Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Valid configuration for IKEv2 VPN for iOS and OSX

    Scheduled Pinned Locked Moved IPsec
    68 Posts 33 Posters 52.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfsensepilot
      last edited by

      I went through all the steps in the first post.  I am not getting a connection.  What am I missing?  Here's what the logs say:

      Sep 2 15:22:34	charon		05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> peer supports MOBIKE
      Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Sep 2 15:22:34	charon		05[CFG] <bypasslan|7> no alternative config found
      Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> peer requested EAP, config inacceptable
      Sep 2 15:22:34	charon		05[CFG] <bypasslan|7> selected peer config 'bypasslan'</bypasslan|7></bypasslan|7></bypasslan|7></bypasslan|7></bypasslan|7></bypasslan|7>
      
      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        This doesn't work??

        https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • P
          pfsensepilot
          last edited by

          Following the instructions on that link, I am getting what looks like the same errors:

          Sep 5 14:36:38	charon		07[ENC] <bypasslan|10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
          Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> peer supports MOBIKE
          Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
          Sep 5 14:36:38	charon		07[CFG] <bypasslan|10> no alternative config found
          Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> peer requested EAP, config inacceptable
          Sep 5 14:36:38	charon		07[CFG] <bypasslan|10> selected peer config 'bypasslan'</bypasslan|10></bypasslan|10></bypasslan|10></bypasslan|10></bypasslan|10></bypasslan|10>
          

          The only thing I was confused about when following the instructions was the CN.  I used my static external ip address as the common name, then added "ip address" as an alternative and rekeyed in my static external ip.  I'm not sure what the hostname for my box means and when I click alternative, I do not have the option for DNS.

          Please help!  I was using PPTP before and lost that after I upgraded my box.  Now I can't get into my office remotely anymore, can't go on vacation or out of town, I have to drive to the office in the evenings and on weekends when I need access to my network.

          Trying to configure ipsec to work with my macbook and iphone has cost me a lot of hours and been very frustrating.  I hope to get it configured correctly and up and running soon.

          1 Reply Last reply Reply Quote 0
          • J
            jffortier
            last edited by

            Hi, newbie here! :o

            At one point I was able to make it work but I have some issues now.

            I setup OpenVPN and it's working fine, but I need the Apple configurator option "AlwaysON" and it can only be achive with IKEv2.

            I can setup all those parameters, but the p12 certificate, I search online and openssl command line doesn't ask for a password, you can't set one and Apple configurator won't let you add that certificate to a profile with an empty password field and "space" is not working.

            I have PFSense 2.3, iOS 10.1  and latest version of Apple configurator.

            I need something simple, one user only that need to be on VPN all the time and can't get it off with configuration profile that can't be removed (supervised mode)

            So how can I get it to work ? or have a self sign certificate p12 with the password.

            Thank you

            1 Reply Last reply Reply Quote 0
            • A
              aholtzma
              last edited by

              To make split DNS work w/o routing all traffic through the tunnel, you need to provide a second, fake, domain name to work around bug 4418:

              https://redmine.pfsense.org/issues/4418

              Without this work around, you will see a 'p' character appended to the domain in 'scutil –dns'. The extra 'p' is still there, it just gets appended to the fake domain name and is harmless.

              1 Reply Last reply Reply Quote 0
              • F
                flagsense
                last edited by

                Hi,

                i configured as you described in your post. And the VPN Tunnel works fast, but after 3-30 Minutes the iPhone do a panic - and restart. Sometime it happend directly if i do some network traffic.

                Did somebody else have the same problem ?

                best

                regards

                flagsense

                1 Reply Last reply Reply Quote 0
                • P
                  pfguy2017
                  last edited by

                  I am trying to get this set up on my pfsense box 2.3.3_1.  I am stuck on the server certificate, where the instructions say:

                  Click "+" to add a new Alternative Name
                  Enter DNS in the Type field
                  Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!
                  Click "+" to add a new Alternative Name
                  Enter IP in the Type field
                  Enter the WAN IP address of the firewall in the Value field

                  At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
                  -FQDN or Hostname
                  -IP address
                  -URI
                  -email address

                  Am I missing something here?

                  1 Reply Last reply Reply Quote 0
                  • P
                    posto587
                    last edited by

                    I'm trying to get this work with EAP-MSCHAPv2.
                    On Windows 10 it's working great but I have problems getting this to work on macOS/iOS with AppleConfigurator profiles.

