Netgate SG-1000 microFirewall

Author Topic: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client  (Read 33019 times)

0 Members and 1 Guest are viewing this topic.

Offline harbord

  • Newbie
  • *
  • Posts: 2
  • Karma: +4/-0
    • View Profile
I updated my Internet Router / Firewall to pfSense Release Candidate 2.2 during this weekend. My primary purpose for was to use my pfSense instance as a VPN termination point for an Apple iOS 8 IPsec IKEv2 VPN.

I have successfully been able to initiate a IPsec IKEv2 VPN using mutual authentication with X.509 Machine Certificates using RSA signatures. So far I have successfully performed limited traffic testing using ping commands. I intend to perform more extensive traffic testing in due course.

My environment is as follows:
- PC Engines APU with pfSense Release Candidate 2.2
- OS X Yosemite with OS X Server App 4.x and Profile Manager to push iOS Configuration Profiles to test iPad
- iPad with iOS 8.x to test the VPN initialisation
- Xcode to view the console log of my test iPad
- Cloud based syslog server for easier viewing of the pfSense IPsec syslog

StrongSwan Wiki - IKEv2 Configuration Profile for Apple iOS 8 and newer
- The StrongSwan wiki provided the critical information that “Distinguished Names are currently not handled correctly"
- Within my pfSense configuration for Mutual RSA authentication, I utilised:
     - Local Identifier = IP Address
     - Remote / Peer Identifier = User distinguished name i.e. email address

IKEv2 Security Association Parameters used
- Encryption Algorithm
     - AES-128, AES-256
- Integrity Algorithm
     -SHA2-256, SHA2-384, SHA2-512
- Diffie Hellman Group
     - 2 (Default) - 1024

Configurations Steps

1 - Within pfSense > System > Cert Manager
     - Create self-signed Certificate Authority
          - Common Name = Example.com CA
     - Create a Server Certificate
          - Common = vpn.example.com
          - Subject alternative name - DNS - vpn.example.com
          - Subject alternative name - IP -  xx.xx.xx.xx - i.e. VPN public IP Address
     - Create a User Certificate
          - Common name = users.example.com
          - Subject alternative name - email - users@example.com
     - Export certificates for later creation of iOS Configuration Profiles
          - Use pfsense diagnostic command line to:
               - Upload user cert and key files
               - Utilise openssl to create encrypted PKCS#12 certificate identity for use later within iOS configuration profiles
               - openssl pkcs12 -passout pass:'<my-p12-file-password>' -export -in /tmp/<user-certificate>.crt -inkey /tmp/<user-key>.key -out /tmp/user-cert.p12

2 - Within pfSense > VPN > IPsec > Mobile Clients
     - Enable IPsec Mobile Client Support
     - Virtual Address Pool - 172.16.16.0/24
     - DNS Default Domain - example.com
     - DNS Server - 192.168.1.1

3 - Phase 1 Configuration
     - Key Exchange Version = 2
     - Internet Protocol = IPv4
     - Interface = WAN
     - Authentication Method = Mutual RSA
     - My Identifier = My IP Address
     - Peer Identifier = User distinguished name - users@example.com
     - My Certificate = vpn.example.com
     - My Certificate Authority = Example.com CA
     - Phase 1 proposal
          - Encryption - AES 256bits
          - Hash = SHA256
          - DH Key Group - 2 (1024 bit)

4 - Phase 2 Configuration
     - Protocol = ESP
     - Encryption = AES auto
     - Hash = SHA256, SHA384, SHA512

5 - Within pfSense > VPN > IPsec  > Advanced Settings
     - Enable diag logging as required

6 - Within pfSense > Status > System Logs > Settings
     - Enable syslog server as required

7 - Within OS X Server App - Profile Manager
     - Create Certificate payload
          - Example.com CA certificate
          - vpn.example.com certificate
          - users@example.com certificate identity
     - VPN Payload
          - Hostname - vpn.example.com
          - Local Identifier = users@example.com
          - Remote Identifier = xx.xx.xx.xx - i.e. VPN public IP Address
          - Credential =  users@example.com certificate identity
          - Server Certificate Issuer Common Name - Example.com CA
          - Server Certificate Common Name - vpn.example.com
          - IKE SA Params - As above IKEv2 Security Association Parameters
          - Child SA Params - As above IKEv2 Security Association Parameters
     - Push Configuration Profile to test iOS device

8 - Initiate VPN on test iOS device and debug as required.
         








