Valid configuration for IKEv2 VPN for iOS and OSX

matp

IKEv2 VPN for iOS and OSX

Confirmed working with OSX 10.11, iOS 9+ and pfSense 2.2.3

Following this easy guide will provide you with:

• A certificate based IKEv2 VPN

• An Apple Configuration profile suitable for installing on either device

Three sections to this guide. Certificates, VPN settings, Apple Configurator settings.

Caveat: The only way that I've been able to get DNS resolution to work is by routing all traffic over the VPN, not just traffic that is destined for it. I'd be interested in a solution to this.
(Possible DNS fix in post 14 below)

Certificates

Remove all certs if you have any (Excluding the web config cert if you have one), to give a clean start.

Make the CA Cert
System | Cert Manager | CA's

Click the + to add a new CA. Pick the following settings:

• Descriptive Name: Anything you like, I picked "internalCA"

• Method: Create an Internal Certificate Authority

• Key Length: 2048

• Digest Algorithm: SHA256

• Lifetime: 3650 days

• Country Code: as required

• State: as required

• City: as required

• Organisation: as required

• Email address: as required (seems to be unimportant)

• Common Name: internalCA (this can be anything unique that you like I just used internalCA for this example)

save the certificate.

Make the server cert
System | Cert Manager | Certificates

Click the + to add a new certificate, set the following:

• Method: Create an internal certificate

• Descriptive name: Anything you like, I picked "serverCert"

• Certificate Authority: internalCA (or whatever name you used)

• Key Length: 2048

• Digest Algorithm: SHA256

• Certificate Type: Server Certificate

• Lifetime: 3650 days

• Country Code: as required

• State: as required

• City: as required

• Organisation: as required

• Email address: as required (seems to be unimportant)

• Common Name: [External DNS name of the pfSense box]

• ADD AN ALTERNATIVE NAME

• • Type: DNS (case sensitive)
• • Value: [External DNS name of the pfSense box (yes, the same as the CN above)]

• ADD ANOTHER ALTERNATIVE NAME

• • Type: IP (case sensitive)
• • Value: [External IP address of pfSense box]

Save the cert

Make a user cert
System | Cert Manager | Certificates

Only one here of course, and the 'person' is called 'user' but you should make a certificate for every user of the VPN and replace 'user' with a reasonable username.

Click the + to add a new certificate, set the following:

• Method: Create an internal certificate

• Descriptive name: Anything you like, I picked "userCert"

• Certificate Authority: internalCA (or whatever name you used)

• Key Length: 2048

• Digest Algorithm: SHA256

• Certificate Type: User Certificate

• Lifetime: 3650 days

• Country Code: as required

• State: as required

• City: as required

• Organization: as required

• Email address: as required (seems to be unimportant)

• Common Name: user (replace with valid username if there's to be multiple users)

• ADD AN ALTERNATIVE NAME

• • Type: DNS
• • Value: user (same value as the Common Name)

Save the cert

Download the certificates
Switch to the CA tab, click the arrow for "export CA cert"
Switch to the Certificates tab. For the server cert, click the arrow for "export cert". For the user cert, click both the "export cert" arrow and the "export key" arrow.

Create the p12 for the user certs:

sudo openssl pkcs12 -export -in userCert.crt -inkey userCert.key -out userCert.p12

(Make a note of the password you give the cert to allow you to import it later)

Configure the VPN
This part should be familiar. Delete any Mobile Client Tunnel if you have one.

VPN | IPsec | Tunnels

Ensure "Enable IPsec" is ticked.

VPN | IPsec | Mobile clients

• IKE Extensions: check the 'enable IPsec mobile client support' box

• User Authentication: Local Database

• Group Authentication: system

• Virtual Address pool: Provide, and give a suitable private IP scope, one that isn't your LAN

• Virtual IPv6 Address Pool: not checked

• Network List: not checked

• Save Xauth Password: not checked

• DNS Default Domain: checked and set to domain name of VPN LAN

• Split DNS: not checked

• DNS Servers: checked. Specify your LAN DNS server IP

• WINS Servers: not checked

• Phase2 PFS Group: not checked

• Login Banner: not checked

You may tune those as you see fit. This is simply what worked for me in testing.

Save the settings. Apply the changes and click the "Create Phase 1" banner button.

• Disabled: not checked

• Key Exchange version: v2

• Internet Protocol: IPv4

• Interface: WAN

• Description: as required

• Authentication method: EAP-TLS

• My identifier: Distinguished Name. Set the value to the DNS of the pfSense, the same as you used when making the server certificate

• Peer identifier: Any

• My Certificate: serverCert (or whatever you called it)

• Peer Certificate Authority: internalCA (or whatever you called it)

• Encryption algorithm: AES256

• Hash algorithm: SHA384

• DH key group: 20

• Lifetime: 28800 seconds

• Disable Rekey: not checked

• Disable Reauth: not checked

• Responder Only: checked

• MOBIKE: Enable

• Dead Peer Detection: 10 seconds, 5 retries

save the phase 1. Apply the changes.

