Valid configuration for IKEv2 VPN for iOS and OSX

jffortier

Hi, newbie here! :o

At one point I was able to make it work but I have some issues now.

I setup OpenVPN and it's working fine, but I need the Apple configurator option "AlwaysON" and it can only be achive with IKEv2.

I can setup all those parameters, but the p12 certificate, I search online and openssl command line doesn't ask for a password, you can't set one and Apple configurator won't let you add that certificate to a profile with an empty password field and "space" is not working.

I have PFSense 2.3, iOS 10.1  and latest version of Apple configurator.

I need something simple, one user only that need to be on VPN all the time and can't get it off with configuration profile that can't be removed (supervised mode)

So how can I get it to work ? or have a self sign certificate p12 with the password.

Thank you

aholtzma

To make split DNS work w/o routing all traffic through the tunnel, you need to provide a second, fake, domain name to work around bug 4418:

https://redmine.pfsense.org/issues/4418

Without this work around, you will see a 'p' character appended to the domain in 'scutil –dns'. The extra 'p' is still there, it just gets appended to the fake domain name and is harmless.

flagsense

Hi,

i configured as you described in your post. And the VPN Tunnel works fast, but after 3-30 Minutes the iPhone do a panic - and restart. Sometime it happend directly if i do some network traffic.

Did somebody else have the same problem ?

best

regards

flagsense

pfguy2017

I am trying to get this set up on my pfsense box 2.3.3_1.  I am stuck on the server certificate, where the instructions say:

Click "+" to add a new Alternative Name
Enter DNS in the Type field
Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!
Click "+" to add a new Alternative Name
Enter IP in the Type field
Enter the WAN IP address of the firewall in the Value field

At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
-FQDN or Hostname
-IP address
-URI
-email address

Am I missing something here?

posto587

I'm trying to get this work with EAP-MSCHAPv2.
On Windows 10 it's working great but I have problems getting this to work on macOS/iOS with AppleConfigurator profiles.

I did everything to generate the profile suggested in the first post but instead of eap-authentication: certificate I choose username/password.
When connecting with macOS/iOS with the profile installed I'm getting the exact same errors as pfsensepilot:

Apr 4 17:13:27 	charon 		07[ENC] <bypasslan|54>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>peer supports MOBIKE
Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54>no alternative config found
Apr 4 17:13:27 	charon 		07[IKE] <bypasslan|54>peer requested EAP, config inacceptable
Apr 4 17:13:27 	charon 		07[CFG] <bypasslan|54>selected peer config 'bypasslan'</bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54></bypasslan|54> 

Does anybody has an idea/hint?

EDIT: Now I tested with EAP-TLS and configured everything exactly as described in the first post.
And again, it's working on Windows 10 but when I try to connect with macOS I'm getting the same errors shown above.
Trying to modify certain settings (e.g. PFS off/on) changes nothing…

pfguy2017

I am also having trouble getting a connection.  Here is the log.  Can anyone give some insight as to what the problem might be?