                    I did everything to generate the profile suggested in the first post but instead of eap-authentication: certificate I choose username/password.
                    When connecting with macOS/iOS with the profile installed I'm getting the exact same errors as pfsensepilot:

                    Apr 4 17:13:27 	charon 		07[ENC] <bypasslan|54>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                    Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>peer supports MOBIKE
                    Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                    Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54>no alternative config found
                    Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>peer requested EAP, config inacceptable
                    Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54>selected peer config 'bypasslan'</bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54> 
                    

                    Does anybody has an idea/hint?

                    EDIT: Now I tested with EAP-TLS and configured everything exactly as described in the first post.
                    And again, it's working on Windows 10 but when I try to connect with macOS I'm getting the same errors shown above.
                    Trying to modify certain settings (e.g. PFS off/on) changes nothing…

                    1 Reply Last reply Reply Quote 0
                    • P
                      pfguy2017
                      last edited by

                      I am also having trouble getting a connection.  Here is the log.  Can anyone give some insight as to what the problem might be?

                      Apr 4 14:33:08 	charon 		15[MGR] <con1|3>checkin of IKE_SA successful
                      Apr 4 14:33:08 	charon 		15[MGR] <con1|3>checkin IKE_SA con1[3]
                      Apr 4 14:33:08 	charon 		15[NET] <con1|3>sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1196 bytes)
                      Apr 4 14:33:08 	charon 		15[NET] <con1|3>sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1244 bytes)
                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3>generating IKE_AUTH response 1 [ EF(2/2) ]
                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3>generating IKE_AUTH response 1 [ EF(1/2) ]
                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3>splitting IKE message with length of 2360 bytes into 2 fragments
                      Apr 4 14:33:08 	charon 		15[ENC] <con1|3>generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3>sending end entity cert "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=zzz.com"
                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3>authentication of 'zzz.com' (myself) with RSA signature successful
                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3>peer supports MOBIKE
                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                      Apr 4 14:33:08 	charon 		15[IKE] <con1|3>initiating EAP_IDENTITY method (id 0x00)
                      Apr 4 14:33:08 	charon 		15[CFG] <con1|3>selected peer config 'con1'
                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate "con1", match: 20/1/1052 (me/other/ike)
                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate "bypasslan", match: 1/1/24 (me/other/ike)
                      Apr 4 14:33:08 	charon 		15[CFG] <3> looking for peer configs matching x.x.x.x[xx.xx.com]...y.y.y.y[zzz]
                      Apr 4 14:33:08 	charon 		15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
                      Apr 4 14:33:08 	charon 		15[ENC] <3> unknown attribute type (25)
                      Apr 4 14:33:08 	charon 		15[NET] <3> received packet: from y.y.y.y[4533] to x.x.x.x[4500] (360 bytes)
                      Apr 4 14:33:08 	charon 		15[MGR] IKE_SA (unnamed)[3] successfully checked out
                      Apr 4 14:33:08 	charon 		15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i c93792bfd0b4d1d3_r
                      Apr 4 14:33:08 	charon 		15[MGR] <3> checkin of IKE_SA successful
                      Apr 4 14:33:08 	charon 		15[MGR] <3> checkin IKE_SA (unnamed)[3]
                      Apr 4 14:33:08 	charon 		15[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[1446] (313 bytes)
                      Apr 4 14:33:08 	charon 		15[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
                      Apr 4 14:33:08 	charon 		15[IKE] <3> sending cert request for "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=XXX"
                      Apr 4 14:33:08 	charon 		15[IKE] <3> remote host is behind NAT
                      Apr 4 14:33:08 	charon 		15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
                      Apr 4 14:33:08 	charon 		15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
                      Apr 4 14:33:08 	charon 		15[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
                      Apr 4 14:33:08 	charon 		15[CFG] <3> proposal matches
                      Apr 4 14:33:08 	charon 		15[CFG] <3> selecting proposal:
                      Apr 4 14:33:08 	charon 		15[IKE] <3> y.y.y.y is initiating an IKE_SA
                      Apr 4 14:33:08 	charon 		15[CFG] <3> found matching ike config: x.x.x.x...%any with prio 1052
                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate: x.x.x.x...%any, prio 1052
                      Apr 4 14:33:08 	charon 		15[CFG] <3> candidate: %any...%any, prio 24
                      Apr 4 14:33:08 	charon 		15[CFG] <3> looking for an ike config for x.x.x.x...y.y.y.y
                      Apr 4 14:33:08 	charon 		15[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
                      Apr 4 14:33:08 	charon 		15[NET] <3> received packet: from x.x.x.x [1446] to x.x.x.x[500] (280 bytes)
                      Apr 4 14:33:08 	charon 		15[MGR] created IKE_SA (unnamed)[3]
                      Apr 4 14:33:08 	charon 		15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i 0000000000000000_r</con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3> 
                      
