Netgate Discussion Forum

    Valid configuration for IKEv2 VPN for iOS and OSX

    IPsec
      matp

      Yeah, I'm not sure either, but my thinking runs that if it were an iOS/OSX issue, then it would affect all VPN providers and that does not seem to be the case. I've not actually tested it with a Cisco or Juniper unit but I'd expect that something not based on strongSwan wouldn't have this problem.

        bpawlak

        Hi,

        Does this setup work for pfSense in version 2.3.2-RELEASE?
        Can anyone confirm that?

        Cheers!

          tcw

          @bpawlak:

          Hi,

          Does this setup work for pfSense in version 2.3.2-RELEASE?
          Can anyone confirm that?

          Cheers!

          Yes, I just set this up today. To address an earlier question about Dynamic DNS, I have this working also but I had to set everything up on a subdomain (vpn.myname.com, versus just myname.com), including setting a dynamic DNS A record for vpn on my nameserver.

          Thanks OP for such a detailed post! Your instructions are the first I got working. If you're still following this thread, what was your rationale for making the cipher selections you did? I'm wondering if this will work with ciphers that take advantage of AES-NI hardware acceleration.

            pfsensepilot

            Where or how do I key in this command?? In the web interface somewhere??  From the physical console??

            sudo openssl pkcs12 -export -in userCert.crt -inkey userCert.key -out userCert.p12
            

            I'm going through the steps and hope to make a connection between my iPhone running iOS 9.3.5 and pfSense 2.3.2…

            Thanks.

              acc4ever

              Have you downloaded the command line tools for Xcode?

              This is a little tutorial; hope it helps you:

              http://railsapps.github.io/xcode-command-line-tools.html

                pfsensepilot

                Ok, so copy the 3 certificates and 1 user key to a folder on my Mac, then modify the command to the correct paths and run it through Xcode?

                  acc4ever

                  You have to run it through /Applications/Utilities/Terminal.app

                    pfsensepilot

                    I was able to run the command.  Thank you.

                      pfsensepilot

                      I went through all the steps in the first post.  I am not getting a connection.  What am I missing?  Here's what the logs say:

                      Sep 2 15:22:34	charon		05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                      Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> peer supports MOBIKE
                      Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                      Sep 2 15:22:34	charon		05[CFG] <bypasslan|7> no alternative config found
                      Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> peer requested EAP, config inacceptable
                      Sep 2 15:22:34	charon		05[CFG] <bypasslan|7> selected peer config 'bypasslan'
                      
                        Derelict (Netgate)

                        This doesn't work??

                        https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2


                          pfsensepilot

                          Following the instructions on that link, I am getting what looks like the same errors:

                          Sep 5 14:36:38	charon		07[ENC] <bypasslan|10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                          Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> peer supports MOBIKE
                          Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                          Sep 5 14:36:38	charon		07[CFG] <bypasslan|10> no alternative config found
                          Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> peer requested EAP, config inacceptable
                          Sep 5 14:36:38	charon		07[CFG] <bypasslan|10> selected peer config 'bypasslan'
                          

                          The only thing I was confused about when following the instructions was the CN.  I used my static external ip address as the common name, then added "ip address" as an alternative and rekeyed in my static external ip.  I'm not sure what the hostname for my box means and when I click alternative, I do not have the option for DNS.

                          Please help!  I was using PPTP before and lost that after I upgraded my box.  Now I can't get into my office remotely anymore, can't go on vacation or out of town, I have to drive to the office in the evenings and on weekends when I need access to my network.

                          Trying to configure IPsec to work with my MacBook and iPhone has cost me a lot of hours and been very frustrating.  I hope to get it configured correctly and up and running soon.

                            jffortier

                            Hi, newbie here! :o

                            At one point I was able to make it work but I have some issues now.

                            I set up OpenVPN and it's working fine, but I need the Apple Configurator option "AlwaysOn" and it can only be achieved with IKEv2.

                            I can set up all those parameters, but for the p12 certificate: I searched online, and the openssl command line doesn't ask for a password; you can't set one, and Apple Configurator won't let you add that certificate to a profile with an empty password field, and "space" is not working.

                            I have pfSense 2.3, iOS 10.1 and the latest version of Apple Configurator.

                            I need something simple: one user only, who needs to be on the VPN all the time and can't turn it off, with a configuration profile that can't be removed (supervised mode).

                            So how can I get it to work? Or how can I have a self-signed p12 certificate with a password?

                            Thank you

                              aholtzma

                              To make split DNS work w/o routing all traffic through the tunnel, you need to provide a second, fake, domain name to work around bug 4418:

                              https://redmine.pfsense.org/issues/4418

                              Without this workaround, you will see a 'p' character appended to the domain in 'scutil --dns'. The extra 'p' is still there; it just gets appended to the fake domain name and is harmless.

                                flagsense

                                Hi,

                                I configured it as you described in your post, and the VPN tunnel works fast, but after 3-30 minutes the iPhone panics and restarts. Sometimes it happens right away when I generate some network traffic.

                                Does anybody else have the same problem?

                                Best regards,

                                flagsense

                                  pfguy2017

                                  I am trying to get this set up on my pfSense box 2.3.3_1.  I am stuck on the server certificate, where the instructions say:

                                  Click "+" to add a new Alternative Name
                                  Enter DNS in the Type field
                                  Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!
                                  Click "+" to add a new Alternative Name
                                  Enter IP in the Type field
                                  Enter the WAN IP address of the firewall in the Value field

                                  At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
                                  -FQDN or Hostname
                                  -IP address
                                  -URI
                                  -email address

                                  Am I missing something here?

                                    posto587

                                    I'm trying to get this work with EAP-MSCHAPv2.
                                    On Windows 10 it's working great but I have problems getting this to work on macOS/iOS with Apple Configurator profiles.

                                    I did everything to generate the profile suggested in the first post, but instead of EAP authentication: certificate, I chose username/password.
                                    When connecting with macOS/iOS with the profile installed I'm getting the exact same errors as pfsensepilot:

                                    Apr 4 17:13:27 	charon 		07[ENC] <bypasslan|54> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                                    Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54> peer supports MOBIKE
                                    Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                                    Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54> no alternative config found
                                    Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54> peer requested EAP, config inacceptable
                                    Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54> selected peer config 'bypasslan'
                                    

                                    Does anybody have an idea/hint?

                                    EDIT: Now I tested with EAP-TLS and configured everything exactly as described in the first post.
                                    And again, it's working on Windows 10 but when I try to connect with macOS I'm getting the same errors shown above.
                                    Trying to modify certain settings (e.g. PFS off/on) changes nothing…

                                      pfguy2017

                                      I am also having trouble getting a connection.  Here is the log.  Can anyone give some insight as to what the problem might be?

                                      Apr 4 14:33:08 	charon 		15[MGR] <con1|3> checkin of IKE_SA successful
                                      Apr 4 14:33:08 	charon 		15[MGR] <con1|3> checkin IKE_SA con1[3]
                                      Apr 4 14:33:08 	charon 		15[NET] <con1|3> sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1196 bytes)
                                      Apr 4 14:33:08 	charon 		15[NET] <con1|3> sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1244 bytes)
                                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(2/2) ]
                                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(1/2) ]
                                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3> splitting IKE message with length of 2360 bytes into 2 fragments
                                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
                                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3> sending end entity cert "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=zzz.com"
                                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3> authentication of 'zzz.com' (myself) with RSA signature successful
                                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3> peer supports MOBIKE
                                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3> initiating EAP_IDENTITY method (id 0x00)
                                      Apr 4 14:33:08 	charon 		15[CFG] <con1|3> selected peer config 'con1'
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate "con1", match: 20/1/1052 (me/other/ike)
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate "bypasslan", match: 1/1/24 (me/other/ike)
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> looking for peer configs matching x.x.x.x[xx.xx.com]...y.y.y.y[zzz]
                                      Apr 4 14:33:08 	charon 		15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
                                      Apr 4 14:33:08 	charon 		15[ENC] <3> unknown attribute type (25)
                                      Apr 4 14:33:08 	charon 		15[NET] <3> received packet: from y.y.y.y[4533] to x.x.x.x[4500] (360 bytes)
                                      Apr 4 14:33:08 	charon 		15[MGR] IKE_SA (unnamed)[3] successfully checked out
                                      Apr 4 14:33:08 	charon 		15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i c93792bfd0b4d1d3_r
                                      Apr 4 14:33:08 	charon 		15[MGR] <3> checkin of IKE_SA successful
                                      Apr 4 14:33:08 	charon 		15[MGR] <3> checkin IKE_SA (unnamed)[3]
                                      Apr 4 14:33:08 	charon 		15[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[1446] (313 bytes)
                                      Apr 4 14:33:08 	charon 		15[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
                                      Apr 4 14:33:08 	charon 		15[IKE] <3> sending cert request for "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=XXX"
                                      Apr 4 14:33:08 	charon 		15[IKE] <3> remote host is behind NAT
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> proposal matches
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> selecting proposal:
                                      Apr 4 14:33:08 	charon 		15[IKE] <3> y.y.y.y is initiating an IKE_SA
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> found matching ike config: x.x.x.x...%any with prio 1052
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate: x.x.x.x...%any, prio 1052
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate: %any...%any, prio 24
                                      Apr 4 14:33:08 	charon 		15[CFG] <3> looking for an ike config for x.x.x.x...y.y.y.y
                                      Apr 4 14:33:08 	charon 		15[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
                                      Apr 4 14:33:08 	charon 		15[NET] <3> received packet: from x.x.x.x [1446] to x.x.x.x[500] (280 bytes)
                                      Apr 4 14:33:08 	charon 		15[MGR] created IKE_SA (unnamed)[3]
                                      Apr 4 14:33:08 	charon 		15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i 0000000000000000_r
                                      
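Added here as a worked example (not code from this thread, pfSense or strongSwan): a small Python triage over the charon lines pfsensepilot, posto587 and pfguy2017 posted, with the samples constructed inline. It reports which peer config charon selected and flags the pattern in the failing logs, where only pfSense's auto-generated bypasslan entry matched and the client's EAP request was then refused; reading that as "the client's identifiers or auth settings matched no mobile phase 1" is the example's own inference.

```python
"""Triage of the strongSwan (charon) IKE_AUTH log lines quoted in this thread.

Added example; not code from the thread, pfSense or strongSwan. The sample logs
are constructed from the lines posted above (addresses anonymised). The pfSense
log viewer lists the newest line first, so nothing here depends on line order.
"""
import re
from dataclasses import dataclass, field

# "<Mon D HH:MM:SS> charon <thread>[<group>] <conn|id> message"; tabs and spaces vary.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s*"
    r"(?:<(?P<sa>[^>]+)>)?\s*(?P<msg>.*\S)\s*$"
)
CANDIDATE_RE = re.compile(
    r'candidate "(?P<name>[^"]+)", match: (?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+)'
)
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")

# pfSense adds this connection itself so LAN-to-LAN traffic bypasses IPsec; a
# road-warrior client should never end up matched against it.
PFSENSE_BYPASS_CONFIG = "bypasslan"


@dataclass
class Triage:
    selected_config: str = None
    candidates: dict = field(default_factory=dict)  # name -> (me, other, ike) match score
    eap_refused: bool = False
    auth_failed: bool = False
    eap_started: bool = False
    findings: list = field(default_factory=list)


def parse_line(line):
    """Split one charon line into its fields; None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log):
    t = Triage()
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := SELECTED_RE.search(msg):
            t.selected_config = m.group("name")
        elif m := CANDIDATE_RE.search(msg):
            t.candidates[m.group("name")] = tuple(int(m.group(k)) for k in ("me", "other", "ike"))
        elif "peer requested EAP, config inacceptable" in msg:
            t.eap_refused = True
        elif "N(AUTH_FAILED)" in msg:
            t.auth_failed = True
        elif "initiating EAP_IDENTITY method" in msg:
            t.eap_started = True

    if t.eap_refused:
        t.findings.append("client requested EAP but the selected peer config does not allow it")
    if t.selected_config == PFSENSE_BYPASS_CONFIG:
        # Inference: only the bypass entry scored, so the identifiers (IDi/IDr) or
        # auth method the client sent matched none of the mobile IPsec phase 1 entries.
        t.findings.append("only 'bypasslan' matched; compare the client's identifiers with the phase 1")
    if t.auth_failed:
        t.findings.append("IKE_AUTH was answered with AUTH_FAILED")
    if not t.findings and t.eap_started:
        t.findings.append("peer config selected and EAP identity exchange started")
    return t


# Constructed from pfsensepilot's post (tabs as the log viewer exports them).
FAILING_LOG = """\
Sep 2 15:22:34\tcharon\t\t05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 15:22:34\tcharon\t\t05[IKE] <bypasslan|7> peer supports MOBIKE
Sep 2 15:22:34\tcharon\t\t05[CFG] <bypasslan|7> no alternative config found
Sep 2 15:22:34\tcharon\t\t05[IKE] <bypasslan|7> peer requested EAP, config inacceptable
Sep 2 15:22:34\tcharon\t\t05[CFG] <bypasslan|7> selected peer config 'bypasslan'
"""

# Constructed from pfguy2017's post, where the real connection 'con1' won.
WORKING_LOG = """\
Apr 4 14:33:08 \tcharon \t\t15[IKE] <con1|3> initiating EAP_IDENTITY method (id 0x00)
Apr 4 14:33:08 \tcharon \t\t15[CFG] <con1|3> selected peer config 'con1'
Apr 4 14:33:08 \tcharon \t\t15[CFG] <3> candidate "con1", match: 20/1/1052 (me/other/ike)
Apr 4 14:33:08 \tcharon \t\t15[CFG] <3> candidate "bypasslan", match: 1/1/24 (me/other/ike)
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        t = triage(log)
        print(f"{name}: selected={t.selected_config} candidates={t.candidates}")
        for finding in t.findings:
            print("  -", finding)
```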
                                        pfguy2017

                                        I am popping back in to this thread to provide some additional info. I was able to get the IKEv2 VPN connection working following my previous post, by deleting everything and stepping through the instructions again. And I was able to leave out the "IP" and "DNS" fields (which, as I noted upthread, do not seem to be enterable any more). Thank you very much to the OP!

                                        I was also able to turn the VPN connection into a VPN on demand connection, and I thought I would outline the steps involved in case anyone else wants to do this.  Apple Configurator 2 does not show the "VPN on demand" toggle when setting up a profile for IKEv2 (it seems to be present for L2TP and IPsec only).  However, I was able to achieve this by manually editing (using TextWrangler) the .mobileconfig profile as below. The relevant changes are near the bottom, where I was able to set things up so that if I am connected to my home Wi-Fi, the VPN is turned off, but the VPN connection is enabled if connected to any other network.  Note that if you sign the profile in Configurator, it cannot be edited.  Note also that this does not require a supervised iOS device.

                                        
                                        <?xml version="1.0" encoding="UTF-8"?>
                                        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                                        <plist version="1.0">
                                        <dict>
                                          <key>HasRemovalPasscode</key>
                                          <true/>
                                          <key>PayloadContent</key>
                                          <array>
                                            <!-- CA root certificate that issued the server certificate -->
                                            <dict>
                                              <key>PayloadCertificateFileName</key>
                                              <string>MyCA.cer</string>
                                              <key>PayloadContent</key>
                                              <data>abc123 (generated by Configurator)</data>
                                              <key>PayloadDescription</key>
                                              <string>Adds a CA root certificate</string>
                                              <key>PayloadDisplayName</key>
                                              <string>MyCA</string>
                                              <key>PayloadIdentifier</key>
                                              <string>com.apple.security.root.xxx (generated by Configurator)</string>
                                              <key>PayloadType</key>
                                              <string>com.apple.security.root</string>
                                              <key>PayloadUUID</key>
                                              <string>xxx (generated by Configurator)</string>
                                              <key>PayloadVersion</key>
                                              <integer>1</integer>
                                            </dict>
                                            <!-- Server certificate -->
                                            <dict>
                                              <key>PayloadCertificateFileName</key>
                                              <string>MyVPN.cer</string>
                                              <key>PayloadContent</key>
                                              <data>xyz456 (generated by Configurator)</data>
                                              <key>PayloadDescription</key>
                                              <string>Adds a PKCS#1-formatted certificate</string>
                                              <key>PayloadDisplayName</key>
                                              <string>example.com</string>
                                              <key>PayloadIdentifier</key>
                                              <string>com.apple.security.pkcs1.xxx (generated by Configurator)</string>
                                              <key>PayloadType</key>
                                              <string>com.apple.security.pkcs1</string>
                                              <key>PayloadUUID</key>
                                              <string>xxx (generated by Configurator)</string>
                                              <key>PayloadVersion</key>
                                              <integer>1</integer>
                                            </dict>
                                            <!-- Password required to remove the profile -->
                                            <dict>
                                              <key>PayloadDescription</key>
                                              <string>Configures a password for profile removal</string>
                                              <key>PayloadDisplayName</key>
                                              <string>Profile Removal</string>
                                              <key>PayloadIdentifier</key>
                                              <string>com.apple.profileRemovalPassword.xxx (generated by Configurator)</string>
                                              <key>PayloadType</key>
                                              <string>com.apple.profileRemovalPassword</string>
                                              <key>PayloadUUID</key>
                                              <string>xxx (generated by Configurator)</string>
                                              <key>PayloadVersion</key>
                                              <integer>1</integer>
                                              <key>RemovalPassword</key>
                                              <string>mypassword</string>
                                            </dict>
                                            <!-- User certificate and key (the .p12); Password is the p12 export password -->
                                            <dict>
                                              <key>Password</key>
                                              <string>yyy</string>
                                              <key>PayloadCertificateFileName</key>
                                              <string>username.p12</string>
                                              <key>PayloadContent</key>
                                              <data>abc456 (generated by Configurator)</data>
                                              <key>PayloadDescription</key>
                                              <string>Adds a PKCS#12-formatted certificate</string>
                                              <key>PayloadDisplayName</key>
                                              <string>username.p12</string>
                                              <key>PayloadIdentifier</key>
                                              <string>com.apple.security.pkcs12.xxxx (generated by Configurator)</string>
                                              <key>PayloadType</key>
                                              <string>com.apple.security.pkcs12</string>
                                              <key>PayloadUUID</key>
                                              <string>xxx (generated by Configurator)</string>
                                              <key>PayloadVersion</key>
                                              <integer>1</integer>
                                            </dict>
                                            <!-- The IKEv2 VPN payload; PayloadCertificateUUID must be the UUID of the pkcs12 payload above -->
                                            <dict>
                                              <key>IKEv2</key>
                                              <dict>
                                                <key>AuthenticationMethod</key>
                                                <string>Certificate</string>
                                                <key>ChildSecurityAssociationParameters</key>
                                                <dict>
                                                  <key>DiffieHellmanGroup</key>
                                                  <integer>20</integer>
                                                  <key>EncryptionAlgorithm</key>
                                                  <string>AES-256</string>
                                                  <key>IntegrityAlgorithm</key>
                                                  <string>SHA2-256</string>
                                                  <key>LifeTimeInMinutes</key>
                                                  <integer>60</integer>
                                                </dict>
                                                <key>DeadPeerDetectionRate</key>
                                                <string>Medium</string>
                                                <key>DisableMOBIKE</key>
                                                <integer>0</integer>
                                                <key>DisableRedirect</key>
                                                <integer>0</integer>
                                                <key>EnableCertificateRevocationCheck</key>
                                                <integer>0</integer>
                                                <key>EnablePFS</key>
                                                <integer>0</integer>
                                                <key>ExtendedAuthEnabled</key>
                                                <true/>
                                                <key>IKESecurityAssociationParameters</key>
                                                <dict>
                                                  <key>DiffieHellmanGroup</key>
                                                  <integer>20</integer>
                                                  <key>EncryptionAlgorithm</key>
                                                  <string>AES-256</string>
                                                  <key>IntegrityAlgorithm</key>
                                                  <string>SHA2-384</string>
                                                  <key>LifeTimeInMinutes</key>
                                                  <integer>480</integer>
                                                </dict>
                                                <key>LocalIdentifier</key>
                                                <string>user</string>
                                                <key>PayloadCertificateUUID</key>
                                                <string>xxx (generated by Configurator)</string>
                                                <key>RemoteAddress</key>
                                                <string>example.com</string>
                                                <key>RemoteIdentifier</key>
                                                <string>example.com</string>
                                                <key>ServerCertificateCommonName</key>
                                                <string>example.com</string>
                                                <key>ServerCertificateIssuerCommonName</key>
                                                <string>MyCA</string>
                                                <key>UseConfigurationAttributeInternalIPSubnet</key>
                                                <integer>0</integer>
                                              </dict>
                                              <key>IPv4</key>
                                              <dict>
                                                <key>OverridePrimary</key>
                                                <integer>1</integer>
                                              </dict>
                                              <key>PayloadDescription</key>
                                              <string>Configures VPN settings</string>
                                              <key>PayloadDisplayName</key>
                                              <string>VPN</string>
                                              <key>PayloadIdentifier</key>
                                              <string>com.apple.vpn.managed.xxx (generated by Configurator)</string>
                                              <key>PayloadType</key>
                                              <string>com.apple.vpn.managed</string>
                                              <key>PayloadUUID</key>
                                              <string>xxx (generated by Configurator)</string>
                                              <key>PayloadVersion</key>
                                              <integer>1</integer>
                                              <key>Proxies</key>
                                              <dict>
                                                <key>HTTPEnable</key>
                                                <integer>0</integer>
                                                <key>HTTPSEnable</key>
                                                <integer>0</integer>
                                              </dict>
                                              <key>UserDefinedName</key>
                                              <string>MyVPN</string>
                                              <key>VPNType</key>
                                              <string>IKEv2</string>
                                              <!-- Hand-added part: on-demand rules are evaluated in order, first match wins -->
                                              <key>OnDemandEnabled</key>
                                              <integer>1</integer>
                                              <key>OnDemandRules</key>
                                              <array>
                                                <!-- On the home Wi-Fi: keep the VPN down -->
                                                <dict>
                                                  <key>InterfaceTypeMatch</key>
                                                  <string>WiFi</string>
                                                  <key>SSIDMatch</key>
                                                  <array>
                                                    <string>My Home Wifi Network name</string>
                                                  </array>
                                                  <key>Action</key>
                                                  <string>Disconnect</string>
                                                </dict>
                                                <!-- Any other network: bring the VPN up -->
                                                <dict>
                                                  <key>Action</key>
                                                  <string>Connect</string>
                                                </dict>
                                              </array>
                                            </dict>
                                          </array>
                                          <key>PayloadDisplayName</key>
                                          <string>MyVPN</string>
                                          <key>PayloadIdentifier</key>
                                          <string>MyVPN</string>
                                          <key>PayloadRemovalDisallowed</key>
                                          <true/>
                                          <key>PayloadType</key>
                                          <string>Configuration</string>
                                          <key>PayloadUUID</key>
                                          <string>xxx (generated by Configurator)2</string>
                                          <key>PayloadVersion</key>
                                          <integer>1</integer>
                                        </dict>
                                        </plist>
                                        
                                        

                                        References/credit:
                                        https://medium.com/@cattyhouse/ios-ondemand-ipsec-vpn-setup-ebfb82b6f7a1
                                        https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
                                        https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW36
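An added example, not code from the post or from Apple: the standard-library plistlib reads a .mobileconfig like the one above, and the small evaluator below applies its OnDemandRules the way Apple's profile reference describes (rules are checked in order, the first rule whose match keys all hold decides the Action), so you can confirm that the home-SSID Disconnect rule really shadows the catch-all Connect before installing the profile. The embedded profile is a constructed minimum with the post's rules; the SSID is the placeholder from the post.

```python
import plistlib

# Constructed minimal profile (not the poster's file): one IKEv2 payload carrying
# the same OnDemandRules as the profile above, plus the top-level keys it sets.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>OnDemandEnabled</key><integer>1</integer>
      <key>OnDemandRules</key>
      <array>
        <dict>
          <key>InterfaceTypeMatch</key><string>WiFi</string>
          <key>SSIDMatch</key><array><string>My Home Wifi Network name</string></array>
          <key>Action</key><string>Disconnect</string>
        </dict>
        <dict><key>Action</key><string>Connect</string></dict>
      </array>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadRemovalDisallowed</key><true/>
</dict>
</plist>
"""

def ikev2_payload(profile_bytes):
    """Return the first IKEv2 VPN payload in the profile's PayloadContent array."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload.get("VPNType") == "IKEv2":
            return payload
    raise ValueError("profile carries no IKEv2 VPN payload")

def on_demand_action(rules, interface, ssid=None):
    """Evaluate OnDemandRules in order; the first rule whose match keys all
    hold decides the Action. A rule with no match keys (the trailing
    {Action: Connect} dict) is the catch-all. Returns None if nothing matches."""
    for rule in rules:
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        return rule["Action"]
    return None
```

Swap the two dicts in OnDemandRules and the evaluator returns Connect on the home network too, which is exactly the misordering the first-match semantics make easy to miss.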

                                        • K
                                          krolykke
                                          last edited by

                                          @pfguy2017:

                                          At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
                                          -FQDN or Hostname
                                          -IP address
                                          -URI
                                          -email address

                                          Am I missing something here?

                                          Look to the right of the dropdown, there is a field where you can enter the required data.

                                          • P
                                            pfguy2017
                                            last edited by

                                            @krolykke:

                                            @pfguy2017:

                                            At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
                                            -FQDN or Hostname
                                            -IP address
                                            -URI
                                            -email address

                                            Am I missing something here?

                                            Look to the right of the dropdown, there is a field where you can enter the required data.

                                            The field on the right is for the "value", not the "type" (which is on the left).  There is no way (that I can see) to enter a "type" other than the 4 choices in the drop down menu (as in the instructions in the first post in this thread).  I guess this changed with a recent pfSense update.  However, it does not seem to matter.  In my case, I was able to get everything working using the "FQDN or Hostname" and "email address" fields (for email I entered the same string as for the CN and SAN (i.e. the server address or the user name, depending on the cert)).  The "DNS" and "IP" entries do not seem to be required in order to get everything working.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.