Valid configuration for IKEv2 VPN for iOS and OSX
-
I think what he means is that the pfSense does not have a static IPv4 WAN address. Can a DNS name e.g. a dynamic-dns entry be substituted in place?
-
Maybe the wording in the pfSense GUI is a little bit misleading. I have to enter the "Remote Gateway: Enter the public IP address or host name of the remote gateway". See attached screenshot.
So in my point of view this would be the other end of the IPsec tunnel, so not my pfSense box but the mobile device (which has a dynamic IP address that is unknown).
So which IP address or hostname do I have to enter in this field?
-
Ah, now it makes sense.
First, you're setting up an IKEv1 connection, and these instructions are for IKEv2
Second, in the screenshot you are configuring a P1 for a static site-to-site link, not a mobile one, which is why you are being asked for a remote address.
You want to be configuring the Mobile Client phase 1. Recheck the instructions from the 'Configure the VPN' section and try again.
-
Yes, that was the problem: I didn't realize that there is a difference in how to create the phase 1 entry. I did it via the "Tunnels" tab and not via the button "Create Mobile Phase 1". With this button there is no "Remote gateway" field and that makes sense now.
Thanks!
Best regards
paulchen
-
Does DNS resolution work from the iOS device in this configuration? With the current IPsec config, iOS 9 doesn't do name resolution through the tunnel. Running Shrew Soft on Windows works. So I'm looking for a solution that will allow DNS through the tunnel from any iOS 9 device.
-
Useful ideas. Great information, thanks.
-
It does, but only if you route all traffic over the link. I do mention this in the post.
I've been unable to find a resolution to this. Sadly, paid support responded with a "works for me" answer, which wasn't much help.
-
@bahsig:
This hint worked for me, on both iOS and OS X.
https://lists.strongswan.org/pipermail/users/2015-October/008842.html
For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0
-
Thanks shpokas!
Very interesting hack. I'm not using signed profiles, so I was able to try this. I didn't have any success with it but I'll try again soon. Quite odd that this may be fixable at the client side, despite DNS settings being provided in the pfSense config. It still screams 'bug' to me. (Plus, the paid support team said it worked just fine in their tests without doing this.)
-
Have you tried installing/using the strongSwan client for the Mac?
https://download.strongswan.org/osx/strongswan-5.3.2-1.app.zip
-
Nope, DNS still does not work for me and there's no way to configure it, in contrast to the OS X built-in client.
-
I had a look at that strongSwan client, don't like it.
It didn't seem to do anything with the certificates, and the advantage of using the native configurator profile is that we can deploy and modify the settings via the MDM enrolment, which helps. We're still simply routing all traffic to work around the DNS issue, it's good enough for now.
-
I'm not sure what's causing this but my Windows 10 was able to route all traffic through the VPN (with one phase 2 config of 0.0.0.0/0). While my iOS device (iPhone 5s with iOS 9.2.1) is not routing any traffic through the VPN, even though the VPN icon is showing.
I also noticed that on the iPhone the IP seems to remain the same after the VPN is connected.
I followed this guide, and the only thing that's different from what is outlined is the profile setup through Apple Configurator 2, which I don't have access to
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
Thoughts?
-
Actually, found the problem… I followed the document and didn't have a local domain set; once I did, the iOS devices are able to route all traffic through the VPN now!
-
First, thank you for these instructions. With these I could finally connect my iPhone to my pfSense 2.3. But I cannot figure out how to resolve my local DNS names through the tunnel.
If I leave phase 2 “Local Network” at “LAN subnet” I reach my local devices by IP address and the internet outside the tunnel.
If I set phase 2 “Local Network” to “Network” and “Address 0.0.0.0/0” I reach my local devices by IP address but have no internet. Do I have to change my firewall settings? But how can I resolve my devices by name? This
https://lists.strongswan.org/pipermail/users/2015-October/008842.html
doesn’t work for me. Or I don’t understand exactly how to do it?
-
Yeah, I was hoping 2.3 fixed/changed this. The only way seems to be to route all traffic, as mentioned. This means internet access goes out from the other end of the VPN, and domain name resolution is handled by the LAN DNS server; it could be that you've not got access to them?
-
I'm not sure it's something that pfSense can fix. Best that I can tell, the correct options are being set for StrongSwan, and StrongSwan is pushing the options correctly. The fix would need to be on the iOS/MacOS side.
I did see someone who said that they had fixed it by introducing options in the profile that could not be set in Configurator. I dug into this a bit, but was not able to reproduce their success with MacOS. I didn't try with iOS though.
-
Yeah, I'm not sure either, but my thinking runs that if it were an iOS/OS X issue, then it would affect all VPN providers and that does not seem to be the case. I've not actually tested it with a Cisco or Juniper unit but I'd expect that something not based on strongSwan wouldn't have this problem.
-
Hi,
Does this setup work for pfSense in version 2.3.2-RELEASE?
Can anyone confirm that? Cheers!
-
Yes, I just set this up today. To address an earlier question about Dynamic DNS, I have this working also but I had to set everything up on a subdomain (vpn.myname.com, versus just myname.com), including setting a dynamic DNS A record for vpn on my nameserver.
Thanks OP for such a detailed post! Your instructions are the first I got working. If you're still following this thread, what was your rationale for making the cipher selections you did? I'm wondering if this will work with ciphers that take advantage of AES-NI hardware acceleration.
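Several posts in this thread touch on the same two profile-side questions: whether the deployed .mobileconfig routes all traffic (the only state in which DNS through the tunnel was reported to work) and which IKE/ESP proposals it carries, which is the cipher question just above. The following script is an added example written for this page, not code from the original post or from pfSense or strongSwan. It reads an IKEv2 VPN profile with Python's plistlib and reports weak proposals and a split-tunnel-plus-DNS combination. The payload key names (com.apple.vpn.managed, OverridePrimary, IKESecurityAssociationParameters, and so on) follow my reading of Apple's Configuration Profile Reference and are assumptions to be checked against your own exported profile; the embedded sample profile, host names and algorithm choices are constructed for the example.

```python
import plistlib

# Constructed sample .mobileconfig (XML plist). Key names are modelled on
# Apple's com.apple.vpn.managed payload as I understand it (assumption);
# host names, identifiers and algorithm values are made up for this example.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Example VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>OverridePrimary</key><false/>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.invalid</string>
        <key>RemoteIdentifier</key><string>vpn.example.invalid</string>
        <key>LocalIdentifier</key><string>user@example.invalid</string>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>ExtendedAuthEnabled</key><true/>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>3DES</string>
          <key>IntegrityAlgorithm</key><string>SHA1-96</string>
          <key>DiffieHellmanGroup</key><integer>2</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>14</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>
        </dict>
      </dict>
      <key>DNS</key>
      <dict>
        <key>ServerAddresses</key><array><string>10.0.0.1</string></array>
        <key>SearchDomains</key><array><string>lan.example.invalid</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Proposals a reviewer would flag in a new deployment (my own policy choice).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH_GROUPS = {1, 2, 5}


def load_vpn_payloads(data: bytes) -> list:
    """Return every VPN payload dict found in a configuration profile."""
    root = plistlib.loads(data)
    return [p for p in root.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]


def audit_sa(label: str, params: dict) -> list:
    """Flag weak encryption, integrity or DH group in one SA parameter dict."""
    findings = []
    enc = params.get("EncryptionAlgorithm")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak encryption algorithm {enc}")
    integ = params.get("IntegrityAlgorithm")
    if integ in WEAK_INTEGRITY:
        findings.append(f"{label}: weak integrity algorithm {integ}")
    group = params.get("DiffieHellmanGroup")
    if group in WEAK_DH_GROUPS:
        findings.append(f"{label}: weak Diffie-Hellman group {group}")
    return findings


def audit_profile(data: bytes) -> list:
    """Audit every IKEv2 VPN payload in the profile and return finding strings."""
    findings = []
    for payload in load_vpn_payloads(data):
        name = payload.get("UserDefinedName", "<unnamed>")
        ike = payload.get("IKEv2", {})
        findings += audit_sa(f"{name} IKE SA",
                             ike.get("IKESecurityAssociationParameters", {}))
        findings += audit_sa(f"{name} child SA",
                             ike.get("ChildSecurityAssociationParameters", {}))
        # Split tunnel with DNS servers pushed: the thread reports that iOS 9
        # then does not resolve through the tunnel unless all traffic is routed.
        dns_servers = payload.get("DNS", {}).get("ServerAddresses", [])
        if dns_servers and not payload.get("OverridePrimary", False):
            findings.append(f"{name}: DNS servers {dns_servers} configured but "
                            "OverridePrimary is not set (split tunnel)")
    return findings


if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print(line)
```

To run it against a real export, replace SAMPLE_PROFILE with the bytes of your .mobileconfig; signed profiles are CMS-wrapped and need to be unwrapped before plistlib can parse them.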