VPN | IPsec | Tunnels

Expand the Mobile Client phase 1 and click the + to add the phase 2

• Disabled: not checked

• Mode: Tunnel IPv4

• Local Network: Type: Network: 0.0.0.0/0

• NAT/BINAT: Type: None

• Description: as required

• Protocol: ESP

• Encryption algorithms: AES256

• Hash algorithms: SHA256

• PFS key group: 20

• Lifetime: 3600 seconds

save the phase 2. Apply the changes.

Firewall | Rules | IPsec

Check that there is an entry here for allow all. Add one if needed.

Create the profile

Launch Apple Configurator 2

File | New Profile

The profile editor launches. We want three sections: General, Certificates, VPN.

General

• Name: MyVPN (or whatever you like)

• everything else is optional

Certificates

• Click "configure" to add the certs, add the serverCert.crt file, the caCert.crt file and the userCert.p12 file

• Provide the export password for the p12. This is the password you gave in the openssl command after exporting the certificate and key.

VPN

• Click "configure" to make a new VPN

• Connection Name: MyVPN (or anything you like)

• Connection Type: IKEv2

• Always-on VPN: up to you

• Server: DNS name of the pfSense box, much match the CN of the serverCert

• Remote Identifier: DNS name of the pfSense box, much match the CN of the serverCert

• Local Identifier: the CN of the user cert for this connection, in this example 'user'

• Machine Authentication: Certificate

• Certificate Type: RSA

• Server Certificate Issuer Common Name: internalCA (or whatever you called the CA cert earlier)

• Server Certificate Common Name: DNS name of the pfSense box, much match the CN of the serverCert

• Enable EAP: checked

• EAP Authentication: Certificate

• Identity Certificate: pick the imported user.p12 file

• Dead Peer Detection: Medium

• Disable redirects: not checked

• Disable Mobility: not checked

• Use IPv4 internal subnet attributes: not checked

• Enable PFS: not checked

• Enable certificate revocation check: not checked

IKE SA Params

• Encryption Algorithm: AES-256

• Integrity Algorithm: SHA2-384

• Diffie Hellman Group: 20

• Lifetime In Minutes: 480

• Proxy Setup: None

Child SA Params

• Encryption Algorithm: AES-256

• Integrity Algorithm: SHA2-256

• Diffie Hellman Group: 20

• Lifetime In Minutes: 60

• Proxy Setup: None

Save the profile. Install to device. Done.

[edits made: Change P2 DH group to 20. Correct the value 'SHA256' to the more accurate 'SHA2-256']

acc4ever

I have one thing, I'm using DynDNS resolution for the public IP address of the PfSense Boxes.
In your tutorial, it's mandatory to put the public IP address as quoted here, what should I put ??

Thanks a lot for sharing this how-to !!!

Make the server cert
System | Cert Manager | Certificates

Click the + to add a new certificate, set the following:
Method: Create an internal certificate
Descriptive name: Anything you like, I picked "serverCert"
Certificate Authority: internalCA (or whatever name you used)
Key Length: 2048
Digest Algorithm: SHA256
Certificate Type: Server Certificate
Lifetime: 3650 days
Country Code: as required
State: as required
City: as required
Organisation: as required
Email address: as required (seems to be unimportant)
Common Name: [External DNS name of the pfSense box]
ADD AN ALTERNATIVE NAME
Type: DNS (case sensitive)
Value: [External DNS name of the pfSense box (yes, the same as the CN above)]
ADD ANOTHER ALTERNATIVE NAME
Type: IP (case sensitive)
Value: [External IP address of pfSense box]

matp

Good question.
I don't know. :)
Some of this was worked out with pfSense support, who insisted that the certificates be set up this way. We did initially have them with just domain names I think. To be fair, I've deleted and recreated the certs so many times I can no longer be sure!

Given that the connections are established by DNS name, I would think it would work, but the log files seem to talk DNS and IP, so it may be a quirk or StrongSwan or Charon or whatever.

My only suggestion would be to try it, following every step carefully with the exception of the IP SAN's and see what happens. Worst case is it won't connect!

dennypage

Is the Diffie-Hellman group in phase 2 meaningful? DH group 2 has been in the "no longer recommended" category for some time. Given that it's covered by the phase 1, it's not particularly important that it's a weak DH group, but it's not particularly helpful either.

Perhaps someone with deeper IPSEC knowledge can comment…

matp

denny, it is not. In fact, I did have it working set to 20.
I'm no authority on this stuff by a long shot. My concern was that there seemed to be no set of instructions that would produce a working link. These values 'work' and they're pretty good, but yes, setting the P2 to DH20 is a good idea.