Offline catfish99

  • Jr. Member
  • **
  • Posts: 28
  • Karma: +1/-0
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #1 on: January 16, 2015, 07:30:03 pm »
I've tried setting up IKEv2 the way described, and it doesn't seem to work.

Any possibility you could include screenshots from the  iOS configurator side of things and PfSense setup. That way I could check my setup. Alternatively I could share my setup and ask for feedback.

Please advise.

thanks in advance.

Offline dstroot

  • Jr. Member
  • **
  • Posts: 80
  • Karma: +3/-0
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #2 on: January 17, 2015, 08:06:45 pm »
I have been trying for a while now to connect my families iOS devices (iOS 8.1.2) to pfsense 2.2.

My goals are:
1) ideally no additional software needed - sorry all you fans, OpenVPN is just clunky.  I want to just flip "VPN" on in general settings...
2) as securely as possible send ALL traffic into my pfsense box and either:
     a) back out to the Internet.
     b) or, interact with internal LAN resources
3) relatively simple setup.  Certs, OX server/profile manager seems to be overkill for my needs.  An account with a really long pswd is OK with me.

Does *anyone* have something like this working?  I'd be happy to document it for everyone else.  I think I am basically looking for the above without the profile/cert if that is possible.

Offline catfish99

  • Jr. Member
  • **
  • Posts: 28
  • Karma: +1/-0
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #3 on: January 17, 2015, 08:44:48 pm »
dstroot -

You might want to take a look at André Gasser's Blog. He has an posting on -  How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux - It's quite helpful to setup IPSEC using IKEv1

https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

Offline catfish99

  • Jr. Member
  • **
  • Posts: 28
  • Karma: +1/-0
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #4 on: January 17, 2015, 09:30:48 pm »
Further to my earlier message, let me share the settings I am using.

I ask that folks on here to review and let me know what to adjust (if anything) to get it to work..


Thanks in advance.

PFSENSE - IPsec IKEv2 Configuration

Code: [Select]
VPN: IPsec: Edit Phase 1: Mobile Client

Tunnels
---------

General information
Disabled [not selected]
Key Exchange version [v2]

Internet Protocol [IPv4]
Interface [WAN]

Description [IPSec Phase 1]

Phase 1 proposal (Authentication)
----------------------------------
Authentication method [Mutual RSA]

My Identifier [My IP address]

Peer identifier [User distinguished name] - vpn@privaterra.info

My Certificate [IPSec Server Cert] (Server Certificate created in the Certificate Manager)

My Certificate  Authority [PrivaterraCA] ( certificate authority previously configured in the Certificate Manager)

Phase 1 proposal (Algorithms)
----------------------------------

Encryption algorithm [AES] [256 bits]
Hash algorithm [SHA256]
DH key group [2 (1024 bit)]

Lifetime [1440]

Advanced Options
----------------------------------

Disable Rekey [not selected]
Disable Reauth [not selected]

NAT Traversal [Force]

Dead Peer Detection [Enabled]
Delay between requesting peer acknowledgement.  [10] seconds
Number of consecutive failures allowed before disconnect. [5] retries



Phase-2 entries


Disabled [not selected]
Mode [Tunnel IPv4]

Local Network
 - Type [LAN Subnet]
 -  In case you need NAT/BINAT on this network specify the address to be translated
     - Type [None]
     
Phase 2 proposal (SA/Key Exchange)
----------------------------------

Protocol [ESP]

Encryption algorithms [AES] [AUTO]

Hash algorithms
- MD5 [not selected]
- SHA1 [not selected]
- SHA256 [selected]
- SHA384 [selected]
- SHA512 [selected]

PFS key group [2 (1024 bit)]

Lifetime [1440] seconds

MOBILE CLIENTS

IKE Extensions
 - Enable IPsec Mobile Client Support [Selected]
 
