IKEv2 VPN for Windows 10 and OSX - HOW-TO!


  • Rebel Alliance Developer Netgate

    This is almost entirely the same as the existing doc except for the client setup. The original doc was written to be used against either Windows 10 or OS X, depending on the settings. There are ways to use both, but as you've found it isn't so straightforward.

    The native IKEv2 client on OS X works fine when you configure it properly using our export tool (if you're on the factory version), or by crafting a profile using Apple Configurator 2. Then it can use the same settings recommended for Windows 10 and they'll both work OK without third-party software.

    Sure, you can install strongSwan and use that but I wouldn't pick that over the native client in most cases.

    For the Windows 10 setup, I do need to put up the parts for using powershell since using split routing is a common request, though using the GUI to setup the VPN still works fine.



  • Just tested:

    pfSense 2.4.0-BETA
    macOS 10.12
    iOS 10.2.1
    MSW 10

    All work (LAN traffic, DNS resolving, outbound traffic etc.) with certificate based IKEv2 auth just using built in OS func OOB. Currently could not be happier.

    –-----------------------------------------------------------------------

    Using DH14 as apple now supports it and MSW can be easily made to support it.

    For macOS/iOS it is super easy - just use profile(s), mail them to (users), 3 clicks and user is ready.
    Enable perfect forward secrecy must be urned on in Apple Configurator, so that DH group for Phase 2 is proposed.

    Adding MSW support was easier than I thought. I am not power user on this os. Followed this guide, but only the part that describes how to install certs on MSW and configure interface.
    For this part I created registry entry and exported as double-click-to install file that just has to be shipped to clients along with certs.

    At first, after enabling reg key, it did not work on MSW, but logs said it all

    Mar 21 15:34:42     charon          05[CFG] <con1|8> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
    Mar 21 15:34:42     charon          05[CFG] <con1|8> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ</con1|8></con1|8>
    

    Thus phase 2 has to include also 3DES and SHA1 (which means: AES-256, 3DES for enc; SHA1, SHA256 for hash). DH group 14 for both phase 1 and Phase 2.

    Basically takes ~3min to set it up on MSW (or faster if i was poweruser and could script cert installation, vpn adapter setup).

    Profit. All mentioned OSes connect w/ cert based auth & DH14

    Now I have to test how stable IKEv2 conn is on all OSes :)

    –-----------------------------------------------------------------------

    Using DH20

    Note that per Cisco docs 3 years ago DH14 is really lowest DH group one should use, so i'll check wether DH20 (that macOS/iOS support OOB) can be brought to MSW w/o external client. This doc and this doc says ecdhp384 is supported since MSW7 which imho refers to 384 bit elliptic curve which itself is DH20.

    EDIT: DH20 can be made to work on windows OOB, see ECP384. The docs are clear so…

    switched pFsense back to DH20 @ phase 1&2
    Rolled back phase 2 - removed 3DES and SHA1 (back to AES256; SHA256 only).

    For macOS/iOS just rolled back to DH20 in Phase 1 & 2, reexported and reinstalled the profiles.
    Enable perfect forward secrecy must be urned on in Apple Configurator, so that DH group for Phase 2 is proposed.

    For MSW deleted DH14 registry entry (you have to for this to work).
    Fired up PS and

    Set-VpnConnectionIPsecConfiguration -ConnectionName "myvpnname" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -DHGroup ECP384 -PfsGroup ECP384 -PassThru -Force
    

    Profit. All mentioned OSes connect w/ cert based auth & DH20

    –-----------------------------------------------------------------------

    I'll probably stick with DH20 now, as for macOS it does not matter, and both DH14 and DH20 need some "custom script execution" on MSW, so why not choosing the latter.


    I'm awaiting quantum resistant stuff though.



  • @jimp:

    This is almost entirely the same as the existing doc except for the client setup. The original doc was written to be used against either Windows 10 or OS X, depending on the settings. There are ways to use both, but as you've found it isn't so straightforward.

