Bounty offered: IKEv2 for iOS and OSX mobile client



  • [if offering cash for answers is not allowed here, I'll happily remove the reward offer, just let me know]

    I'm using pfsense 2.2.6 and desire the following:

    iOS VPN using auto connect (VPN on demand); iOS devices should be configured using Apple Configurator.
    OSX VPN, manual configuration is acceptable.
    IKEv2 using certificates is desired for security. If you can convince me that a shared secret is better than X.509 then I'll consider it!

    Native tools must be used; I don't want to install anything on the iOS devices or OSX laptops.
    Laptops all running El Capitan. iOS devices all running iOS9 or above.

    So far, I've not been able to configure pfsense to accept connections from both devices. We can configure it to allow one or the other, but not both.

    It seems that this should be simple, but after multiple attempts, I've been unsuccessful.
    I offer a PayPal transfer of 100 UKP for a solution. Payment will be made when the provided instructions have been found effective.
    Solution will be publicly posted here once proven, it really should be a sticky in this thread already, IMHO.

    I look forward to a solution! Thanks.



  • An offer for assistance has been made by PM, so there's hope!



  • This is a page that I created with the supported ciphers.
    https://medium.com/@gpit2286/pfsense-ipsec-and-all-the-operating-systems-6270fe5c4006

    I would start there. Post your logs if you're getting errors and we can help more.



  • 10.11 supports many more ciphers than that. I am using AES-256/SHA384/DH20 for phase one (yes, I know SHA384 is overkill), and AES256-GCM for phase 2 with both OS X 10.11 and iOS 9.2.



  • Those were the ciphers that I pulled from the logs when the endpoints sent their cipher requests to pfSense. If there's a better way to do this, then please let me know. I would rather create a beneficial resource than an incomplete one.



  • What is communicated across the connection is the list of acceptable ciphers based on the configuration of the endpoint. The default list is pretty old. To see the actual list of supported ciphers, you need to get Apple Configurator and look at the pull down lists in the VPN section.



  • Matp, here is a sanitized version of the .mobileconfig I use for both OS X and iOS. I've removed the certificate data and the IP address of the firewall. Look for "FIXME" and "X.X.X.X".

    This should be enough to get you going using Apple Configurator 2. You will need to replace the CA and device certificate with your own in the Certificates tab, and then update the certificates in the VPN tab. Let me know if you run into any issues.

    If you find this sufficient and still want to pay the bounty, please donate it to the FreeBSD Foundation (https://www.freebsdfoundation.org/donate).

    
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <!-- CA certificate used to validate the firewall's server certificate -->
        <dict>
          <key>PayloadCertificateFileName</key>
          <string>test.crt</string>
          <key>PayloadContent</key>
          <data>FIXME</data>
          <key>PayloadDescription</key>
          <string>Configures certificate settings.</string>
          <key>PayloadDisplayName</key>
          <string>TEST CA</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.security.root.D71CA063-01C3-4E13-BD97-AEA7C8D3DA4C</string>
          <key>PayloadType</key>
          <string>com.apple.security.root</string>
          <key>PayloadUUID</key>
          <string>D71CA063-01C3-4E13-BD97-AEA7C8D3DA4C</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
        <!-- Device identity (PKCS#12); the VPN payload references it by PayloadUUID -->
        <dict>
          <key>PayloadCertificateFileName</key>
          <string>test-iphone.pfx</string>
          <key>PayloadContent</key>
          <data>FIXME</data>
          <key>PayloadDescription</key>
          <string>Configures certificate settings.</string>
          <key>PayloadDisplayName</key>
          <string>test-iphone.pfx</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.security.pkcs12.BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
          <key>PayloadType</key>
          <string>com.apple.security.pkcs12</string>
          <key>PayloadUUID</key>
          <string>BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
        <!-- IKEv2 VPN payload -->
        <dict>
          <key>IKEv2</key>
          <dict>
            <key>AuthenticationMethod</key>
            <string>Certificate</string>
            <!-- Phase 2 (child SA) parameters -->
            <key>ChildSecurityAssociationParameters</key>
            <dict>
              <key>DiffieHellmanGroup</key>
              <integer>0</integer>
              <key>EncryptionAlgorithm</key>
              <string>AES-256</string>
              <key>IntegrityAlgorithm</key>
              <string>SHA2-256</string>
              <key>LifeTimeInMinutes</key>
              <integer>60</integer>
            </dict>
            <key>DeadPeerDetectionRate</key>
            <string>Medium</string>
            <key>DisableMOBIKE</key>
            <integer>0</integer>
            <key>DisableRedirect</key>
            <integer>0</integer>
            <key>EnableCertificateRevocationCheck</key>
            <integer>0</integer>
            <key>EnablePFS</key>
            <integer>0</integer>
            <!-- Booleans are self-closing in plist XML; the forum had rendered this as <true>...</true> -->
            <key>ExtendedAuthEnabled</key>
            <true/>
            <!-- Phase 1 (IKE SA) parameters -->
            <key>IKESecurityAssociationParameters</key>
            <dict>
              <key>DiffieHellmanGroup</key>
              <integer>20</integer>
              <key>EncryptionAlgorithm</key>
              <string>AES-256</string>
              <key>IntegrityAlgorithm</key>
              <string>SHA2-384</string>
              <key>LifeTimeInMinutes</key>
              <integer>480</integer>
            </dict>
            <key>LocalIdentifier</key>
            <string>test-remote.test.com</string>
            <key>PayloadCertificateUUID</key>
            <string>BEC7F412-50FE-49DC-8AF3-1E8243D11B84</string>
            <key>RemoteAddress</key>
            <string>X.X.X.X</string>
            <key>RemoteIdentifier</key>
            <string>fw.test.com</string>
            <key>ServerCertificateIssuerCommonName</key>
            <string>TEST CA</string>
            <key>UseConfigurationAttributeInternalIPSubnet</key>
            <integer>0</integer>
          </dict>
          <key>IPv4</key>
          <dict>
            <key>OverridePrimary</key>
            <integer>1</integer>
          </dict>
          <key>PayloadDescription</key>
          <string>Configures VPN settings</string>
          <key>PayloadDisplayName</key>
          <string>VPN</string>
          <key>PayloadIdentifier</key>
          <string>com.apple.vpn.managed.AFE1AEEF-3E71-4F0E-8DA5-E1B68840D16E</string>
          <key>PayloadType</key>
          <string>com.apple.vpn.managed</string>
          <key>PayloadUUID</key>
          <string>13960120-E059-4199-8D75-43A4A5457A67</string>
          <key>PayloadVersion</key>
          <real>1</real>
          <key>UserDefinedName</key>
          <string>Test</string>
          <key>VPNType</key>
          <string>IKEv2</string>
          <!-- VendorConfig had no value in the post; an empty dict is assumed here -->
          <key>VendorConfig</key>
          <dict/>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Test config</string>
      <key>PayloadIdentifier</key>
      <string>test.com.F16335E0-58B2-4EDF-A15F-F162C04ABDA7</string>
      <key>PayloadOrganization</key>
      <string>Test</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>F7958990-DF0C-49B1-800B-7737BFAF014A</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
    
    
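A profile like the one above is usually hand-edited (certificate data swapped in, UUIDs copied between payloads), and a single broken cross-reference or a legacy cipher silently produces a non-working or weak tunnel. The following lint script is an added example, not code from this thread, from pfSense or from Apple: it parses a .mobileconfig with Python's plistlib, checks that a Certificate-authenticated IKEv2 payload points at a PKCS#12 identity that really is in the profile, and checks the IKE SA and child SA parameters against a baseline. The key names are Apple's documented IKEv2 payload keys; the "weak" sets are this example's assumed policy, and the embedded sample profile is constructed (placeholder UUIDs and dummy certificate bytes) to mirror the structure of the posted one, including its EnablePFS=0 setting.

```python
import plistlib

VPN_PAYLOAD = "com.apple.vpn.managed"
PKCS12_PAYLOAD = "com.apple.security.pkcs12"

# Assumed baseline (this example's policy, not a vendor default): legacy
# ciphers, SHA-1 integrity and the small MODP groups are rejected.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP

# Constructed sample profile (placeholder UUIDs; "QUJD" is base64 of "ABC").
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
      <key>PayloadDisplayName</key><string>TEST CA</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadContent</key><data>QUJD</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>PayloadCertificateUUID</key><string>22222222-2222-2222-2222-222222222222</string>
        <key>ServerCertificateIssuerCommonName</key><string>TEST CA</string>
        <key>ExtendedAuthEnabled</key><true/>
        <key>EnablePFS</key><integer>0</integer>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-384</string>
          <key>DiffieHellmanGroup</key><integer>20</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>0</integer>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(raw):
    """Parse the XML plist into a dict; malformed XML raises here."""
    return plistlib.loads(raw)


def _check_sa(findings, label, sa, dh_required):
    """Apply the baseline to one SA parameter dict (IKE SA or child SA)."""
    enc, integ = sa.get("EncryptionAlgorithm"), sa.get("IntegrityAlgorithm")
    dh = sa.get("DiffieHellmanGroup", 0)
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak EncryptionAlgorithm {enc}")
    if integ in WEAK_INTEGRITY:
        findings.append(f"{label}: weak IntegrityAlgorithm {integ}")
    if dh in WEAK_DH_GROUPS:
        findings.append(f"{label}: weak DiffieHellmanGroup {dh}")
    if dh_required and dh == 0:
        findings.append(f"{label}: DiffieHellmanGroup is 0 or unset but a group is required")


def lint_profile(profile):
    """Return a list of findings; an empty list means the profile passed."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    vpns = [p for p in payloads if p.get("PayloadType") == VPN_PAYLOAD]
    if not vpns:
        return [f"no {VPN_PAYLOAD} payload found"]
    for vpn in vpns:
        ike = vpn.get("IKEv2")
        if vpn.get("VPNType") != "IKEv2" or ike is None:
            findings.append("VPN payload is not an IKEv2 payload")
            continue
        if ike.get("AuthenticationMethod") == "Certificate":
            ref = ike.get("PayloadCertificateUUID")
            target = by_uuid.get(ref)
            if target is None:
                findings.append(f"PayloadCertificateUUID {ref!r} does not match any payload")
            elif target.get("PayloadType") != PKCS12_PAYLOAD:
                findings.append(f"PayloadCertificateUUID {ref} is not a {PKCS12_PAYLOAD} identity")
            if not ike.get("ServerCertificateIssuerCommonName"):
                findings.append("ServerCertificateIssuerCommonName unset: no issuer constraint is sent to the server")
        _check_sa(findings, "IKE SA", ike.get("IKESecurityAssociationParameters", {}), True)
        pfs = bool(ike.get("EnablePFS", 0))
        _check_sa(findings, "Child SA", ike.get("ChildSecurityAssociationParameters", {}), pfs)
        if not pfs:
            findings.append("Child SA: EnablePFS is 0, child keys are derived without forward secrecy")
    return findings


if __name__ == "__main__":
    for line in lint_profile(load_profile(SAMPLE_PROFILE)) or ["no findings"]:
        print(line)
```

Run it against your own profile by replacing SAMPLE_PROFILE with the bytes of the exported .mobileconfig; on the sample it reports only the disabled PFS, which mirrors the posted profile. The child-SA DH check is deliberately conditional on EnablePFS, since a DiffieHellmanGroup of 0 is normal when PFS is off but is a misconfiguration when it is on.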


  • Oh crap, there are replies! What happened to my email notifications!! argh.

    Ok, I'll study that mobileconfig post in a moment, thanks for that.
    Here's the update.

    It seemed quiet (because I wasn't squatted on the thread, relying on the notifier emails) and so we went ahead and contacted pfSense support directly, asking basically "If I pay you, will you give me a set of working instructions". I'd love to say that this worked out perfectly.

    Anyway, it took a fair bit of back and forth with support, but eventually, as a result of a whole lot of trial and error, we have it working about 98% of the way. iOS and OSX clients connect using the same mobileconfig file, but currently I don't have DNS resolution. Should have that fixed soon though.

    We have a viable step-by-step that actually works and (hopefully) is easy and clear to follow. I will post it as soon as I fix this DNS issue, as I'd like to ensure it's perfect.

    Getting these details has been a nightmare, so I truly hope that someone may benefit from the labor! Will post the details before the end of the week, hopefully!

    Thanks to those who responded, even though I only just noticed!



  • Ok, my solution is posted to a new post, to keep things clean.
    https://forum.pfsense.org/index.php?topic=106433.0

    Imagine how pleased I was to find that the forum does not support markdown and I had to reformat the whole thing!!!

    It would be great if that post could be 'stickied' if this forum supports that, at least for as long as the instructions are valid!

