Valid configuration for IKEv2 VPN for iOS and OSX

matp

IKEv2 VPN for iOS and OSX

Confirmed working with OSX 10.11, iOS 9+ and pfSense 2.2.3

Following this easy guide will provide you with:

• A certificate based IKEv2 VPN

• An Apple Configuration profile suitable for installing on either device

Three sections to this guide. Certificates, VPN settings, Apple Configurator settings.

Caveat: The only way that I've been able to get DNS resolution to work is by routing all traffic over the VPN, not just traffic that is destined for it. I'd be interested in a solution to this.
(Possible DNS fix in post 14 below)

Certificates

Remove all certs if you have any (Excluding the web config cert if you have one), to give a clean start.

Make the CA Cert
System | Cert Manager | CA's

Click the + to add a new CA. Pick the following settings:

• Descriptive Name: Anything you like, I picked "internalCA"

• Method: Create an Internal Certificate Authority

• Key Length: 2048

• Digest Algorithm: SHA256

• Lifetime: 3650 days

• Country Code: as required

• State: as required

• City: as required

• Organisation: as required

• Email address: as required (seems to be unimportant)

• Common Name: internalCA (this can be anything unique that you like I just used internalCA for this example)

save the certificate.

Make the server cert
System | Cert Manager | Certificates

Click the + to add a new certificate, set the following:

• Method: Create an internal certificate

• Descriptive name: Anything you like, I picked "serverCert"

• Certificate Authority: internalCA (or whatever name you used)

• Key Length: 2048

• Digest Algorithm: SHA256

• Certificate Type: Server Certificate

• Lifetime: 3650 days

• Country Code: as required

• State: as required

• City: as required

• Organisation: as required

• Email address: as required (seems to be unimportant)

• Common Name: [External DNS name of the pfSense box]

• ADD AN ALTERNATIVE NAME

• • Type: DNS (case sensitive)
• • Value: [External DNS name of the pfSense box (yes, the same as the CN above)]

• ADD ANOTHER ALTERNATIVE NAME

• • Type: IP (case sensitive)
• • Value: [External IP address of pfSense box]

Save the cert

Make a user cert
System | Cert Manager | Certificates

Only one here of course, and the 'person' is called 'user' but you should make a certificate for every user of the VPN and replace 'user' with a reasonable username.

Click the + to add a new certificate, set the following:

• Method: Create an internal certificate

• Descriptive name: Anything you like, I picked "userCert"

• Certificate Authority: internalCA (or whatever name you used)

• Key Length: 2048

• Digest Algorithm: SHA256

• Certificate Type: User Certificate

• Lifetime: 3650 days

• Country Code: as required

• State: as required

• City: as required

• Organization: as required

• Email address: as required (seems to be unimportant)

• Common Name: user (replace with valid username if there's to be multiple users)

• ADD AN ALTERNATIVE NAME

• • Type: DNS
• • Value: user (same value as the Common Name)

Save the cert

Download the certificates
Switch to the CA tab, click the arrow for "export CA cert"
Switch to the Certificates tab. For the server cert, click the arrow for "export cert". For the user cert, click both the "export cert" arrow and the "export key" arrow.

Create the p12 for the user certs:

sudo openssl pkcs12 -export -in userCert.crt -inkey userCert.key -out userCert.p12

(Make a note of the password you give the cert to allow you to import it later)

Configure the VPN
This part should be familiar. Delete any Mobile Client Tunnel if you have one.

VPN | IPsec | Tunnels

Ensure "Enable IPsec" is ticked.

VPN | IPsec | Mobile clients

• IKE Extensions: check the 'enable IPsec mobile client support' box

• User Authentication: Local Database

• Group Authentication: system

• Virtual Address pool: Provide, and give a suitable private IP scope, one that isn't your LAN

• Virtual IPv6 Address Pool: not checked

• Network List: not checked

• Save Xauth Password: not checked

• DNS Default Domain: checked and set to domain name of VPN LAN

• Split DNS: not checked

• DNS Servers: checked. Specify your LAN DNS server IP

• WINS Servers: not checked

• Phase2 PFS Group: not checked

• Login Banner: not checked

You may tune those as you see fit. This is simply what worked for me in testing.

Save the settings. Apply the changes and click the "Create Phase 1" banner button.

