and iOS 9

12 Posts 7 Posters 4.9k Views
miken32

      @MrMoo:

      mod1536 is broken on the iPhone:

      https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

      Ugh, SHA1 it is, I guess. Thanks for the link.

MrMoo

Of note, that wiki article has been updated for OS X El Capitan, which apparently is sending 3DES by default. Only tried iOS so far.

dennypage

          It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

          One word of caution however: Using AES-256-GCM will eventually crash both iOS 9.1 and OS X 10.11.1. I haven't tested AES-128-GCM, but I'm guessing that will crash as well.

ltctech

            Has anyone managed to route all traffic from iOS 9.1 through the tunnel using the manual configuration?

            I can only get it to route to the LAN subnet if I specify it directly on the router, but if I specify something like 0.0.0.0/0 nothing goes through the tunnel.

jimp (Rebel Alliance Developer, Netgate)

              @ltctech:

              Has anyone managed to route all traffic from iOS 9.1 through the tunnel using the manual configuration?

              I can only get it to route to the LAN subnet if I specify it directly on the router, but if I specify something like 0.0.0.0/0 nothing goes through the tunnel.

              Uncheck "Provide a list of accessible networks to clients" on the mobile clients tab
              Add a P2 for 0.0.0.0/0

              If it doesn't work for whatever reason, try adding a P2 for just mobile clients to LAN first, and put the 0.0.0.0/0 P2 below it. I didn't need that, but I saw someone else mention they couldn't route properly without it.

jwt (Netgate)

                @dennypage:

                It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

                I don't agree that Configurator is the only way.  Anything that can produce the profile should get the same result.

                @dennypage:

                One word of caution however: Using AES-256-GCM will eventually crash both iOS 9.1 and OS X 10.11.1. I haven't tested AES-128-GCM, but I'm guessing that will crash as well.

                Have you reported this to Apple?

dennypage

Sorry, I didn't mean to imply that the Configurator is the only way you could create an Apple config. You could always create one by hand-editing a plist file, but that's even more painful than Configurator and rather error-prone. Configurator is the only tool I know of that actually generates Apple VPN configs. Is there another tool that I don't know of?

The point of the original post was to communicate the limitations of creating the VPN via Network Preferences.

                  @jwt:

                  @dennypage:

                  It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

                  I don't agree that Configurator is the only way.  Anything that can produce the profile should get the same result.

ltctech

                    I upgraded our router to 2.2.5 today, iOS is now able to connect and routes all traffic through the tunnel.

                    Problem is that without resorting to 3DES, we cannot support both Windows and iOS while still using AES. Windows requires AES256 while iOS requires AES128 for SHA1 and DH 1024 in Phase 1. There is no way to configure this in pfSense even though strongSwan supports multiple Phase 1 proposals.
                    https://forum.pfsense.org/index.php?topic=101889.0

                    At this point I am considering adding a few lines into vpn.inc to check for my Mobile VPN identifier and hard code the ike line to what I need into ipsec.conf.

dennypage

                      If you configure via iOS' built-in UI, you are severely limited in what you can achieve. However, if you use a profile you can configure AES256/SHA2 and reasonable DH groups.

                      @ltctech:

                      Problem is that without resorting to 3DES, we cannot support both Windows and iOS while still using AES. Windows requires AES256 while iOS requires AES128 for SHA1 and DH 1024 in Phase 1.

davros123
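The two points dennypage makes above (a profile, rather than the manual Network Preferences UI, is what lets an iOS 9 / El Capitan client use DH groups 14-21 with AES256/SHA2; and AES-256-GCM was observed to crash iOS 9.1 and OS X 10.11.1) in working form, as an added example that is not code from this thread, from Netgate or from Apple. It also illustrates jwt's remark that anything producing the profile gives the same result as Apple Configurator: the script below writes a `.mobileconfig` with Python's standard `plistlib`. The payload keys (`com.apple.vpn.managed`, `IKEv2`, `IKESecurityAssociationParameters`, `ChildSecurityAssociationParameters` and their value sets) are Apple's documented VPN payload keys; the server name, identifiers, organisation and pre-shared key are placeholders, and the GCM refusal encodes the crash report from this thread, not an Apple rule.

```python
"""Generate an iOS/macOS IKEv2 .mobileconfig with explicit IKE and ESP proposals.

Added example, not code from the forum thread, Netgate or Apple. The payload
keys are Apple's documented VPN profile keys; host names, identifiers and the
PSK are placeholders.
"""
import plistlib
import uuid

# Apple's documented value sets for the security association parameters.
ENC = {"DES", "3DES", "AES-128", "AES-256", "AES-128-GCM", "AES-256-GCM"}
INTEG = {"SHA1-96", "SHA1-160", "SHA2-256", "SHA2-384", "SHA2-512"}
DH = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21}

# The "higher groups" (14-21) the thread says only a profile can select;
# groups 1, 2 and 5 are what the manual UI falls back to.
STRONG_DH = {14, 15, 16, 17, 18, 19, 20, 21}


def sa_params(enc="AES-256", integ="SHA2-256", dh=14, lifetime_min=1440):
    """Build one IKESecurityAssociationParameters / ChildSecurityAssociationParameters dict.

    AES-GCM is refused because the thread reports AES-256-GCM crashing iOS 9.1
    and OS X 10.11.1 (a forum observation, not an Apple restriction).
    """
    if enc not in ENC or integ not in INTEG or dh not in DH:
        raise ValueError(f"unsupported proposal {enc}/{integ}/{dh}")
    if enc.endswith("-GCM"):
        raise ValueError("AES-GCM disabled: reported to crash iOS 9.1 / OS X 10.11.1")
    if dh not in STRONG_DH:
        raise ValueError(f"DH group {dh} is too weak; use one of {sorted(STRONG_DH)}")
    return {
        "EncryptionAlgorithm": enc,
        "IntegrityAlgorithm": integ,
        "DiffieHellmanGroup": dh,
        "LifeTimeInMinutes": lifetime_min,
    }


def build_profile(server, remote_id, local_id, psk, org="example.org"):
    """Return a .mobileconfig (XML plist) as bytes for an IKEv2 PSK connection."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"IKEv2 to {server}",
        "UserDefinedName": f"IKEv2 to {server}",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": remote_id,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": psk,
            "ExtendedAuthEnabled": 0,
            "EnablePFS": 1,
            "DeadPeerDetectionRate": "Medium",
            # Phase 1 (IKE SA) and Phase 2 (Child SA) proposals, stated
            # explicitly so the device never uses the manual-UI defaults.
            "IKESecurityAssociationParameters": sa_params("AES-256", "SHA2-256", 14, 1440),
            "ChildSecurityAssociationParameters": sa_params("AES-256", "SHA2-256", 14, 60),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "IKEv2 VPN",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def ike_proposal(profile_bytes):
    """Read the Phase 1 proposal back out of a generated profile (for checking)."""
    parsed = plistlib.loads(profile_bytes)
    return parsed["PayloadContent"][0]["IKEv2"]["IKESecurityAssociationParameters"]


if __name__ == "__main__":
    data = build_profile("vpn.example.org", "vpn.example.org",
                         "user@example.org", "placeholder-psk")
    with open("ikev2.mobileconfig", "wb") as fh:
        fh.write(data)
    print(ike_proposal(data))
```

The proposal chosen here (AES-256 / SHA2-256 / group 14 for both SAs) has to match one phase 1 and phase 2 proposal on the pfSense side, or IKE_SA_INIT fails in exactly the way the manual-UI clients do. The generated file is installed like any other profile (mail, AirDrop, Configurator); for a production deployment switch `AuthenticationMethod` to `Certificate` and reference a certificate payload via `PayloadCertificateUUID` rather than shipping a PSK in a plist.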

                        Thanks for the info.

                        I just used the Apple configurator to use AES256/SHA2…but it seems my Windows 10 VPN wants to use DH group2 (1024).

                        Is there an easy way I can change win10 VPN client to use group 21 DH?

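ltctech's point that strongSwan accepts several Phase 1 proposals while the pfSense GUI exposes only one, and davros123's observation that the Windows 10 client offers DH group 2, come down to what the responder's `ike=` line contains. The following is an added example, not pfSense or strongSwan code: a small model of charon's proposal selection that shows a single-proposal line serving one client and failing the other, and a comma-separated line (strongSwan's own `ike=` syntax, trailing `!` for strict mode) serving both. The client offers are constructed from what the posters report (Windows: AES-256/SHA-1/modp1024; manually configured iOS 9: AES-128/SHA-1/modp1024), not captured from real clients, and the Windows default is an assumption.

```python
"""Model strongSwan's IKEv2 proposal selection for a responder serving mixed clients.

Added example, not pfSense or strongSwan code. Proposal strings follow the
ipsec.conf ike=/esp= syntax (enc-integ-dh, comma-separated alternatives,
trailing '!' for strict mode). Client offers are constructed from the thread,
not captured from real clients.
"""
from typing import Dict, List, Optional, Tuple

Proposal = Tuple[str, str, str]  # (encryption, integrity, DH group)


def parse_proposals(spec: str) -> Tuple[List[Proposal], bool]:
    """Split an ike= value into its proposals and the strict ('!') flag.

    Without '!' strongSwan appends its built-in default proposal; with it,
    only the listed proposals are accepted.
    """
    strict = spec.endswith("!")
    items = [s.strip() for s in spec.rstrip("!").split(",") if s.strip()]
    proposals: List[Proposal] = []
    for item in items:
        parts = item.split("-")
        if len(parts) != 3:
            raise ValueError(f"expected enc-integ-dh, got {item!r}")
        proposals.append((parts[0], parts[1], parts[2]))
    return proposals, strict


def select(responder_spec: str, offered: List[Proposal]) -> Optional[Proposal]:
    """Return the proposal the responder settles on, or None if nothing overlaps.

    charon with prefer_configured_proposals=yes (its default) walks its own
    list in configured order and takes the first entry the initiator offered.
    """
    configured, _strict = parse_proposals(responder_spec)
    offered_set = set(offered)
    for proposal in configured:
        if proposal in offered_set:
            return proposal
    return None


def coverage(responder_spec: str,
             clients: Dict[str, List[Proposal]]) -> Dict[str, Optional[Proposal]]:
    """Which clients can complete IKE_SA_INIT against this ike= line."""
    return {name: select(responder_spec, offer) for name, offer in clients.items()}


def combined_line(*specs: str) -> str:
    """Merge per-client ike= values into one strict line, keeping order, dropping repeats."""
    seen: List[Proposal] = []
    for spec in specs:
        for proposal in parse_proposals(spec)[0]:
            if proposal not in seen:
                seen.append(proposal)
    return ",".join("-".join(p) for p in seen) + "!"


# Constructed offers. Windows: AES-256 with SHA-1 and DH group 2 (modp1024),
# the group davros123 sees the Windows 10 client propose (assumed default).
# iOS 9 via the manual UI: AES-128/SHA-1/modp1024 as ltctech describes.
CLIENTS: Dict[str, List[Proposal]] = {
    "windows10": [("aes256", "sha1", "modp1024")],
    "ios9-manual": [("aes128", "sha1", "modp1024")],
}

SINGLE = "aes256-sha1-modp1024!"                          # one pfSense P1 entry
MULTI = combined_line(SINGLE, "aes128-sha1-modp1024!")    # what strongSwan accepts


if __name__ == "__main__":
    for line in (SINGLE, MULTI):
        print(f"ike={line}")
        for client, chosen in coverage(line, CLIENTS).items():
            print(f"  {client:12s} -> {'-'.join(chosen) if chosen else 'NO PROPOSAL'}")
```

Run stand-alone it prints the single-proposal line leaving `ios9-manual` without a proposal and the merged line satisfying both, which is the `ike=` value ltctech is considering hard-coding into `ipsec.conf` from `vpn.inc`. The same parse-and-intersect logic applies to `esp=` for Phase 2. On the Windows side (not from this thread): Windows 8.1 and 10 expose the client's proposal through the PowerShell cmdlet `Set-VpnConnectionIPsecConfiguration`, whose `-DHGroup` parameter accepts values such as `Group14` and `ECP384`, so the group 2 default davros123 sees is adjustable per connection.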
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.