Extended Authentication (Xauth)

- User Authentication [local database]
- Group  Authentication [system]

Client Configuration (mode-cfg)

Virtual Address Pool
- Provide a virtual IP address to clients [enabled]
- Network: 192.168.78.0/24
- Network List [not selected]
- Save Xauth Password [selected]
- DNS Default Domain [selected] - vpn.pvt
- Split DNS [not selected]
- DNS Servers [selected]
  Server #1 - 75.75.75.75
  Server #2 - 75.75.76.76



Apple Configurator - VPN Configuration

Code: [Select]

Connection Name [IPsec IKEv2]
Connection type [IKEv2 (iOS only)]

Server [vpn.xxx.xxx]
Local identifier [vpn@privaterra.info]
Remote identifier [vpn.xxx.xxx]

Machine Authentication [Certificate]
Identify Certificate [user x509 certificate]

Server certificate Issuer Common Name [blank]
Server certificate Common Name [blank]

Enable EAP [not selected]

Dead Pear Selection Rate [Medium]

IKE SA Params
-----------------

Encryption Algorithm [AES - 256]
Integrity Algorithm [SHA2 - 256]

Diffie Hellman Group [2]

Lifetime in Minutes [1440]

Proxy Setup [none]

Child SA Params
-----------------

Encryption Algorithm [AES - 256]
Integrity Algorithm [SHA2 - 256]

Diffie Hellman Group [2]

Lifetime in Minutes [1440]

Proxy Setup [none]



Apple Configurator - VPN Configuration - Certificates

Included 3 certificates in payload:

1. IPSEC server (Certificate, .crt)
2. Certificate Authority (used to create #1, .crt)
3. User certificate (.p12) 
« Last Edit: January 18, 2015, 11:28:05 am by catfish99 »

Offline virgiliomi

  • Sr. Member
  • ****
  • Posts: 556
  • Karma: +74/-4
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #5 on: January 18, 2015, 08:44:18 am »
dstroot -

You might want to take a look at André Gasser's Blog. He has an posting on -  How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux - It's quite helpful to setup IPSEC using IKEv1

https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

I actually went through his settings as a base (they're for an earlier version so a couple don't match 2.2 exactly) and found something that might work... except for one minor issue...

Code: [Select]
Jan 18 09:31:36 charon: 06[IKE] <33> 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:31:36 charon: 06[IKE] 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:23:46 charon: 15[IKE] <32> Aggressive Mode PSK disabled for security reasons
Jan 18 09:23:46 charon: 15[IKE] Aggressive Mode PSK disabled for security reasons

That appears in my IPSec log when I try to connect. This is rather unfortunate, as like dstroot, I don't want to deal with certificates and the like, but it seems that PSK is disabled as an option.

BTW... here are the Phase 1 proposals that iOS will accept, at least for a non-certificate setup directly on the device:
- Encryption: AES-256, AES-128, 3DES, or DES
- Hash: SHA1 or MD5
- DH Key Group: 2 (1024 bit)

I would assume Phase 2 is similar, but since I can't get past phase 1 authentication, I don't know that for certain.

EDIT: Oh also... I'm using IKEv1, not V2. V2 does not appear to work with the on-device settings like it does with the Apple Configurator.
« Last Edit: January 18, 2015, 08:58:22 am by virgiliomi »

Offline catfish99

  • Jr. Member
  • **
  • Posts: 28
  • Karma: +1/-0
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #6 on: January 18, 2015, 10:18:46 am »
Having issues connecting - seem to get no matching peer config found error.