• Disabled: not checked

• Key Exchange version: v2

• Internet Protocol: IPv4

• Interface: WAN

• Description: as required

• Authentication method: EAP-TLS

• My identifier: Distinguished Name. Set the value to the DNS of the pfSense, the same as you used when making the server certificate

• Peer identifier: Any

• My Certificate: serverCert (or whatever you called it)

• Peer Certificate Authority: internalCA (or whatever you called it)

• Encryption algorithm: AES256

• Hash algorithm: SHA384

• DH key group: 20

• Lifetime: 28800 seconds

• Disable Rekey: not checked

• Disable Reauth: not checked

• Responder Only: checked

• MOBIKE: Enable

• Dead Peer Detection: 10 seconds, 5 retries

save the phase 1. Apply the changes.

VPN | IPsec | Tunnels

Expand the Mobile Client phase 1 and click the + to add the phase 2

• Disabled: not checked

• Mode: Tunnel IPv4

• Local Network: Type: Network: 0.0.0.0/0

• NAT/BINAT: Type: None

• Description: as required

• Protocol: ESP

• Encryption algorithms: AES256

• Hash algorithms: SHA256

• PFS key group: 20

• Lifetime: 3600 seconds

save the phase 2. Apply the changes.

Firewall | Rules | IPsec

Check that there is an entry here for allow all. Add one if needed.

Create the profile

Launch Apple Configurator 2

File | New Profile

The profile editor launches. We want three sections: General, Certificates, VPN.

General

• Name: MyVPN (or whatever you like)

• everything else is optional

Certificates

• Click "configure" to add the certs, add the serverCert.crt file, the caCert.crt file and the userCert.p12 file

• Provide the export password for the p12. This is the password you gave in the openssl command after exporting the certificate and key.

VPN

• Click "configure" to make a new VPN

• Connection Name: MyVPN (or anything you like)

• Connection Type: IKEv2

• Always-on VPN: up to you

• Server: DNS name of the pfSense box, much match the CN of the serverCert

• Remote Identifier: DNS name of the pfSense box, much match the CN of the serverCert

• Local Identifier: the CN of the user cert for this connection, in this example 'user'

• Machine Authentication: Certificate

• Certificate Type: RSA

• Server Certificate Issuer Common Name: internalCA (or whatever you called the CA cert earlier)

• Server Certificate Common Name: DNS name of the pfSense box, much match the CN of the serverCert

• Enable EAP: checked

• EAP Authentication: Certificate

• Identity Certificate: pick the imported user.p12 file

• Dead Peer Detection: Medium

• Disable redirects: not checked

• Disable Mobility: not checked

• Use IPv4 internal subnet attributes: not checked

• Enable PFS: not checked

• Enable certificate revocation check: not checked

IKE SA Params

• Encryption Algorithm: AES-256

• Integrity Algorithm: SHA2-384

• Diffie Hellman Group: 20

• Lifetime In Minutes: 480

• Proxy Setup: None

Child SA Params

• Encryption Algorithm: AES-256

• Integrity Algorithm: SHA2-256

• Diffie Hellman Group: 20

• Lifetime In Minutes: 60

• Proxy Setup: None

Save the profile. Install to device. Done.

[edits made: Change P2 DH group to 20. Correct the value 'SHA256' to the more accurate 'SHA2-256']

acc4ever

I have one thing, I'm using DynDNS resolution for the public IP address of the PfSense Boxes.
In your tutorial, it's mandatory to put the public IP address as quoted here, what should I put ??

Thanks a lot for sharing this how-to !!!

Make the server cert
System | Cert Manager | Certificates

Click the + to add a new certificate, set the following:
Method: Create an internal certificate
Descriptive name: Anything you like, I picked "serverCert"
Certificate Authority: internalCA (or whatever name you used)
Key Length: 2048
Digest Algorithm: SHA256
Certificate Type: Server Certificate
Lifetime: 3650 days
Country Code: as required
State: as required
City: as required
Organisation: as required
Email address: as required (seems to be unimportant)
Common Name: [External DNS name of the pfSense box]
ADD AN ALTERNATIVE NAME
Type: DNS (case sensitive)
Value: [External DNS name of the pfSense box (yes, the same as the CN above)]
ADD ANOTHER ALTERNATIVE NAME
Type: IP (case sensitive)
Value: [External IP address of pfSense box]

matp

Good question.
I don't know. :)
Some of this was worked out with pfSense support, who insisted that the certificates be set up this way. We did initially have them with just domain names I think. To be fair, I've deleted and recreated the certs so many times I can no longer be sure!

