Valid configuration for IKEv2 VPN for iOS and OSX



  • https://forum.pfsense.org/index.php?topic=127457.0

    After having tried many times unsuccessfully to get it to work with the native client, that guide plus using Apple Configurator 2 finally worked for me. It's actually really easy to use Configurator.
    So it's not necessary to use strongSwan. I think the key difference is using DH2 instead of DH20, and Configurator, which allows some more VPN options.



  • @netnewb:

    Can anyone confirm this is still working on iOS 10.3.2 and pfSense 2.3.4? I've been trying for a while and I can't make it work.

    Yes, it's working; got it set up on my 10.3.2 iPhones / iPads and Sierra OSX with pfSense 2.3.4.

    The creation of the certificates was a little different in that there is no option to put an IP address on them, I believe, but besides that it works well.



  • Quick question here: have set up the IKEv2 VPN per instructions here and it works great. Only thing I've noticed is that I can still connect to the VPN even if the user certificate I'm using isn't actually associated with the pfSense local user account. Is that intentional?



  • Hi all,

    I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!



  • Peoples,

    I was able to set up IPsec from macOS and iOS, but something weird happened: I have two pfSense boxes in two locations, connected to each other by IPsec (no problems there).

    For mobile clients, both boxes use AES 256 as the encryption algorithm. However, one box uses SHA384 and DH/PFS group 20, while the other box refuses to connect with that setting (tested on the same Mac that has both connections set up) and will accept SHA256 and DH/PFS group 19. Both are on 2.3.4-RELEASE-p1.

    SHA384 and PFS group 20 have always worked for box nº 1, but I just set up mobile clients on box nº 2 and the logs say that setting is not acceptable - macOS doesn't seem to be proposing SHA384 for the second box:

    "configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384"
    "received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"

    Does anyone have any clue why?

    Update: Never mind, box nº 1's mobile client was set up through a profile from Apple Configurator. Box nº 2 was set up manually in System Preferences.



  • @rnatalli:

    Hi all,

    I was able to connect to my pfSense box via IKEv2 using the instructions provided here (thank you), but have a small issue which I hope is solvable.  The issue is when my iPhone goes from WiFi to LTE or vice versa, the VPN disconnects.  Is there a way to keep the tunnel up automatically during the switching?  Any help would be appreciated.  Thanks!

    Anyone?  I'm pulling my hair out.  I thought IKEv2 was very mobile friendly with the inclusion of MOBIKE, etc., but I can't seem to keep the tunnel up when my iPhone switches networking modes.



  • @jgiannakas:

    @netnewb:

    Can anyone confirm this is still working on iOS 10.3.2 and pfSense 2.3.4? I've been trying for a while and I can't make it work.

    Yes, it's working; got it set up on my 10.3.2 iPhones / iPads and Sierra OSX with pfSense 2.3.4.

    The creation of the certificates was a little different in that there is no option to put an IP address on them, I believe, but besides that it works well.

    Thanks! Do you use static or dynamic IP?



    Can anyone confirm this is still working on iOS 11.0.3 and pfSense 2.2.6-RELEASE (amd64)? I've been trying for a while and I can't make it work.

    Thanks.


  • LAYER 8 Netgate

    Seems to work OK on iOS 11.0.3. As for pfSense 2.2.6 you're on your own there. Upgrade.



  • I can confirm this works and was a huge help in troubleshooting my use case.

    Where I'm stuck is getting user-based auth to work too.

    Here's what I've determined:

    • anything with +xauth doesn't work. OSX and iOS seem to only do user/pass as EAP (makes sense); +xauth doesn't use EAP

    • EAP-MSCHAPv2 doesn't work - it seems to only authenticate against users defined in pfSense

    • EAP-RADIUS almost works for me. But apparently Apple's version of FreeRADIUS (2.2.9) does NOT return an MSK with the authentication payload, and IKE auth fails as a result.

    So I think I'm close to concluding that:
    macOS Server backend (LDAP, RADIUS) + iOS clients + IKEv2 with user-based auth != possible


  • LAYER 8 Netgate

    What macOS server lacks is the RADIUS bits to do EAP.

    As far as I know you can't do EAP to LDAP.

    EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.

    It has been a while since I tried any of this.



  • @Derelict:

    What macOS server lacks is the RADIUS bits to do EAP.

    As far as I know you can't do EAP to LDAP.

    EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.

    It has been a while since I tried any of this.

    Thanks Derelict,

    In my case this is macOS Server 10.12.

    Makes sense that EAP can't do LDAP.

    Is there a way to do xauth against LDAP with Apple clients? It seems Apple clients only send user credentials as an EAP auth.

    Or, if I stick with EAP, I'd love to hear if anyone knows how to (re)configure macOS Server's FreeRADIUS 2.2.x to support the MSK payload.


  • LAYER 8 Netgate

    The problem isn't really Apple clients, it is the macOS server backend.

    I am about ready to give up on it here.



  • Hey,

    I want to reply to this old topic because I have some problems connecting.

    When I try to connect, a message appears saying that there is an authorization error.

    Is there any way to debug the connection establishment?

    Have to add:

    I am trying this with OSX 10.14.1
    and the latest stable pfSense build.



    Here is something from my log... On Mac OSX there is no log for IKEv2 connections available.

    Please, someone help me...

    Dec 23 18:28:39 charon 12[CFG] vici client 34 disconnected
    Dec 23 18:28:39 charon 12[CFG] vici client 34 requests: list-sas
    Dec 23 18:28:39 charon 13[CFG] vici client 34 registered for: list-sa
    Dec 23 18:28:39 charon 13[CFG] vici client 34 connected
    Dec 23 18:28:35 charon 13[CFG] vici client 33 disconnected
    Dec 23 18:28:35 charon 13[CFG] vici client 33 requests: list-sas
    Dec 23 18:28:35 charon 12[CFG] vici client 33 registered for: list-sa
    Dec 23 18:28:35 charon 14[CFG] vici client 33 connected
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> IKE_SA bypasslan[6] state change: CONNECTING => DESTROYING
    Dec 23 18:28:15 charon 12[NET] <bypasslan|6> sending packet: from xxx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[2324] (80 bytes)
    Dec 23 18:28:15 charon 12[ENC] <bypasslan|6> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> peer supports MOBIKE
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing (25) attribute
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_DNS attribute
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_DHCP attribute
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_ADDRESS attribute
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_NETMASK attribute
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_DNS attribute
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_DHCP attribute
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_ADDRESS attribute
    Dec 23 18:28:15 charon 12[CFG] <bypasslan|6> no alternative config found
    Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> peer requested EAP, config unacceptable
    Dec 23 18:28:15 charon 12[CFG] <bypasslan|6> selected peer config 'bypasslan'
    Dec 23 18:28:15 charon 12[CFG] <6> ignore candidate 'con-mobile' without matching IKE proposal
    Dec 23 18:28:15 charon 12[CFG] <6> candidate "con-mobile", match: 20/1/1052 (me/other/ike)
    Dec 23 18:28:15 charon 12[CFG] <6> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 23 18:28:15 charon 12[CFG] <6> looking for peer configs matching xx.xxx.xxx.xx[xxxx.dyndns.org]...xx.xxx.xxx.xx[tobi]
    Dec 23 18:28:15 charon 12[IKE] <6> received cert request for "CN=xxxxxxx.dyndns.org, C=DE, ST=xxxx, L=xxxx, O=Private"
    Dec 23 18:28:15 charon 12[ENC] <6> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Dec 23 18:28:15 charon 12[ENC] <6> unknown attribute type (25)
    Dec 23 18:28:15 charon 12[NET] <6> received packet: from xx.xxx.xxx.xx[2324] to xx.xxx.xxx.xx[4500] (384 bytes)
    Dec 23 18:28:15 charon 12[NET] <6> sending packet: from xx.xxx.xxx.xx[500] to xx.xxx.xxx.xx[500] (313 bytes)
    Dec 23 18:28:15 charon 12[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Dec 23 18:28:15 charon 12[IKE] <6> sending cert request for "CN=internalVPNCA, C=DE, ST=xxxxx, L=xxxxx, O=Private"
    Dec 23 18:28:15 charon 12[IKE] <6> remote host is behind NAT
    Dec 23 18:28:15 charon 12[CFG] <6> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
    Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
    Dec 23 18:28:15 charon 12[CFG] <6> proposal matches
    Dec 23 18:28:15 charon 12[CFG] <6> selecting proposal:
    Dec 23 18:28:15 charon 12[IKE] <6> no matching proposal found, trying alternative config
    Dec 23 18:28:15 charon 12[CFG] <6> candidate: xx.xxx.xxx.xx...%any, prio 1052
    Dec 23 18:28:15 charon 12[CFG] <6> candidate: %any...%any, prio 24
    Dec 23 18:28:15 charon 12[CFG] <6> looking for IKEv2 configs for xx.xxx.xxx.xx...xx.xxx.xxx.xx
    Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
    Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
    Dec 23 18:28:15 charon 12[CFG] <6> no acceptable ENCRYPTION_ALGORITHM found
    Dec 23 18:28:15 charon 12[CFG] <6> selecting proposal:
    Dec 23 18:28:15 charon 12[IKE] <6> IKE_SA (unnamed)[6] state change: CREATED => CONNECTING
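The failure in the log above and the mismatch in the earlier SHA384 / group 20 post are both decided by the same step: charon walks each configured proposal against each received one, transform type by transform type, and reports the first type with no common algorithm. In the log above the "con-mobile" config only offers IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 while the Mac proposed AES_CBC_256/HMAC_SHA2_256_128, so that candidate is dropped for "no acceptable ENCRYPTION_ALGORITHM found" and the connection falls through to "bypasslan", which has no EAP config. The script below is an added example (not pfSense or strongSwan code) that parses the quoted "configured proposals" / "received proposals" lines and replays that selection; the transform classification by name prefix is my assumption and covers only the algorithm families that appear in this thread.

```python
"""Trace an IKEv2 proposal mismatch from strongSwan charon log lines.

Added example for this thread; not pfSense or strongSwan code. It parses the
"configured proposals" / "received proposals" lines charon logs and replays
the selection so a "no acceptable ... found" can be pinned to the exact
transform type the two sides disagree on.
"""
import re

# charon checks transform types in this order and names the first one with
# no common algorithm in its "no acceptable <TYPE> found" message.
TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
         "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")

PROPOSAL_RE = re.compile(r"(configured|received) proposals: (.+)$")


def classify(token):
    """Map one transform name to its type by prefix (assumption: only the
    families seen in this thread's logs are covered)."""
    if token.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    return "ENCRYPTION_ALGORITHM"   # AES_CBC_*, AES_GCM_*, CAMELLIA_*, 3DES_CBC


def parse_proposals(line):
    """Return [(protocol, {type: set(names)}), ...] for one charon log line,
    or None if the line is not a proposal line."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    proposals = []
    for prop in m.group(2).split(", "):          # "IKE:a/b/c, IKE:d/e/f"
        proto, _, transforms = prop.partition(":")
        by_type = {t: set() for t in TYPES}
        for tok in transforms.split("/"):
            by_type[classify(tok)].add(tok)
        proposals.append((proto, by_type))
    return proposals


def select(configured, received):
    """Replay the selection: the first configured/received pair sharing an
    algorithm for every transform type wins. Returns (chosen, None), or
    (None, failing_type) with the first type that failed on the first pair."""
    first_failure = None
    for _, conf in configured:
        for _, recv in received:
            chosen, failed = {}, None
            for t in TYPES:
                common = conf[t] & recv[t]
                # AEAD proposals carry no integrity transform: empty on both
                # sides is fine, empty on one side only is a mismatch.
                if (conf[t] or recv[t]) and not common:
                    failed = t
                    break
                chosen[t] = common
            if failed is None:
                return chosen, None
            first_failure = first_failure or failed
    return None, first_failure


def explain(configured_line, received_line):
    """{'selected': {type: [names]}} on a match, else {'failed': type}."""
    chosen, failed = select(parse_proposals(configured_line),
                            parse_proposals(received_line))
    if chosen is None:
        return {"failed": failed}
    return {"selected": {t: sorted(v) for t, v in chosen.items()}}


# Log lines quoted from the posts in this thread.
MANUAL_MACOS = (   # box nº 2, client set up in System Preferences
    "configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384",
    "received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
)
GCM_ONLY = (       # the "con-mobile" candidate in the log above
    "Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384",
    "Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384",
)
MATCH = (          # the "bypasslan" candidate; first of its two proposals
    "Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/"
    "CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/"
    "HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/"
    "ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048",
    "Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384",
)

if __name__ == "__main__":
    for name, pair in (("manual macOS", MANUAL_MACOS), ("AES-GCM only", GCM_ONLY), ("bypasslan", MATCH)):
        print(f"{name}: {explain(*pair)}")
```

Run it as-is to see the three cases: the manually configured Mac fails on INTEGRITY_ALGORITHM (it never offers SHA2_384), the GCM-only mobile config fails on ENCRYPTION_ALGORITHM, and the permissive "bypasslan" config matches, which is why that config was selected in the log even though it cannot do EAP.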


  • LAYER 8 Netgate

    @imushroom said in Valid configuration for IKEv2 VPN for iOS and OSX:

    ignore candidate 'con-mobile' without matching IKE proposal

    You'd probably be better off posting a new thread. The forum tried to warn you. When you do, post your IKEv2 mobile configuration.



  • @imushroom Hey
    Create a new thread and I'll write there what to do
    Show the phase 1 and phase 2 IPsec pfSense settings there and install Apple Configurator 2 from the App Store
    or
    https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
    https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
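The difference the earlier posts describe between a client set up in System Preferences and one installed from an Apple Configurator 2 profile comes down to the IKE and child SA parameters that only the profile can set; the VPN pane sends the client's built-in proposal list, the profile sends exactly what it contains. As an added example (not the page's, pfSense's, Apple's or strongSwan's code), the script below builds such a profile with Python's plistlib. Server name, identifiers, certificate bytes, password and payload identifiers are placeholders, and the accepted-value tuples are a deliberately reduced subset of Apple's IKEv2 payload keys; whatever is chosen here must also be present in the pfSense phase 1 / phase 2 proposal.

```python
"""Generate an IKEv2 .mobileconfig with explicit IKE and child SA parameters.

Added example for this thread; not pfSense, Apple or strongSwan code. All
host names, identifiers, certificate bytes and passwords are placeholders.
"""
import plistlib
import uuid

# Reduced subset of the values Apple's IKEv2 payload accepts; DES/3DES, SHA1
# and DH groups 1/2/5 are left out on purpose. Every value used must also be
# in the pfSense phase 1 / phase 2 proposal or charon logs "no acceptable ...".
ENCRYPTION = ("AES-128", "AES-256", "AES-128-GCM", "AES-256-GCM")
INTEGRITY = ("SHA2-256", "SHA2-384", "SHA2-512")
DH_GROUPS = (14, 15, 16, 19, 20, 21)


def sa_params(encryption, integrity, dh_group, lifetime_minutes):
    """One IKESecurityAssociationParameters / ChildSecurityAssociationParameters
    dictionary. IntegrityAlgorithm is kept even for GCM ciphers, since the
    client still needs a hash for the PRF (assumption, from strongSwan's notes
    on Apple clients)."""
    if encryption not in ENCRYPTION:
        raise ValueError(f"unsupported EncryptionAlgorithm {encryption!r}")
    if integrity not in INTEGRITY:
        raise ValueError(f"unsupported IntegrityAlgorithm {integrity!r}")
    if dh_group not in DH_GROUPS:
        raise ValueError(f"unsupported DiffieHellmanGroup {dh_group!r}")
    return {
        "EncryptionAlgorithm": encryption,
        "IntegrityAlgorithm": integrity,
        "DiffieHellmanGroup": dh_group,
        "LifeTimeInMinutes": lifetime_minutes,
    }


def payload(ptype, display_name, org, **content):
    """Header keys every payload needs, plus its type-specific keys."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        **content,
    }


def ikev2_profile(server, server_cn, ca_cn, user_id, ca_der, client_p12,
                  p12_password, ike, child, org="example.org.vpn"):
    """Certificate-authenticated IKEv2 profile: CA root payload, client PKCS#12
    payload, and a VPN payload referencing the PKCS#12 by UUID."""
    ca = payload("com.apple.security.root", "VPN CA", org, PayloadContent=ca_der)
    client = payload("com.apple.security.pkcs12", "VPN client certificate", org,
                     PayloadContent=client_p12, Password=p12_password)
    vpn = payload("com.apple.vpn.managed", "IKEv2 VPN", org,
                  UserDefinedName="IKEv2 VPN",
                  VPNType="IKEv2",
                  IKEv2={
                      "RemoteAddress": server,
                      "RemoteIdentifier": server_cn,      # must match the server cert
                      "LocalIdentifier": user_id,
                      "AuthenticationMethod": "Certificate",
                      "PayloadCertificateUUID": client["PayloadUUID"],
                      "CertificateType": "RSA",
                      "ExtendedAuthEnabled": 0,           # 1 adds an EAP user/password prompt
                      "ServerCertificateIssuerCommonName": ca_cn,
                      "ServerCertificateCommonName": server_cn,
                      "DeadPeerDetectionRate": "Medium",
                      "DisableMOBIKE": 0,                 # 0 keeps MOBIKE enabled
                      "EnablePFS": 1,
                      "IKESecurityAssociationParameters": ike,
                      "ChildSecurityAssociationParameters": child,
                  })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "IKEv2 VPN",
        "PayloadContent": [ca, client, vpn],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist that Configurator / iOS / macOS install."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse a .mobileconfig back into a dict (for checking what was built)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Placeholder certificate bytes: replace with the real DER CA and PKCS#12.
    profile = ikev2_profile(
        server="vpn.example.org", server_cn="vpn.example.org", ca_cn="vpn-ca",
        user_id="user@example.org", ca_der=b"<CA certificate, DER>",
        client_p12=b"<client PKCS#12>", p12_password="changeit",
        ike=sa_params("AES-256", "SHA2-384", 20, 1440),
        child=sa_params("AES-256", "SHA2-384", 20, 1440),
    )
    with open("ikev2.mobileconfig", "wb") as f:
        f.write(to_mobileconfig(profile))
```

Install the resulting file through Apple Configurator 2 (or open it on the Mac); the client will then propose AES-256 / SHA2-384 / group 20 for both SAs instead of the SHA2-256 / group 19 / MODP_2048 list that a manually configured client sends, so the pfSense phase 1 and phase 2 entries can be set to exactly those values.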



  • Hey,

    @Konstanti thanks for your reply. I'll try to find time after the holidays to create a new topic.

    I already installed the Apple Configurator 2.




  • @imushroom Hope this helps you
    https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/

    All well-written
    Part three - how to use Apple Configurator