Let me share below the following:

1. IPSEC server log entries that correspond to the configuration/setup I detailed in an earlier post.
2. /var/etc/ipsec/ipsec.conf

IPSEC server log
Quote
Last 300 IPsec log entries
Jan 18 11:07:52   charon: 12[NET] sending packet: from server.IP-address.com[4500] to ios-device.IP-address.com[10082] (80 bytes)
Jan 18 11:07:52   charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 18 11:07:52   charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52   charon: 12[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52   charon: 12[CFG] no matching peer config found
Jan 18 11:07:52   charon: 12[CFG] looking for peer configs matching server.IP-address.com[server.domain-name.com]...ios-device.IP-address.com[vpn@privaterra.org]
Jan 18 11:07:52   charon: 12[IKE] received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52   charon: 12[IKE] <3> received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52   charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jan 18 11:07:52   charon: 12[NET] received packet: from ios-device.IP-address.com[10082] to server.IP-address.com[4500] (2576 bytes)
Jan 18 11:07:51   charon: 12[NET] sending packet: from server.IP-address.com[500] to ios-device.IP-address.com[10094] (337 bytes)
Jan 18 11:07:51   charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 18 11:07:51   charon: 12[IKE] sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51   charon: 12[IKE] <3> sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51   charon: 12[IKE] remote host is behind NAT
Jan 18 11:07:51   charon: 12[IKE] <3> remote host is behind NAT
Jan 18 11:07:51   charon: 12[IKE] ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51   charon: 12[IKE] <3> ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51   charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 18 11:07:51   charon: 12[NET] received packet: from ios-device.IP-address.com[10094] to server.IP-address.com[500] (288 bytes)

/var/etc/ipsec/ipsec.conf
Quote
# This file is automatically generated. Do not edit
config setup
   uniqueids = yes
   charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,cfg 2,knl 2,net 2,asn 2,enc 2,imc 2,imv 2,pts 2,tls 2,esp 2,lib 2"

conn con1
   fragmentation = yes
   keyexchange = ikev2
   reauth = yes
   forceencaps = yes
   rekey = yes
   installpolicy = yes
   type = tunnel
   dpdaction = clear
   dpddelay = 10s
   dpdtimeout = 60s
   auto = add
   left = server-ip-address
   right = %any
   leftid = server-ip-address
   ikelifetime = 86400s
   lifetime = 1440s
   rightsourceip = 192.168.78.0/24
   ike = aes256-sha256-modp1024!
   esp = aes256-sha256-modp1024,aes256-sha384-modp1024,aes256-sha512-modp1024,aes192-sha256-modp1024,aes192-sha384-modp1024,aes192-sha512-modp1024,aes128-sha256-modp1024,aes128-sha384-modp1024,aes128-sha512-modp1024!
   leftauth = pubkey
   rightauth = pubkey
   leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
   rightsubnet = 192.168.78.0/24
   leftsubnet = 192.168.3.0/24
« Last Edit: January 18, 2015, 10:22:59 am by catfish99 »

Offline ermal

  • Hero Member
  • *****
  • Posts: 3832
  • Karma: +85/-5
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #7 on: January 18, 2015, 10:53:18 am »


I actually went through his settings as a base (they're for an earlier version so a couple don't match 2.2 exactly) and found something that might work... except for one minor issue...

Code: [Select]
Jan 18 09:31:36 charon: 06[IKE] <33> 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:31:36 charon: 06[IKE] 70.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Jan 18 09:23:46 charon: 15[IKE] <32> Aggressive Mode PSK disabled for security reasons
Jan 18 09:23:46 charon: 15[IKE] Aggressive Mode PSK disabled for security reasons


You have an advanced setting to allow that since Agreesive mode + PSK is a security risk in general which can be exploited.

Offline ermal

  • Hero Member
  • *****
  • Posts: 3832
  • Karma: +85/-5
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #8 on: January 18, 2015, 10:54:11 am »
Having issues connecting - seem to get no matching peer config found error.

Let me share below the following:

1. IPSEC server log entries that correspond to the configuration/setup I detailed in an earlier post.
2. /var/etc/ipsec/ipsec.conf