Given that the connections are established by DNS name, I would think it would work, but the log files seem to talk DNS and IP, so it may be a quirk or StrongSwan or Charon or whatever.

My only suggestion would be to try it, following every step carefully with the exception of the IP SAN's and see what happens. Worst case is it won't connect!

dennypage

Is the Diffie-Hellman group in phase 2 meaningful? DH group 2 has been in the "no longer recommended" category for some time. Given that it's covered by the phase 1, it's not particularly important that it's a weak DH group, but it's not particularly helpful either.

Perhaps someone with deeper IPSEC knowledge can comment…

matp

denny, it is not. In fact, I did have it working set to 20.
I'm no authority on this stuff by a long shot. My concern was that there seemed to be no set of instructions that would produce a working link. These values 'work' and they're pretty good, but yes, setting the P2 to DH20 is a good idea.

As I have already tested this and I know it works with the rest of the values, I'll edit the post to use DH20 for both the P1 and the P2.

Cheers!

paulchen0815

Hi,

I want to configure my pfSense as an VPN "dial-in-server" to access my home network via IPsec VPN from my mobile clients (smartphone, tablet, Mac).

I have the following problem when configuring it with your documentation:

when creating the phase 1 entry I have to enter a remote gateway address and this is a mandatory field, so I have to fill in anything.

But in my usecase my mobile phone has no known official IP adress… So what I have to fill in there?

Thanks,

paulchen

matp

Not too sure I follow you, only the pfSense box needs a fixed IP, the mobile device does not.

Your message means that the instructions are not clear enough, as it would seem that you have made a mistake in them, could you please tell me which step you are looking at and I'll enhance it.
Thanks.

@paulchen0815:

when creating the phase 1 entry I have to enter a remote gateway address and this is a mandatory field, so I have to fill in anything.

But in my usecase my mobile phone has no known official IP adress… So what I have to fill in there?

luckman212

I think what he means is that the pfSense does not have a static IPv4 WAN address. Can a DNS name e.g. a dynamic-dns entry be substituted in place?

paulchen0815

Maybe the wording in the pfSense GUI is a little bit missleading. I have to enter the "Remote Gateway: Enter the public IP address or host name of the remote gateway". See attached screenshot.

So in my point of view this would be the other end of the IPsec tunnel, so not my pfSense box but the mobile device (which has a dynamic IP address that is unkown).

So which IP address or hostname I have to enter in this field?


matp

Ah, now it makes sense.
First, you're setting up an IKEv1 connection, and these instructions are for IKEv2
Second, in the screenshot you are configuring a P1 for a static site-to-site link, not a mobile one, which is why you are being asked for a remote address.
You want to be configuring the Mobile Client phase 1.

Recheck the instructions from the 'Configure the VPN' section and try again.

paulchen0815

Yes, that was the problem: I didn't realize, that there is a difference how to create the phase 1 entry. I did it via the "tunnel" tab and not via the button "create mobile phase 1". With this button there is no "Remote gateway" field and that makes sense now.

Thanks!

Best regards

paulchen

bahsig

does dns resolution work from the ios device in this configuration? with the current ipsec config ios 9 doesn't do name resolution through tunnel. running shrewsoft on windows works. so i'm looking for a solution that will allow dns through tunnel from any ios 9 device.

jeevajii

Useful ideas.. Great information Thanks..

matp

It does, but only if you route all traffic over the link. I do mention this in the post.
I've been unable to find a resolution to this.

Sadly, paid support responded with a "works for me" answer, which wasn't much help.

@bahsig:

does dns resolution work from the ios device in this configuration? with the current ipsec config ios 9 doesn't do name resolution through tunnel. running shrewsoft on windows works. so i'm looking for a solution that will allow dns through tunnel from any ios 9 device.

shpokas

@bahsig:

does dns resolution work from the ios device in this configuration? with the current ipsec config ios 9 doesn't do name resolution through tunnel. running shrewsoft on windows works. so i'm looking for a solution that will allow dns through tunnel from any ios 9 device.

This hint worked for me, on both IOS and OS X.
https://lists.strongswan.org/pipermail/users/2015-October/008842.html

For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

matp

Thanks shpokas!
Very interesting hack. I'm not using signed profiles, so I was able to try this. I didn't have any success with it but I'll try again soon. Quite odd that this may be fixable at the client side, despite dns settings being provided in the pfsense config. It still screams 'bug' to me.