                      1 Reply Last reply Reply Quote 0
                      • P
                        pfguy2017
                        last edited by

                        I am popping back in to this thread to provide some additional info. I was able to get the IKEv2 VPN connection working following my previous post, by deleting everything and stepping through the instructions again. And I was able to leave out the "IP" and "DNS" fields (which as I noted upthread, do not seem to be enter-able any more). Thank you very much to the OP!

                        I was also able to turn the VPN connection into a VPN on demand connection, and I thought I would outline the steps involved in case anyone else wants to do this.  Apple Configurator 2 does not show the "VPN on demand" toggle when setting up a profile for IKEv2 (it seems to be present for L2TP and IPSEC only).  However, I was able to achieve this by manually editing (using Text Wrangler) the .mobileconfig profile as below. The relevant changes are near the bottom, where I was able to set things up so that if I am connected to my home Wifi, the VPN is turned off, but the VPN connection is enabled if connected to any other network.  Note that if you sign the profile in Configurator, it cannot be edited.  Note also that this does not require a supervised iOS device.

                        
                         <plist version="1.0"><dict><key>HasRemovalPasscode</key>
                        	 <true><key>PayloadContent</key>
                        	 <array><dict><key>PayloadCertificateFileName</key>
                        			<string>MyCA.cer</string>
                        			<key>PayloadContent</key>
                        			 <data>abc123 (generated by Configurator)</data> 
                        			<key>PayloadDescription</key>
                        			<string>Adds a CA root certificate</string>
                        			<key>PayloadDisplayName</key>
                        			<string>MyCA</string>
                        			<key>PayloadIdentifier</key>
                        			<string>com.apple.security.root.xxx (generated by Configurator)</string>
                        			<key>PayloadType</key>
                        			<string>com.apple.security.root</string>
                        			<key>PayloadUUID</key>
                        			<string>xxx (generated by Configurator)</string>
                        			<key>PayloadVersion</key>
                        			<integer>1</integer></dict> 
                        		 <dict><key>PayloadCertificateFileName</key>
                        			<string>MyVPN.cer</string>
                        			<key>PayloadContent</key>
                        			 <data>xyz456 (generated by Configurator)</data> 
                        			<key>PayloadDescription</key>
                        			<string>Adds a PKCS#1-formatted certificate</string>
                        			<key>PayloadDisplayName</key>
                        			<string>example.com</string>
                        			<key>PayloadIdentifier</key>
                        			<string>com.apple.security.pkcs1.xxx (generated by Configurator)</string>
                        			<key>PayloadType</key>
                        			<string>com.apple.security.pkcs1</string>
                        			<key>PayloadUUID</key>
                        			<string>xxx (generated by Configurator)</string>
                        			<key>PayloadVersion</key>
                        			<integer>1</integer></dict> 
                        		 <dict><key>PayloadDescription</key>
                        			<string>Configures a password for profile removal</string>
                        			<key>PayloadDisplayName</key>
                        			<string>Profile Removal</string>
                        			<key>PayloadIdentifier</key>
                        			<string>com.apple.profileRemovalPassword.xxx (generated by Configurator)</string>
                        			<key>PayloadType</key>
                        			<string>com.apple.profileRemovalPassword</string>
                        			<key>PayloadUUID</key>
                        			<string>xxx (generated by Configurator)</string>
                        			<key>PayloadVersion</key>
                        			<integer>1</integer>
                        			<key>RemovalPassword</key>
                        			<string>mypassword</string></dict> 
                        		 <dict><key>Password</key>
                        			<string>yyy</string>
                        			<key>PayloadCertificateFileName</key>
                        			<string>username.p12</string>
                        			<key>PayloadContent</key>
                        			 <data>abc456 (generated by Configurator)</data> 
                        			<key>PayloadDescription</key>
                        			<string>Adds a PKCS#12-formatted certificate</string>
                        			<key>PayloadDisplayName</key>
                        			<string>username.p12</string>
                        			<key>PayloadIdentifier</key>
                        			<string>com.apple.security.pkcs12.xxxx (generated by Configurator)</string>
                        			<key>PayloadType</key>
                        			<string>com.apple.security.pkcs12</string>
                        			<key>PayloadUUID</key>
                        			<string>xxx (generated by Configurator)</string>
                        			<key>PayloadVersion</key>
                        			<integer>1</integer></dict> 
                        		 <dict><key>IKEv2</key>
                        			 <dict><key>AuthenticationMethod</key>
                        				<string>Certificate</string>
                        				<key>ChildSecurityAssociationParameters</key>
                        				 <dict><key>DiffieHellmanGroup</key>
                        					<integer>20</integer>
                        					<key>EncryptionAlgorithm</key>
