    Bounty offered: IKEv2 for iOS and OSX mobile client

    IPsec
    matp:

      [if offering cash for answers is not allowed here, I'll happily remove the reward offer, just let me know]

      I'm using pfsense 2.2.6 and desire the following:

      iOS VPN using auto connect (vpn on demand) iOS devices should be configured using Apple Configurator
      OSX VPN, manual configuration is acceptable.
      IKEv2 using certificates is desired for security. If you can convince me that a shared secret is better than X.509 then I'll consider it!

      Native tools must be used, I don't want to install anything on the iOS devices or OSX laptops.
      Laptops all running El Capitan. iOS devices all running iOS9 or above.

      So far, I've not been able to configure pfsense to accept connections from both devices. We can configure it to allow one or the other, but not both.

      It seems that this should be simple, but after multiple attempts, I've been unsuccessful.
      I offer a PayPal transfer of 100 UKP for a solution. Payment will be made when the provided instructions have been found effective.
      Solution will be publicly posted here once proven, it really should be a sticky in this thread already, IMHO.

      I look forward to a solution! Thanks.

      matp:

        An offer for assistance has been made by PM, so there's hope!

        gpit2286:

          This is a page that I created with the supported ciphers.
          https://medium.com/@gpit2286/pfsense-ipsec-and-all-the-operating-systems-6270fe5c4006

          I would start there. Post your logs if you're getting errors and we can help more.

          dennypage:

            10.11 supports many more ciphers than that. I am using AES-256/SHA384/DH20 for phase one (yes, I know SHA384 is overkill), and AES256-GCM for phase 2 with both OS X 10.11 and iOS 9.2.

            gpit2286:

              Those were the ciphers that I pulled from the logs when the endpoints sent their cipher requests to pfSense. If there's a better way to do this, then please let me know. I would rather create a beneficial resource than an incomplete one.

              dennypage:

                What is communicated across the connection is the list of acceptable ciphers based on the configuration of the endpoint. The default list is pretty old. To see the actual list of supported ciphers, you need to get Apple Configurator and look at the pull down lists in the VPN section.

                dennypage:

                  Matp, here is a sanitized version of the .mobileconfig I use for both OS X and iOS. I've removed the certificate data and the IP address of the firewall. Look for "FIXME" and "X.X.X.X"

                  This should be enough to get you going using Apple Configurator 2. You will need to replace the CA and device certificate with your own in the Certificates tab, and then update the certificates in the VPN tab. Let me know if you run into any issues.

                  If you find this sufficient and still want to pay the bounty, please donate it to the FreeBSD Foundation (https://www.freebsdfoundation.org/donate).


                  <?xml version="1.0" encoding="UTF-8"?>
                  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                  <plist version="1.0">
                  <dict>
                    <key>PayloadContent</key>
                    <array>
                      <!-- Payload 1: the CA certificate (replace FIXME with base64 DER of your CA) -->
                      <dict>
                        <key>PayloadCertificateFileName</key>
                        <string>test.crt</string>
                        <key>PayloadContent</key>
                        <data>FIXME</data>
                        <key>PayloadDescription</key>
                        <string>Configures certificate settings.</string>
                        <key>PayloadDisplayName</key>
                        <string>TEST CA</string>
                        <key>PayloadIdentifier</key>
                        <string>com.apple.security.root.D71CA063-01C3-4E13-BD97-AEA7C8D3DA4C</string>
                        <key>PayloadType</key>
                        <string>com.apple.security.root</string>
                        <key>PayloadUUID</key>
                        <string>D71CA063-01C3-4E13-BD97-AEA7C8D3DA4C</string>
                        <key>PayloadVersion</key>
                        <integer>1</integer>
                      </dict>
                      <!-- Payload 2: the device identity (PKCS#12 bundle; replace FIXME with its base64) -->
                      <dict>
                        <key>PayloadCertificateFileName</key>
                        <string>test-iphone.pfx</string>
                        <key>PayloadContent</key>
                        <data>FIXME</data>
                        <key>PayloadDescription</key>
                        <string>Configures certificate settings.</string>
                        <key>PayloadDisplayName</key>
                        <string>test-iphone.pfx</string>
                        <key>PayloadIdentifier</key>
                        <string>com.apple.security.pkcs12.BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
                        <key>PayloadType</key>
                        <string>com.apple.security.pkcs12</string>
                        <key>PayloadUUID</key>
                        <string>BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
                        <key>PayloadVersion</key>
                        <integer>1</integer>
                      </dict>
                      <!-- Payload 3: the IKEv2 VPN itself; PayloadCertificateUUID points at payload 2 -->
                      <dict>
                        <key>IKEv2</key>
                        <dict>
                          <key>AuthenticationMethod</key>
                          <string>Certificate</string>
                          <key>ChildSecurityAssociationParameters</key>
                          <dict>
                            <key>DiffieHellmanGroup</key>
                            <integer>0</integer>
                            <key>EncryptionAlgorithm</key>
                            <string>AES-256</string>
                            <key>IntegrityAlgorithm</key>
                            <string>SHA2-256</string>
                            <key>LifeTimeInMinutes</key>
                            <integer>60</integer>
                          </dict>
                          <key>DeadPeerDetectionRate</key>
                          <string>Medium</string>
                          <key>DisableMOBIKE</key>
                          <integer>0</integer>
                          <key>DisableRedirect</key>
                          <integer>0</integer>
                          <key>EnableCertificateRevocationCheck</key>
                          <integer>0</integer>
                          <key>EnablePFS</key>
                          <integer>0</integer>
                          <key>ExtendedAuthEnabled</key>
                          <true/>
                          <key>IKESecurityAssociationParameters</key>
                          <dict>
                            <key>DiffieHellmanGroup</key>
                            <integer>20</integer>
                            <key>EncryptionAlgorithm</key>
                            <string>AES-256</string>
                            <key>IntegrityAlgorithm</key>
                            <string>SHA2-384</string>
                            <key>LifeTimeInMinutes</key>
                            <integer>480</integer>
                          </dict>
                          <key>LocalIdentifier</key>
                          <string>test-remote.test.com</string>
                          <key>PayloadCertificateUUID</key>
                          <string>BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
                          <key>RemoteAddress</key>
                          <string>X.X.X.X</string>
                          <key>RemoteIdentifier</key>
                          <string>fw.test.com</string>
                          <key>ServerCertificateIssuerCommonName</key>
                          <string>TEST CA</string>
                          <key>UseConfigurationAttributeInternalIPSubnet</key>
                          <integer>0</integer>
                        </dict>
                        <key>IPv4</key>
                        <dict>
                          <key>OverridePrimary</key>
                          <integer>1</integer>
                        </dict>
                        <key>PayloadDescription</key>
                        <string>Configures VPN settings</string>
                        <key>PayloadDisplayName</key>
                        <string>VPN</string>
                        <key>PayloadIdentifier</key>
                        <string>com.apple.vpn.managed.AFE1AEEF-3E71-4F0E-8DA5-E1B68840D16E</string>
                        <key>PayloadType</key>
                        <string>com.apple.vpn.managed</string>
                        <key>PayloadUUID</key>
                        <string>13960120-E059-4199-8D75-43A4A5457A67</string>
                        <key>PayloadVersion</key>
                        <!-- PayloadVersion is an integer in the profile schema -->
                        <integer>1</integer>
                        <key>UserDefinedName</key>
                        <string>Test</string>
                        <key>VPNType</key>
                        <string>IKEv2</string>
                        <key>VendorConfig</key>
                        <dict/>
                      </dict>
                    </array>
                    <key>PayloadDisplayName</key>
                    <string>Test config</string>
                    <key>PayloadIdentifier</key>
                    <string>test.com.F16335E0-58B2-4EDF-A15F-F162C04ABDA7</string>
                    <key>PayloadOrganization</key>
                    <string>Test</string>
                    <key>PayloadRemovalDisallowed</key>
                    <false/>
                    <key>PayloadType</key>
                    <string>Configuration</string>
                    <key>PayloadUUID</key>
                    <string>F7958990-DF0C-49B1-800B-7737BFAF014A</string>
                    <key>PayloadVersion</key>
                    <integer>1</integer>
                  </dict>
                  </plist>

                  matp:
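An added example, not from this thread or from pfSense or Apple: a short Python lint, using only the standard-library plistlib, that checks an IKEv2 .mobileconfig of the shape posted above for leftover FIXME / X.X.X.X placeholders, a PayloadCertificateUUID that points at no PKCS#12 payload, PFS left off, and SA algorithms from obsolete sets (DES/3DES, SHA1-96, MODP groups 1/2/5), so you can confirm a profile really pins the stronger suites dennypage describes (AES-256, SHA2-384, DH group 20). The embedded profile is a constructed, cut-down copy of the thread's layout, and the "weak" sets are my assumption, not an Apple or pfSense list.

```python
import plistlib

WEAK_DH = {1, 2, 5}               # 768/1024/1536-bit MODP groups (assumed weak set)
WEAK_ENC = {"DES", "3DES"}
WEAK_INTEG = {"SHA1-96"}

# Constructed cut-down profile mirroring the thread's layout; <data> holds base64 of "FIXME".
SAMPLE = b"""<plist version="1.0"><dict><key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key><string>BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
<key>PayloadContent</key><data>RklYTUU=</data></dict>
<dict><key>PayloadType</key><string>com.apple.vpn.managed</string>
<key>VPNType</key><string>IKEv2</string><key>IKEv2</key><dict>
<key>AuthenticationMethod</key><string>Certificate</string>
<key>PayloadCertificateUUID</key><string>BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
<key>RemoteAddress</key><string>X.X.X.X</string>
<key>IKESecurityAssociationParameters</key><dict>
<key>DiffieHellmanGroup</key><integer>20</integer>
<key>EncryptionAlgorithm</key><string>AES-256</string>
<key>IntegrityAlgorithm</key><string>SHA2-384</string></dict>
</dict></dict></array></dict></plist>"""

def lint_profile(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads     # identities the VPN may reference
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    for p in payloads:
        if p.get("PayloadContent") == b"FIXME":           # placeholder never replaced
            findings.append(f"{p.get('PayloadType')}: certificate data still FIXME")
        if p.get("PayloadType") != "com.apple.vpn.managed" or p.get("VPNType") != "IKEv2":
            continue
        ike = p.get("IKEv2", {})
        if ike.get("RemoteAddress") in (None, "X.X.X.X"):
            findings.append("RemoteAddress unset or still X.X.X.X")
        if (ike.get("AuthenticationMethod") == "Certificate"
                and ike.get("PayloadCertificateUUID") not in cert_uuids):
            findings.append("PayloadCertificateUUID matches no pkcs12 payload")
        if not ike.get("EnablePFS"):                      # key absent or 0
            findings.append("EnablePFS off: child SAs get no forward secrecy")
        for name in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
            sa = ike.get(name, {})
            for key, weak in (("EncryptionAlgorithm", WEAK_ENC), ("IntegrityAlgorithm", WEAK_INTEG)):
                if sa.get(key) in weak:
                    findings.append(f"{name}: weak {key} {sa[key]}")
            if name.startswith("IKE") and sa.get("DiffieHellmanGroup") in WEAK_DH:
                findings.append(f"{name}: weak DH group {sa['DiffieHellmanGroup']}")
    return findings
```

Run it against a real exported profile by reading the file as bytes and passing it to lint_profile; the FIXME check only fires on a literal placeholder, so a real DER blob passes.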

                    Oh crap, there are replies! What happened to my email notifications!! argh.

                    Ok, I'll study that mobileconfig post in a moment, thanks for that.
                    Here's the update.

                    It seemed quiet (because I wasn't squatted on the thread, relying on the notifier emails) and so we went ahead and contacted pfSense support directly, asking basically "If I pay you, will you give me a set of working instructions". I'd love to say that this worked out perfectly.

                    Anyway, it took a fair bit of back and forth with support, but eventually, as a result of a whole lot of trial and error, we have it working about 98% of the way. iOS and OSX clients connect using the same mobileconfig file, but currently I don't have DNS resolution. Should have that fixed soon though.

                    We have a viable step-by-step that actually works and (hopefully) is easy and clear to follow. I will post it as soon as I fix this DNS issue, as I'd like to ensure it's perfect.

                    Getting these details has been a nightmare, so I truly hope that someone may benefit from the labor! Will post the details before the end of the week, hopefully!

                    Thanks to those who responded, even though I only just noticed!

                    matp:

                      Ok, my solution is posted to a new post, to keep things clean.
                      https://forum.pfsense.org/index.php?topic=106433.0

                      Imagine how pleased I was to find that the forum does not support markdown and I had to reformat the whole thing!!!

                      It would be great if that post could be 'stickied' if this forum supports that, at least for as long as the instructions are valid!