Apr 4 14:33:08 	charon 		15[MGR] <con1|3>checkin of IKE_SA successful
Apr 4 14:33:08 	charon 		15[MGR] <con1|3>checkin IKE_SA con1[3]
Apr 4 14:33:08 	charon 		15[NET] <con1|3>sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1196 bytes)
Apr 4 14:33:08 	charon 		15[NET] <con1|3>sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1244 bytes)
Apr 4 14:33:08 	charon 		15[ENC] <con1|3>generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 4 14:33:08 	charon 		15[ENC] <con1|3>generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 4 14:33:08 	charon 		15[ENC] <con1|3>splitting IKE message with length of 2360 bytes into 2 fragments
Apr 4 14:33:08 	charon 		15[ENC] <con1|3>generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 4 14:33:08 	charon 		15[IKE] <con1|3>sending end entity cert "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=zzz.com"
Apr 4 14:33:08 	charon 		15[IKE] <con1|3>authentication of 'zzz.com' (myself) with RSA signature successful
Apr 4 14:33:08 	charon 		15[IKE] <con1|3>peer supports MOBIKE
Apr 4 14:33:08 	charon 		15[IKE] <con1|3>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 4 14:33:08 	charon 		15[IKE] <con1|3>initiating EAP_IDENTITY method (id 0x00)
Apr 4 14:33:08 	charon 		15[CFG] <con1|3>selected peer config 'con1'
Apr 4 14:33:08 	charon 		15[CFG] <3> candidate "con1", match: 20/1/1052 (me/other/ike)
Apr 4 14:33:08 	charon 		15[CFG] <3> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Apr 4 14:33:08 	charon 		15[CFG] <3> looking for peer configs matching x.x.x.x[xx.xx.com]...y.y.y.y[zzz]
Apr 4 14:33:08 	charon 		15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 4 14:33:08 	charon 		15[ENC] <3> unknown attribute type (25)
Apr 4 14:33:08 	charon 		15[NET] <3> received packet: from y.y.y.y[4533] to x.x.x.x[4500] (360 bytes)
Apr 4 14:33:08 	charon 		15[MGR] IKE_SA (unnamed)[3] successfully checked out
Apr 4 14:33:08 	charon 		15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i c93792bfd0b4d1d3_r
Apr 4 14:33:08 	charon 		15[MGR] <3> checkin of IKE_SA successful
Apr 4 14:33:08 	charon 		15[MGR] <3> checkin IKE_SA (unnamed)[3]
Apr 4 14:33:08 	charon 		15[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[1446] (313 bytes)
Apr 4 14:33:08 	charon 		15[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Apr 4 14:33:08 	charon 		15[IKE] <3> sending cert request for "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=XXX"
Apr 4 14:33:08 	charon 		15[IKE] <3> remote host is behind NAT
Apr 4 14:33:08 	charon 		15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Apr 4 14:33:08 	charon 		15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Apr 4 14:33:08 	charon 		15[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Apr 4 14:33:08 	charon 		15[CFG] <3> proposal matches
Apr 4 14:33:08 	charon 		15[CFG] <3> selecting proposal:
Apr 4 14:33:08 	charon 		15[IKE] <3> y.y.y.y is initiating an IKE_SA
Apr 4 14:33:08 	charon 		15[CFG] <3> found matching ike config: x.x.x.x...%any with prio 1052
Apr 4 14:33:08 	charon 		15[CFG] <3> candidate: x.x.x.x...%any, prio 1052
Apr 4 14:33:08 	charon 		15[CFG] <3> candidate: %any...%any, prio 24
Apr 4 14:33:08 	charon 		15[CFG] <3> looking for an ike config for x.x.x.x...y.y.y.y
Apr 4 14:33:08 	charon 		15[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 4 14:33:08 	charon 		15[NET] <3> received packet: from x.x.x.x [1446] to x.x.x.x[500] (280 bytes)
Apr 4 14:33:08 	charon 		15[MGR] created IKE_SA (unnamed)[3]
Apr 4 14:33:08 	charon 		15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i 0000000000000000_r</con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3></con1|3> 

pfguy2017

I am popping back in to this thread to provide some additional info. I was able to get the IKEv2 VPN connection working following my previous post, by deleting everything and stepping through the instructions again. And I was able to leave out the "IP" and "DNS" fields (which as I noted upthread, do not seem to be enter-able any more). Thank you very much to the OP!

I was also able to turn the VPN connection into a VPN on demand connection, and I thought I would outline the steps involved in case anyone else wants to do this.  Apple Configurator 2 does not show the "VPN on demand" toggle when setting up a profile for IKEv2 (it seems to be present for L2TP and IPSEC only).  However, I was able to achieve this by manually editing (using Text Wrangler) the .mobileconfig profile as below. The relevant changes are near the bottom, where I was able to set things up so that if I am connected to my home Wifi, the VPN is turned off, but the VPN connection is enabled if connected to any other network.  Note that if you sign the profile in Configurator, it cannot be edited.  Note also that this does not require a supervised iOS device.

