Valid configuration for IKEv2 VPN for iOS and OSX
-
Have you tried installing/using the strongswan client for the MAC?
https://download.strongswan.org/osx/strongswan-5.3.2-1.app.zip
-
Nope, DNS still does not work for me and there's no way to configure it, in contrast to the OS X built-in client.
-
I had a look at that strongSwan client, don't like it.
It didn't seem to do anything with the certificates, and the advantage of using the native configurator profile is that we can deploy and modify the settings via the MDM enrolment, which helps. We're still simply routing all traffic to work around the DNS issue; it's good enough for now.
-
I'm not sure what's causing this, but my Windows 10 machine was able to route all traffic through the VPN (with one phase 2 config of 0.0.0.0/0), while my iOS device (iPhone 5s with iOS 9.2.1) is not routing any traffic through the VPN, even though the VPN icon is showing.
I also noticed that on the iPhone the IP seems to remain the same after the VPN is connected.
I followed this guide, and the only thing that's different from what is outlined is the profile setup through Apple Configurator 2, which I don't have access to:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
Thoughts?
-
Actually, found the problem… I followed the document and didn't have a local domain set; once I did, the iOS devices are able to route all traffic through the VPN now!
-
First, thank you for these instructions. With these I could finally connect my iPhone to my pfSense 2.3. But I cannot figure out how to resolve my local DNS names through the tunnel.
If I leave phase 2 "Local Network" at "LAN subnet", I reach my local devices by IP address and the internet outside the tunnel.
If I set phase 2 "Local Network" to "Network" and "Address 0.0.0.0/0", I reach my local devices by IP address but have no internet. Do I have to change my firewall settings? But how can I resolve my devices by name? This
https://lists.strongswan.org/pipermail/users/2015-October/008842.html
doesn't work for me. Or do I not understand exactly how to do it?
-
Yeah, I was hoping 2.3 fixed/changed this. The only way seems to be to route all traffic, as mentioned. This means internet access goes out from the other end of the VPN, and domain name resolution is handled by the LAN DNS server; could it be that you've not got access to them?
-
I'm not sure it's something that pfSense can fix. Best that I can tell, the correct options are being set for StrongSwan, and StrongSwan is pushing the options correctly. The fix would need to be on the iOS/MacOS side.
I did see someone who said that they had fixed it by introducing options in the profile that could not be set in Configurator. I dug into this a bit, but was not able to reproduce their success with MacOS. I didn't try with iOS though.
-
Yeah, I'm not sure either, but my thinking is that if it were an iOS/OSX issue, then it would affect all VPN providers, and that does not seem to be the case. I've not actually tested it with a Cisco or Juniper unit, but I'd expect that something not based on strongSwan wouldn't have this problem.
-
Hi,
Does this setup work for pfSense in version 2.3.2-RELEASE?
Can anyone confirm that? Cheers!
-
Yes, I just set this up today. To address an earlier question about Dynamic DNS, I have this working also but I had to set everything up on a subdomain (vpn.myname.com, versus just myname.com), including setting a dynamic DNS A record for vpn on my nameserver.
Thanks OP for such a detailed post! Your instructions are the first I got working. If you're still following this thread, what was your rationale for making the cipher selections you did? I'm wondering if this will work with ciphers that take advantage of AES-NI hardware acceleration.
-
Where or how do I key in this command?? In the web interface somewhere?? From the physical console??
sudo openssl pkcs12 -export -in userCert.crt -inkey userCert.key -out userCert.p12
I'm going through the steps and hope to make a connection between my iPhone (iOS 9.3.5) and pfSense 2.3.2…
Thanks.
-
You need the command line tools for Xcode downloaded.
This is a little tutorial… hope it helps you:
http://railsapps.github.io/xcode-command-line-tools.html
-
Ok, so copy the 3 certificates and 1 user key to a folder on my Mac, then modify the command to the correct paths and run it through Xcode?
-
You have to run it through /Applications/Utilities/Terminal.app
-
I was able to run the command. Thank you.
-
I went through all the steps in the first post. I am not getting a connection. What am I missing? Here's what the logs say:
Sep 2 15:22:34 charon 05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer supports MOBIKE
Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> no alternative config found
Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer requested EAP, config inacceptable
Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> selected peer config 'bypasslan'
-
This doesn't work??
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
-
Following the instructions on that link, I am getting what looks like the same errors:
Sep 5 14:36:38 charon 07[ENC] <bypasslan|10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 5 14:36:38 charon 07[IKE] <bypasslan|10> peer supports MOBIKE
Sep 5 14:36:38 charon 07[IKE] <bypasslan|10> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 5 14:36:38 charon 07[CFG] <bypasslan|10> no alternative config found
Sep 5 14:36:38 charon 07[IKE] <bypasslan|10> peer requested EAP, config inacceptable
Sep 5 14:36:38 charon 07[CFG] <bypasslan|10> selected peer config 'bypasslan'
The only thing I was confused about when following the instructions was the CN. I used my static external IP address as the common name, then added "IP address" as an alternative name and keyed in my static external IP again. I'm not sure what the hostname for my box means, and when I click alternative, I do not have the option for DNS.
Please help! I was using PPTP before and lost that after I upgraded my box. Now I can't get into my office remotely anymore; I can't go on vacation or out of town, and I have to drive to the office in the evenings and on weekends when I need access to my network.
Trying to configure IPsec to work with my MacBook and iPhone has cost me a lot of hours and been very frustrating. I hope to get it configured correctly and up and running soon.
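The charon excerpts posted above arrive as one run-together line, which hides the sequence of events. The helper below is an added example (not from the thread or from pfSense) that splits such a line back into events and summarises the IKE_AUTH failure; the sample input is the excerpt from the earlier post, and the advice text is this example's own reading of those events.

```sh
#!/bin/sh
# Added example: re-split a pasted charon log line and explain AUTH_FAILED.
# Sample input: the excerpt posted in this thread, with the HTML debris removed.
SAMPLE_LOG="Sep 2 15:22:34 charon 05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer supports MOBIKE Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> no alternative config found Sep 2 15:22:34 charon 05[IKE] <bypasslan|7> peer requested EAP, config inacceptable Sep 2 15:22:34 charon 05[CFG] <bypasslan|7> selected peer config 'bypasslan'"

# Put a newline before every "Mon D HH:MM:SS charon" header (pfSense shows
# newest first, so the order is reverse-chronological, as in the web GUI).
split_charon_events() {
  printf '%s\n' "$1" | awk '{
    gsub(/ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +[0-9]+ [0-9:]+ charon/, "\n&")
    print
  }' | sed 's/^ //'
}

# One-line diagnosis: which conn charon picked and why EAP was refused.
diagnose_ike_auth() {
  events=$(split_charon_events "$1")
  printf '%s\n' "$events" | grep -q 'N(AUTH_FAILED)' \
    || { echo "no AUTH_FAILED in excerpt"; return 0; }
  conn=$(printf '%s\n' "$events" \
    | sed -n "s/.*selected peer config '\([^']*\)'.*/\1/p" | head -n 1)
  if printf '%s\n' "$events" | grep -q 'peer requested EAP, config inacceptable' \
     && printf '%s\n' "$events" | grep -q 'no alternative config found'; then
    # 'bypasslan' is the automatic LAN-bypass entry pfSense adds, not the
    # mobile-clients conn; landing there typically means no other conn matched
    # the identities in IKE_AUTH, so the identifiers (CN/SAN vs. "My identifier")
    # on both sides are the first thing to compare.
    echo "AUTH_FAILED: client asked for EAP, but charon matched conn '${conn:-?}' which has no EAP and found no alternative; compare identifiers on both sides"
    return 0
  fi
  echo "AUTH_FAILED in conn '${conn:-?}'; see the split events for the reason"
}

split_charon_events "$SAMPLE_LOG"
diagnose_ike_auth "$SAMPLE_LOG"
```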
-
Hi, newbie here! :o
At one point I was able to make it work, but I have some issues now.
I set up OpenVPN and it's working fine, but I need the Apple Configurator option "AlwaysOn", and it can only be achieved with IKEv2.
I can set up all those parameters, but for the p12 certificate, I searched online and the openssl command line doesn't ask for a password; you can't set one, and Apple Configurator won't let you add that certificate to a profile with an empty password field, and "space" is not working.
I have pfSense 2.3, iOS 10.1 and the latest version of Apple Configurator.
I need something simple: one user only, who needs to be on the VPN all the time and can't turn it off, with a configuration profile that can't be removed (supervised mode).
So how can I get it to work? Or have a self-signed p12 certificate with the password.
Thank you
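For the openssl command asked about earlier in the thread and the export-password problem in the last post, here is an added example (not from the thread, the pfSense docs or Apple) that builds the .p12 with an explicit password via -passout and then checks that the bundle opens with it. The file names follow the thread's command; the password, subject names and the throwaway CA are placeholders constructed for this example, whereas on pfSense the certificate and key come from the Cert Manager export.

```sh
#!/bin/sh
# Added example: export userCert.crt + userCert.key to a password-protected
# PKCS#12 bundle, the form Apple Configurator expects, and verify it.
set -eu

# -passout sets the export password non-interactively; -certfile bundles the
# CA certificate so the profile carries the chain; -name is the friendly name.
make_p12() {
  crt=$1; key=$2; ca=$3; out=$4; pw=$5
  openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$ca" \
    -name "ikev2-user" -out "$out" -passout "pass:$pw"
}

# Succeed only if the bundle opens with this password and holds a private key.
verify_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Throwaway CA and user certificate so the example runs stand-alone
# (constructed here, not real credentials).
make_demo_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -subj "/CN=Demo VPN CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/userCert.key" \
    -out "$dir/user.csr" -subj "/CN=vpnuser" 2>/dev/null
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/userCert.crt" -days 2 2>/dev/null
}

# Usage: whole flow in a temporary directory; replace the placeholder password.
work=$(mktemp -d)
make_demo_certs "$work"
make_p12 "$work/userCert.crt" "$work/userCert.key" "$work/ca.crt" \
  "$work/userCert.p12" 'change-this-password'
verify_p12 "$work/userCert.p12" 'change-this-password' \
  && echo "p12 OK: $work/userCert.p12"
```

With OpenSSL 3 the default PKCS#12 encryption is AES with PBKDF2; if an older importer rejects the file, re-exporting with the additional -legacy option produces the older, weaker format that such importers understand.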