(Plus, the paid support team said it worked just fine in their tests without doing this)

@shpokas:

This hint worked for me, on both IOS and OS X.
https://lists.strongswan.org/pipermail/users/2015-October/008842.html

For details on my setup, please see https://forum.pfsense.org/index.php?topic=106694.0

kapara

Have you tried installing/using the strongswan client for the MAC?

https://download.strongswan.org/osx/strongswan-5.3.2-1.app.zip

shpokas

nope, DNS still does not work for me and there's no way to configure it -  in contrary to OS X built-in client.

matp

I had a look at that strong swan client, don't like it.
It didnt seem to do anything with the certificates, and the advantage of using the native configurator profile is that we can deploy and modify the settings via the MDM enrolment, which helps.

We're still simply routing all traffic to work around the DNS issue, its good enough for now.

bluefoxreg

I'm not sure what's causing this but my windows 10 was able to route all traffic through VPN (with one phase 2 config of 0.0.0.0/0). While my IOS (iphone 5s w IOS 9.2.1) is not routing any traffic through the VPN, even though the VPN icon is showing.

I also noticed that on the iphone the IP seems to remain the same after the VPN is connected.

I followed this guide, and the only thing that's different than what is outlined is the profile setup through app configurator 2, which I don't have access to

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

Thoughts?

bluefoxreg

Actually, found the problem… I followed the document and didn't have a local domain set, once I did, the ios devices are able to route all traffics through the VPN now!

hidalgo

First, thank you for these instructions. With these I could finally connect my iPhone to my pfSense 2.3. But I cannot figure out how to resolve my local dns names through the tunnel.
If I leave phase 2 “Local Network” to “LAN subnet” I reach my local devices with IP address and the internet outside the tunnel.
If I put phase 2  “Local Network” to “Network” and “Address 0.0.0.0/0” I reach my local devices with IP address but no internet. Do I have to change my firewall settings?

But how can I resolve my devices with names? This

https://lists.strongswan.org/pipermail/users/2015-October/008842.html

doesn’t work for me. Or I don’t understand exactly how to do it?

matp

Yeah, I was hoping 2.3 fixed/changed this. Only way seems to be to route all traffic, as mentioned. This means internet access goes out from the other end of the VPN, and domain name resolution is handled by the LAN dns server, it could be that you've not got access to them?

dennypage

I'm not sure it's something that pfSense can fix. Best that I can tell, the correct options are being set for StrongSwan, and StrongSwan is pushing the options correctly. The fix would need to be on the iOS/MacOS side.

I did see someone who said that they had fixed it by introducing options in the profile that could not be set in Configurator. I dug into this a bit, but was not able to reproduce their success with MacOS. I didn't try with iOS though.

matp

Yeah, I'm not sure either, but my thinking runs that if it were an iOS/OSX issue, then it would affect all VPN providers and that does not seem to be the case. I've not actually tested it with a Cisco or Juniper unit but I'd expect that something not based on strong swan wouldn't have this problem.

bpawlak

Hi,

Does this setup work for pfSense in version 2.3.2-RELEASE?
Can anyone confirm that?

Cheers!

tcw

@bpawlak:

Hi,

Does this setup work for pfSense in version 2.3.2-RELEASE?
Can anyone confirm that?

Cheers!

Yes, I just set this up today. To address an earlier question about Dynamic DNS, I have this working also but I had to set everything up on a subdomain (vpn.myname.com, versus just myname.com), including setting a dynamic DNS A record for vpn on my nameserver.

Thanks OP for such a detailed post! Your instructions are the first I got working. If you're still following this thread, what was your rationale for making the cipher selections you did? I'm wondering if this will work with ciphers that take advantage of AES-NI hardware acceleration.

pfsensepilot

Where or how do I key in this command?? In the web interface somewhere??  From the physical console??

sudo openssl pkcs12 -export -in userCert.crt -inkey userCert.key -out userCert.p12

I'm going through the steps and hope to make a connection between my iphone IOS 9.3.5 and pfSense 2.3.2…

Thanks.

acc4ever

you have downloaded command line tools for Xcode..

this is a little tutorial… hope it helps you...

http://railsapps.github.io/xcode-command-line-tools.html

pfsensepilot

Ok, so copy the 3 certificates and 1 user key to a folder on my mac, then modify the command to the correct paths and run through xcode?

acc4ever

You have to run it in through /Applications/Utilities/Terminal.app

pfsensepilot

I was able to run the command.  Thank you.

pfsensepilot

I went through all the steps in the first post.  I am not getting a connection.  What am I missing?  Here's what the logs say:

Sep 2 15:22:34	charon		05[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> peer supports MOBIKE
Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 2 15:22:34	charon		05[CFG] <bypasslan|7> no alternative config found
Sep 2 15:22:34	charon		05[IKE] <bypasslan|7> peer requested EAP, config inacceptable
Sep 2 15:22:34	charon		05[CFG] <bypasslan|7> selected peer config 'bypasslan'</bypasslan|7></bypasslan|7></bypasslan|7></bypasslan|7></bypasslan|7></bypasslan|7>

Derelict

This doesn't work??