As I have already tested this and I know it works with the rest of the values, I'll edit the post to use DH20 for both the P1 and the P2.

Cheers!

paulchen0815

Hi,

I want to configure my pfSense as an VPN "dial-in-server" to access my home network via IPsec VPN from my mobile clients (smartphone, tablet, Mac).

I have the following problem when configuring it with your documentation:

when creating the phase 1 entry I have to enter a remote gateway address and this is a mandatory field, so I have to fill in anything.

But in my usecase my mobile phone has no known official IP adress… So what I have to fill in there?

Thanks,

paulchen

matp

Not too sure I follow you, only the pfSense box needs a fixed IP, the mobile device does not.

Your message means that the instructions are not clear enough, as it would seem that you have made a mistake in them, could you please tell me which step you are looking at and I'll enhance it.
Thanks.

@paulchen0815:

when creating the phase 1 entry I have to enter a remote gateway address and this is a mandatory field, so I have to fill in anything.

But in my usecase my mobile phone has no known official IP adress… So what I have to fill in there?

luckman212

I think what he means is that the pfSense does not have a static IPv4 WAN address. Can a DNS name e.g. a dynamic-dns entry be substituted in place?

paulchen0815

Maybe the wording in the pfSense GUI is a little bit missleading. I have to enter the "Remote Gateway: Enter the public IP address or host name of the remote gateway". See attached screenshot.

So in my point of view this would be the other end of the IPsec tunnel, so not my pfSense box but the mobile device (which has a dynamic IP address that is unkown).

So which IP address or hostname I have to enter in this field?


matp

Ah, now it makes sense.
First, you're setting up an IKEv1 connection, and these instructions are for IKEv2
Second, in the screenshot you are configuring a P1 for a static site-to-site link, not a mobile one, which is why you are being asked for a remote address.
You want to be configuring the Mobile Client phase 1.

Recheck the instructions from the 'Configure the VPN' section and try again.

paulchen0815

Yes, that was the problem: I didn't realize, that there is a difference how to create the phase 1 entry. I did it via the "tunnel" tab and not via the button "create mobile phase 1". With this button there is no "Remote gateway" field and that makes sense now.

Thanks!

Best regards

paulchen

nodau

does dns resolution work from the ios device in this configuration? with the current ipsec config ios 9 doesn't do name resolution through tunnel. running shrewsoft on windows works. so i'm looking for a solution that will allow dns through tunnel from any ios 9 device.

jeevajii

Useful ideas.. Great information Thanks..

matp

It does, but only if you route all traffic over the link. I do mention this in the post.
I've been unable to find a resolution to this.

Sadly, paid support responded with a "works for me" answer, which wasn't much help.

@bahsig:

does dns resolution work from the ios device in this configuration? with the current ipsec config ios 9 doesn't do name resolution through tunnel. running shrewsoft on windows works. so i'm looking for a solution that will allow dns through tunnel from any ios 9 device.

shpokas

@bahsig:

does dns resolution work from the ios device in this configuration? with the current ipsec config ios 9 doesn't do name resolution through tunnel. running shrewsoft on windows works. so i'm looking for a solution that will allow dns through tunnel from any ios 9 device.

This hint worked for me, on both IOS and OS X.
https://lists.strongswan.org/pipermail/users/2015-October/008842.html

For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

matp

Thanks shpokas!
Very interesting hack. I'm not using signed profiles, so I was able to try this. I didn't have any success with it but I'll try again soon. Quite odd that this may be fixable at the client side, despite dns settings being provided in the pfsense config. It still screams 'bug' to me.

(Plus, the paid support team said it worked just fine in their tests without doing this)

@shpokas:

This hint worked for me, on both IOS and OS X.
https://lists.strongswan.org/pipermail/users/2015-October/008842.html

For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

kapara

Have you tried installing/using the strongswan client for the MAC?

https://download.strongswan.org/osx/strongswan-5.3.2-1.app.zip

shpokas

nope, DNS still does not work for me and there's no way to configure it -  in contrary to OS X built-in client.

matp

I had a look at that strong swan client, don't like it.
It didnt seem to do anything with the certificates, and the advantage of using the native configurator profile is that we can deploy and modify the settings via the MDM enrolment, which helps.

We're still simply routing all traffic to work around the DNS issue, its good enough for now.

bluefoxreg

I'm not sure what's causing this but my windows 10 was able to route all traffic through VPN (with one phase 2 config of 0.0.0.0/0). While my IOS (iphone 5s w IOS 9.2.1) is not routing any traffic through the VPN, even though the VPN icon is showing.

I also noticed that on the iphone the IP seems to remain the same after the VPN is connected.

I followed this guide, and the only thing that's different than what is outlined is the profile setup through app configurator 2, which I don't have access to

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

Thoughts?