                        					<string>AES-256</string>
                        					<key>IntegrityAlgorithm</key>
                        					<string>SHA2-256</string>
                        					<key>LifeTimeInMinutes</key>
                        					<integer>60</integer></dict> 
                        				<key>DeadPeerDetectionRate</key>
                        				<string>Medium</string>
                        				<key>DisableMOBIKE</key>
                        				<integer>0</integer>
                        				<key>DisableRedirect</key>
                        				<integer>0</integer>
                        				<key>EnableCertificateRevocationCheck</key>
                        				<integer>0</integer>
                        				<key>EnablePFS</key>
                        				<integer>0</integer>
                        				<key>ExtendedAuthEnabled</key>
                        				 <true><key>IKESecurityAssociationParameters</key>
                        				 <dict><key>DiffieHellmanGroup</key>
                        					<integer>20</integer>
                        					<key>EncryptionAlgorithm</key>
                        					<string>AES-256</string>
                        					<key>IntegrityAlgorithm</key>
                        					<string>SHA2-384</string>
                        					<key>LifeTimeInMinutes</key>
                        					<integer>480</integer></dict> 
                        				<key>LocalIdentifier</key>
                        				<string>user</string>
                        				<key>PayloadCertificateUUID</key>
                        				<string>xxx (generated by Configurator)</string>
                        				<key>RemoteAddress</key>
                        				<string>example.com</string>
                        				<key>RemoteIdentifier</key>
                        				<string>example.com</string>
                        				<key>ServerCertificateCommonName</key>
                        				<string>example.com</string>
                        				<key>ServerCertificateIssuerCommonName</key>
                        				<string>MyCA</string>
                        				<key>UseConfigurationAttributeInternalIPSubnet</key>
                        				<integer>0</integer></true></dict> 
                        			<key>IPv4</key>
                        			 <dict><key>OverridePrimary</key>
                        				<integer>1</integer></dict> 
                        			<key>PayloadDescription</key>
                        			<string>Configures VPN settings</string>
                        			<key>PayloadDisplayName</key>
                        			<string>VPN</string>
                        			<key>PayloadIdentifier</key>
                        			<string>com.apple.vpn.managed.xxx (generated by Configurator)</string>
                        			<key>PayloadType</key>
                        			<string>com.apple.vpn.managed</string>
                        			<key>PayloadUUID</key>
                        			<string>xxx (generated by Configurator)</string>
                        			<key>PayloadVersion</key>
                        			<integer>1</integer>
                        			<key>Proxies</key>
                        			 <dict><key>HTTPEnable</key>
                        				<integer>0</integer>
                        				<key>HTTPSEnable</key>
                        				<integer>0</integer></dict> 
                        			<key>UserDefinedName</key>
                        			<string>MyVPN</string>
                        			<key>VPNType</key>
                        			<string>IKEv2</string>
                        			<key>OnDemandEnabled</key>
                                        <integer>1</integer>
                                        <key>OnDemandRules</key>
                                        <array><dict><key>InterfaceTypeMatch</key>
                                                <string>WiFi</string>
                                                <key>SSIDMatch</key>
                                                <array><string>My Home Wifi Network name</string></array>                     
                                                <key>Action</key>
                                                <string>Disconnect</string></dict> 
                        
                                            <dict><key>Action</key>
                                                <string>Connect</string></dict></array></dict></array> 
                        	<key>PayloadDisplayName</key>
                        	<string>MyVPN</string>
                        	<key>PayloadIdentifier</key>
                        	<string>MyVPN</string>
                        	<key>PayloadRemovalDisallowed</key>
                        	 <true><key>PayloadType</key>
                        	<string>Configuration</string>
                        	<key>PayloadUUID</key>
                        	<string>xxx (generated by Configurator)2</string>
                        	<key>PayloadVersion</key>
                        	<integer>1</integer></true></true></dict></plist> 
                        
                        

                        References/credit:
                        https://medium.com/@cattyhouse/ios-ondemand-ipsec-vpn-setup-ebfb82b6f7a1
                        https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
                        https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW36

                        1 Reply Last reply Reply Quote 0
                        • K
                          krolykke
                          last edited by

                          @pfguy2017:

                          At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
                          -FQDN or Hostname
                          -IP address
                          -URI
                          -email address

                          Am I missing something here?

