Netgate Discussion Forum
    Valid configuration for IKEv2 VPN for iOS and OSX

    Category: IPsec · 68 Posts, 33 Posters, 52.6k Views
    posto587

      I'm trying to get this work with EAP-MSCHAPv2.
      On Windows 10 it's working great but I have problems getting this to work on macOS/iOS with AppleConfigurator profiles.

      I did everything to generate the profile suggested in the first post, but instead of eap-authentication: certificate I chose username/password.
      When connecting with macOS/iOS with the profile installed I'm getting the exact same errors as pfsensepilot:

      Apr 4 17:13:27 charon 07[ENC] <bypasslan|54> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Apr 4 17:13:27 charon 07[IKE] <bypasslan|54> peer supports MOBIKE
      Apr 4 17:13:27 charon 07[IKE] <bypasslan|54> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Apr 4 17:13:27 charon 07[CFG] <bypasslan|54> no alternative config found
      Apr 4 17:13:27 charon 07[IKE] <bypasslan|54> peer requested EAP, config inacceptable
      Apr 4 17:13:27 charon 07[CFG] <bypasslan|54> selected peer config 'bypasslan'
      

      Does anybody have an idea/hint?

      EDIT: Now I tested with EAP-TLS and configured everything exactly as described in the first post.
      And again, it's working on Windows 10 but when I try to connect with macOS I'm getting the same errors shown above.
      Trying to modify certain settings (e.g. PFS off/on) changes nothing…

      pfguy2017

        I am also having trouble getting a connection.  Here is the log.  Can anyone give some insight as to what the problem might be?

        Apr 4 14:33:08 charon 15[MGR] <con1|3> checkin of IKE_SA successful
        Apr 4 14:33:08 charon 15[MGR] <con1|3> checkin IKE_SA con1[3]
        Apr 4 14:33:08 charon 15[NET] <con1|3> sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1196 bytes)
        Apr 4 14:33:08 charon 15[NET] <con1|3> sending packet: from x.x.x.x[4500] to y.y.y.y[4533] (1244 bytes)
        Apr 4 14:33:08 charon 15[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(2/2) ]
        Apr 4 14:33:08 charon 15[ENC] <con1|3> generating IKE_AUTH response 1 [ EF(1/2) ]
        Apr 4 14:33:08 charon 15[ENC] <con1|3> splitting IKE message with length of 2360 bytes into 2 fragments
        Apr 4 14:33:08 charon 15[ENC] <con1|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
        Apr 4 14:33:08 charon 15[IKE] <con1|3> sending end entity cert "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=zzz.com"
        Apr 4 14:33:08 charon 15[IKE] <con1|3> authentication of 'zzz.com' (myself) with RSA signature successful
        Apr 4 14:33:08 charon 15[IKE] <con1|3> peer supports MOBIKE
        Apr 4 14:33:08 charon 15[IKE] <con1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
        Apr 4 14:33:08 charon 15[IKE] <con1|3> initiating EAP_IDENTITY method (id 0x00)
        Apr 4 14:33:08 charon 15[CFG] <con1|3> selected peer config 'con1'
        Apr 4 14:33:08 charon 15[CFG] <3> candidate "con1", match: 20/1/1052 (me/other/ike)
        Apr 4 14:33:08 charon 15[CFG] <3> candidate "bypasslan", match: 1/1/24 (me/other/ike)
        Apr 4 14:33:08 charon 15[CFG] <3> looking for peer configs matching x.x.x.x[xx.xx.com]...y.y.y.y[zzz]
        Apr 4 14:33:08 charon 15[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
        Apr 4 14:33:08 charon 15[ENC] <3> unknown attribute type (25)
        Apr 4 14:33:08 charon 15[NET] <3> received packet: from y.y.y.y[4533] to x.x.x.x[4500] (360 bytes)
        Apr 4 14:33:08 charon 15[MGR] IKE_SA (unnamed)[3] successfully checked out
        Apr 4 14:33:08 charon 15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i c93792bfd0b4d1d3_r
        Apr 4 14:33:08 charon 15[MGR] <3> checkin of IKE_SA successful
        Apr 4 14:33:08 charon 15[MGR] <3> checkin IKE_SA (unnamed)[3]
        Apr 4 14:33:08 charon 15[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[1446] (313 bytes)
        Apr 4 14:33:08 charon 15[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
        Apr 4 14:33:08 charon 15[IKE] <3> sending cert request for "C=CA, ST=ON, L=Home, O=z, E=admin@z.z, CN=XXX"
        Apr 4 14:33:08 charon 15[IKE] <3> remote host is behind NAT
        Apr 4 14:33:08 charon 15[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
        Apr 4 14:33:08 charon 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
        Apr 4 14:33:08 charon 15[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
        Apr 4 14:33:08 charon 15[CFG] <3> proposal matches
        Apr 4 14:33:08 charon 15[CFG] <3> selecting proposal:
        Apr 4 14:33:08 charon 15[IKE] <3> y.y.y.y is initiating an IKE_SA
        Apr 4 14:33:08 charon 15[CFG] <3> found matching ike config: x.x.x.x...%any with prio 1052
        Apr 4 14:33:08 charon 15[CFG] <3> candidate: x.x.x.x...%any, prio 1052
        Apr 4 14:33:08 charon 15[CFG] <3> candidate: %any...%any, prio 24
        Apr 4 14:33:08 charon 15[CFG] <3> looking for an ike config for x.x.x.x...y.y.y.y
        Apr 4 14:33:08 charon 15[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
        Apr 4 14:33:08 charon 15[NET] <3> received packet: from x.x.x.x [1446] to x.x.x.x[500] (280 bytes)
        Apr 4 14:33:08 charon 15[MGR] created IKE_SA (unnamed)[3]
        Apr 4 14:33:08 charon 15[MGR] checkout IKEv2 SA by message with SPIs b34bf46abdfd5380_i 0000000000000000_r
        
        pfguy2017

          I am popping back in to this thread to provide some additional info. I was able to get the IKEv2 VPN connection working following my previous post, by deleting everything and stepping through the instructions again. And I was able to leave out the "IP" and "DNS" fields (which as I noted upthread, do not seem to be enter-able any more). Thank you very much to the OP!

          I was also able to turn the VPN connection into a VPN on demand connection, and I thought I would outline the steps involved in case anyone else wants to do this.  Apple Configurator 2 does not show the "VPN on demand" toggle when setting up a profile for IKEv2 (it seems to be present for L2TP and IPSEC only).  However, I was able to achieve this by manually editing (using Text Wrangler) the .mobileconfig profile as below. The relevant changes are near the bottom, where I was able to set things up so that if I am connected to my home Wifi, the VPN is turned off, but the VPN connection is enabled if connected to any other network.  Note that if you sign the profile in Configurator, it cannot be edited.  Note also that this does not require a supervised iOS device.

          
          <plist version="1.0">
          <dict>
            <key>HasRemovalPasscode</key>
            <true/>
            <key>PayloadContent</key>
            <array>
              <dict>
                <key>PayloadCertificateFileName</key>
                <string>MyCA.cer</string>
                <key>PayloadContent</key>
                <data>abc123 (generated by Configurator)</data>
                <key>PayloadDescription</key>
                <string>Adds a CA root certificate</string>
                <key>PayloadDisplayName</key>
                <string>MyCA</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.root.xxx (generated by Configurator)</string>
                <key>PayloadType</key>
                <string>com.apple.security.root</string>
                <key>PayloadUUID</key>
                <string>xxx (generated by Configurator)</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
              </dict>
              <dict>
                <key>PayloadCertificateFileName</key>
                <string>MyVPN.cer</string>
                <key>PayloadContent</key>
                <data>xyz456 (generated by Configurator)</data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#1-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>example.com</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs1.xxx (generated by Configurator)</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>xxx (generated by Configurator)</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
              </dict>
              <dict>
                <key>PayloadDescription</key>
                <string>Configures a password for profile removal</string>
                <key>PayloadDisplayName</key>
                <string>Profile Removal</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.profileRemovalPassword.xxx (generated by Configurator)</string>
                <key>PayloadType</key>
                <string>com.apple.profileRemovalPassword</string>
                <key>PayloadUUID</key>
                <string>xxx (generated by Configurator)</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>RemovalPassword</key>
                <string>mypassword</string>
              </dict>
              <dict>
                <key>Password</key>
                <string>yyy</string>
                <key>PayloadCertificateFileName</key>
                <string>username.p12</string>
                <key>PayloadContent</key>
                <data>abc456 (generated by Configurator)</data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#12-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>username.p12</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs12.xxxx (generated by Configurator)</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadUUID</key>
                <string>xxx (generated by Configurator)</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
              </dict>
              <dict>
                <key>IKEv2</key>
                <dict>
                  <key>AuthenticationMethod</key>
                  <string>Certificate</string>
                  <key>ChildSecurityAssociationParameters</key>
                  <dict>
                    <key>DiffieHellmanGroup</key>
                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-256</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>60</integer>
                  </dict>
                  <key>DeadPeerDetectionRate</key>
                  <string>Medium</string>
                  <key>DisableMOBIKE</key>
                  <integer>0</integer>
                  <key>DisableRedirect</key>
                  <integer>0</integer>
                  <key>EnableCertificateRevocationCheck</key>
                  <integer>0</integer>
                  <key>EnablePFS</key>
                  <integer>0</integer>
                  <key>ExtendedAuthEnabled</key>
                  <true/>
                  <key>IKESecurityAssociationParameters</key>
                  <dict>
                    <key>DiffieHellmanGroup</key>
                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-384</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>480</integer>
                  </dict>
                  <key>LocalIdentifier</key>
                  <string>user</string>
                  <key>PayloadCertificateUUID</key>
                  <string>xxx (generated by Configurator)</string>
                  <key>RemoteAddress</key>
                  <string>example.com</string>
                  <key>RemoteIdentifier</key>
                  <string>example.com</string>
                  <key>ServerCertificateCommonName</key>
                  <string>example.com</string>
                  <key>ServerCertificateIssuerCommonName</key>
                  <string>MyCA</string>
                  <key>UseConfigurationAttributeInternalIPSubnet</key>
                  <integer>0</integer>
                </dict>
                <key>IPv4</key>
                <dict>
                  <key>OverridePrimary</key>
                  <integer>1</integer>
                </dict>
                <key>PayloadDescription</key>
                <string>Configures VPN settings</string>
                <key>PayloadDisplayName</key>
                <string>VPN</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.vpn.managed.xxx (generated by Configurator)</string>
                <key>PayloadType</key>
                <string>com.apple.vpn.managed</string>
                <key>PayloadUUID</key>
                <string>xxx (generated by Configurator)</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>Proxies</key>
                <dict>
                  <key>HTTPEnable</key>
                  <integer>0</integer>
                  <key>HTTPSEnable</key>
                  <integer>0</integer>
                </dict>
                <key>UserDefinedName</key>
                <string>MyVPN</string>
                <key>VPNType</key>
                <string>IKEv2</string>
                <key>OnDemandEnabled</key>
                <integer>1</integer>
                <key>OnDemandRules</key>
                <array>
                  <dict>
                    <key>InterfaceTypeMatch</key>
                    <string>WiFi</string>
                    <key>SSIDMatch</key>
                    <array>
                      <string>My Home Wifi Network name</string>
                    </array>
                    <key>Action</key>
                    <string>Disconnect</string>
                  </dict>
                  <dict>
                    <key>Action</key>
                    <string>Connect</string>
                  </dict>
                </array>
              </dict>
            </array>
            <key>PayloadDisplayName</key>
            <string>MyVPN</string>
            <key>PayloadIdentifier</key>
            <string>MyVPN</string>
            <key>PayloadRemovalDisallowed</key>
            <true/>
            <key>PayloadType</key>
            <string>Configuration</string>
            <key>PayloadUUID</key>
            <string>xxx (generated by Configurator)2</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
          </dict>
          </plist>
          
          

          References/credit:
          https://medium.com/@cattyhouse/ios-ondemand-ipsec-vpn-setup-ebfb82b6f7a1
          https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
          https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW36

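The hand edit pfguy2017 describes above, done programmatically, as an added example (Python, not code from the post, from Apple or from Netgate). It assumes the profile layout shown in the post: a top-level Configuration dict whose PayloadContent array holds a com.apple.vpn.managed payload with VPNType IKEv2, and it writes the same keys the post's profile uses (OnDemandEnabled, OnDemandRules, InterfaceTypeMatch, SSIDMatch, Action). Two checks are added that the post only hints at: the input must still be an unsigned plist (the assumption here is that a Configurator-signed profile is a CMS/PKCS#7 DER blob, which is why the edit has to happen before signing), and the rule list must end with a catch-all, because iOS evaluates On Demand rules top to bottom and stops at the first match. The sample profile at the bottom is constructed; its identifiers and UUIDs are placeholders.

```python
"""Add VPN On Demand rules to an unsigned IKEv2 .mobileconfig profile.

Added example, not code from the forum post, Apple or Netgate. Assumes the
profile layout shown in the post (Configuration dict -> PayloadContent array
-> com.apple.vpn.managed payload with VPNType "IKEv2").
"""
import plistlib
from xml.parsers.expat import ExpatError

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"
# Action values Apple documents for an OnDemandRules entry.
KNOWN_ACTIONS = {"Connect", "Disconnect", "Ignore", "EvaluateConnection"}
# Match criteria a rule may carry; a rule with none of them is a catch-all.
MATCH_KEYS = {"InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch",
              "DNSServerAddressMatch", "URLStringProbe"}


def build_on_demand_rules(trusted_ssids):
    """Drop the tunnel on the listed (home) Wi-Fi SSIDs, bring it up anywhere else."""
    return [
        {"InterfaceTypeMatch": "WiFi",
         "SSIDMatch": list(trusted_ssids),
         "Action": "Disconnect"},
        {"Action": "Connect"},  # catch-all, must stay last
    ]


def validate_rules(rules):
    """Return a list of problems (empty means the rule set is sane).

    Rules are evaluated top to bottom, first match wins: a catch-all placed
    early shadows everything after it, and no trailing catch-all leaves the
    off-SSID behaviour undefined.
    """
    problems = []
    for i, rule in enumerate(rules):
        if rule.get("Action") not in KNOWN_ACTIONS:
            problems.append(f"rule {i}: unknown Action {rule.get('Action')!r}")
        if not MATCH_KEYS.intersection(rule) and i != len(rules) - 1:
            problems.append(f"rule {i}: catch-all rule is not last")
    if not rules or MATCH_KEYS.intersection(rules[-1]):
        problems.append("last rule is not a catch-all")
    return problems


def add_on_demand(profile, trusted_ssids):
    """Patch every IKEv2 VPN payload in a parsed profile; return how many were patched."""
    rules = build_on_demand_rules(trusted_ssids)
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    patched = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != VPN_PAYLOAD_TYPE:
            continue
        if payload.get("VPNType") != "IKEv2":
            continue
        payload["OnDemandEnabled"] = 1
        payload["OnDemandRules"] = rules
        patched += 1
    return patched


def is_unsigned_plist(data):
    """True if the bytes parse as an XML or binary plist.

    Assumption: a profile signed in Configurator is a CMS (PKCS#7) DER blob,
    so it fails this check; that is why the edit must happen before signing.
    """
    try:
        plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return False
    return True


def patch_profile_bytes(data, trusted_ssids):
    """Parse an unsigned profile, patch it, return (new_bytes, patched_count)."""
    if not is_unsigned_plist(data):
        raise ValueError("not an unsigned plist; edit the profile before signing it")
    profile = plistlib.loads(data)
    count = add_on_demand(profile, trusted_ssids)
    return plistlib.dumps(profile), count


# Constructed minimal profile for a stand-alone run. Identifiers and UUIDs are
# placeholders, not values taken from the post.
SAMPLE_PROFILE_XML = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.vpn.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": VPN_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.vpn.ikev2",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "UserDefinedName": "MyVPN",
        "VPNType": "IKEv2",
        "IKEv2": {"RemoteAddress": "example.com",
                  "RemoteIdentifier": "example.com",
                  "AuthenticationMethod": "Certificate"},
    }],
})

if __name__ == "__main__":
    new_xml, n = patch_profile_bytes(SAMPLE_PROFILE_XML, ["My Home Wifi Network name"])
    print(f"patched {n} VPN payload(s)")
    print(new_xml.decode())
```

Run it against a profile exported from Configurator before signing; the output plist is what you then sign and push. The Disconnect rule only matches when the interface is Wi-Fi and the SSID is in the list, so a hostile network using the same SSID name would also disconnect the VPN; if that matters, match on DNSServerAddressMatch or a URLStringProbe as well instead of SSID alone.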
            krolykke

            @pfguy2017:

            At my end, there does not seem to be any way to type in DNS or IP into the type field.  The type field is a drop down menu containing the following choices:
            -FQDN or Hostname
            -IP address
            -URI
            -email address

            Am I missing something here?

            Look to the right of the dropdown, there is a field where you can enter the required data.

              pfguy2017

              @krolykke:

              Look to the right of the dropdown, there is a field where you can enter the required data.

              The field on the right is for the "value", not the "type" (which is on the left).  There is no way (that I can see) to enter a "type" other than the 4 choices in the drop down menu (as in the instructions in the first post in this thread).  I guess this changed with a recent pfSense update.  However, it does not seem to matter.  In my case, I was able to get everything working using the "FQDN or Hostname" and "email address" fields (for email I entered the same string as for the CN and SAN (i.e. the server address or the user name, depending on the cert)).  The "DNS" and "IP" entries do not seem to be required in order to get everything working.

                mrpsycho

                nice manual.

                but… I don't understand why this is not working on pfSense 2.3.3_1 and Mac OS Sierra?

                  netnewb

                  Can anyone confirm this is still working on iOS 10.3.2 and pfSense 2.3.4? I've been trying for a while and I can't make it work.

                    isaack

                    https://forum.pfsense.org/index.php?topic=127457.0

                    After having tried many times unsuccessfully to get it to work with the native client, that guide plus using Apple Configurator 2 finally worked for me. It's actually really easy to use Configurator.
                    So it's not necessary to use StrongSwan. I think the key difference is using DH2 instead of DH20 and Configurator, which allows some more VPN options.

                      jgiannakas

                      @netnewb:

                      Can anyone confirm this is still working on iOS 10.3.2 and pfSense 2.3.4? I've been trying for a while and I can't make it work.

                      Yes it's working, got it setup on my 10.3.2 iPhones / iPads and Sierra OSX with pfsense 2.3.4.

                      The creation of the certificates was a little different in that there is no option to put an IP address to them I believe but besides that it works well.

                        myms

                        Quick question here: have set up the IKEv2 VPN per instructions here and it works great. Only thing I've noticed is that I can still connect to the VPN even if the user certificate I'm using isn't actually associated with the pfSense local user account. Is that intentional?

                          rnatalli

                          Hi all,

                          I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!

                            Eara

                            Peoples,

                            I was able to set up IPSec from MacOS and iOS but something weird happened: I have two pfsense boxes in two locations, connected to each other by IPSec (no problems there).

                            For mobile client, both boxes use AES 256 as encryption algorithms. However, one box uses SHA384 and DH/PFS group 20 while the other box refuses to connect with that setting (tested on the same Mac that has both connections setup) and will accept SHA256 and DH/PFS group 19. Both are in 2.3.4-RELEASE-p1.

                            The SHA384 and PFS group 20 has always worked for box nº 1, but I just set up mobile clients on box nº 2 and the logs say that setting is not acceptable - macOS doesn't seem to be proposing SHA384 for the second box:

                            "configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384"
                            "received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"

                            Does anyone have any clue why?

                            Update: Nevermind, box nº 1 mobile client was setup through a profile from Apple Configurator. Box nº 2 was set up manually in system preferences.

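The two log lines Eara quotes are exactly what pfSense shows when a mobile client's proposal list and the Mobile Clients phase 1 settings share no complete proposal, and the same pair of lines appears in pfguy2017's log above in the matching case. As an added example (Python, not code from the post, from strongSwan or from pfSense), here is a small analyser that reads charon's "configured proposals" / "received proposals" lines, says per transform type where the overlap is missing, and flags the weak transforms the manually configured macOS client is willing to use (3DES, SHA-1, MODP 1024/1536, all visible in the quoted received list). The proposal strings in CONSTRUCTED_LOG are the ones from the post; the timestamp and "charon 15[CFG] <3>" prefix around them are constructed. Classifying transforms by name prefix and taking the first configured proposal that matches are simplifications of charon's real selection logic, not a reimplementation of it.

```python
"""Explain a charon (strongSwan) IKE proposal mismatch from pfSense log lines.

Added example, not code from the forum post, strongSwan or pfSense. Transform
classification by name prefix and "first configured proposal that matches, in
our order" are simplifications of charon's real proposal selection.
"""
import re

PROPOSAL_RE = re.compile(r"\b(?:IKE|ESP|AH):[A-Z0-9_/]+")

# Transforms a mobile-client policy should not accept: 3DES, MD5/SHA-1
# integrity and PRF, 1024/1536-bit MODP groups.
WEAK = {"3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "HMAC_SHA1_96",
        "PRF_HMAC_SHA1", "MODP_1024", "MODP_1536"}

# Constructed log: proposal strings from the post, prefix made up.
CONSTRUCTED_LOG = """\
Apr 4 14:33:08 charon 15[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Apr 4 14:33:08 charon 15[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""


def transform_type(name):
    """Bucket a transform by name. Integrity is tested before encryption
    because AES_XCBC_96 / AES_CMAC_96 are MACs despite the AES_ prefix."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    return "ENCR"  # AES_CBC_*, AES_GCM_*, CHACHA20_POLY1305, 3DES_CBC, ...


def split_transforms(proposal):
    """'IKE:A/B/C/D' -> {'ENCR': [...], 'INTEG': [...], 'PRF': [...], 'DH': [...]}"""
    groups = {}
    for tok in proposal.split(":", 1)[-1].split("/"):
        groups.setdefault(transform_type(tok), []).append(tok)
    return groups


def find_match(configured, received):
    """One algorithm per transform type common to both sides, in our order of
    preference; None if any type has no overlap or the type sets differ
    (for example an AEAD proposal against a non-AEAD one)."""
    ours, theirs = split_transforms(configured), split_transforms(received)
    if ours.keys() != theirs.keys():
        return None
    chosen = {}
    for ttype, algs in ours.items():
        common = [a for a in algs if a in theirs[ttype]]
        if not common:
            return None
        chosen[ttype] = common[0]
    return chosen


def gaps(configured, received):
    """Transform types with no overlap, with what each side offered."""
    ours, theirs = split_transforms(configured), split_transforms(received)
    out = {}
    for ttype in sorted(ours.keys() | theirs.keys()):
        mine, its = ours.get(ttype, []), theirs.get(ttype, [])
        if not set(mine) & set(its):
            out[ttype] = (mine, its)
    return out


def weak_transforms(proposal):
    return sorted(WEAK.intersection(proposal.split(":", 1)[-1].split("/")))


def analyse(log_text):
    configured, received = [], []
    for line in log_text.splitlines():
        if "configured proposals:" in line:
            configured += PROPOSAL_RE.findall(line)
        elif "received proposals:" in line:
            received += PROPOSAL_RE.findall(line)
    match = None
    for c in configured:
        for r in received:
            match = find_match(c, r)
            if match:
                break
        if match:
            break
    weak = {p: weak_transforms(p) for p in received if weak_transforms(p)}
    # On failure, explain each received proposal against our first configured one.
    why = {} if match or not configured else {r: gaps(configured[0], r) for r in received}
    return {"configured": configured, "received": received,
            "match": match, "weak_received": weak, "gaps": why}


if __name__ == "__main__":
    result = analyse(CONSTRUCTED_LOG)
    print("selected:", result["match"])
    for prop, g in result["gaps"].items():
        print(prop, "->", "; ".join(f"{t}: we {m} vs peer {i}" for t, (m, i) in g.items()))
    for prop, w in result["weak_received"].items():
        print("peer also offers weak transforms", w, "in", prop)
```

On the constructed log the output shows what the post found by hand: the cipher overlaps on every AES-256 proposal, but integrity (SHA2-384 vs SHA2-256), PRF and DH group (ECP_384 vs MODP_2048/ECP_256/MODP_1536) never do, so no proposal is selected. The weak-transform list is the reason to keep pfSense's configured proposal strict rather than loosening it until the manual client connects.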
                              rnatalli

                              @rnatalli:

                              Hi all,

                              I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!

                              Anyone?  I'm pulling my hair.  I thought IKEv2 was very mobile friendly with the inclusion of MOBIKE, etc., but I can't seem to keep the tunnel up when my iPhone switches networking modes.

                                netnewb

                                @jgiannakas:

                                Yes it's working, got it setup on my 10.3.2 iPhones / iPads and Sierra OSX with pfsense 2.3.4.

                                The creation of the certificates was a little different in that there is no option to put an IP address to them I believe but besides that it works well.

                                Thanks! Do you use static or dynamic IP?

                                  nicolai

                                  Can anyone confirm this is still working on iOS 11.0.3 and pfSense 2.2.6-RELEASE (amd64)? I've been trying for a while and I can't make it work.

                                  Thanks.

                                    Derelict (Netgate, LAYER 8)

                                    Seems to work OK on iOS 11.0.3. As for pfSense 2.2.6 you're on your own there. Upgrade.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      SpaceBass

                                      I can confirm this works and was a huge help in troubleshooting my use case.

                                      Where I'm stuck is getting user-based auth to work too.

                                      Here's what I've determined:

                                      • anything with +xauth doesn't work. OSX and iOS seem to only do user/pass as EAP (makes sense); +xauth doesn't use EAP.

                                      • EAP-MSCHAPv2 doesn't work - it seems to only authenticate against users defined in PF

                                      • EAP-Radius almost works for me. But apparently Apple's version of FreeRadius (2.2.9) does NOT return an MSK with the authentication payload, and IKE auth fails as a result.

                                      So I think I'm close to concluding that:
                                      MacOS Server backend (LDAP, Radius) + iOS clients + IKEv2 with user-based auth  != possible

                                        Derelict (Netgate, LAYER 8)

                                        What macOS server lacks is the RADIUS bits to do EAP.

                                        As far as I know you can't do EAP to LDAP.

                                        EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.

                                        It has been a while since I tried any of this.

                                          SpaceBass

                                          @Derelict:

                                          What macOS server lacks is the RADIUS bits to do EAP.

                                          As far as I know you can't do EAP to LDAP.

                                          EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.

                                          It has been a while since I tried any of this.

                                          Thanks Derelict,

                                          In my case this is macOS Server 10.12

                                          Makes sense that EAP can't do LDAP.

                                          Is there a way to do xauth against LDAP with Apple clients? It seems Apple clients only send user credentials as an EAP auth.

                                          Or if I stick with EAP - I’d love to hear if anyone knows how to (re)configure macOS server’s freeradius 2.2.x to support the MSK payload

                                            Derelict (Netgate, LAYER 8)

                                            The problem isn't really Apple clients, it is the macOS server backend.

                                            I am about ready to give up on it here.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.