Netgate Discussion Forum
    OSX IKEv2 Mutual RSA

IPsec
5 Posts 2 Posters 1.6k Views
twx

When using OSX IKEv2 with RSA authentication and IPsec in pfSense is set to Mutual RSA, clients are unable to connect because of a missing setting in ipsec.conf:

leftsendcert = always

As soon as I add that setting in ipsec.conf, clients are able to connect.

I have found a bugfix from a few months ago [1], but as far as I can see this was only applied for EAP methods.

Is there a reason why this setting was not added for (Mutual) RSA authentication?

[1] https://redmine.pfsense.org/issues/5353

jimp (Rebel Alliance Developer, Netgate)
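The setting the post is describing, shown in strongSwan ipsec.conf syntax as an added example (this is not the poster's configuration and not the file pfSense generates; hostnames, certificate file names, the connection name and the address pool are placeholders). strongSwan's default for leftsendcert is ifasked, so the gateway only includes its certificate in IKE_AUTH when the client sends a CERTREQ; the post reports that the macOS client does not connect unless the gateway is told to send it unconditionally. The first conn is the failing shape, the second is the same conn with the fix:

```conf
# Failing shape: mutual certificate (pubkey) auth, leftsendcert left at its
# default of "ifasked". Placeholder names throughout.
conn mobile-rsa-broken
    keyexchange=ikev2
    left=%defaultroute
    leftid=vpn.example.com
    leftcert=vpn.example.com.crt
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    rightsourceip=10.99.0.0/24
    auto=add

# Corrected shape: identical, plus leftsendcert=always so the gateway
# certificate is sent whether or not the client asked for it.
conn mobile-rsa
    keyexchange=ikev2
    left=%defaultroute
    leftid=vpn.example.com
    leftcert=vpn.example.com.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    rightsourceip=10.99.0.0/24
    auto=add
```

pfSense regenerates ipsec.conf from the GUI configuration, so a hand edit like the one in the post is a way to confirm the diagnosis, not a persistent fix; the Redmine entries linked in the thread are where the generated output is changed.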

        Most likely because using mobile IKEv2 IPsec from OS X without EAP is very rare and not tested nor used much. Why Mutual RSA and not EAP-TLS?

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

twx

          Most likely because using mobile IKEv2 IPsec from OS X without EAP is very rare and not tested nor used much.

          Well, i can at least confirm that it does work when using the leftsendcert setting.

          Why Mutual RSA and not EAP-TLS?

I chose RSA authentication because I once read this [1] strongSwan page. It states: "While EAP-TLS is a secure and very flexible protocol, it is rather slow when used over IKE." Of course, I did not run any speed tests/benchmarks myself between both methods.

Besides EAP-TLS being more common and supported on clients, is there any advantage to using EAP-TLS instead of Mutual RSA?

I actually thought the RSA cert authentication was the default (less hassle) method to go with. :)

[1] https://wiki.strongswan.org/projects/1/wiki/EapTls

jimp (Rebel Alliance Developer, Netgate)

            Most people prefer security (though even more opt for EAP-RADIUS or EAP-MSCHAPv2 so they can have user auth)

            You can open a new redmine entry (target = 2.3.1) and we can look into adding that for the next version.

twx

              Most people prefer security

Which is what I prefer as well. I was not aware that Mutual RSA would be a less secure authentication method, compared to EAP-TLS. Guess I need to do some more research.

              You can open a new redmine entry (target = 2.3.1) and we can look into adding that for the next version.

              Great! I just did: https://redmine.pfsense.org/issues/6082

              Thanks in advance!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.