Can't install IKEv2 CA iOS 11.02
-
Hi guys - I'm attempting to install my IKEv2 CA on an iPad 9.7" running iOS 11.0.2. After transferring the certificate to the device, when I click on it I get 'crt file type is not supported. Do you want to open in text viewer or other apps'. I've tried converting to .cer format and I get the same message.
The cert installs fine on Android and Windows 10…
Any ideas?
-
This works. What did you do when you generated the CA? Did you change any of the default algorithms? To what?
How are you getting the CA Cert to iOS?
-
Hi - I followed this guide https://forum.pfsense.org/index.php?topic=127457.0 - which I believe is almost identical to the Wiki guide.
I'm using FileExplorer Pro with a network drive mapping to an SMB share, since it appears iOS doesn't actually have a file manager…
Edit: Just tried emailing it and opening the attachment in the Outlook app - 'File format is not supported'.
Ta
-
If you want to you can post the cert pem to me in a PM.
-
Thanks Derelict - PM'd you
-
I saved that as TestCert.crt, emailed it over, and it installed fine so I don't know.
-
Are you using the default Mail app? - I'm just wondering if for some oddball reason I need to be using that as opposed to a third party file manager and/or Outlook app..
-
Yes. Attached using Mail.app and installed using iOS Mail. Nothing special.
I haven't checked lately if you can load those using itunes or something.
-
Managed to install it - seems using the default Mail app works, yet nothing third-party does... awesome.
I've also set the certificate as trusted in About > Certificate Trust Settings.
I've configured the built-in VPN client as follows:
IKEv2
Server: FQDN (same as specified in the common name)
Remote: FQDN as above
Local ID: blank
User Authentication: entered username and password for the EAP user.
When I slide across to connect - it instantly goes back to 'greyed out' - no error message.
Any ideas? (P.S - Apple devices are a nightmare)
-
Check your IPsec logs on pfSense.
-
Ignore those logs - Had to perform a reboot of the VM to rectify the time issue. Here's the latest log
Oct 9 18:01:28 charon 10[NET] <2> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
Oct 9 18:01:28 charon 10[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 9 18:01:28 charon 10[IKE] <2> received proposals inacceptable
Oct 9 18:01:28 charon 10[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 9 18:01:28 charon 10[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 9 18:01:28 charon 10[IKE] <2> 192.168.50.107 is initiating an IKE_SA
Oct 9 18:01:28 charon 10[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 9 18:01:28 charon 10[NET] <2> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)
Oct 9 18:01:28 charon 10[NET] <1> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
Oct 9 18:01:28 charon 10[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 9 18:01:28 charon 10[IKE] <1> received proposals inacceptable
Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 9 18:01:28 charon 10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 9 18:01:28 charon 10[IKE] <1> 192.168.50.107 is initiating an IKE_SA
Oct 9 18:01:28 charon 10[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 9 18:01:28 charon 10[NET] <1> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)
I'm guessing that guide I followed isn't correct with respect to encryption settings?
-
Looks like I'll need to use Apple Configurator to configure the built-in client correctly for my proposals. Unfortunately I don't have access to an OSX install - not going down the route of installing it on ESXi.
If I pop you my IPSEC config via PM - would you mind creating a profile for me?
Would be very much appreciated! - Prefer that over going with StrongSWAN
-
Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 9 18:01:28 charon 10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
So…
The client is asking for:
received (Phase 1, IKE) proposals:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Server is set for:
configured (Phase 1, IKE) proposals:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
No match.
If you want to use AES256 and SHA256 you have to set group 5 (1536) or group 14 (2048) in your phase 1.
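The comparison Derelict does by hand above can be automated: this added example (not from the forum thread, pfSense or strongSwan) parses the two charon [CFG] lines quoted in the thread, checks whether any client proposal matches the server's, and lists which DH groups the client offers for the server's cipher/integrity/PRF trio.

```python
import re

# charon [CFG] lines copied from the thread above (constructed test input
# for this example; the parser itself is not pfSense or strongSwan code).
CONFIGURED_LINE = ("Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: "
                   "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024")
RECEIVED_LINE = ("Oct 9 18:01:28 charon 10[CFG] <1> received proposals: "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
                 "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
                 "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")

# One IKE proposal as logged by charon: encryption/integrity/PRF/DH group.
PROPOSAL_RE = re.compile(r"IKE:([A-Z0-9_]+)/([A-Z0-9_]+)/([A-Z0-9_]+)/([A-Z0-9_]+)")

def parse_proposals(line):
    """Return a list of (encr, integ, prf, dh) tuples from a charon CFG line."""
    return [m.groups() for m in PROPOSAL_RE.finditer(line)]

def matching_proposals(configured, received):
    """Proposals acceptable to both sides, in the client's preference order.
    The logged proposals carry one algorithm per slot, so an exact tuple
    match is equivalent to strongSwan's per-slot intersection here."""
    wanted = set(configured)
    return [p for p in received if p in wanted]

def dh_groups_to_enable(configured, received):
    """For each server proposal with no match, list the DH groups the client
    offers with the same cipher/integrity/PRF trio. Switching the server's
    Phase 1 DH group to one of them lets IKE_SA_INIT succeed."""
    fixes = {}
    for encr, integ, prf, dh in configured:
        offered = [r[3] for r in received if r[:3] == (encr, integ, prf)]
        if dh not in offered:
            fixes[(encr, integ, prf, dh)] = offered
    return fixes

if __name__ == "__main__":
    conf = parse_proposals(CONFIGURED_LINE)
    recv = parse_proposals(RECEIVED_LINE)
    print("match:", matching_proposals(conf, recv) or "none -> N(NO_PROP)")
    for prop, groups in dh_groups_to_enable(conf, recv).items():
        print("/".join(prop), "-> client offers DH groups:", ", ".join(groups))
```

With the thread's lines the script reports no match and suggests MODP_2048 (group 14), ECP_256 (group 19) or MODP_1536 (group 5) for the AES-256/SHA-256 proposal, which is exactly the fix applied below.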
-
Thanks Derelict - I've switched over to DH14 and managed to spin up a MacOS Sierra install on VMware Workstation to create the proper VPN profile. All working now after modifying the registry on Windows 10 and using StrongSWAN on Android.
Much appreciated.