Valid configuration for IKEv2 VPN for iOS and OSX
-
Hi all,
I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable. The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects. Is there a way to keep the tunnel up automatically during the switching? Any help would be appreciated. Thanks!
Anyone? I'm pulling my hair. I thought IKEv2 was very mobile friendly with the inclusion of MOBIKE, etc., but I can't seem to keep the tunnel up when my iPhone switches networking modes.
-
Can anyone confirm this is still working on iOS 10.3.2 and pFsense 2.3.4? I've been trying for a while and I can't make it work.
Yes it's working, got it setup on my 10.3.2 iPhones / iPads and Sierra OSX with pfsense 2.3.4.
The creation of the certificates was a little different in that there is no option to put an IP address to them I believe but besides that it works well.
Thanks! Do you use static or dynamic IP?
-
Can anyone confirm this is still working on iOS 11.0.3 and pFsense 2.2.6-RELEASE (amd64)? I've been trying for a while and I can't make it work.
Thanks.
-
Seems to work OK on iOS 11.0.3. As for pfSense 2.2.6 you're on your own there. Upgrade.
-
I can confirm this works and was a huge help in troubleshooting my use case.
Where I'm stuck is getting user-based auth to work too.
Here's what I've determined:
-
anything with +xauth doesn't work. OSX and iOS seem to only do user/pass as EAP (makes sense) +xauth doesn't use EAP
-
EAP-MSCHAPv2 doesn't work - it seems to only authenticate against users defined in PF
-
EAP-Radius almost works for me. But apparently Apple's version of FreeRadius (2.2.9) does NOT return an MSK with the authentication payload, and IKE auth falls as a result.
So I think I'm close to concluding that:
MacOS Server backend (LDAP, Radius) + iOS clients + IKEv2 with user-based auth != possible -
-
What macOS server lacks is the RADIUS bits to do EAP.
As far as I know you can't do EAP to LDAP.
EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.
It has been a while since I tried any of this.
-
What macOS server lacks is the RADIUS bits to do EAP.
As far as I know you can't do EAP to LDAP.
EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.
It has been a while since I tried any of this.
Thanks Derelict,
In my case this is macOS Server 10.12
Makes sense that EAP can’t do ldap.
Is there a way to do xauth agains LDAP with Apple clients? It seems Apple clients only send user credentials as an EAP auth.
Or if I stick with EAP - I’d love to hear if anyone knows how to (re)configure macOS server’s freeradius 2.2.x to support the MSK payload
-
The problem isn't really Apple clients, it is the macOS server backend.
I am about ready to give up on it here.
-
Hey,
i want to reply to this old topic because I have some problems connecting.
When I Try to connected the message appears, that there is an authorization error.
Is here any way to debug the connection establishment?
Have to ADD:
I am trying this with OSX 10.14.1
and pFSense latest stable build -
Here something from my log... On mAc OSX is no log for ikev2 connections available.
Pls Someone help me.....