    The native IKEv2 client on OS X works fine when you configure it properly using our export tool (if you're on the factory version), or by crafting a profile using Apple Configurator 2. Then it can use the same settings recommended for Windows 10 and they'll both work OK without third-party software.

    Sure, you can install strongSwan and use that but I wouldn't pick that over the native client in most cases.

    For the Windows 10 setup, I do need to put up the parts for using powershell since using split routing is a common request, though using the GUI to setup the VPN still works fine.

    Hi there,

    The original is well done just needs some updates and clarification. I was offering to do that but it looks like you're the actual maintainer of the doc anyway.

    The changes on the doc are in a few places - I'd have to do a side-by-side comparison, but there were a few key things. (And of course that whole PowerShell nonsense if you need split routing). (Nonsense on MS's part not your or PFSense's part). Agreed the VPN setup using the GUI will also work fine, I just figured since the user has to issue PowerShell commands anyway it's quicker and less prone to missed steps to issue the initial VPN setup as well.

    Re: use of 3rd-party client software ie: StongSwan. Personally I looked at using that vs. a to-be-installed tool kinda one in the same problem - only that StrongSwan is just quicker and easier to set up. Up to the user which one is best for their particular situation I guess. If you have a dozen client computers to maintain, perhaps the tool would be best. Maybe both options should be noted.

    At the end of the day hey, you're the one who works here and it's your doc to maintain. I'm just trying to save people the headaches I had to go through that's all. I'm happy to pitch in where needed. (In particular on the OSX side).

    Take care,
    -G



  • @kroko:

    Just tested:

    pfSense 2.4.0-BETA
    macOS 10.12
    iOS 10.2.1
    MSW 10

    Hi,

    My thoughts are whatever is easier for the user, and will work for both Win10 and OSX. I'm not the judge of what the correct method is since it's partly up to opinion (profile tools vs. client, DH 2 vs DH14, etc). My logic on the matter is whatever is less effort for the client while still being secure and functional. Registry changes are not easy for the client. Nor is installing and messing with Apple's Profile Tool (Unless you are maintaining a lot of machines). But again, that's just MY opinion.

    Seems Jimp is the actual doc maintainer - his call I guess. Glad to see we're all working together for a good final experience though!



  • Well, you can go the secure way and you can go insecure way. I would not agree upon "it's partly up to opinion (…) DH 2 vs DH14". There is lot of educated opinion out there that DH2 is insecure and i provided links to what cisco has to say about DH2. But I see your point - you just want to VPN going and really don't care about security for that speciffic case. Been there, done that - if one does not care then for the sake of simplicity just use PPTP VPN with shared CHAP, it is really easy to setup on both ends, used it for years for VPNing in my home network. Offt: Actually I have seen people pulling hair out on configuring VPN when simple SSH tunnel would provide everything needed.

    If security is concern then the orignal doc should also note this, why certs should be used.



  • I wouldn't exactly compare DH2 to PPTP and CHAP (unencrypted). Yes 1024 is not ideal for everyone, however I'm not so sure it's completely insecure.

    If it's that big of a deal then Jimp can decide wether DH2 is acceptable for documentation, or guiding the user through editing their registry.

    For me, considering there's still encryption, and a certificate required in the client side to boot, it's fine. However this is a small operation and not a bank. The user should decide what's right for them.

    I guess the long and short of it is, the original doc maintainer is now involved. We've made our suggestions, and PFSense staff can implement as they see fit. You're not wrong about the DH14 btw.



  • Don't get me wrong - imho your input is great. My two cents is just
    a) If the docs are updated, it should be noted that by year 2017 standards it is insecure*.

