Can't install IKEv2 CA iOS 11.02



  • Hi guys - I'm attempting to install my IKEv2 CA on an iPad 9.7" running iOS 11.0.2.  After transferring the certificate to the device, when I click on it I get 'crt file type is not supported. Do you want to open in text viewer or other apps'.  I've tried converting to .cer format and I get the same message.

    The cert installs fine on Android and Windows 10…

    Any ideas?


  • Netgate

    This works. What did you do when you generated the CA? Did you change any of the default algorithms? To what?

    How are you getting the CA Cert to iOS?



  • Hi - I followed this guide https://forum.pfsense.org/index.php?topic=127457.0 - which I believe is almost identical to the Wiki guide.

    I'm using FileExplorer Pro with a network drive mapping to an SMB share, since it appears iOS doesn't actually have a file manager…

    Edit: Just tried emailing it and opening the attachment in the Outlook app - 'File format is not supported'

    Ta


  • Netgate

    If you want to you can post the cert pem to me in a PM.



  • Thanks Derelict - PM'd you


  • Netgate

    I saved that as TestCert.crt, emailed it over, and it installed fine so I don't know.



  • Are you using the default Mail app? - I'm just wondering if for some oddball reason I need to be using that as opposed to a third party file manager and/or Outlook app..


  • Netgate

    Yes. Attached using Mail.app and installed using iOS Mail. Nothing special.

    I haven't checked lately if you can load those using iTunes or something.



  • Managed to install it - Seems using the default Mail app works.  Yet nothing third party does.. awesome.

    I've also set the certificate as trusted in About > Certificate Trust Settings.

    I've configured the built-in VPN client as follows:-

    IKEv2

    Server: FQDN (same as specified in the common name)
    Remote: FQDN as above
    Local ID: Blank

    User Authentication - entered username and password for EAP user.

    When I slide across to connect - it instantly goes back to 'greyed out' - no error message.

    Any ideas? (P.S - Apple devices are a nightmare)


  • Netgate

    Check your IPsec logs on pfSense.



  • Ignore those logs - Had to perform a reboot of the VM to rectify the time issue.  Here's the latest log

    Oct 9 18:01:28 charon 10[NET] <2> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
    Oct 9 18:01:28 charon 10[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Oct 9 18:01:28 charon 10[IKE] <2> received proposals inacceptable
    Oct 9 18:01:28 charon 10[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 9 18:01:28 charon 10[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Oct 9 18:01:28 charon 10[IKE] <2> 192.168.50.107 is initiating an IKE_SA
    Oct 9 18:01:28 charon 10[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Oct 9 18:01:28 charon 10[NET] <2> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)
    Oct 9 18:01:28 charon 10[NET] <1> sending packet: from wan ip[500] to 192.168.50.107[500] (36 bytes)
    Oct 9 18:01:28 charon 10[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Oct 9 18:01:28 charon 10[IKE] <1> received proposals inacceptable
    Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 9 18:01:28 charon 10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Oct 9 18:01:28 charon 10[IKE] <1> 192.168.50.107 is initiating an IKE_SA
    Oct 9 18:01:28 charon 10[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Oct 9 18:01:28 charon 10[NET] <1> received packet: from 192.168.50.107[500] to wan ip[500] (604 bytes)

    I'm guessing that guide I followed isn't correct with respect to encryption settings?



  • Looks like I'll need to use Apple Configurator to configure the built-in client correctly for my proposals. Unfortunately I don't have access to an OSX install - not going down the route of installing it on ESXi.

    If I pop you my IPSEC config via PM - would you mind creating a profile for me?

    Would be very much appreciated! - Prefer that over going with StrongSWAN


  • Netgate

    Oct 9 18:01:28  charon      10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 9 18:01:28  charon      10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

    So….
    The client is asking for:
    received (Phase 1, IKE) proposals:
    AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

    Server is set for:
    configured (Phase 1, IKE) proposals:
    AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

    No match.

    If you want to use AES256 and SHA256 you have to set group 5 (1536) or group 14 (2048) in your phase 1.
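To make the comparison Derelict walks through above reproducible, here is an added Python example (not from the thread or from pfSense) that parses the two charon [CFG] lines, applies the rule that every transform type of a proposal must share at least one algorithm, and reports which DH group change on the server side alone would produce a match; on the thread's log it also picks up the ECP_256 (group 19) proposal the client offered. The DH_GROUP numbering and the prefix-based transform classifier are my assumptions based on the IANA IKEv2 registry and strongSwan's naming.

```python
import re

# Constructed sample: the two charon [CFG] lines quoted in the post above.
SAMPLE_LOG = """\
Oct 9 18:01:28 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 9 18:01:28 charon 10[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""
LINE_RE = re.compile(r"\[CFG\] <\d+> (configured|received) proposals: (.*)$")
# Assumed mapping: IANA IKEv2 DH group numbers as pfSense labels them in the phase 1 "DH Group" field.
DH_GROUP = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14, "ECP_256": 19}

def transform_type(alg):
    """Classify a strongSwan transform name by prefix: prf, integ, dh, else enc (assumed)."""
    for kind, prefixes in (("prf", ("PRF_",)), ("integ", ("HMAC_", "AES_XCBC", "AES_CMAC")),
                           ("dh", ("MODP_", "ECP_", "CURVE_"))):
        if alg.startswith(prefixes):
            return kind
    return "enc"

def parse_proposals(field):
    """'IKE:A/B/C/D, IKE:...' -> list of {transform type: set of algorithms}."""
    proposals = []
    for item in field.split(","):
        prop = {}
        for alg in item.strip().replace("IKE:", "", 1).split("/"):
            prop.setdefault(transform_type(alg), set()).add(alg)
        proposals.append(prop)
    return proposals

def proposals_match(a, b):
    """IKE_SA_INIT succeeds only if every transform type shares at least one algorithm."""
    return a.keys() == b.keys() and all(a[t] & b[t] for t in a)

def diagnose(log_text):
    """Return (matched, groups): groups are the DH groups that would make a received
    proposal match a configured one if only the server's DH group were changed."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m.group(1)] = parse_proposals(m.group(2))
    configured, received = found["configured"], found["received"]
    if any(proposals_match(c, r) for c in configured for r in received):
        return True, []
    groups = []
    for c in configured:
        for r in received:
            non_dh = [t for t in c if t != "dh"]
            if all(t in r and c[t] & r[t] for t in non_dh) and not (c["dh"] & r["dh"]):
                groups.extend(DH_GROUP.get(g, g) for g in sorted(r["dh"]))
    return False, groups
```

Running `diagnose(SAMPLE_LOG)` on the thread's log returns `(False, [14, 19, 5])`: no proposal matches, and switching the server's phase 1 DH group to 14, 19 or 5 would fix it.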



  • Thanks Derelict - I've switched over to DH14 and managed to spin up a MacOS Sierra install on VMware Workstation to create the proper VPN profile.  All working now after modifying the registry on Windows 10 and using StrongSWAN on Android.

    Much appreciated.