Netgate Discussion Forum
IKEv2 and iOS 9

IPsec
miken32 wrote:

Anyone got this working? I'm having problems getting past P1 setup and I'm not sure why.

    Oct 16 11:51:28	charon: 15[MGR] checkout IKE_SA by message
    Oct 16 11:51:28	charon: 15[MGR] created IKE_SA (unnamed)[3]
    Oct 16 11:51:28	charon: 15[CFG] <3> looking for an ike config for 1.2.3.4...9.8.7.6
    Oct 16 11:51:28	charon: 15[CFG] <3> candidate: 1.2.3.4...%any, prio 1052
    Oct 16 11:51:28	charon: 15[CFG] <3> found matching ike config: 1.2.3.4...%any with prio 1052
    Oct 16 11:51:28	charon: 15[IKE] <3> 9.8.7.6 is initiating an IKE_SA
    Oct 16 11:51:28	charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
    Oct 16 11:51:28	charon: 15[CFG] <3> selecting proposal:
    Oct 16 11:51:28	charon: 15[CFG] <3> no acceptable ENCRYPTION_ALGORITHM found
    Oct 16 11:51:28	charon: 15[CFG] <3> selecting proposal:
    Oct 16 11:51:28	charon: 15[CFG] <3> proposal matches
    Oct 16 11:51:28	charon: 15[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Oct 16 11:51:28	charon: 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Oct 16 11:51:28	charon: 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Oct 16 11:51:28	charon: 15[IKE] <3> remote host is behind NAT
    Oct 16 11:51:28	charon: 15[IKE] <3> DH group MODP_1024 inacceptable, requesting MODP_1536
    Oct 16 11:51:28	charon: 15[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
    Oct 16 11:51:28	charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
    Oct 16 11:51:28	charon: 15[MGR] check-in and destroy of IKE_SA successful

ipsec.conf shows a config that matches perfectly what the iPhone is sending (ike = aes256-sha256-modp1536!) so I'm not sure from where it gets the error about MODP_1024 being "inacceptable."
MrMoo wrote:

mod1536 is broken on the iPhone:

https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
miken32 wrote:

@MrMoo:

    mod1536 is broken on the iPhone:

    https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

Ugh, SHA1 it is, I guess. Thanks for the link.
MrMoo wrote:

Of note, that wiki article has been updated for OS X El Capitan, which apparently is sending 3DES by default. Only tried iOS so far.
dennypage wrote:

It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

One word of caution however: Using AES-256-GCM will eventually crash both iOS 9.1 and OS X 10.11.1. I haven't tested AES-128-GCM, but I'm guessing that will crash as well.
ltctech wrote:

Has anyone managed to route all traffic from iOS 9.1 through the tunnel using the manual configuration?

I can only get it to route to the LAN subnet if I specify it directly on the router, but if I specify something like 0.0.0.0/0 nothing goes through the tunnel.
jimp (Rebel Alliance Developer, Netgate) wrote:

@ltctech:

    Has anyone managed to route all traffic from iOS 9.1 through the tunnel using the manual configuration?

    I can only get it to route to the LAN subnet if I specify it directly on the router, but if I specify something like 0.0.0.0/0 nothing goes through the tunnel.

Uncheck "Provide a list of accessible networks to clients" on the mobile clients tab.
Add a P2 for 0.0.0.0/0.

If it doesn't work for whatever reason, try adding a P2 for just mobile clients to LAN first, and put the 0.0.0.0/0 P2 below it. I didn't need that, but I saw someone else mention they couldn't route properly without it.
jwt (Netgate) wrote:

@dennypage:

    It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

I don't agree that Configurator is the only way. Anything that can produce the profile should get the same result.

@dennypage:

    One word of caution however: Using AES-256-GCM will eventually crash both iOS 9.1 and OS X 10.11.1. I haven't tested AES-128-GCM, but I'm guessing that will crash as well.

Have you reported this to Apple?
dennypage wrote:

Sorry, I didn't mean to imply that the configurator is the only way you could create an Apple config. You could always create one by hand editing a plist file, but that's even more painful than Configurator and rather error prone. Configurator is the only tool I know of that actually generates Apple VPN configs. Is there another tool that I don't know of?

The point of the original post was to communicate the limitations of creating the VPN via Network Preferences.

@jwt:

    @dennypage:

        It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

    I don't agree that Configurator is the only way. Anything that can produce the profile should get the same result.
ltctech wrote:

I upgraded our router to 2.2.5 today, iOS is now able to connect and routes all traffic through the tunnel.

Problem is that without resorting to 3DES, we cannot support both Windows and iOS while still using AES. Windows requires AES256 while iOS requires AES128 for SHA1 and DH 1024 in Phase 1. There is no way to configure this in pfSense even though strongSwan supports multiple Phase 1 proposals.
https://forum.pfsense.org/index.php?topic=101889.0

At this point I am considering adding a few lines into vpn.inc to check for my Mobile VPN identifier and hard code the ike line to what I need into ipsec.conf.
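An added example (not code from the thread, pfSense or strongSwan) that ties miken32's log and ltctech's multi-proposal point together: it parses the charon "received/configured proposals" lines to show that the AES-256/SHA-256/MODP-1536 proposal did match, but the iPhone's KE payload carried MODP_1024, so charon asked for a retry with the group MrMoo's link says the iPhone cannot handle; it then renders a multi-proposal ipsec.conf ike= value of the kind ltctech describes and checks which clients it covers. The log lines are constructed after miken32's output, and the Windows proposal is an assumption based on what ltctech and davros123 report (AES256, SHA1, DH group 2).

```python
import re

# Constructed sample, modelled on the charon lines quoted in miken32's post above.
LOG = """\
charon: 15[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
charon: 15[IKE] <3> DH group MODP_1024 inacceptable, requesting MODP_1536
"""

def parse_proposals(line):
    """'... proposals: IKE:ENC/INTEG/PRF/DH, IKE:...' -> [(enc, integ, prf, dh), ...]"""
    body = line.split("proposals:", 1)[1]
    return [tuple(p.strip()[4:].split("/")) for p in body.split(",") if p.strip().startswith("IKE:")]

def analyse(log):
    """Explain a failed IKE_SA_INIT: which proposals overlap, and whether the
    initiator's KE payload used a different DH group than the overlapping proposal."""
    received, configured, ke = [], [], None
    for line in log.splitlines():
        if "received proposals:" in line:
            received = parse_proposals(line)
        elif "configured proposals:" in line:
            configured = parse_proposals(line)
        else:
            m = re.search(r"DH group (\S+) inacceptable, requesting (\S+)", line)
            if m:
                ke = m.groups()  # (group in the KE payload, group charon asks for)
    common = [p for p in received if p in configured]
    # A matching proposal is not enough: the KE payload must carry that proposal's
    # DH group, otherwise charon answers INVALID_KE_PAYLOAD and the client must retry.
    retry_needed = bool(common) and ke is not None and ke[0] != common[0][3]
    return {"common": common, "ke": ke, "retry_needed": retry_needed}

# Constructed client proposals: the iOS one is the first proposal in the log above;
# the Windows one is an assumption based on what ltctech and davros123 report.
CLIENTS = {
    "iOS (manual)": ("AES_CBC_128", "HMAC_SHA1_96", "PRF_HMAC_SHA1", "MODP_1024"),
    "Windows": ("AES_CBC_256", "HMAC_SHA1_96", "PRF_HMAC_SHA1", "MODP_1024"),
}
NAMES = {"AES_CBC_128": "aes128", "AES_CBC_256": "aes256", "3DES_CBC": "3des",
         "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
         "MODP_1024": "modp1024", "MODP_1536": "modp1536"}

def ike_line(proposals):
    """Render proposals as a strict ipsec.conf 'ike=' value (cf. the thread's
    'aes256-sha256-modp1536!'); the PRF follows the integrity algorithm and is dropped."""
    return "ike=" + ",".join(f"{NAMES[e]}-{NAMES[i]}-{NAMES[d]}" for e, i, _, d in proposals) + "!"

def coverage(configured):
    """Which clients find an acceptable Phase 1 proposal in `configured`?"""
    return {name: p in configured for name, p in CLIENTS.items()}
```

Run against the single proposal miken32 configured, coverage() reports neither client satisfied; listing one proposal per client in the ike= line, as strongSwan allows but the pfSense GUI of the time did not, satisfies both.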
dennypage wrote:

If you configure via iOS's built-in UI, you are severely limited in what you can achieve. However, if you use a profile you can configure AES256/SHA2 and reasonable DH groups.

@ltctech:

    Problem is that without resorting to 3DES, we cannot support both Windows and iOS while still using AES. Windows requires AES256 while iOS requires AES128 for SHA1 and DH 1024 in Phase 1.
davros123 wrote:

Thanks for the info.

I just used the Apple Configurator to use AES256/SHA2, but it seems my Windows 10 VPN wants to use DH group 2 (1024).

Is there an easy way I can change the Win10 VPN client to use group 21 DH?
                            © 2021 Rubicon Communications, LLC | Privacy Policy