    • which comes to offtopic for my case - i'm building something that i don't have to return to in near future and i need security, my use case is medium office infrastructure, other cases might really be security indifferent (secured traffic over unsecured tunnel is secure).
      b) If one seeks for supersimple VPN capability ("i want to login in my home media bin and don't know how to use console & SSH, only those auto SMB share icons that show up in my MSW explorer left panel; security? -  i don't care, i do not watch balck mirror :)" stuff) then there are evern simplier methods to get cross-OS VPN working, which was part of agenda of this post - having "something that works on both Windows 10 and OSX" and does not involve cert installation and what not.

    EDIT: beware, that my comments on my setup above with setting PF group for phase 2 will not work for rekeying if  Enable Perfect Forward Secrecy is off when creating profile in Apple Configurator. Either this or set pfSense not to use DH group for phase 2 (as Enable Perfect Forward Secrecy macOS/iOS will never send DH proposals).



  • @kroko:

    Just tested:

    pfSense 2.4.0-BETA
    macOS 10.12
    iOS 10.2.1
    MSW 10

    All work (LAN traffic, DNS resolving, outbound traffic etc.) with certificate based IKEv2 auth just using built in OS func OOB. Currently could not be happier.

    –-----------------------------------------------------------------------

    Using DH14 as apple now supports it and MSW can be easily made to support it.

    For macOS/iOS it is super easy - just use profile(s), mail them to (users), 3 clicks and user is ready.
    Enable perfect forward secrecy must be urned on in Apple Configurator, so that DH group for Phase 2 is proposed.

    Adding MSW support was easier than I thought. I am not power user on this os. Followed this guide, but only the part that describes how to install certs on MSW and configure interface.
    For this part I created registry entry and exported as double-click-to install file that just has to be shipped to clients along with certs.

    At first, after enabling reg key, it did not work on MSW, but logs said it all

    Mar 21 15:34:42     charon          05[CFG] <con1|8> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
    Mar 21 15:34:42     charon          05[CFG] <con1|8> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ</con1|8></con1|8>
    

    Thus phase 2 has to include also 3DES and SHA1 (which means: AES-256, 3DES for enc; SHA1, SHA256 for hash). DH group 14 for both phase 1 and Phase 2.

    Basically takes ~3min to set it up on MSW (or faster if i was poweruser and could script cert installation, vpn adapter setup).

    Profit. All mentioned OSes connect w/ cert based auth & DH14

    Now I have to test how stable IKEv2 conn is on all OSes :)

    –-----------------------------------------------------------------------

    Using DH20

    Note that per Cisco docs 3 years ago DH14 is really lowest DH group one should use, so i'll check wether DH20 (that macOS/iOS support OOB) can be brought to MSW w/o external client. This doc and this doc says ecdhp384 is supported since MSW7 which imho refers to 384 bit elliptic curve which itself is DH20.

    EDIT: DH20 can be made to work on windows OOB, see ECP384. The docs are clear so…

    switched pFsense back to DH20 @ phase 1&2
    Rolled back phase 2 - removed 3DES and SHA1 (back to AES256; SHA256 only).

    For macOS/iOS just rolled back to DH20 in Phase 1 & 2, reexported and reinstalled the profiles.
    Enable perfect forward secrecy must be urned on in Apple Configurator, so that DH group for Phase 2 is proposed.

    For MSW deleted DH14 registry entry (you have to for this to work).
    Fired up PS and

    Set-VpnConnectionIPsecConfiguration -ConnectionName "myvpnname" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -DHGroup ECP384 -PfsGroup ECP384 -PassThru -Force
    

    Profit. All mentioned OSes connect w/ cert based auth & DH20

    –-----------------------------------------------------------------------

    I'll probably stick with DH20 now, as for macOS it does not matter, and both DH14 and DH20 need some "custom script execution" on MSW, so why not choosing the latter.


    I'm awaiting quantum resistant stuff though.

    Sorry. Who can help set ikev2 from iOS 10? You wrote you can set, but i cant. From Win10 i can connect, but not from iphone.



  • Hello,

    I Would like to follow this guide but in the configuration of the Phase1 I'm unable to select the EAP-MSCHAPv2 option as authentication option.

