Netgate Discussion Forum

    Valid configuration for IKEv2 VPN for iOS and OSX WITH PSK

    IPsec
    6 Posts 3 Posters 1.8k Views

    GrafGirula

      Hey,

      I use (and will use this config in the future) the pfSense IKEv2 server with PSK (MSCHAPv2) with a lot of Windows clients. It works pretty well with the default Windows VPN client.

      Now there are three Apple devices (2x MacBook Pro, 1x iPad) which can't connect to the IKEv2 server.

      • I won't change the Config / Server Certificate for the Windows clients.
      • The pfSense should be the only VPN Server in my network.
      • I don't know much about the Apple OSes. I don't even know where to configure a PSK in iOS?!
      • I can't use the "Apple Configurator 2"
      • I will use the default VPN Client in Mac/iOS.
      • It has to be a PreSharedKey authentication. Not with client certificates.

      Does anybody know a working configuration (with User/Password and PSK authentication) for this scenario?

      Since iOS 10, Apple has changed a lot in the configuration of VPN, so the old tutorials don't work anymore.

      GrafGirula

      seanmcb

        What do the server-side and client-side logs say?  Do you have 3des and sha1 enabled for phase1?  (that seems required.)

        GrafGirula

          3des and sha1 are enabled. Like in the tutorial.

          Server Log:

          Jan 18 12:18:11	charon		08[JOB] <con1|197> deleting half open IKE_SA after timeout
          Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (280 bytes)
          Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (544 bytes)
          Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (544 bytes)
          Jan 18 12:17:42	charon		13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (544 bytes)
          Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(4/4) ]
          Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(3/4) ]
          Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(2/4) ]
          Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ EF(1/4) ]
          Jan 18 12:17:42	charon		13[ENC] <con1|197> splitting IKE message with length of 1740 bytes into 4 fragments
          Jan 18 12:17:42	charon		13[ENC] <con1|197> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
          Jan 18 12:17:42	charon		13[IKE] <con1|197> sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=Die Firma GmbH, E=admin@die-firma.de, CN=vpn.die-firma.de"
          Jan 18 12:17:42	charon		13[IKE] <con1|197> authentication of 'vpn.die-firma.de' (myself) with RSA signature successful
          Jan 18 12:17:42	charon		13[IKE] <con1|197> peer supports MOBIKE, but disabled in config
          Jan 18 12:17:42	charon		13[IKE] <con1|197> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
          Jan 18 12:17:42	charon		13[IKE] <con1|197> initiating EAP_IDENTITY method (id 0x00)
          Jan 18 12:17:42	charon		13[CFG] <con1|197> selected peer config 'con1'
          Jan 18 12:17:42	charon		13[CFG] <197> looking for peer configs matching 201.08.15.23[vpn.die-firma.de]...13.37.13.37[192.168.112.50]
          Jan 18 12:17:42	charon		13[ENC] <197> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
          Jan 18 12:17:42	charon		13[NET] <197> received packet: from 13.37.13.37[61621] to 201.08.15.23[4500] (492 bytes)
          Jan 18 12:17:41	charon		13[NET] <197> sending packet: from 201.08.15.23[500] to 13.37.13.37[61620] (341 bytes)
          Jan 18 12:17:41	charon		13[ENC] <197> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
          Jan 18 12:17:41	charon		13[IKE] <197> sending cert request for "C=DE, ST=Hamburg, L=Hamburg, O=Die Firma GmbH, E=admin@die-firma.de, CN=internal-ca"
          Jan 18 12:17:41	charon		13[IKE] <197> remote host is behind NAT
          Jan 18 12:17:41	charon		13[IKE] <197> 13.37.13.37 is initiating an IKE_SA
          Jan 18 12:17:41	charon		13[ENC] <197> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
          Jan 18 12:17:41	charon		13[NET] <197> received packet: from 13.37.13.37[61620] to 201.08.15.23[500] (476 bytes)
          Jan 18 12:17:41	charon		11[NET] <196> sending packet: from 201.08.15.23[500] to 13.37.13.37[61620] (38 bytes)
          Jan 18 12:17:41	charon		11[ENC] <196> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
          Jan 18 12:17:41	charon		11[IKE] <196> DH group MODP_2048 inacceptable, requesting MODP_1024
          Jan 18 12:17:41	charon		11[IKE] <196> remote host is behind NAT
          Jan 18 12:17:41	charon		11[IKE] <196> 13.37.13.37 is initiating an IKE_SA
          Jan 18 12:17:41	charon		11[ENC] <196> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
          Jan 18 12:17:41	charon		11[NET] <196> received packet: from 13.37.13.37[61620] to 201.08.15.23[500] (604 bytes)

          The client has no logs or error messages. The "VPN" switch in the iOS settings menu just turns off after a second.

          Derelict (Netgate)
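          As an added example (not code from the thread or from pfSense), a small Python triage script over a constructed excerpt of the charon log quoted above: it reorders pfSense's newest-first output, groups lines by IKE_SA id, and flags an SA whose fragmented IKE_AUTH response was never followed by any packet from the peer before the half-open timeout. The regex, function names and sample lines are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout pfSense shows (newest first); the IPs are the post's own placeholders.
LOG = """\
Jan 18 12:18:11\tcharon\t\t08[JOB] <con1|197> deleting half open IKE_SA after timeout
Jan 18 12:17:42\tcharon\t\t13[NET] <con1|197> sending packet: from 201.08.15.23[4500] to 13.37.13.37[61621] (544 bytes)
Jan 18 12:17:42\tcharon\t\t13[ENC] <con1|197> splitting IKE message with length of 1740 bytes into 4 fragments
Jan 18 12:17:42\tcharon\t\t13[ENC] <con1|197> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 18 12:17:42\tcharon\t\t13[NET] <197> received packet: from 13.37.13.37[61621] to 201.08.15.23[4500] (492 bytes)
Jan 18 12:17:41\tcharon\t\t11[IKE] <196> DH group MODP_2048 inacceptable, requesting MODP_1024
"""

# One charon line: timestamp, daemon, "NN[SUBSYS] <[conn|]SA_ID> message" (assumed layout)
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+)\s+charon\s+\d+\[(?P<sub>\w+)\] "
                  r"<(?:[\w-]+\|)?(?P<sa>\d+)> (?P<msg>.*)$")

def parse(log_text):
    """Return parsed records in chronological order (the GUI lists newest first)."""
    records = [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]
    return records[::-1]

def triage(records):
    """Per IKE_SA id: DH-group renegotiation, IKE_AUTH fragmentation, peer silence, timeout."""
    def new_state():
        return {"invalid_ke": False, "fragments": 0, "peer_answered": False, "timed_out": False}
    sas = defaultdict(new_state)
    for r in records:
        s, msg = sas[r["sa"]], r["msg"]
        if "requesting MODP" in msg:            # responder rejected the offered DH group
            s["invalid_ke"] = True
        frag = re.search(r"into (\d+) fragments", msg)
        if frag:                                # IKE_AUTH response exceeded the fragment size
            s["fragments"] = int(frag.group(1))
        elif s["fragments"] and msg.startswith("received packet"):
            s["peer_answered"] = True           # anything back from the peer after the fragments
        if "deleting half open IKE_SA" in msg:
            s["timed_out"] = True
    return dict(sas)

def diagnose(sa):
    """Plain-language verdict for one IKE_SA's state."""
    if sa["timed_out"] and sa["fragments"] and not sa["peer_answered"]:
        return (f"IKE_AUTH response split into {sa['fragments']} fragments, no packet from the peer "
                "afterwards, SA timed out: check the client side for why the fragments went unanswered")
    if sa["invalid_ke"]:
        return "peer offered a DH group the responder will not use; it asked for another (retried, not fatal)"
    return "no failure pattern recognised"
```

Run it with `for sa_id, sa in triage(parse(LOG)).items(): print(sa_id, diagnose(sa))` to get one verdict per IKE_SA; pasting the full log from the thread in place of the excerpt gives the same result for SA 197.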

            Not enough logs. What's after that? That shows an attempt at PFS group 14, with a request for group 2 after that, but that's all you showed.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            GrafGirula

              That's all! There is nothing after that.
              It ends with "<con1|197> deleting half open IKE_SA after timeout"

              seanmcb

                The client should have logs.  I dunno about iOS, but in macOS you should see stuff in Console.app.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.