 <plist version="1.0"><dict><key>HasRemovalPasscode</key>
	 <true><key>PayloadContent</key>
	 <array><dict><key>PayloadCertificateFileName</key>
			<string>MyCA.cer</string>
			<key>PayloadContent</key>
			 <data>abc123 (generated by Configurator)</data> 
			<key>PayloadDescription</key>
			<string>Adds a CA root certificate</string>
			<key>PayloadDisplayName</key>
			<string>MyCA</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.root.xxx (generated by Configurator)</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>xxx (generated by Configurator)</string>
			<key>PayloadVersion</key>
			<integer>1</integer></dict> 
		 <dict><key>PayloadCertificateFileName</key>
			<string>MyVPN.cer</string>
			<key>PayloadContent</key>
			 <data>xyz456 (generated by Configurator)</data> 
			<key>PayloadDescription</key>
			<string>Adds a PKCS#1-formatted certificate</string>
			<key>PayloadDisplayName</key>
			<string>example.com</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pkcs1.xxx (generated by Configurator)</string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs1</string>
			<key>PayloadUUID</key>
			<string>xxx (generated by Configurator)</string>
			<key>PayloadVersion</key>
			<integer>1</integer></dict> 
		 <dict><key>PayloadDescription</key>
			<string>Configures a password for profile removal</string>
			<key>PayloadDisplayName</key>
			<string>Profile Removal</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.profileRemovalPassword.xxx (generated by Configurator)</string>
			<key>PayloadType</key>
			<string>com.apple.profileRemovalPassword</string>
			<key>PayloadUUID</key>
			<string>xxx (generated by Configurator)</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>RemovalPassword</key>
			<string>mypassword</string></dict> 
		 <dict><key>Password</key>
			<string>yyy</string>
			<key>PayloadCertificateFileName</key>
			<string>username.p12</string>
			<key>PayloadContent</key>
			 <data>abc456 (generated by Configurator)</data> 
			<key>PayloadDescription</key>
			<string>Adds a PKCS#12-formatted certificate</string>
			<key>PayloadDisplayName</key>
			<string>username.p12</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pkcs12.xxxx (generated by Configurator)</string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs12</string>
			<key>PayloadUUID</key>
			<string>xxx (generated by Configurator)</string>
			<key>PayloadVersion</key>
			<integer>1</integer></dict> 
		 <dict><key>IKEv2</key>
			 <dict><key>AuthenticationMethod</key>
				<string>Certificate</string>
				<key>ChildSecurityAssociationParameters</key>
				 <dict><key>DiffieHellmanGroup</key>
					<integer>20</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>60</integer></dict> 
				<key>DeadPeerDetectionRate</key>
				<string>Medium</string>
				<key>DisableMOBIKE</key>
				<integer>0</integer>
				<key>DisableRedirect</key>
				<integer>0</integer>
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<key>EnablePFS</key>
				<integer>0</integer>
				<key>ExtendedAuthEnabled</key>
				 <true><key>IKESecurityAssociationParameters</key>
				 <dict><key>DiffieHellmanGroup</key>
					<integer>20</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-384</string>
					<key>LifeTimeInMinutes</key>
					<integer>480</integer></dict> 
				<key>LocalIdentifier</key>
				<string>user</string>
				<key>PayloadCertificateUUID</key>
				<string>xxx (generated by Configurator)</string>
				<key>RemoteAddress</key>
				<string>example.com</string>
				<key>RemoteIdentifier</key>
				<string>example.com</string>
				<key>ServerCertificateCommonName</key>
				<string>example.com</string>
				<key>ServerCertificateIssuerCommonName</key>
				<string>MyCA</string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer></true></dict> 
			<key>IPv4</key>
			 <dict><key>OverridePrimary</key>
				<integer>1</integer></dict> 
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.xxx (generated by Configurator)</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>xxx (generated by Configurator)</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			 <dict><key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer></dict> 
			<key>UserDefinedName</key>
			<string>MyVPN</string>
			<key>VPNType</key>
			<string>IKEv2</string>
			<key>OnDemandEnabled</key>
                <integer>1</integer>
                <key>OnDemandRules</key>
                <array><dict><key>InterfaceTypeMatch</key>
                        <string>WiFi</string>
                        <key>SSIDMatch</key>
                        <array><string>My Home Wifi Network name</string></array>                     
                        <key>Action</key>
                        <string>Disconnect</string></dict> 

                    <dict><key>Action</key>
                        <string>Connect</string></dict></array></dict></array> 
	<key>PayloadDisplayName</key>
	<string>MyVPN</string>
	<key>PayloadIdentifier</key>
	<string>MyVPN</string>
	<key>PayloadRemovalDisallowed</key>
	 <true><key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>xxx (generated by Configurator)2</string>
	<key>PayloadVersion</key>
	<integer>1</integer></true></true></dict></plist> 

References/credit:
https://medium.com/@cattyhouse/ios-ondemand-ipsec-vpn-setup-ebfb82b6f7a1
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW36

krolykke

@pfguy2017:

At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
-FQDN or Hostname
-IP address
-URI
-email address

Am I missing something here?