                          Look to the right of the dropdown, there is a field where you can enter the required data.

                          1 Reply Last reply Reply Quote 0
                          • P
                            pfguy2017
                            last edited by

                            @krolykke:

                            @pfguy2017:

                            At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
                            -FQDN or Hostname
                            -IP address
                            -URI
                            -email address

                            Am I missing something here?

                            Look to the right of the dropdown, there is a field where you can enter the required data.

                            The field on the right is for the "value", not the "type" (which is on the left).  There is no way (that I can see) to enter a "type" other than the 4 choices in the drop down menu (as in the instructions in the first post in this thread).  I guess this changed with a recent pfSense update.  However, it does not seem to matter.  In my case, I was able to get everything working using the "FQDN or Hostname" and "email address" fields (for email I entered the same string as for the CN and SAN (i.e. the server address or the user name, depending on the cert)).  The "DNS" and "IP" entries do not seem to be required in order to get everything working.

                            1 Reply Last reply Reply Quote 0
                            • M
                              mrpsycho
                              last edited by

                              nice manual.

                              but…. i don't understand why this is not working on pfSense 2.3.3_1 and Mac OS Sierra?

                              1 Reply Last reply Reply Quote 0
                              • N
                                netnewb
                                last edited by

                                Can anyone confirm this is still working on iOS 10.3.2 and pFsense 2.3.4? I've been trying for a while and I can't make it work.

                                1 Reply Last reply Reply Quote 0
                                • I
                                  isaack
                                  last edited by

                                  https://forum.pfsense.org/index.php?topic=127457.0

                                  After having tried many times unsuccessfully it to work with the native client, that guide plus using Apple Configurator 2, finally worked for me. Its actually really easy to use Configurator.
                                  So its not necessary to use StrongSwan. I think the key difference is using DH2 instead of DH20 and Configurator which allows some more VPN options.

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    jgiannakas
                                    last edited by

                                    @netnewb:

                                    Can anyone confirm this is still working on iOS 10.3.2 and pFsense 2.3.4? I've been trying for a while and I can't make it work.

                                    Yes it's working, got it setup on my 10.3.2 iPhones / iPads and Sierra OSX with pfsense 2.3.4.

                                    The creation of the certificates was a little different in that there is no option to put an IP address to them I believe but besides that it works well.

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      myms
                                      last edited by

                                      Quick question here: have set up the IKEv2 VPN per instructions here and it works great. Only thing I've noticed is that I can still connect to the VPN even if the user certificate I'm using isn't actually associated with the pfSense local user account. Is that intentional?

                                      1 Reply Last reply Reply Quote 0
                                      • R
                                        rnatalli
                                        last edited by

                                        Hi all,

                                        I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!

                                        1 Reply Last reply Reply Quote 0
                                        • E
                                          Eara
                                          last edited by

                                          Peoples,

                                          I was able to set up IPSec from MacOS and iOS but something weird happened: I have two pfsense boxes in two locations, connected to each other by IPSec (no problems there).

                                          For mobile client, both boxes use AES 256 as encryption algorithms. However, one box uses SHA384 and DH/PFS group 20 while the other box refuses to connect with that setting (tested on the same Mac that has both connections setup) and will accept SHA256 and DH/PFS group 19. Both are in 2.3.4-RELEASE-p1.

                                          The SHA384 and PFS group 20 has always worked for box nº 1, but I just setup mobile clients on box nº2 and logs says that setting is not acceptable - MacOS doesn't seem to be proposing SHA384 for the second box:

                                          "configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384"
                                          "received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"

                                          Anyone has any clue why?

                                          Update: Nevermind, box nº 1 mobile client was setup through a profile from Apple Configurator. Box nº 2 was set up manually in system preferences.

                                          1 Reply Last reply Reply Quote 0
                                          • R
                                            rnatalli
                                            last edited by

                                            @rnatalli:

                                            Hi all,

                                            I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!

                                            Anyone?  I'm pulling my hair.  I thought IKEv2 was very mobile friendly with the inclusion of MOBIKE, etc., but I can't seem to keep the tunnel up when my iPhone switches networking modes.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.