    Our system version is 2.3.2_1

    Thank you for your support.
    Bart



  • The guide worked for me using FreeRadius user authentication. For W10 clients, had to add another route command for the remote LAN subnet so the W10 clients could see clients in the remote network.

    thanks!



  • @gbitglenn:

    IKEv2 with EAP-MSCHAPv2
    ….

    SECTION B: Set up Mobile IPsec for IKEv2+EAP-MSCHAPv2

    1. Mobile Clients

    2. IPSEC Phase 1
      • If the “Create Phase 1” button appeared at the top of the page after you clicked Apply in the previous step, click it. Otherwise, go to the Tunnels Tab and “Add P1”.
      • “Key Exchange version”: to IKEv2.
      • “Description”: ‘Mobile Phase 1’ (Or whatever you want, it doesn’t matter).
      • “Authentication method” to “EAP-MSChapv2”
      • “My Identifier”: ‘Distinguished name’, and enter in either the hostname or WAN IP address.
      • NOTE: This MUST match what you used as the “Common Name” of the server certificate, in Step 1.
      …...

    Am I missing anything, or why doesn't I get the option?



  • @io-automation:

    I'm unable to select the EAP-MSCHAPv2 option as authentication option.

    @franken:

    “Authentication method” to “EAP-MSChapv2”
    Am I missing anything, or why doesn't I get the option?

    It's a stupid feature (a bug in my opinion), but you need to create the tunnel from the Mobile Clients page instead of from the Tunnels page. At the very least there is a lack of documentation (ie: something at that stage that lets you know you're in the wrong place).

    If you go to create a Tunnel from the Tunnels menu, it won't give you the option

    https://router:443/vpn_ipsec_phase1.php

    If you go to create a Tunnel from the Mobile Clients menu

    https://router:443/vpn_ipsec_phase1.php?mobile=true



  • Thanks for the writeup. I'm using windows 7 instead of win10, I got the VPN connected, however I could not access anything on the LAN. I notice compared to my other VPN, this connection did not set the DNS server.



  • thanks this worked for me under win 7

    question is
    if i turn off default gw in VPN connection (under win 7 network vpn connection), and internet passes directly, i cant connecto to servers behind vpn.
    If i turn on default gw under VPN connection, internet goes through VPN and i can access servers behind VPN.

    I guess i have to add default route for servers subnet? but what is my gw then, because there is no IPV4 address of IKEv2 under connection details.

    i hope you will understand what im asking, because i think i didnt explain this very well.

    thanks

    edit:
    i add route
    route add "server netvork" mask 255.255.255.0 "ip address of ike vpn" -p
    and it is working.
    but, if i have two or more useres connected and if ip address change, than route will not work.
    I need ipv4 address of ikev2 server to add correct route. and it seems there is no one :(



  • @josey:

    I guess i have to add default route for servers subnet? but what is my gw then, because there is no IPV4 address of IKEv2 under connection details.

    I didn't test IKEv2 yet (still on L2TP with IKEv1), but it seem you can create route using device, instead of gateway IP:

    • use ipconfig to get the name of each device (you probably can get those form GUI also);
    • use route print to get the number of each interface, and get the one of your VPN device (the table at the begining of "route print" command output);
    • create the route using "IF" option instead of the gateway address:

    route ADD 10.10.10.0 MASK 255.255.255.0 IF 10 -p
    (this would create a route to subnet 10.10.10.0/24 through interface number 10)



  • Hello guys!

    I can connect to the IKEv2 IPSec VPN and ping both WAN and LAN NIC from my pfsense but I cannot ping other hosts in the remote LAN

    Thanks!










  • @gbitglenn:

    @jimp:

    This is almost entirely the same as the existing doc except for the client setup. The original doc was written to be used against either Windows 10 or OS X, depending on the settings. There are ways to use both, but as you've found it isn't so straightforward.