Dec 23 18:28:39 charon 12[CFG] vici client 34 disconnected
Dec 23 18:28:39 charon 12[CFG] vici client 34 requests: list-sas
Dec 23 18:28:39 charon 13[CFG] vici client 34 registered for: list-sa
Dec 23 18:28:39 charon 13[CFG] vici client 34 connected
Dec 23 18:28:35 charon 13[CFG] vici client 33 disconnected
Dec 23 18:28:35 charon 13[CFG] vici client 33 requests: list-sas
Dec 23 18:28:35 charon 12[CFG] vici client 33 registered for: list-sa
Dec 23 18:28:35 charon 14[CFG] vici client 33 connected
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> IKE_SA bypasslan[6] state change: CONNECTING => DESTROYING
Dec 23 18:28:15 charon 12[NET] <bypasslan|6> sending packet: from xxx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[2324] (80 bytes)
Dec 23 18:28:15 charon 12[ENC] <bypasslan|6> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> peer supports MOBIKE
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing (25) attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_DNS attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_DHCP attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_ADDRESS attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_NETMASK attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_DNS attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_DHCP attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_ADDRESS attribute
Dec 23 18:28:15 charon 12[CFG] <bypasslan|6> no alternative config found
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> peer requested EAP, config unacceptable
Dec 23 18:28:15 charon 12[CFG] <bypasslan|6> selected peer config 'bypasslan'
Dec 23 18:28:15 charon 12[CFG] <6> ignore candidate 'con-mobile' without matching IKE proposal
Dec 23 18:28:15 charon 12[CFG] <6> candidate "con-mobile", match: 20/1/1052 (me/other/ike)
Dec 23 18:28:15 charon 12[CFG] <6> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Dec 23 18:28:15 charon 12[CFG] <6> looking for peer configs matching xx.xxx.xxx.xx[xxxx.dyndns.org]...xx.xxx.xxx.xx[tobi]
Dec 23 18:28:15 charon 12[IKE] <6> received cert request for "CN=xxxxxxx.dyndns.org, C=DE, ST=xxxx, L=xxxx, O=Private"
Dec 23 18:28:15 charon 12[ENC] <6> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 23 18:28:15 charon 12[ENC] <6> unknown attribute type (25)
Dec 23 18:28:15 charon 12[NET] <6> received packet: from xx.xxx.xxx.xx[2324] to xx.xxx.xxx.xx[4500] (384 bytes)
Dec 23 18:28:15 charon 12[NET] <6> sending packet: from xx.xxx.xxx.xx[500] to xx.xxx.xxx.xx[500] (313 bytes)
Dec 23 18:28:15 charon 12[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Dec 23 18:28:15 charon 12[IKE] <6> sending cert request for "CN=internalVPNCA, C=DE, ST=xxxxx, L=xxxxx, O=Private"
Dec 23 18:28:15 charon 12[IKE] <6> remote host is behind NAT
Dec 23 18:28:15 charon 12[CFG] <6> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> proposal matches
Dec 23 18:28:15 charon 12[CFG] <6> selecting proposal:
Dec 23 18:28:15 charon 12[IKE] <6> no matching proposal found, trying alternative config
Dec 23 18:28:15 charon 12[CFG] <6> candidate: xx.xxx.xxx.xx...%any, prio 1052
Dec 23 18:28:15 charon 12[CFG] <6> candidate: %any...%any, prio 24
Dec 23 18:28:15 charon 12[CFG] <6> looking for IKEv2 configs for xx.xxx.xxx.xx...xx.xxx.xxx.xx
Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> no acceptable ENCRYPTION_ALGORITHM found
Dec 23 18:28:15 charon 12[CFG] <6> selecting proposal:
Dec 23 18:28:15 charon 12[IKE] <6> IKE_SA (unnamed)[6] state change: CREATED => CONNECTING -
@imushroom said in Valid configuration for IKEv2 VPN for iOS and OSX:
ignore candidate 'con-mobile' without matching IKE proposal
Probably be better off posting a new thread. The forum tried to warn you. When you do post your IKEv2mobile configuration.
-
@imushroom Hey
Create a new thread and I'll write there what to do
Show the phase 1 and phase 2 IPSEC PFSense settings there and install Apple Configurator 2 from the App Store
or
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile -
Hey,
@Konstanti thanks for your reply. I try to find time after the holidays to create a new topic.
I already installed the Apple Configurator 2.
-
This post is deleted! -
@imushroom Hope this helps you
https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/All well-written
Part three - how to use Apple Configurator -
@shpokas said in Valid configuration for IKEv2 VPN for iOS and OSX:
This hint worked for me, on both IOS and OS X.
https://lists.strongswan.org/pipermail/users/2015-October/008842.htmlFor details on my setup, please see https://forum.cheapessaywriter.org/index.php?topic=106694.0
Thank you for the link. Helped me to find a solution to my dns settings on ios.
-
After month of a working vpn my HDD was destroyed and I had no backup, I used the bad thing to turn it into something good - a clean pfSense and a perfect setup.
But now I have some trouble with the Encryption.
I currently use for phase 1 :
AES 256bits SHA384 DH:20
And for Phase 2 :
AES 256bits SHA384 DH:20
Is this secure enough?
When I try to follow the tutorial it doesnt work. The Hash algorithm is also grey in Apple Configurator when I chose AES-256 GCM.
Where is my mistake?
