IPSec mobile without certificate
-
Hello,
Usually I've always worked with OpenVPN for mobile VPN clients.
But here, I have a company asking me to install a mobile VPN for them to use mainly on macOS and they want it to be native VPN without having to install any client software (like Viscosity).
So, I thought of IPSec IKEv2 which is natively implemented in macOS but there is still a problem: you have to manually install the certificate in the root certificat library of each Mac. I have also tried using a wildcard certificate validated by a certification authority, but it does not work.
They want something simpler with a PSK for example.
Is it possible to use IKEv2 without a certificate, with a PSK and which works on macOS natively?
Thanks for your help :-)
Best regards,
Fabien -
If you are using EAP-MSCHAPv2 or EAP-RADIUS then you could use a publicly trusted server certificate like one from ACME on the IPsec mobile config on pfSense and that does work.
If you have a Netgate appliance we have IPsec export tools there to make profiles automatically which can be imported into OS X/iOS, or you can download the Apple profile tools and do that yourself.
Using profiles is still native, nothing has to be installed on top of OS X/iOS to use them, it just saves you from having to manually add the settings.
If you stick to only the default settings native in the OS you're pretty limited on encryption choices and behavior.
-
@jimp said in IPSec mobile without certificate:
If you are using EAP-MSCHAPv2 or EAP-RADIUS then you could use a publicly trusted server certificate like one from ACME on the IPsec mobile config on pfSense and that does work.
I use an APU appliance.
I did the test with a certificate signed by a certification authority. But a wildcard *.domaine.xx. And it didn't work. Do wildcards work or do you need a specific certificate with a common name that exactly matches the VPN hostname?
If you have a Netgate appliance we have IPsec export tools
where is this export tool ? I don't find in package listthanks
-
@fabiensch said in IPSec mobile without certificate:
I did the test with a certificate signed by a certification authority. But a wildcard *.domaine.xx. And it didn't work. Do wildcards work or do you need a specific certificate with a common name that exactly matches the VPN hostname?
I haven't tried it with a wildcard, that's really up to what the clients will accept, which may also depend on the properties of the certificate itself.
If you have a Netgate appliance we have IPsec export tools
where is this export tool ? I don't find in package listIf you have installed the factory version of pfSense from Netgate, for use on appliances purchased from Netgate, it is in the package list under "ipsec-profile-wizard".
-
@jimp said in IPSec mobile without certificate:
I haven't tried it with a wildcard, that's really up to what the clients will accept, which may also depend on the properties of the certificate itself.
I just tried with a certificate with the full hostname in the CN and it works. So unfortunately the wildcard does not work, but a dedicated certificate is ok.
It remains to be seen if there is an automated solution to renew the certificate with ACME in pfSense (but I'm dreaming a little :-)) -
There is an ACME package in pfSense, works great for me and many others. YMMV depending on your update method, though.
-
This post is deleted! -
@jimp said in IPSec mobile without certificate:
There is an ACME package in pfSense, works great for me and many others. YMMV depending on your update method, though.
Great!
I just tested, it works! thank you
Do I have to configure an "Action" in the ACME service so that it restarts IPSec server when renewing the certificate to take the new certificat or does it happen automatically without restart?