    The native IKEv2 client on OS X works fine when you configure it properly using our export tool (if you're on the factory version), or by crafting a profile using Apple Configurator 2. Then it can use the same settings recommended for Windows 10 and they'll both work OK without third-party software.

    Sure, you can install strongSwan and use that but I wouldn't pick that over the native client in most cases.

    For the Windows 10 setup, I do need to put up the parts for using powershell since using split routing is a common request, though using the GUI to setup the VPN still works fine.

    Hi there,

    The original is well done just needs some updates and clarification. I was offering to do that but it looks like you're the actual maintainer of the doc anyway.

    The changes on the doc are in a few places - I'd have to do a side-by-side comparison, but there were a few key things. (And of course that whole PowerShell nonsense if you need split routing). (Nonsense on MS's part not your or PFSense's part). Agreed the VPN setup using the GUI will also work fine, I just figured since the user has to issue PowerShell commands anyway it's quicker and less prone to missed steps to issue the initial VPN setup as well.

    Re: use of 3rd-party client software ie: StongSwan. Personally I looked at using that vs. a to-be-installed tool kinda one in the same problem - only that StrongSwan is just quicker and easier to set up. Up to the user which one is best for their particular situation I guess. If you have a dozen client computers to maintain, perhaps the tool would be best. Maybe both options should be noted.

    At the end of the day hey, you're the one who works here and it's your doc to maintain. I'm just trying to save people the headaches I had to go through that's all. I'm happy to pitch in where needed. (In particular on the OSX side).

    Take care,
    -G

    Thank you very much. I have set up a few VPNs, and recently set up 2 at different sites., both in the latest version.

    Strangely I only had to run the powershell command to connect to one of the sites. thank you very much for the information, and thanks also to the creators of the original doc.



  • @peter911:

    Hello guys!

    I can connect to the IKEv2 IPSec VPN and ping both WAN and LAN NIC from my pfsense but I cannot ping other hosts in the remote LAN

    Thanks!

    Hi all,

    Is there anyone, who could help me? How to start debugging what's wrong in my config?

    Thank you,

    Peter



  • sorry to reopen this, but following the same config for windows 10 I was able to set dh20 via powershelll but I get a odd certificate issue:

    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
    Aug 24 22:12:29 charon 08[IKE] <2> received 41 cert requests for an unknown ca

    The ca is installed to the trusted store and this works fine on OSX with the same ca :/

    I was using the IP for remote connection and unlike OSX you can't set the Address and the actual remote identifier so I change to use a public dns name set in cloudflare and created a new server certificate , updated the OSX profile which still works, but in windows I get the same exact issue.

    Unfortuntly I didn't find much help on google (other then it being related to the CN/subject names, but that should be a issue if using the FQDN name to connect and use that as CN/add dns and IP to alt subject names.

    Any ideas?



  • Actually I was focusing on that cause I didn't see this in the OSX successful connection, but there also:

     24 22:12:29 	charon 		08[CFG] <2> looking for peer configs matching 192.x.x.x[%any]....x.x.x.x.[172.16xx.x]
    Aug 24 22:12:29 	charon 		08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Aug 24 22:12:29 	charon 		08[CFG] <2> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
    Aug 24 22:12:29 	charon 		08[CFG] <2> ignore candidate 'con-mobile' without matching IKE proposal
    Aug 24 22:12:29 	charon 		08[CFG] <bypasslan|2> selected peer config 'bypasslan'
    Aug 24 22:12:29 	charon 		08[IKE] <bypasslan|2> peer requested EAP, config unacceptable
    Aug 24 22:12:29 	charon 		08[CFG] <bypasslan|2> no alternative config found 
    


  • I could finally connect my windows 10 pro, but results are:

    Windows 10 Good.
    Windows 8, good no need to add the route command, but once the vpn connect, all the traffic goes over the vpn, I still checking this.
    Windows 7 no luck, trying different settings.
    Android strongswan no luck yet
    Ubuntu strongwan no luck yet

    Thanks for the tutorial.


Log in to reply