Ipsec ikev2 on ios8



  • I've been searching for this combination and I've yet to find anybody with a solution.
    Is this something that anybody has done yet? If so I'd love to hear about it.

    So far I've seen: https://atix.co/?p=12 which talks about the server side, and https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile which has the client side (with some bugs).

    I did attempt to start with doing IKEv1 following https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 but to no avail, I continually get authentication errors - so I'm suspecting there might be some issue with this configuration in 2.2

    My pfsense setup is:

    2.2-BETA (amd64)
    built on Fri Oct 10 17:42:46 CDT 2014
    FreeBSD 10.1-RC2



  • Mobile IKEv1 with iOS definitely works on 2.2, that's one of the circumstances I've tested a number of times over the past month or two. Both on iOS 7 and 8.

    IKEv2 with iOS is something I haven't tried.



  • @cmb:

    Mobile IKEv1 with iOS definitely works on 2.2, that's one of the circumstances I've tested a number of times over the past month or two. Both on iOS 7 and 8.

    Do the instructions above for Mobile 2.0 still apply?



  • @cmb:

    Mobile IKEv1 with iOS definitely works on 2.2, that's one of the circumstances I've tested a number of times over the past month or two. Both on iOS 7 and 8.

    IKEv2 with iOS is something I haven't tried.

    Followed https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/ to a tee, but no matter what I do it fails with "User authentication failed."

    From the logs:

    Oct 13 21:53:57 charon: 06[IKE] <con2|117>no XAuth secret found for '192.168.0.2' - 'vpn'
    Oct 13 21:53:57 charon: 06[IKE] no XAuth secret found for '192.168.0.2' - 'vpn'
    Oct 13 21:53:57 charon: 06[IKE] <con2|117>XAuth authentication of 'vpn' failed
    Oct 13 21:53:57 charon: 06[IKE] XAuth authentication of 'vpn' failed</con2|117></con2|117>



  • That shows you're trying to auth as user 'vpn', and either that user doesn't exist in the user manager, you're using a wrong password, or the user doesn't have IPsec dial-in rights.



  • @cmb:

    That shows you're trying to auth as user 'vpn', and either that user doesn't exist in the user manager, you're using a wrong password, or the user doesn't have IPsec dial-in rights.

    After checking and double checking all the settings I decided to reboot as a last resort and afterwards the authentication errors went away…
    Now on to figuring out the connectivity issues!



  • In few previous snapshot, I have test IKEv1 & v2:

    • There are same issue "no XAuth secret found" then in few next snapshot (in end of Sep) this error gone. I did report on this forum. IKEv2 failed (can not connect). I do add user with XAuth right so no problem about user here.

    • In snapshot of early Oct the error "no XAuth secret found" happen again, authentication always failed. I give up testing till now.



  • Please show logs.

    Though l2tp+ipsec should work nowdays so you can just use that with iOS!



  • @abcslayer:

    • In snapshot of early Oct the error "no XAuth secret found" happen again, authentication always failed. I give up testing till now.

    Try a snapshot after 8-Oct if you have not yet tried one: https://forum.pfsense.org/index.php?topic=82126.msg452078#msg452078

    I believe ipsec was broken for a while after the change from FreeBSD 10.0 –> 10.1 and StrongSwan 5.1.2 to 5.2.0.  Except for some re-keying issues, ipsec is working for me after 8-Oct.



  • I have updated newest snapshot, it seems that IKEv1, PSK + XAuth is working.
    I am trying IKEv1, RSA but failed (I tried IKEv2, EAP-TLS but failed then step back to IKEv1).
    I am not sure if the certificate has issue (I use the Cert Manager on pfSense to create the certs, CA, it is quite useful if things work)
    Thank you for your recomment.


Log in to reply