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

pfsensepilot

Following the instructions on that link, I am getting what looks like the same errors:

Sep 5 14:36:38	charon		07[ENC] <bypasslan|10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> peer supports MOBIKE
Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 5 14:36:38	charon		07[CFG] <bypasslan|10> no alternative config found
Sep 5 14:36:38	charon		07[IKE] <bypasslan|10> peer requested EAP, config inacceptable
Sep 5 14:36:38	charon		07[CFG] <bypasslan|10> selected peer config 'bypasslan'</bypasslan|10></bypasslan|10></bypasslan|10></bypasslan|10></bypasslan|10></bypasslan|10>

The only thing I was confused about when following the instructions was the CN.  I used my static external ip address as the common name, then added "ip address" as an alternative and rekeyed in my static external ip.  I'm not sure what the hostname for my box means and when I click alternative, I do not have the option for DNS.

Please help!  I was using PPTP before and lost that after I upgraded my box.  Now I can't get into my office remotely anymore, can't go on vacation or out of town, I have to drive to the office in the evenings and on weekends when I need access to my network.

Trying to configure ipsec to work with my macbook and iphone has cost me a lot of hours and been very frustrating.  I hope to get it configured correctly and up and running soon.

jffortier

Hi, newbie here! :o

At one point I was able to make it work but I have some issues now.

I setup OpenVPN and it's working fine, but I need the Apple configurator option "AlwaysON" and it can only be achive with IKEv2.

I can setup all those parameters, but the p12 certificate, I search online and openssl command line doesn't ask for a password, you can't set one and Apple configurator won't let you add that certificate to a profile with an empty password field and "space" is not working.

I have PFSense 2.3, iOS 10.1  and latest version of Apple configurator.

I need something simple, one user only that need to be on VPN all the time and can't get it off with configuration profile that can't be removed (supervised mode)

So how can I get it to work ? or have a self sign certificate p12 with the password.

Thank you

aholtzma

To make split DNS work w/o routing all traffic through the tunnel, you need to provide a second, fake, domain name to work around bug 4418:

https://redmine.pfsense.org/issues/4418

Without this work around, you will see a 'p' character appended to the domain in 'scutil –dns'. The extra 'p' is still there, it just gets appended to the fake domain name and is harmless.

flagsense

Hi,

i configured as you described in your post. And the VPN Tunnel works fast, but after 3-30 Minutes the iPhone do a panic - and restart. Sometime it happend directly if i do some network traffic.

Did somebody else have the same problem ?

best

regards

flagsense

pfguy2017

I am trying to get this set up on my pfsense box 2.3.3_1.  I am stuck on the server certificate, where the instructions say:

Click "+" to add a new Alternative Name
Enter DNS in the Type field
Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!
Click "+" to add a new Alternative Name
Enter IP in the Type field
Enter the WAN IP address of the firewall in the Value field

At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
-FQDN or Hostname
-IP address
-URI
-email address

Am I missing something here?

posto587

I'm trying to get this work with EAP-MSCHAPv2.
On Windows 10 it's working great but I have problems getting this to work on macOS/iOS with AppleConfigurator profiles.

I did everything to generate the profile suggested in the first post but instead of eap-authentication: certificate I choose username/password.
When connecting with macOS/iOS with the profile installed I'm getting the exact same errors as pfsensepilot:

Apr 4 17:13:27 	charon 		07[ENC] <bypasslan|54>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>peer supports MOBIKE
Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54>no alternative config found
Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>peer requested EAP, config inacceptable
Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54>selected peer config 'bypasslan'</bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54> 

Does anybody has an idea/hint?

EDIT: Now I tested with EAP-TLS and configured everything exactly as described in the first post.
And again, it's working on Windows 10 but when I try to connect with macOS I'm getting the same errors shown above.
Trying to modify certain settings (e.g. PFS off/on) changes nothing…