Valid configuration for IKEv2 VPN for iOS and OSX WITH PSK



  • Hey,

    I'm using (and will use this config in the future) the pfSense IKEv2 Server with PSK (mschapv2) with a lot of Windows clients. It works pretty well with the default Windows VPN client.

    Now there are three Apple devices (2x MacBook Pro, 1x iPad) which can't connect to the IKEv2 server.

    • I won't change the Config / Server Certificate for the Windows clients.
    • The pfSense should be the only VPN Server in my network.
    • I don't know much about the Apple OSes. I don't even know where to configure a PSK in iOS?!?!
    • I can't use the "Apple Configurator 2"
    • I will use the default VPN Client in Mac/iOS.
    • It has to be a PreSharedKey authentication. Not with client certificates.

    Does anybody know a working configuration (with User/Password and PSK authentication) for this scenario?

    Since iOS 10, Apple has changed a lot in the VPN configuration, so the old tutorials don't work anymore.

    GrafGirula



  • What do the server-side and client-side logs say?  Do you have 3des and sha1 enabled for phase1?  (That seems required.)



  • 3des and sha1 are enabled. Like in the tutorial.

    Server Log:

    Jan 18 12:18:11	charon		08[JOB] <con1|197> deleting half open IKE_SA after timeout
    Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (280 bytes)
    Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (544 bytes)
    Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (544 bytes)
    Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (544 bytes)
    Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(4/4) ]
    Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(3/4) ]
    Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(2/4) ]
    Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(1/4) ]
    Jan 18 12:17:42	charon		13[ENC] <con1|197> splitting IKE message with length of 1740 bytes into 4 fragments
    Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Jan 18 12:17:42	charon		13[IKE] <con1|197> sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=Die Firma GmbH, E=admin@die-firma.de, CN=vpn.die-firma.de"
    Jan 18 12:17:42	charon		13[IKE] <con1|197> authentication of 'vpn.die-firma.de' (myself) with RSA signature successful
    Jan 18 12:17:42	charon		13[IKE] <con1|197> peer supports MOBIKE, but disabled in config
    Jan 18 12:17:42	charon		13[IKE] <con1|197> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jan 18 12:17:42	charon		13[IKE] <con1|197> initiating EAP_IDENTITY method (id 0x00)
    Jan 18 12:17:42	charon		13[CFG] <con1|197> selected peer config 'con1'
    Jan 18 12:17:42	charon		13[CFG] <197> looking for peer configs matching 201.08.15.23[vpn.die-firma.de]...13.37.13.37[192.168.112.50]
    Jan 18 12:17:42	charon		13[ENC] <197> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Jan 18 12:17:42	charon		13[NET] <197> received packet: from 13.37.13.37[61621] to 201.08.15.23[4500] (492 bytes)
    Jan 18 12:17:41	charon		13[NET] <197> sending packet: from 201.08.15.23[500] to 13.37.13.37[61620] (341 bytes)
    Jan 18 12:17:41	charon		13[ENC] <197> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Jan 18 12:17:41	charon		13[IKE] <197> sending cert request for "C=DE, ST=Hamburg, L=Hamburg, O=Die Firma GmbH, E=admin@die-firma.de, CN=internal-ca"
    Jan 18 12:17:41	charon		13[IKE] <197> remote host is behind NAT
    Jan 18 12:17:41	charon		13[IKE] <197> 13.37.13.37 is initiating an IKE_SA
    Jan 18 12:17:41	charon		13[ENC] <197> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Jan 18 12:17:41	charon		13[NET] <197> received packet: from 13.37.13.37[61620] to 201.08.15.23[500] (476 bytes)
    Jan 18 12:17:41	charon		11[NET] <196> sending packet: from 201.08.15.23[500] to 13.37.13.37[61620] (38 bytes)
    Jan 18 12:17:41	charon		11[ENC] <196> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    Jan 18 12:17:41	charon		11[IKE] <196> DH group MODP_2048 inacceptable, requesting MODP_1024
    Jan 18 12:17:41	charon		11[IKE] <196> remote host is behind NAT
    Jan 18 12:17:41	charon		11[IKE] <196> 13.37.13.37 is initiating an IKE_SA
    Jan 18 12:17:41	charon		11[ENC] <196> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Jan 18 12:17:41	charon		11[NET] <196> received packet: from 13.37.13.37[61620] to 201.08.15.23[500] (604 bytes)
    

    The client has no logs or error messages. The "VPN" switch in the iOS settings menu just turns off after a second.


  • Netgate

    Not enough logs. What's after that? That shows an attempt at PFS group 14, with a request for group 2 after that but that's all you showed.
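    The negotiation this reply reads out of the log (a first IKE_SA rejected with INVAL_KE because the client offered MODP_2048 and the server wanted MODP_1024, a second IKE_SA that reaches EAP identity, a fragmented IKE_AUTH response, then silence until the half-open timeout) can be reconstructed mechanically. The script below is an added example, not code from this thread, from pfSense or from strongSwan; it assumes the pfSense log layout shown above (newest line first) and the charon message wordings visible in it, and it embeds a constructed excerpt of that log, trimmed to the lines that matter, as sample input.

```python
"""Triage strongSwan (charon) log lines from pfSense for a stalled IKEv2 connection.

Added example, not code from the forum thread, pfSense or strongSwan.
It rebuilds each IKE_SA from the log and reports where the exchange stopped.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape pfSense prints charon lines (newest first),
# trimmed to the lines needed for the diagnosis; addresses are the ones the
# thread's poster already substituted into their log.
SAMPLE_LOG = """\
Jan 18 12:18:11\tcharon\t\t08[JOB] <con1|197> deleting half open IKE_SA after timeout
Jan 18 12:17:42\tcharon\t\t13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (280 bytes)
Jan 18 12:17:42\tcharon\t\t13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(1/4) ]
Jan 18 12:17:42\tcharon\t\t13[ENC] <con1|197> splitting IKE message with length of 1740 bytes into 4 fragments
Jan 18 12:17:42\tcharon\t\t13[ENC] <con1|197> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 18 12:17:42\tcharon\t\t13[IKE] <con1|197> initiating EAP_IDENTITY method (id 0x00)
Jan 18 12:17:42\tcharon\t\t13[CFG] <con1|197> selected peer config 'con1'
Jan 18 12:17:42\tcharon\t\t13[NET] <197> received packet: from 13.37.13.37[61621] to 201.08.15.23[4500] (492 bytes)
Jan 18 12:17:41\tcharon\t\t13[NET] <197> sending packet: from 201.08.15.23[500] to 13.37.13.37[61620] (341 bytes)
Jan 18 12:17:41\tcharon\t\t13[ENC] <197> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jan 18 12:17:41\tcharon\t\t13[NET] <197> received packet: from 13.37.13.37[61620] to 201.08.15.23[500] (476 bytes)
Jan 18 12:17:41\tcharon\t\t11[ENC] <196> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 18 12:17:41\tcharon\t\t11[IKE] <196> DH group MODP_2048 inacceptable, requesting MODP_1024
Jan 18 12:17:41\tcharon\t\t11[NET] <196> received packet: from 13.37.13.37[61620] to 201.08.15.23[500] (604 bytes)
"""

# "Jan 18 12:17:42  charon  13[NET] <con1|197> message" -> fields; the
# connection name before "|" is absent until charon has selected a peer config.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
DH_RE = re.compile(r"DH group (\S+) inacceptable, requesting (\S+)")
FRAG_RE = re.compile(r"splitting IKE message with length of (\d+) bytes into (\d+) fragments")
EAP_RE = re.compile(r"initiating (EAP_\w+) method")


@dataclass
class SaState:
    """What the log tells us about one IKE_SA, keyed by charon's numeric id."""
    sa: str
    conn: str | None = None
    dh_mismatch: tuple[str, str] | None = None   # (peer proposed, server wanted)
    eap_method: str | None = None
    auth_response_sent: bool = False
    fragments: int | None = None                  # fragment count of the IKE_AUTH response
    received_after_auth_response: bool = False
    half_open_timeout: bool = False


def parse_log(text: str, newest_first: bool = True) -> dict[str, SaState]:
    """Group charon lines per IKE_SA in chronological order and extract the milestones."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if newest_first:          # pfSense shows the newest line on top; walk it forward in time
        lines.reverse()
    states: dict[str, SaState] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # not a charon line in the expected layout
        st = states.setdefault(m["sa"], SaState(sa=m["sa"]))
        if m["conn"]:
            st.conn = m["conn"]
        msg = m["msg"]
        if (d := DH_RE.search(msg)):
            st.dh_mismatch = (d.group(1), d.group(2))
        elif (e := EAP_RE.search(msg)):
            st.eap_method = e.group(1)
        elif "generating IKE_AUTH response" in msg:
            st.auth_response_sent = True
        elif (f := FRAG_RE.search(msg)):
            st.fragments = int(f.group(2))
        elif msg.startswith("received packet") and st.auth_response_sent:
            st.received_after_auth_response = True
        elif "deleting half open IKE_SA after timeout" in msg:
            st.half_open_timeout = True
    return states


def diagnose(st: SaState) -> str:
    """Say, for one IKE_SA, where the exchange stopped; never why the peer stopped."""
    if st.dh_mismatch:
        proposed, wanted = st.dh_mismatch
        return (f"IKE_SA {st.sa}: INVAL_KE, peer proposed {proposed}, server asked for {wanted}; "
                "the peer normally retries in a new IKE_SA, so this alone is not the failure")
    if st.half_open_timeout and st.auth_response_sent and not st.received_after_auth_response:
        frag = (f" (response sent as {st.fragments} fragments; check that fragmented "
                "UDP/4500 packets reach the client)" if st.fragments else "")
        eap = f" during {st.eap_method}" if st.eap_method else ""
        return f"IKE_SA {st.sa}: peer went silent after the IKE_AUTH response{eap}{frag}"
    if st.half_open_timeout:
        return f"IKE_SA {st.sa}: half-open timeout before any IKE_AUTH response"
    return f"IKE_SA {st.sa}: completed or still in progress"


def triage(text: str, newest_first: bool = True) -> list[str]:
    """One diagnosis line per IKE_SA, oldest first."""
    return [diagnose(st) for st in parse_log(text, newest_first).values()]


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

    Run against the posted log it reports exactly the two stages this reply points at: SA 196 is the group 14 proposal answered with INVAL_KE, and SA 197 is the retry that got as far as the server's fragmented IKE_AUTH response (carrying the EAP identity request) and then never heard from the client again. The server log can only place the stall; it cannot say whether the client dropped the fragments or rejected what the response offered, which is why the next step is the client-side log.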



  • That's all! There is nothing after that.
    It ends with "<con1|197> deleting half open IKE_SA after timeout"



  • The client should have logs.  I dunno about iOS, but in macOS you should see stuff in Console.app.