IPsec VPN for OSX 10.10.3 and any iOS
-
Hello!
This is a guide for IPsec VPN on Mac ;)
See attachment please.
When you finish:
OS X configuration
In System Preferences -> Network, VPN Type Cisco IPSec, Server Address is the public IP of your firewall. Account Name is the pfSense user.
In Authentication Settings, Shared Secret is the pre-shared
Group Name is the identifier you created.
iOS configuration
Settings -> VPN, VPN configuration of type IPSec.
Server Address is the public IP of your firewall. Account Name is the pfSense user.
In Authentication Settings, Shared Secret is the pre-shared
Group Name is the identifier you created.
Please ask me for any question.
-
Hi,
question: iOS configuration
Settings -> VPN, VPN configuration of type IPSec.
Server Address is the public IP of your firewall. Account Name is the pfSense user
what you mean by pfSense user? The identifier from pre-shared key or the user distinguished name from the Phase 1?
In Authentication Settings, Shared Secret is the pre-shared
Group Name is the identifier you created.
What version of pfSense you are using (2.2.1)?
-
Does not work for me…
charon: 05[JOB] deleting half open IKE_SA after timeout
-
Updated pfsense to 2.2.2, but still not working with this settings.
-
In System -> User Manager, you need to create a group (let's call it 'My IPsec Group'), and give this group the necessary privilege by adding the group membership called 'User - VPN - IPsec auth Dialin'.
Then, create a pfSense user account and make it a member of the group you just created.
See attached pictures for the end result. Works for me with pfSense 2.2.2 + OSX 10.10.3 and IOS 8.3.
-
Hi
In System -> User Manager, you need to create a group (let's call it 'My IPsec Group'), and give this group the necessary privilege by adding the group membership called 'User - VPN - IPsec auth Dialin'.
Then, create a pfSense user account and make it a member of the group you just created.
See attached pictures for the end result. Works for me with pfSense 2.2.2 + OSX 10.10.3 and IOS 8.3.
I have already used these settings (see my previous topic: https://forum.pfsense.org/index.php?topic=92056.0), it didn't work.
So my question to okaenrique about the iOS side settings still same:
iOS configuration
Settings -> VPN, VPN configuration of type IPSec.
Server Address is the public IP of your firewall. Account Name is the pfSense user
what you mean by pfsense user? The identifier from pre-shared key or the user distinguished name from the Phase 1?
In Authentication Settings, Shared Secret is the pre-shared
Group Name is the identifier you created.
-
They are referring to the Xauth user (as in Mutual PSK + Xauth). In iOS this is "Account" in the IPSec setting. Users are set up in System -> User Manager.
FWIW, I no longer use "Group Name" in iOS or in OS X. I just leave it blank.
what you mean by pfsense user? The identifier from pre-shared key or the user distinguished name from the Phase 1?
-
Okaenrique's instructions are correct, but he left out a small detail about the pfSense group privilege as I described in my previous post. The group I am talking about has nothing to do with the User Distinguished Name or Group Name.
If it still doesn't work for you, then post screenshots of your settings and I'll try to help you.
-
Here is the complete list of my current settings, which are slightly different from the above.
---
IPsec Phase 1
Key Exchange version: Auto
Internet Protocol: IPv4
Interface: WAN
Authentication method: Mutual PSK + Xauth
Negotiation mode: main
My Identifier: Distinguished name myfirewall.mydomain.org
Peer Identifier: mydomain.org
Pre-Shared Key: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
Encryption algorithm: AES 256
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 28800
NAT Traversal: Auto
Dead Peer Detection: disabled
---
IPsec Phase 2
Mode: Tunnel IPv4
Local Network: LAN subnet
Protocol: ESP
Encryption algorithms: AES 256, AES256-GCM/auto
Hash algorithms: SHA1, SHA256, SHA384
PFS key group: off
Lifetime: 3600
---
iOS settings
Server: IP address of firewall
Account: myiosuser
Password: xxxxxxxxxxxxxx
Use Certificate: off
Group Name: <empty>
Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
---
OS X settings
Server Address: IP address of firewall
Account Name: myosxuser
Password: xxxxxxxxxxxxxx
Shared Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
Group Name: <empty>
---
Note that user "myiosuser" and "myosxuser" must exist in System -> User Manager, and they must have the "User - VPN - IPsec auth Dialin" privilege.
Hope this helps.
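As an added illustration (not pfSense's generated file and not posted by anyone in this thread), here is how the Phase 1 / Phase 2 settings listed above map onto a strongSwan ipsec.conf mobile connection, which is the daemon pfSense 2.2 drives underneath (the charon log line earlier in the thread comes from it). The connection name, WAN address, LAN subnet, client address pool and the xauth backend are assumptions; the Peer Identifier type is left open because the thread does not settle it.

```ini
# Assumed strongSwan equivalent of the "Mutual PSK + Xauth" mobile settings above.
# Addresses and the connection name are placeholders, not values from the thread.
conn mobile-psk-xauth
    keyexchange = ike            # "Auto": accept IKEv1 and IKEv2, which is why the client Group Name stays empty
    aggressive = no              # "main": aggressive mode exposes the PSK identity hash to offline guessing
    left = %any                  # placeholder: firewall WAN address
    leftid = fqdn:myfirewall.mydomain.org   # My Identifier (Distinguished name)
    leftsubnet = 192.0.2.0/24    # placeholder: "LAN subnet"
    right = %any                 # road warriors connect from anywhere
    rightid = %any               # Peer Identifier type is not stated in the thread, so it is not pinned here
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth-generic   # Xauth: the pfSense user needs "User - VPN - IPsec auth Dialin"
    ike = aes256-sha1-modp1024!  # AES 256 / SHA1 / DH group 2; 1024-bit DH is weak by current guidance
    esp = aes256-sha1,aes256-sha256,aes256-sha384,aes256gcm128!   # Phase 2 proposals
    # PFS off: no modp group in the esp line
    ikelifetime = 28800s         # Phase 1 lifetime
    lifetime = 3600s             # Phase 2 lifetime
    dpdaction = none             # Dead Peer Detection disabled
    forceencaps = no             # NAT Traversal: Auto (detected, not forced)
    rightsourceip = 198.51.100.0/24   # placeholder: virtual address pool for mobile clients
    auto = add
```

Any client whose proposal does not match one of the `ike`/`esp` lines will fail Phase 1 or Phase 2 and show up in the charon log as a half-open IKE_SA being deleted after timeout, the symptom reported earlier in this thread.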
-
See my remarks in red:
@dennypage: Here is the complete list of my current settings, which are slightly different from the above.
---
IPsec Phase 1
Key Exchange version: Auto [in red: V1]
Internet Protocol: IPv4
Interface: WAN
Authentication method: Mutual PSK + Xauth
Negotiation mode: main [in red: Aggressive]
My Identifier: Distinguished name myfirewall.mydomain.org
Peer Identifier: mydomain.org
Pre-Shared Key: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
Encryption algorithm: AES 256
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 28800
NAT Traversal: Auto
Dead Peer Detection: disabled
---
IPsec Phase 2
Mode: Tunnel IPv4
Local Network: LAN subnet
Protocol: ESP
Encryption algorithms: AES 256, AES256-GCM/auto
Hash algorithms: SHA1, SHA256, SHA384
PFS key group: off
Lifetime: 3600
---
iOS settings
Server: IP address of firewall
Account: myiosuser
Password: xxxxxxxxxxxxxx
Use Certificate: off
Group Name: [in red: you can fill in anything, but don't leave empty]
Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
---
OS X settings
Server Address: IP address of firewall
Account Name: myosxuser
Password: xxxxxxxxxxxxxx
Shared Secret: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
Group Name: [in red: you can fill in anything, but don't leave empty]
---
Note that user "myiosuser" and "myosxuser" must exist in System -> User Manager, and they must have the "User - VPN - IPsec auth Dialin" privilege.
Hope this helps.
-
Richardd, I wasn't asking a question, I was posting a known working configuration. The configuration I posted works correctly with pfSense 2.2.2, iOS 8.3, and OS X 10.10.3.
You need to leave the Group Name empty in order to use Auto Key Exchange. The reason for doing this is to allow mixed use of IKEv1 and IKEv2 by mobile clients.
IKEv2 on iOS is supported, but requires a custom profile. On my todo list, but not implemented yet.
I have yet to find credible mention of IKEv2 being supported in OS X. :(
-
Hi,
thanks for the replies, I will test a similar configuration and will be back to you for the results.
-
@dennypage: I stand corrected, I can confirm that your settings are working too on these platforms!
Nice work with the auto IKEv1 / IKEv2, thanks!
-
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
Check this one for reference.
-
Hi,
Sorry for the delay, I was quite busy at work.. :-\
Question on Okaenrique's settings:
- why is the mobile client setting NONE for DATABASE? (by the way, changing this setting reboots the pfSense firewall)
To test DennyPage's settings, I need some more information:
IPsec Phase 1
Key Exchange version: Auto
Internet Protocol: IPv4
Interface: WAN
Authentication method: Mutual PSK + Xauth
Negotiation mode: main
My Identifier: Distinguished name myfirewall.mydomain.org <--- is it distinguished name or user distinguished name? Can I use a fake domain?
Peer Identifier: mydomain.org <--- what peer identifier option have you chosen, distinguished name?
Pre-Shared Key: xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
-
Richardd, I wasn't asking a question, I was posting a known working configuration. The configuration I posted works correctly with pfSense 2.2.2, iOS 8.3, and OS X 10.10.3.
You need to leave the Group Name empty in order to use Auto Key Exchange. The reason for doing this is to allow mixed use of IKEv1 and IKEv2 by mobile clients.
IKEv2 on iOS is supported, but requires a custom profile. On my todo list, but not implemented yet.
I have yet to find credible mention of IKEv2 being supported in OS X. :(
dennypage: I have tried unsuccessfully to replicate your setup. Any possibility of screen shots? I just can't seem to get it to work.
-
I have moved from PSK to certificates so I can't easily do screen shots for PSK. However if you post shots of your current config, I will be happy to try and help you. Alternatively, I can provide XML fragments for PSK if you are comfortable with that approach.
I'm currently traveling, so it may be a day or two before I can respond.