    Can't install IKEv2 CA iOS 11.02

    IPsec, 14 Posts, 2 Posters, 1.4k Views
      yuljk:

      Hi guys - I'm attempting to install my IKEv2 CA on an iPad 9.7" running iOS 11.0.2.  After transferring the certificate to the device, when I click on it I get 'crt file type is not supported. Do you want to open in text viewer or other apps'.  I've tried converting to '.cer' format and I get the same message.

      The cert installs fine on Android and Windows 10…

      Any ideas?


        Derelict (LAYER 8, Netgate):

        This works. What did you do when you generated the CA? Did you change any of the default algorithms? To what?

        How are you getting the CA Cert to iOS?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)


          yuljk:

          Hi - I followed this guide https://forum.pfsense.org/index.php?topic=127457.0 - which I believe is almost identical to the Wiki guide.

          I'm using FileExplorer Pro with a network drive mapping to an SMB share, since it appears iOS doesn't actually have a file manager…

          Edit: Just tried emailing it and opening the attachment in the Outlook app - 'File format is not supported'.

          Ta


            Derelict (LAYER 8, Netgate):

            If you want to you can post the cert pem to me in a PM.


              yuljk:

              Thanks Derelict - PM'd you


                Derelict (LAYER 8, Netgate):

                I saved that as TestCert.crt, emailed it over, and it installed fine so I don't know.


                  yuljk:

                  Are you using the default Mail app? I'm just wondering if for some oddball reason I need to be using that as opposed to a third-party file manager and/or the Outlook app...


                    Derelict (LAYER 8, Netgate):

                    Yes. Attached using Mail.app and installed using iOS Mail. Nothing special.

                    I haven't checked lately if you can load those using iTunes or something.


                      yuljk:

                      Managed to install it - seems using the default Mail app works.  Yet nothing third-party does... awesome.

                      I've also set the certificate as trusted in About > Certificate Trust Settings.

                      I've configured the built-in VPN client as follows:

                      IKEv2

                      Server: FQDN (same as specified in the common name)
                      Remote: FQDN as above
                      Local ID: Blank

                      User Authentication - entered username and password for EAP user.

                      When I slide across to connect - it instantly goes back to 'greyed out' - no error message.

                      Any ideas? (P.S - Apple devices are a nightmare)


                        Derelict (LAYER 8, Netgate):

                        Check your IPsec logs on pfSense.


                          yuljk:

                          Ignore those logs - I had to perform a reboot of the VM to rectify the time issue.  Here's the latest log:

                          Oct 9 18:01:28 charon 10[NET] <2> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
                          Oct 9 18:01:28 charon 10[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
                          Oct 9 18:01:28 charon 10[IKE] <2> received proposals inacceptable
                          Oct 9 18:01:28 charon 10[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                          Oct 9 18:01:28 charon 10[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                          Oct 9 18:01:28 charon 10[IKE] <2> 192.168.50.107 is initiating an IKE_SA
                          Oct 9 18:01:28 charon 10[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
                          Oct 9 18:01:28 charon 10[NET] <2> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)
                          Oct 9 18:01:28 charon 10[NET] <1> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
                          Oct 9 18:01:28 charon 10[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
                          Oct 9 18:01:28 charon 10[IKE] <1> received proposals inacceptable
                          Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                          Oct 9 18:01:28 charon 10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                          Oct 9 18:01:28 charon 10[IKE] <1> 192.168.50.107 is initiating an IKE_SA
                          Oct 9 18:01:28 charon 10[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
                          Oct 9 18:01:28 charon 10[NET] <1> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)

                          I'm guessing that guide I followed isn't correct with respect to encryption settings?


                            yuljk:

                            Looks like I'll need to use Apple Configurator to configure the built-in client correctly for my proposals. Unfortunately I don't have access to an OSX install - not going down the route of installing it on ESXi.

                            If I pop you my IPSEC config via PM - would you mind creating a profile for me?

                            Would be very much appreciated! - Prefer that over going with StrongSWAN


                              Derelict (LAYER 8, Netgate):

                              Oct 9 18:01:28  charon      10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                              Oct 9 18:01:28  charon      10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

                              So….
                              The client is asking for:
                              received (Phase 1, IKE) proposals:
                              AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
                              AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
                              AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
                              AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                              3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

                              Server is set for:
                              configured (Phase 1, IKE) proposals:
                              AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

                              No match.

                              If you want to use AES256 and SHA256 you have to set group 5 (1536) or group 14 (2048) in your phase 1.


                                yuljk:
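As an added example (not code from this thread, from pfSense or from strongSwan), the comparison Derelict walks through above, applied mechanically to the charon `configured proposals:` / `received proposals:` lines from yuljk's log. The script parses both lists for each IKE_SA, checks for an exact match, and when there is none reports the DH groups the client offered together with the server's cipher and hash, which is exactly the "group 5 (1536) or group 14 (2048)" observation. The IKE_SA `<7>` lines are constructed to exercise the matching case; the strongSwan-name to pfSense-group-number table is my addition and also covers ECP_256 (group 19), which the iOS client offered in the same log.

```python
import re

# Constructed sample input: the two <1> lines are the ones quoted in this
# thread; the <7> lines are made up to show what a successful negotiation
# looks like to the same checker.
SAMPLE_LOG = """\
Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 9 18:01:28 charon 10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 9 18:05:00 charon 10[CFG] <7> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 9 18:05:00 charon 10[CFG] <7> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# pfSense phase 1 "DH Group" numbers for the strongSwan group names seen in
# the log (my mapping, not taken from the thread).
DH_GROUP_NUMBER = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14, "ECP_256": 19}

PROPOSAL_LINE = re.compile(r"\[CFG\] <(\d+)> (configured|received) proposals: (.+)$")


def parse_proposal(text):
    """'IKE:ENC/INTEG/PRF/DH' -> {'proto', 'transforms', 'dh'}.
    AEAD proposals omit the integrity transform, so everything before the
    last '/' is kept as an opaque tuple and only the DH group is split off."""
    proto, _, algs = text.strip().partition(":")
    parts = algs.split("/")
    return {"proto": proto, "transforms": tuple(parts[:-1]), "dh": parts[-1]}


def fmt(p):
    return p["proto"] + ":" + "/".join(p["transforms"] + (p["dh"],))


def parse_log(log):
    """Group the 'configured' and 'received' proposal lists by IKE_SA id."""
    sas = {}
    for line in log.splitlines():
        m = PROPOSAL_LINE.search(line)
        if not m:
            continue
        sa_id, kind, rest = m.groups()
        entry = sas.setdefault(sa_id, {"configured": [], "received": []})
        entry[kind] = [parse_proposal(p) for p in rest.split(",")]
    return sas


def matching_proposals(configured, received):
    """Proposals the responder would accept: every transform and the DH group equal."""
    return [r for r in received if r in configured]


def dh_groups_that_would_match(configured, received):
    """For the no-match case: received proposals that agree with a configured one
    on every transform and differ only in DH group. Returns {name: pfSense group}."""
    groups = {}
    for r in received:
        for c in configured:
            if r["proto"] == c["proto"] and r["transforms"] == c["transforms"] and r["dh"] != c["dh"]:
                groups[r["dh"]] = DH_GROUP_NUMBER.get(r["dh"])
    return groups


def report(log):
    """One verdict line per IKE_SA, in the shape of the analysis in the thread."""
    lines = []
    for sa_id, e in parse_log(log).items():
        ok = matching_proposals(e["configured"], e["received"])
        if ok:
            lines.append(f"IKE_SA <{sa_id}>: match on {fmt(ok[0])}")
            continue
        fix = dh_groups_that_would_match(e["configured"], e["received"])
        hint = ", ".join(f"{n} (group {g})" for n, g in fix.items())
        if not hint:
            hint = "no near miss; the cipher or hash differs as well"
        lines.append(f"IKE_SA <{sa_id}>: no match; DH groups the client offers with your cipher/hash: {hint}")
    return lines


if __name__ == "__main__":
    for verdict in report(SAMPLE_LOG):
        print(verdict)
```

Run it against a pasted block of the Status > System Logs > IPsec output; anything the checker cannot explain by a DH-group change alone means the encryption or hash in phase 1 also has to be revisited.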

                                Thanks Derelict - I've switched over to DH14 and managed to spin up a macOS Sierra install on VMware Workstation to create the proper VPN profile.  All working now after modifying the registry on Windows 10 and using StrongSWAN on Android.

                                Much appreciated.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.