Netgate Discussion Forum

    IKEv2 and iOS 9

    IPsec · 12 Posts · 7 Posters · 4.9k Views
    • miken32

      Anyone got this working? I'm having problems getting past P1 setup and I'm not sure why.

      Oct 16 11:51:28	charon: 15[MGR] checkout IKE_SA by message
      Oct 16 11:51:28	charon: 15[MGR] created IKE_SA (unnamed)[3]
      Oct 16 11:51:28	charon: 15[CFG] <3> looking for an ike config for 1.2.3.4...9.8.7.6
      Oct 16 11:51:28	charon: 15[CFG] <3> candidate: 1.2.3.4...%any, prio 1052
      Oct 16 11:51:28	charon: 15[CFG] <3> found matching ike config: 1.2.3.4...%any with prio 1052
      Oct 16 11:51:28	charon: 15[IKE] <3> 9.8.7.6 is initiating an IKE_SA
      Oct 16 11:51:28	charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
      Oct 16 11:51:28	charon: 15[CFG] <3> selecting proposal:
      Oct 16 11:51:28	charon: 15[CFG] <3> no acceptable ENCRYPTION_ALGORITHM found
      Oct 16 11:51:28	charon: 15[CFG] <3> selecting proposal:
      Oct 16 11:51:28	charon: 15[CFG] <3> proposal matches
      Oct 16 11:51:28	charon: 15[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Oct 16 11:51:28	charon: 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
      Oct 16 11:51:28	charon: 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
      Oct 16 11:51:28	charon: 15[IKE] <3> remote host is behind NAT
      Oct 16 11:51:28	charon: 15[IKE] <3> DH group MODP_1024 inacceptable, requesting MODP_1536
      Oct 16 11:51:28	charon: 15[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
      Oct 16 11:51:28	charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
      Oct 16 11:51:28	charon: 15[MGR] check-in and destroy of IKE_SA successful


      ipsec.conf shows a config that matches perfectly what the iPhone is sending (ike = aes256-sha256-modp1536!) so I'm not sure from where it gets the error about MODP_1024 being "inacceptable."

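What the log above actually says is easier to see when the proposal lines are pulled apart. The following is an added example written for this thread, not code from the original post or from strongSwan: it parses a deduplicated copy of the charon lines posted above, extracts the received, configured and selected proposals, and flags the real failure, which is not the proposal match (that succeeds) but the KE payload. In IKE_SA_INIT the initiator can only send one Diffie-Hellman public value, and the iPhone sent one for MODP_1024 (the group of its first proposal) while the selected proposal says MODP_1536; strongSwan therefore answers INVALID_KE_PAYLOAD "requesting MODP_1536" and tears down the unnamed SA. The table mapping charon's algorithm names to ipsec.conf ike= keywords is my own and only covers the algorithms that occur in this log.

```python
"""Parse a charon IKE_SA_INIT log excerpt and explain a Phase 1 failure.

Added example for this thread; not code from the original post or from
strongSwan. CHARON_LOG is a deduplicated copy of the lines posted above,
with the placeholder addresses 1.2.3.4 / 9.8.7.6 used in the post.
"""
import re

CHARON_LOG = """\
Oct 16 11:51:28 charon: 15[IKE] <3> 9.8.7.6 is initiating an IKE_SA
Oct 16 11:51:28 charon: 15[CFG] <3> selecting proposal:
Oct 16 11:51:28 charon: 15[CFG] <3> no acceptable ENCRYPTION_ALGORITHM found
Oct 16 11:51:28 charon: 15[CFG] <3> selecting proposal:
Oct 16 11:51:28 charon: 15[CFG] <3> proposal matches
Oct 16 11:51:28 charon: 15[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 16 11:51:28 charon: 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 16 11:51:28 charon: 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 16 11:51:28 charon: 15[IKE] <3> remote host is behind NAT
Oct 16 11:51:28 charon: 15[IKE] <3> DH group MODP_1024 inacceptable, requesting MODP_1536
Oct 16 11:51:28 charon: 15[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
"""

PROPOSALS_RE = re.compile(r"(received|configured|selected) proposals?: (.+)$")
DH_RE = re.compile(r"DH group (\S+) inacceptable, requesting (\S+)")

# charon algorithm names -> ipsec.conf ike= keywords. My own table; it only
# covers the algorithms that appear in this log.
KEYWORDS = {
    "AES_CBC_128": "aes128", "AES_CBC_256": "aes256", "3DES_CBC": "3des",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
    "MODP_1024": "modp1024", "MODP_1536": "modp1536",
}


def parse_proposals(field):
    """'IKE:ENC/INTEG/PRF/DH, IKE:...' -> list of (ENC, INTEG, PRF, DH) tuples."""
    return [tuple(re.sub(r"^IKE:", "", p.strip()).split("/"))
            for p in field.split(",")]


def to_ike_keyword(prop):
    """(ENC, INTEG, PRF, DH) -> 'enc-integ-dh' in ipsec.conf syntax. The IKEv2
    PRF defaults to the integrity algorithm, so it is not spelled out."""
    enc, integ, _prf, dh = prop
    return "-".join(KEYWORDS.get(x, x.lower()) for x in (enc, integ, dh))


def analyse(log):
    info = {"received": [], "configured": [], "selected": None,
            "ke_group": None, "requested_group": None}
    for line in log.splitlines():
        m = PROPOSALS_RE.search(line)
        if m:
            kind, field = m.groups()
            props = parse_proposals(field)
            info[kind] = props[0] if kind == "selected" else props
            continue
        m = DH_RE.search(line)
        if m:
            info["ke_group"], info["requested_group"] = m.groups()
    sel = info["selected"]
    # The KE payload carries one DH group. If it differs from the selected
    # proposal's group the responder sends INVALID_KE_PAYLOAD and the
    # initiator must start over with the requested group.
    info["ke_mismatch"] = bool(sel and info["ke_group"] and sel[3] != info["ke_group"])
    # Proposals the peer offered that also use the group it keyed on; any of
    # these as the configured proposal avoids the extra round trip.
    info["fix_candidates"] = [to_ike_keyword(p) for p in info["received"]
                              if p[3] == info["ke_group"]]
    return info


if __name__ == "__main__":
    r = analyse(CHARON_LOG)
    print("selected :", to_ike_keyword(r["selected"]))
    print("KE group :", r["ke_group"],
          "-> INVALID_KE_PAYLOAD" if r["ke_mismatch"] else "-> ok")
    print("ike= values that avoid the mismatch:", ", ".join(r["fix_candidates"]))
```

Run against the posted log it reports the selected proposal as aes256-sha256-modp1536, the KE group as MODP_1024 with the INVALID_KE_PAYLOAD verdict, and aes128-sha1-modp1024 or 3des-sha1-modp1024 as the configured proposals that would have matched the group the phone actually keyed on.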
      • MrMoo

        mod1536 is broken on the iPhone:

        https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

        • miken32

          @MrMoo:

          mod1536 is broken on the iPhone:

          https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

          Ugh, SHA1 it is, I guess. Thanks for the link.

          • MrMoo

            Of note, that wiki article has been updated for OS X El Capitan, which apparently is sending 3DES by default. Only tried iOS so far.

            • dennypage

              It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

              One word of caution however: Using AES-256-GCM will eventually crash both iOS 9.1 and OS X 10.11.1. I haven't tested AES-128-GCM, but I'm guessing that will crash as well.

              • ltctech

                Has anyone managed to route all traffic from iOS 9.1 through the tunnel using the manual configuration?

                I can only get it to route to the LAN subnet if I specify it directly on the router, but if I specify something like 0.0.0.0/0 nothing goes through the tunnel.

                • jimp (Netgate developer)

                  @ltctech:

                  Has anyone managed to route all traffic from iOS 9.1 through the tunnel using the manual configuration?

                  I can only get it to route to the LAN subnet if I specify it directly on the router, but if I specify something like 0.0.0.0/0 nothing goes through the tunnel.

                  Uncheck "Provide a list of accessible networks to clients" on the mobile clients tab
                  Add a P2 for 0.0.0.0/0

                  If it doesn't work for whatever reason, try adding a P2 for just mobile clients to LAN first, and put the 0.0.0.0/0 P2 below it. I didn't need that, but I saw someone else mention they couldn't route properly without it.


                  • jwt (Netgate)

                    @dennypage:

                    It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

                    I don't agree that Configurator is the only way.  Anything that can produce the profile should get the same result.

                    @dennypage:

                    One word of caution however: Using AES-256-GCM will eventually crash both iOS 9.1 and OS X 10.11.1. I haven't tested AES-128-GCM, but I'm guessing that will crash as well.

                    Have you reported this to Apple?

                    • dennypage

                      Sorry, I didn't mean to imply that the configurator is the only way you could create an Apple config. You could always create one by hand editing a plist file, but that's even more painful than Configurator and rather error prone. Configurator is the only tool I know of that actually generates Apple VPN configs. Is there another tool that I don't know of?

                      The point of the original post was to communicate the limitations of creating the VPN via Network Preferences.

                      @jwt:

                      @dennypage:

                      It's only broken for manually configured VPNs. If you use Apple Configurator, you can use higher groups, including groups 14-21. Configurator is kind of a pain, but it's necessary if you want access to better encryption settings.

                      I don't agree that Configurator is the only way.  Anything that can produce the profile should get the same result.

                      • ltctech

                        I upgraded our router to 2.2.5 today, iOS is now able to connect and routes all traffic through the tunnel.

                        Problem is that without resorting to 3DES, we cannot support both Windows and iOS while still using AES. Windows requires AES256 while iOS requires AES128 for SHA1 and DH 1024 in Phase 1. There is no way to configure this in pfSense even though strongSwan supports multiple Phase 1 proposals.
                        https://forum.pfsense.org/index.php?topic=101889.0

                        At this point I am considering adding a few lines into vpn.inc to check for my Mobile VPN identifier and hard-code the ike line I need into ipsec.conf.

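The strongSwan feature ltctech refers to is a comma-separated ike= list, where each entry is one enc-integ-dh combination and a trailing "!" makes the list strict. The example below is added here to illustrate that point and is not code from pfSense, strongSwan or any poster. It models the responder's choice for one ike= line against two constructed clients: the iOS 9 manual-configuration proposals and KE group taken from the charon log at the top of the thread, and a "Windows" client built as an assumption from ltctech's description (AES-256 with SHA1 and DH group 2). The matching rule is deliberately simplified to exact proposal equality, which is what the single-algorithm proposals in this thread reduce to.

```python
"""Model strongSwan's IKEv2 proposal matching for a comma-separated ike= list.

Added example for this thread, not code from pfSense or strongSwan. Each
proposal is a single (enc, integ, dh) combination and a received proposal
matches only if a configured one is identical; real strongSwan intersects
per-transform algorithm lists, which collapses to this when every proposal
names one algorithm per transform, as in the charon log above.
"""


def parse_ike(value):
    """'aes256-sha1-modp1024,aes128-sha1-modp1024!' -> (proposals, strict)."""
    strict = value.endswith("!")
    props = [tuple(p.split("-")) for p in value.rstrip("!").split(",")]
    return props, strict


def respond(configured, received, ke_group):
    """Responder view of IKE_SA_INIT: the first received proposal that is also
    configured wins; the initiator's KE payload group must then equal the
    selected proposal's DH group or the reply is INVALID_KE_PAYLOAD."""
    for prop in received:
        if prop in configured:
            if prop[2] != ke_group:
                return prop, "INVALID_KE_PAYLOAD requesting " + prop[2]
            return prop, "accepted"
    return None, "NO_PROPOSAL_CHOSEN"


# Constructed client profiles. "iOS 9" is taken from the received proposals
# and the KE group (MODP_1024) in the charon log posted above. "Windows" is
# an assumption built from ltctech's description, not a captured proposal.
CLIENTS = {
    "iOS 9": {
        "proposals": [("aes128", "sha1", "modp1024"),
                      ("aes256", "sha256", "modp1536"),
                      ("3des", "sha1", "modp1024")],
        "ke_group": "modp1024",
    },
    "Windows": {
        "proposals": [("aes256", "sha1", "modp1024"),
                      ("3des", "sha1", "modp1024")],
        "ke_group": "modp1024",
    },
}


def evaluate(ike_line, clients=CLIENTS):
    """Map client name -> negotiation outcome for one ike= value."""
    configured, _strict = parse_ike(ike_line)
    return {name: respond(configured, c["proposals"], c["ke_group"])[1]
            for name, c in clients.items()}


if __name__ == "__main__":
    for line in ("aes256-sha256-modp1536!",                    # original post
                 "aes256-sha1-modp1024!",                      # Windows only
                 "aes128-sha1-modp1024!",                      # iOS only
                 "aes256-sha1-modp1024,aes128-sha1-modp1024!"):  # both, no 3DES
        print(f"ike={line:46} {evaluate(line)}")
```

The first line reproduces the failure from the original post (proposal matches, KE group does not), the next two each lock out one client, and the two-entry list serves both without 3DES. This is the ike= value that would go into the hand-edited ipsec.conf ltctech describes; it says nothing about whether the pfSense GUI of that version could express it.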
                        • dennypage

                          If you configure via iOS' built-in UI, you are severely limited in what you can achieve. However, if you use a profile you can configure AES256/SHA2 and reasonable DH groups.

                          @ltctech:

                          Problem is that without resorting to 3DES, we cannot support both Windows and iOS while still using AES. Windows requires AES256 while iOS requires AES128 for SHA1 and DH 1024 in Phase 1.

                          • davros123

                            Thanks for the info.

                            I just used the Apple configurator to use AES256/SHA2, but it seems my Windows 10 VPN wants to use DH group 2 (1024).

                            Is there an easy way I can change win10 VPN client to use group 21 DH?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.