Problems with IKEv2 VP from iOS, with certificate based user auth
-
Hi All,
Has anyone managed to successfully connect a VPN tunnel using IKEv2 from an iOS mobile device eg. iPad / iPhone to pfsense 2.5.1 using a certificate for user auth? I'm using Apple Configurator 2 to create the VPN profile for the device.
Using a Mutual PSK in the Phase 1 Proposal works just fine, and the tunnel works perfectly.
I just cant seem to get this to work using a Mutual Certificate. The most success I've had is using a SHA256 RSA cert with v3 extension alt DNS name, which as far as I'm able to tell seems to get through the Phase 1 stage, but then fails with little to go on in the logs other than
IKE_SA checkout not successful
similarly to described here: https://forum.netgate.com/topic/142583/ipsec-won-t-connect-beyond-phase-1
For obvious reasons I'd much rather use a certificate over a PSK, but no matter what I try and with so many options I'm struggling.
I've sen mention of EAP-MSChapv2 working, but running through the available guides eg.
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html
hasn't got me anywhere. Theres some usefully info here
https://www.reddit.com/r/PFSENSE/comments/hwrskn/ikev2_w_ios_issues/
but the settings on the iOS side aren't clarified.
Any help / advice would be really appreciated.
Thanks