Look to the right of the dropdown, there is a field where you can enter the required data.

pfguy2017

@krolykke:

@pfguy2017:

At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
-FQDN or Hostname
-IP address
-URI
-email address

Am I missing something here?

Look to the right of the dropdown, there is a field where you can enter the required data.

The field on the right is for the "value", not the "type" (which is on the left).  There is no way (that I can see) to enter a "type" other than the 4 choices in the drop down menu (as in the instructions in the first post in this thread).  I guess this changed with a recent pfSense update.  However, it does not seem to matter.  In my case, I was able to get everything working using the "FQDN or Hostname" and "email address" fields (for email I entered the same string as for the CN and SAN (i.e. the server address or the user name, depending on the cert)).  The "DNS" and "IP" entries do not seem to be required in order to get everything working.

mrpsycho

nice manual.

but…. i don't understand why this is not working on pfSense 2.3.3_1 and Mac OS Sierra?

netnewb

Can anyone confirm this is still working on iOS 10.3.2 and pFsense 2.3.4? I've been trying for a while and I can't make it work.

isaack

https://forum.pfsense.org/index.php?topic=127457.0

After having tried many times unsuccessfully it to work with the native client, that guide plus using Apple Configurator 2, finally worked for me. Its actually really easy to use Configurator.
So its not necessary to use StrongSwan. I think the key difference is using DH2 instead of DH20 and Configurator which allows some more VPN options.

jgiannakas

@netnewb:

Can anyone confirm this is still working on iOS 10.3.2 and pFsense 2.3.4? I've been trying for a while and I can't make it work.

Yes it's working, got it setup on my 10.3.2 iPhones / iPads and Sierra OSX with pfsense 2.3.4.

The creation of the certificates was a little different in that there is no option to put an IP address to them I believe but besides that it works well.

myms

Quick question here: have set up the IKEv2 VPN per instructions here and it works great. Only thing I've noticed is that I can still connect to the VPN even if the user certificate I'm using isn't actually associated with the pfSense local user account. Is that intentional?

rnatalli

Hi all,

I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!

Eara

Peoples,

I was able to set up IPSec from MacOS and iOS but something weird happened: I have two pfsense boxes in two locations, connected to each other by IPSec (no problems there).

For mobile client, both boxes use AES 256 as encryption algorithms. However, one box uses SHA384 and DH/PFS group 20 while the other box refuses to connect with that setting (tested on the same Mac that has both connections setup) and will accept SHA256 and DH/PFS group 19. Both are in 2.3.4-RELEASE-p1.

The SHA384 and PFS group 20 has always worked for box nº 1, but I just setup mobile clients on box nº2 and logs says that setting is not acceptable - MacOS doesn't seem to be proposing SHA384 for the second box:

"configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384"
"received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"

Anyone has any clue why?

Update: Nevermind, box nº 1 mobile client was setup through a profile from Apple Configurator. Box nº 2 was set up manually in system preferences.

rnatalli

@rnatalli:

Hi all,

I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!

Anyone?  I'm pulling my hair.  I thought IKEv2 was very mobile friendly with the inclusion of MOBIKE, etc., but I can't seem to keep the tunnel up when my iPhone switches networking modes.

netnewb

@jgiannakas:

@netnewb:

Can anyone confirm this is still working on iOS 10.3.2 and pFsense 2.3.4? I've been trying for a while and I can't make it work.

Yes it's working, got it setup on my 10.3.2 iPhones / iPads and Sierra OSX with pfsense 2.3.4.

The creation of the certificates was a little different in that there is no option to put an IP address to them I believe but besides that it works well.

Thanks! Do you use static or dynamic IP?

nicolai

Can anyone confirm this is still working on iOS 11.0.3 and pFsense 2.2.6-RELEASE (amd64)? I've been trying for a while and I can't make it work.

Thanks.

Derelict

Seems to work OK on iOS 11.0.3. As for pfSense 2.2.6 you're on your own there. Upgrade.