Netgate Discussion Forum

    Valid configuration for IKEv2 VPN for iOS and OSX

    IPsec
      shpokas

      @bahsig:

      Does DNS resolution work from the iOS device in this configuration? With the current IPsec config, iOS 9 doesn't do name resolution through the tunnel. Running ShrewSoft on Windows works, so I'm looking for a solution that will allow DNS through the tunnel from any iOS 9 device.

      This hint worked for me, on both iOS and OS X.
      https://lists.strongswan.org/pipermail/users/2015-October/008842.html

      For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

        matp

        Thanks shpokas!
        Very interesting hack. I'm not using signed profiles, so I was able to try this. I didn't have any success with it, but I'll try again soon. Quite odd that this may be fixable on the client side, despite DNS settings being provided in the pfSense config. It still screams 'bug' to me.

        (Plus, the paid support team said it worked just fine in their tests without doing this)

        @shpokas:

        This hint worked for me, on both iOS and OS X.
        https://lists.strongswan.org/pipermail/users/2015-October/008842.html

        For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

          kapara

          Have you tried installing/using the strongSwan client for the Mac?

          https://download.strongswan.org/osx/strongswan-5.3.2-1.app.zip

          Skype ID:  Marinhd

            shpokas

            Nope, DNS still does not work for me, and there's no way to configure it, contrary to the OS X built-in client.

              matp

              I had a look at that strongSwan client; I don't like it.
              It didn't seem to do anything with the certificates, and the advantage of using the native configurator profile is that we can deploy and modify the settings via the MDM enrolment, which helps.

              We're still simply routing all traffic to work around the DNS issue; it's good enough for now.

                bluefoxreg

                I'm not sure what's causing this, but my Windows 10 was able to route all traffic through the VPN (with one phase 2 config of 0.0.0.0/0), while my iOS (iPhone 5s with iOS 9.2.1) is not routing any traffic through the VPN, even though the VPN icon is showing.

                I also noticed that on the iphone the IP seems to remain the same after the VPN is connected.

                I followed this guide, and the only thing that's different from what is outlined is the profile setup through Apple Configurator 2, which I don't have access to.

                https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

                Thoughts?

                  bluefoxreg

                  Actually, found the problem… I followed the document and didn't have a local domain set. Once I did, the iOS devices were able to route all traffic through the VPN!

                    hidalgo

                    First, thank you for these instructions. With these I could finally connect my iPhone to my pfSense 2.3. But I cannot figure out how to resolve my local DNS names through the tunnel.
                    If I leave phase 2 “Local Network” at “LAN subnet”, I reach my local devices by IP address and the internet outside the tunnel.
                    If I set phase 2 “Local Network” to “Network” and “Address 0.0.0.0/0”, I reach my local devices by IP address but have no internet. Do I have to change my firewall settings?

                    But how can I resolve my devices with names? This

                    https://lists.strongswan.org/pipermail/users/2015-October/008842.html

                    doesn’t work for me. Or I don’t understand exactly how to do it?

                      matp

                      Yeah, I was hoping 2.3 fixed/changed this. The only way seems to be to route all traffic, as mentioned. This means internet access goes out from the other end of the VPN, and domain name resolution is handled by the LAN DNS server; it could be that you've not got access to them?

                        dennypage

                        I'm not sure it's something that pfSense can fix. Best that I can tell, the correct options are being set for strongSwan, and strongSwan is pushing the options correctly. The fix would need to be on the iOS/macOS side.

                        I did see someone who said that they had fixed it by introducing options in the profile that could not be set in Configurator. I dug into this a bit, but was not able to reproduce their success with macOS. I didn't try with iOS, though.

                          matp

                          Yeah, I'm not sure either, but my thinking runs that if it were an iOS/OS X issue, then it would affect all VPN providers, and that does not seem to be the case. I've not actually tested it with a Cisco or Juniper unit, but I'd expect that something not based on strongSwan wouldn't have this problem.

                            bpawlak

                            Hi,

                            Does this setup work for pfSense in version 2.3.2-RELEASE?
                            Can anyone confirm that?

                            Cheers!

                              tcw

                              @bpawlak:

                              Hi,

                              Does this setup work for pfSense in version 2.3.2-RELEASE?
                              Can anyone confirm that?

                              Cheers!

                              Yes, I just set this up today. To address an earlier question about Dynamic DNS, I have this working also but I had to set everything up on a subdomain (vpn.myname.com, versus just myname.com), including setting a dynamic DNS A record for vpn on my nameserver.

                              Thanks OP for such a detailed post! Your instructions are the first I got working. If you're still following this thread, what was your rationale for making the cipher selections you did? I'm wondering if this will work with ciphers that take advantage of AES-NI hardware acceleration.

                                pfsensepilot

                                Where or how do I key in this command? In the web interface somewhere? From the physical console?

                                sudo openssl pkcs12 -export -in userCert.crt -inkey userCert.key -out userCert.p12
                                

                                I'm going through the steps and hope to make a connection between my iPhone (iOS 9.3.5) and pfSense 2.3.2…

                                Thanks.

                                  acc4ever

                                  you have downloaded command line tools for Xcode..

                                  This is a little tutorial… hope it helps you.

                                  http://railsapps.github.io/xcode-command-line-tools.html

                                    pfsensepilot

                                    OK, so copy the 3 certificates and 1 user key to a folder on my Mac, then modify the command to the correct paths and run it through Xcode?

                                      acc4ever

                                      You have to run it through /Applications/Utilities/Terminal.app

                                        pfsensepilot

                                        I was able to run the command.  Thank you.

                                          pfsensepilot

                                          I went through all the steps in the first post.  I am not getting a connection.  What am I missing?  Here's what the logs say:

                                          Sep 2 15:22:34 charon 05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                                          Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer supports MOBIKE
                                          Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                                          Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> no alternative config found
                                          Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer requested EAP, config inacceptable
                                          Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> selected peer config 'bypasslan'
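As an added example (not from this thread, pfSense or strongSwan): a small Python triage script that groups charon lines like the ones above by IKE_SA id and states, from the messages themselves, why the peer was rejected. The sample lines are the six quoted in the post, with whitespace normalized.

```python
import re
# Constructed sample: the six charon lines quoted in the post above (pfSense lists
# newest first), whitespace normalized and the stray </bypasslan|7> debris removed.
SAMPLE_LOG = """\
Sep 2 15:22:34 charon 05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer supports MOBIKE
Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> no alternative config found
Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer requested EAP, config inacceptable
Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> selected peer config 'bypasslan'
"""

# One charon line: timestamp, daemon, thread[subsystem], <conn|IKE_SA id>, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon\s+\d+\[(?P<sub>[A-Z]+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$"
)

def parse_line(line):
    """Fields of one charon log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Per IKE_SA id, record the events that explain a rejection (order-independent)."""
    sas = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        sa = sas.setdefault(f["sa"], {"selected": None, "eap_rejected": False,
                                      "no_alternative": False, "auth_failed": False})
        sel = re.match(r"selected peer config '([^']+)'", f["msg"])
        if sel:
            sa["selected"] = sel.group(1)
        sa["eap_rejected"] |= "peer requested EAP, config inacceptable" in f["msg"]
        sa["no_alternative"] |= "no alternative config found" in f["msg"]
        sa["auth_failed"] |= "N(AUTH_FAILED)" in f["msg"]
    return sas

def diagnose(sa_id, sa):
    """Plain-language reading of what the log says happened to one IKE_SA."""
    if sa["eap_rejected"] and sa["no_alternative"]:
        return (f"IKE_SA {sa_id}: matched config '{sa['selected']}', which does not accept "
                f"EAP, and no other config matched, so the EAP mobile IKEv2 connection was "
                f"not selected for this peer" + (" (AUTH_FAILED sent)." if sa["auth_failed"] else "."))
    if sa["auth_failed"]:
        return f"IKE_SA {sa_id}: AUTH_FAILED on config '{sa['selected']}' for another reason."
    return f"IKE_SA {sa_id}: no rejection recorded."
```

Run it over a pasted block of the IPsec log and each IKE_SA gets one line saying whether the peer ever reached an EAP-capable config.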
                                          
                                            Derelict (Netgate)

                                            This doesn't work??

                                            https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

                                            Chattanooga, Tennessee, USA
                                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.