Netgate Discussion Forum

    Valid configuration for IKEv2 VPN for iOS and OSX

    68 Posts 33 Posters 52.2k Views
    • acc4ever

      I have one thing: I'm using DynDNS resolution for the public IP address of the pfSense boxes.
      In your tutorial, it's mandatory to put the public IP address, as quoted here. What should I put?

      Thanks a lot for sharing this how-to !!!

      Make the server cert
      System | Cert Manager | Certificates

      Click the + to add a new certificate, set the following:
      Method: Create an internal certificate
      Descriptive name: Anything you like, I picked "serverCert"
      Certificate Authority: internalCA (or whatever name you used)
      Key Length: 2048
      Digest Algorithm: SHA256
      Certificate Type: Server Certificate
      Lifetime: 3650 days
      Country Code: as required
      State: as required
      City: as required
      Organisation: as required
      Email address: as required (seems to be unimportant)
      Common Name: [External DNS name of the pfSense box]
      ADD AN ALTERNATIVE NAME
      Type: DNS (case sensitive)
      Value: [External DNS name of the pfSense box (yes, the same as the CN above)]
      ADD ANOTHER ALTERNATIVE NAME
      Type: IP (case sensitive)
      Value: [External IP address of pfSense box]

      • matp

        Good question.
        I don't know. :)
        Some of this was worked out with pfSense support, who insisted that the certificates be set up this way. We did initially have them with just domain names I think. To be fair, I've deleted and recreated the certs so many times I can no longer be sure!

        Given that the connections are established by DNS name, I would think it would work, but the log files seem to talk DNS and IP, so it may be a quirk of strongSwan or charon or whatever.

        My only suggestion would be to try it, following every step carefully with the exception of the IP SANs, and see what happens. Worst case is it won't connect!

        • dennypage

          Is the Diffie-Hellman group in phase 2 meaningful? DH group 2 has been in the "no longer recommended" category for some time. Given that it's covered by phase 1, it's not particularly important that it's a weak DH group, but it's not particularly helpful either.

          Perhaps someone with deeper IPSEC knowledge can comment…

          • matp

            denny, it is not. In fact, I did have it working set to 20.
            I'm no authority on this stuff by a long shot. My concern was that there seemed to be no set of instructions that would produce a working link. These values 'work' and they're pretty good, but yes, setting the P2 to DH20 is a good idea.

            As I have already tested this and I know it works with the rest of the values, I'll edit the post to use DH20 for both the P1 and the P2.

            Cheers!

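            To make the phase 1 / phase 2 DH group discussion above concrete outside the pfSense GUI, here is an added strongSwan `ipsec.conf` fragment. It is not from the original post and not the configuration pfSense generates; the AES/SHA choices are assumptions, and only the group mapping comes from the thread: IKE DH group 2 is `modp1024` (1024-bit MODP), group 20 is `ecp384`. In strongSwan syntax the phase 1 group lives in `ike=` and the phase 2 (PFS) group in `esp=`.

```conf
conn ikev2-mobile
    keyexchange=ikev2
    # Weak: DH group 2 (modp1024) in both proposals. Phase 1 is the exchange
    # that protects the keys, so a weak phase 2 group adds little risk on its
    # own, but it also adds no forward secrecy worth having.
    #ike=aes256-sha256-modp1024!
    #esp=aes256-sha256-modp1024!
    # As settled on above: DH group 20 (ecp384) for phase 1 and phase 2.
    ike=aes256-sha256-ecp384!
    esp=aes256-sha256-ecp384!
```

            The trailing `!` makes each proposal strict, so a client cannot negotiate the connection back down to a group that is not listed.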
            • paulchen0815

              Hi,

              I want to configure my pfSense as a VPN "dial-in server" to access my home network via IPsec VPN from my mobile clients (smartphone, tablet, Mac).

              I have the following problem when configuring it with your documentation:

              When creating the phase 1 entry I have to enter a remote gateway address, and this is a mandatory field, so I have to fill in something.

              But in my use case my mobile phone has no known official IP address… So what do I have to fill in there?

              Thanks,

              paulchen

              • matp

                Not too sure I follow you; only the pfSense box needs a fixed IP, the mobile device does not.

                Your message means that the instructions are not clear enough, as it would seem that you have made a mistake with them. Could you please tell me which step you are looking at and I'll enhance it.
                Thanks.

                @paulchen0815:

                When creating the phase 1 entry I have to enter a remote gateway address, and this is a mandatory field, so I have to fill in something.

                But in my use case my mobile phone has no known official IP address… So what do I have to fill in there?

                • luckman212

                  I think what he means is that the pfSense does not have a static IPv4 WAN address. Can a DNS name, e.g. a dynamic DNS entry, be substituted in its place?

                  • paulchen0815

                    Maybe the wording in the pfSense GUI is a little bit misleading. I have to enter the "Remote Gateway: Enter the public IP address or host name of the remote gateway". See attached screenshot.

                    So from my point of view this would be the other end of the IPsec tunnel, so not my pfSense box but the mobile device (which has a dynamic IP address that is unknown).

                    So which IP address or hostname do I have to enter in this field?

                    [Screenshot: Bildschirmfoto 2016-02-07 um 07.13.24.png]

                    • matp

                      Ah, now it makes sense.
                      First, you're setting up an IKEv1 connection, and these instructions are for IKEv2.
                      Second, in the screenshot you are configuring a P1 for a static site-to-site link, not a mobile one, which is why you are being asked for a remote address.
                      You want to be configuring the Mobile Client phase 1.

                      Recheck the instructions from the 'Configure the VPN' section and try again.

                      • paulchen0815

                        Yes, that was the problem: I didn't realize that there is a difference in how to create the phase 1 entry. I did it via the "Tunnels" tab and not via the button "Create mobile phase 1". With this button there is no "Remote gateway" field, and that makes sense now.

                        Thanks!

                        Best regards

                        paulchen

                        • nodau

                          Does DNS resolution work from the iOS device in this configuration? With the current IPsec config, iOS 9 doesn't do name resolution through the tunnel. Running Shrew Soft on Windows works. So I'm looking for a solution that will allow DNS through the tunnel from any iOS 9 device.

                          Norman


                          • jeevajii

                            Useful ideas. Great information, thanks.


                            • matp

                              It does, but only if you route all traffic over the link. I do mention this in the post.
                              I've been unable to find a resolution to this.

                              Sadly, paid support responded with a "works for me" answer, which wasn't much help.

                              @bahsig:

                              Does DNS resolution work from the iOS device in this configuration? With the current IPsec config, iOS 9 doesn't do name resolution through the tunnel. Running Shrew Soft on Windows works. So I'm looking for a solution that will allow DNS through the tunnel from any iOS 9 device.

                              • shpokas

                                @bahsig:

                                Does DNS resolution work from the iOS device in this configuration? With the current IPsec config, iOS 9 doesn't do name resolution through the tunnel. Running Shrew Soft on Windows works. So I'm looking for a solution that will allow DNS through the tunnel from any iOS 9 device.

                                This hint worked for me, on both iOS and OS X.
                                https://lists.strongswan.org/pipermail/users/2015-October/008842.html

                                For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

                                • matp

                                  Thanks shpokas!
                                  Very interesting hack. I'm not using signed profiles, so I was able to try this. I didn't have any success with it, but I'll try again soon. Quite odd that this may be fixable on the client side, despite DNS settings being provided in the pfSense config. It still screams 'bug' to me.

                                  (Plus, the paid support team said it worked just fine in their tests without doing this)

                                  @shpokas:

                                  This hint worked for me, on both iOS and OS X.
                                  https://lists.strongswan.org/pipermail/users/2015-October/008842.html

                                  For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

                                  • kapara

                                    Have you tried installing/using the strongSwan client for the Mac?

                                    https://download.strongswan.org/osx/strongswan-5.3.2-1.app.zip


                                    • shpokas

                                      Nope, DNS still does not work for me and there's no way to configure it, in contrast to the OS X built-in client.

                                      • matp

                                        I had a look at that strongSwan client; don't like it.
                                        It didn't seem to do anything with the certificates, and the advantage of using the native Configurator profile is that we can deploy and modify the settings via the MDM enrolment, which helps.

                                        We're still simply routing all traffic to work around the DNS issue; it's good enough for now.

                                        • bluefoxreg

                                          I'm not sure what's causing this, but my Windows 10 was able to route all traffic through the VPN (with one phase 2 config of 0.0.0.0/0), while my iOS device (iPhone 5s with iOS 9.2.1) is not routing any traffic through the VPN, even though the VPN icon is showing.

                                          I also noticed that on the iPhone the IP seems to remain the same after the VPN is connected.

                                          I followed this guide, and the only thing that's different from what is outlined is the profile setup through Apple Configurator 2, which I don't have access to:

                                          https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

                                          Thoughts?

                                          • bluefoxreg

                                            Actually, found the problem… I followed the document and didn't have a local domain set. Once I did, the iOS devices are able to route all traffic through the VPN now!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.