Netgate Discussion Forum
    IPSec mobile without certificate

fabiensch:

      Hello,

      Usually I've always worked with OpenVPN for mobile VPN clients.

      But here, I have a company asking me to install a mobile VPN for them to use mainly on macOS and they want it to be native VPN without having to install any client software (like Viscosity).

So, I thought of IPSec IKEv2 which is natively implemented in macOS, but there is still a problem: you have to manually install the certificate in the root certificate library of each Mac. I have also tried using a wildcard certificate validated by a certification authority, but it does not work.

      They want something simpler with a PSK for example.

      Is it possible to use IKEv2 without a certificate, with a PSK and which works on macOS natively?

      Thanks for your help :-)

      Best regards,
      Fabien

jimp (Rebel Alliance Developer, Netgate):

        If you are using EAP-MSCHAPv2 or EAP-RADIUS then you could use a publicly trusted server certificate like one from ACME on the IPsec mobile config on pfSense and that does work.

        If you have a Netgate appliance we have IPsec export tools there to make profiles automatically which can be imported into OS X/iOS, or you can download the Apple profile tools and do that yourself.

        Using profiles is still native, nothing has to be installed on top of OS X/iOS to use them, it just saves you from having to manually add the settings.

        If you stick to only the default settings native in the OS you're pretty limited on encryption choices and behavior.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

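What a profile of the kind jimp describes looks like, as an added example that is not part of the thread, the pfSense profile wizard, or Apple's tools: a small Python script that builds a minimal IKEv2 .mobileconfig for EAP-MSCHAPv2 user authentication with server authentication by certificate. The payload keys are taken from Apple's Configuration Profile Reference (VPN payload, IKEv2 dictionary); the hostname vpn.example.com, the user name, the organisation string and the chosen proposal (AES-256 / SHA2-256 / DH group 14) are constructed values you would replace with your own. Setting the proposal explicitly is exactly what a profile gives you beyond the OS defaults that jimp calls limited.

```python
"""Build a macOS/iOS .mobileconfig for an IKEv2 VPN that authenticates the
user with EAP-MSCHAPv2 and the server with its certificate.

Added example, not the forum thread's or pfSense's own code. Payload keys are
taken from Apple's Configuration Profile Reference (VPN payload, IKEv2
dictionary); the hostname, user name and organisation are constructed values.
"""
import plistlib
import uuid


def build_ikev2_profile(server_fqdn, username, org="example-org",
                        display_name="Company VPN (IKEv2)"):
    """Return the profile as a plain dict (plist-serialisable)."""
    # Proposal used for both the IKE SA and the Child SA. Pinning these is
    # what a profile buys you over the OS defaults.
    sa_params = {
        "EncryptionAlgorithm": "AES-256",
        "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": 14,
        "LifeTimeInMinutes": 1440,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "UserDefinedName": display_name,
        "VPNType": "IKEv2",
        "IKEv2": {
            # The client validates the server certificate against these
            # names, so they must be the exact FQDN the certificate carries
            # (the thread found a wildcard certificate was not accepted).
            "RemoteAddress": server_fqdn,
            "RemoteIdentifier": server_fqdn,
            "ServerCertificateCommonName": server_fqdn,
            "LocalIdentifier": username,
            # No client certificate; the user is authenticated with EAP.
            "AuthenticationMethod": "None",
            "ExtendedAuthEnabled": 1,
            "AuthName": username,
            "EnablePFS": 1,
            "DeadPeerDetectionRate": "Medium",
            "IKESecurityAssociationParameters": dict(sa_params),
            "ChildSecurityAssociationParameters": dict(sa_params),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadContent": [vpn_payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile to the XML plist bytes a .mobileconfig contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data):
    """Parse .mobileconfig bytes back into a dict (used to sanity-check output)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_ikev2_profile("vpn.example.com", "alice")
    with open("company-vpn.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
    print("wrote company-vpn.mobileconfig")
```

The resulting file is installed by double-clicking it (or via MDM); no password is embedded, so the user is prompted on first connect. The profile is unsigned here; sign it before distribution so users see a trusted installer rather than a warning.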
fabiensch (replying to jimp):

          @jimp said in IPSec mobile without certificate:

          If you are using EAP-MSCHAPv2 or EAP-RADIUS then you could use a publicly trusted server certificate like one from ACME on the IPsec mobile config on pfSense and that does work.

          I use an APU appliance.

          I did the test with a certificate signed by a certification authority. But a wildcard *.domaine.xx. And it didn't work. Do wildcards work or do you need a specific certificate with a common name that exactly matches the VPN hostname?

          If you have a Netgate appliance we have IPsec export tools
Where is this export tool? I can't find it in the package list.

          thanks

jimp (replying to fabiensch):

            @fabiensch said in IPSec mobile without certificate:

            I did the test with a certificate signed by a certification authority. But a wildcard *.domaine.xx. And it didn't work. Do wildcards work or do you need a specific certificate with a common name that exactly matches the VPN hostname?

            I haven't tried it with a wildcard, that's really up to what the clients will accept, which may also depend on the properties of the certificate itself.

            If you have a Netgate appliance we have IPsec export tools
Where is this export tool? I can't find it in the package list.

            If you have installed the factory version of pfSense from Netgate, for use on appliances purchased from Netgate, it is in the package list under "ipsec-profile-wizard".

fabiensch (replying to jimp):

              @jimp said in IPSec mobile without certificate:

              I haven't tried it with a wildcard, that's really up to what the clients will accept, which may also depend on the properties of the certificate itself.

              I just tried with a certificate with the full hostname in the CN and it works. So unfortunately the wildcard does not work, but a dedicated certificate is ok.
              It remains to be seen if there is an automated solution to renew the certificate with ACME in pfSense (but I'm dreaming a little :-))

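A way to catch this before handing a certificate to the IKEv2 client, as an added example that is not part of the thread or of pfSense: a short Python check that takes the VPN hostname and the DNS names from a certificate's subjectAltName (or its CN, if there is no SAN) and reports whether coverage is exact, only via a wildcard, or absent. The wildcard rule is the usual one-left-most-label matching that browsers apply; the verdict then applies the stricter rule fabiensch observed, accepting only an exact name. The sample name lists at the bottom are constructed and reuse the thread's placeholder domaine.xx.

```python
"""Check whether a server certificate's DNS names cover the VPN hostname, and
whether that coverage is exact or only via a wildcard.

Added example, not from the thread or pfSense. It implements the usual
left-most-label wildcard rule and then applies the stricter rule the thread
observed for the native macOS IKEv2 client: only an exact name is accepted.
"""


def _wildcard_matches(pattern, host):
    """RFC 6125 style: '*.domaine.xx' matches exactly one left-most label."""
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]                    # ".domaine.xx"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def classify_coverage(hostname, dns_names):
    """Return 'exact', 'wildcard' or 'none' for how dns_names cover hostname.

    dns_names is the list of subjectAltName DNS entries (fall back to the CN
    if a certificate has no SAN). Comparison is case-insensitive and ignores
    a trailing dot.
    """
    host = hostname.rstrip(".").lower()
    names = [n.rstrip(".").lower() for n in dns_names]
    if host in names:
        return "exact"
    if any(_wildcard_matches(n, host) for n in names):
        return "wildcard"
    return "none"


def check_ikev2_server_cert(hostname, dns_names):
    """Verdict for an IKEv2 server certificate as used by the native macOS
    client: (ok, reason). Only exact coverage passes."""
    kind = classify_coverage(hostname, dns_names)
    if kind == "exact":
        return True, f"{hostname} is listed explicitly"
    if kind == "wildcard":
        return False, (f"{hostname} is covered only by a wildcard; the native "
                       "client wants the full hostname in the certificate")
    return False, f"{hostname} is not covered by {dns_names}"


if __name__ == "__main__":
    # Constructed sample certificates: name lists only, as a SAN would give.
    samples = {
        "wildcard only": ["*.domaine.xx"],
        "dedicated": ["vpn.domaine.xx"],
        "wildcard plus exact": ["*.domaine.xx", "vpn.domaine.xx"],
        "unrelated": ["www.domaine.xx"],
    }
    for label, names in samples.items():
        ok, why = check_ikev2_server_cert("vpn.domaine.xx", names)
        print(f"{label:20s} -> {'OK ' if ok else 'FAIL'}: {why}")
```

The "wildcard plus exact" case is the practical takeaway: a certificate may keep its wildcard entry for other services as long as the VPN's full hostname is also listed, which is what the ACME package will issue if you request that name explicitly.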
jimp (replying to fabiensch):

                There is an ACME package in pfSense, works great for me and many others. YMMV depending on your update method, though.

fabiensch (replying to jimp):

                    @jimp said in IPSec mobile without certificate:

                    There is an ACME package in pfSense, works great for me and many others. YMMV depending on your update method, though.

                    Great!
I just tested, it works! Thank you.
Do I have to configure an "Action" in the ACME service so that it restarts the IPSec server when renewing the certificate to take the new certificate, or does it happen automatically without a restart?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.