Netgate Discussion Forum
    Can't install IKEv2 CA iOS 11.02

    Category: IPsec. 14 Posts, 2 Posters, 1.4k Views
    • yuljk

      Hi - I followed this guide https://forum.pfsense.org/index.php?topic=127457.0 - which I believe is almost identical to the Wiki guide.

      I'm using FileExplorer Pro with a network drive mapping to an SMB share, since it appears iOS doesn't actually have a file manager…

      Edit: Just tried emailing it and opening the attachment in the Outlook app - 'File format is not supported'

      Ta

      • Derelict (LAYER 8, Netgate)

        If you want to you can post the cert pem to me in a PM.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • yuljk

          Thanks Derelict - PM'd you

          • Derelict (LAYER 8, Netgate)

            I saved that as TestCert.crt, emailed it over, and it installed fine so I don't know.

            • yuljk

              Are you using the default Mail app? - I'm just wondering if for some oddball reason I need to be using that as opposed to a third party file manager and/or Outlook app.

              • Derelict (LAYER 8, Netgate)

                Yes. Attached using Mail.app and installed using iOS Mail. Nothing special.

                I haven't checked lately if you can load those using itunes or something.

                • yuljk

                  Managed to install it - Seems using the default Mail app works. Yet nothing third party does... awesome.

                  I've also set the certificate as trusted in About > Certificate Trust Settings.

                  I've configured the built-in VPN client as follows:

                  IKEv2

                  Server: FQDN (same as specified in the common name)
                  Remote: FQDN as above
                  Local ID: Blank

                  User Authentication - entered username and password for EAP user.

                  When I slide across to connect - it instantly goes back to 'greyed out' - no error message.

                  Any ideas? (P.S - Apple devices are a nightmare)

                  • Derelict (LAYER 8, Netgate)

                    Check your IPsec logs on pfSense.

                    • yuljk

                      Ignore those logs - Had to perform a reboot of the VM to rectify the time issue. Here's the latest log:

                      Oct 9 18:01:28 charon 10[NET] <2> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
                      Oct 9 18:01:28 charon 10[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
                      Oct 9 18:01:28 charon 10[IKE] <2> received proposals inacceptable
                      Oct 9 18:01:28 charon 10[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                      Oct 9 18:01:28 charon 10[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                      Oct 9 18:01:28 charon 10[IKE] <2> 192.168.50.107 is initiating an IKE_SA
                      Oct 9 18:01:28 charon 10[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
                      Oct 9 18:01:28 charon 10[NET] <2> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)
                      Oct 9 18:01:28 charon 10[NET] <1> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
                      Oct 9 18:01:28 charon 10[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
                      Oct 9 18:01:28 charon 10[IKE] <1> received proposals inacceptable
                      Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                      Oct 9 18:01:28 charon 10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                      Oct 9 18:01:28 charon 10[IKE] <1> 192.168.50.107 is initiating an IKE_SA
                      Oct 9 18:01:28 charon 10[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
                      Oct 9 18:01:28 charon 10[NET] <1> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)

                      I'm guessing that guide I followed isn't correct with respect to encryption settings?

                      • yuljk

                        Looks like I'll need to use Apple Configurator to configure the built-in client correctly for my proposals. Unfortunately I don't have access to an OSX install - not going down the route of installing it on ESXi.

                        If I pop you my IPSEC config via PM - would you mind creating a profile for me?

                        Would be very much appreciated! - Prefer that over going with StrongSWAN

                        • Derelict (LAYER 8, Netgate)

                          Oct 9 18:01:28  charon      10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                          Oct 9 18:01:28  charon      10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

                          So….
                          The client is asking for:
                          received (Phase 1, IKE) proposals:
                          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
                          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
                          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
                          AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                          3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

                          Server is set for:
                          configured (Phase 1, IKE) proposals:
                          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

                          No match.

                          If you want to use AES256 and SHA256 you have to set group 5 (1536) or group 14 (2048) in your phase 1.

                          • yuljk
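The proposal comparison Derelict works through by hand above, as an added Python example (not code from the thread, pfSense or strongSwan): it parses the two charon [CFG] lines quoted from the log, intersects the server's configured IKE proposals with the ones the iOS client offered, and when nothing overlaps lists the DH groups the client would accept for the server's cipher/integrity/PRF choice. The group-number mapping is standard IANA IKE numbering; the log lines are the ones posted in the thread.

```python
import re

# The two charon [CFG] lines posted in the thread (pfSense IPsec log).
CONFIGURED_LINE = ("Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: "
                   "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024")
RECEIVED_LINE = ("Oct 9 18:01:28 charon 10[CFG] <1> received proposals: "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
                 "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
                 "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")

# strongSwan DH group names -> IANA IKE group numbers ("DH14" in the thread).
DH_GROUP_NUMBERS = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14, "ECP_256": 19}

PROPOSAL_RE = re.compile(r"(configured|received) proposals:\s*(.*)$")


def parse_proposals(line):
    """Return the IKE proposals in a charon [CFG] proposals line as a list of
    (encryption, integrity, prf, dh_group) tuples."""
    m = PROPOSAL_RE.search(line)
    if not m:
        raise ValueError("not a charon proposals line")
    proposals = []
    for item in m.group(2).split(","):
        item = item.strip()
        if item.startswith("IKE:"):
            proposals.append(tuple(item[len("IKE:"):].split("/")))
    return proposals


def diagnose(configured_line, received_line):
    """Intersect server (configured) and client (received) proposals.
    With no overlap, report the DH groups the client offered alongside the
    server's own cipher/integrity/PRF, i.e. what Phase 1 must be changed to."""
    configured = parse_proposals(configured_line)
    received = parse_proposals(received_line)
    common = [p for p in received if p in configured]
    if common:
        return {"match": True, "common": common}
    hints = set()
    for encr, integ, prf, _dh in configured:
        for r in received:
            if r[:3] == (encr, integ, prf):
                hints.add((DH_GROUP_NUMBERS.get(r[3], 0), r[3]))
    return {"match": False, "common": [],
            "dh_groups_client_accepts": sorted(hints)}
```

Re-running `diagnose` after replacing MODP_1024 with MODP_2048 in the configured line reports a match, which is the DH14 change the thread ends on.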

                            Thanks Derelict - I've switched over to DH14 and managed to spin up a MacOS Sierra install on VMware Workstation to create the proper VPN profile. All working now after modifying the registry on Windows 10 and using StrongSWAN on Android.

                            Much appreciated.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.