IPSEC server log
Quote
Last 300 IPsec log entries
Jan 18 11:07:52   charon: 12[NET] sending packet: from server.IP-address.com[4500] to ios-device.IP-address.com[10082] (80 bytes)
Jan 18 11:07:52   charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 18 11:07:52   charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52   charon: 12[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 18 11:07:52   charon: 12[CFG] no matching peer config found
Jan 18 11:07:52   charon: 12[CFG] looking for peer configs matching server.IP-address.com[server.domain-name.com]...ios-device.IP-address.com[vpn@privaterra.org]
Jan 18 11:07:52   charon: 12[IKE] received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52   charon: 12[IKE] <3> received end entity cert "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=rguerra@privaterra.org, CN=rguerraPVT"
Jan 18 11:07:52   charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jan 18 11:07:52   charon: 12[NET] received packet: from ios-device.IP-address.com[10082] to server.IP-address.com[4500] (2576 bytes)
Jan 18 11:07:51   charon: 12[NET] sending packet: from server.IP-address.com[500] to ios-device.IP-address.com[10094] (337 bytes)
Jan 18 11:07:51   charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 18 11:07:51   charon: 12[IKE] sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51   charon: 12[IKE] <3> sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Privaterra, E=admin@privaterra.ca, CN=internal-ca"
Jan 18 11:07:51   charon: 12[IKE] remote host is behind NAT
Jan 18 11:07:51   charon: 12[IKE] <3> remote host is behind NAT
Jan 18 11:07:51   charon: 12[IKE] ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51   charon: 12[IKE] <3> ios-device.IP-address.com is initiating an IKE_SA
Jan 18 11:07:51   charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 18 11:07:51   charon: 12[NET] received packet: from ios-device.IP-address.com[10094] to server.IP-address.com[500] (288 bytes)

/var/etc/ipsec/ipsec.conf
Quote
# This file is automatically generated. Do not edit
config setup
   uniqueids = yes
   charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,cfg 2,knl 2,net 2,asn 2,enc 2,imc 2,imv 2,pts 2,tls 2,esp 2,lib 2"

conn con1
   fragmentation = yes
   keyexchange = ikev2
   reauth = yes
   forceencaps = yes
   rekey = yes
   installpolicy = yes
   type = tunnel
   dpdaction = clear
   dpddelay = 10s
   dpdtimeout = 60s
   auto = add
   left = server-ip-address
   right = %any
   leftid = server-ip-address
   ikelifetime = 86400s
   lifetime = 1440s
   rightsourceip = 192.168.78.0/24
   ike = aes256-sha256-modp1024!
   esp = aes256-sha256-modp1024,aes256-sha384-modp1024,aes256-sha512-modp1024,aes192-sha256-modp1024,aes192-sha384-modp1024,aes192-sha512-modp1024,aes128-sha256-modp1024,aes128-sha384-modp1024,aes128-sha512-modp1024!
   leftauth = pubkey
   rightauth = pubkey
   leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
   rightsubnet = 192.168.78.0/24
   leftsubnet = 192.168.3.0/24

From what i can tell this comes from the fact that both sides are pubkey authentication and something is not matching the RSA/Cert keys correctly.

Offline virgiliomi

  • Sr. Member
  • ****
  • Posts: 556
  • Karma: +74/-4
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #9 on: January 18, 2015, 12:04:35 pm »
You have an advanced setting to allow that since Agreesive mode + PSK is a security risk in general which can be exploited.

I don't see an advanced IPSec setting that is related to Aggressive Mode and PSK.  But I looked in the main system log and saw...

Code: [Select]
Jan 18 09:22:07 php-fpm[8492]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
That would tell me that a setting is being set automatically based on my configuration choices, even though it doesn't appear to have done anything since the connection is still not permitted.

EDIT: Never mind... after stopping and restarting the IPSec service, I'm able to connect. So IKEv1 PSK is no problem with iOS 8.1.2. Sorry about the slight hijack away from the IKEv2/certificate setup. :)
« Last Edit: January 18, 2015, 01:52:56 pm by virgiliomi »

Offline miken32

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +3/-0
    • View Profile
    • Website
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #10 on: January 19, 2015, 12:12:45 pm »
You have an advanced setting to allow that since Agreesive mode + PSK is a security risk in general which can be exploited.

I don't see an advanced IPSec setting that is related to Aggressive Mode and PSK.  But I looked in the main system log and saw...

Code: [Select]
Jan 18 09:22:07 php-fpm[8492]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
That would tell me that a setting is being set automatically based on my configuration choices, even though it doesn't appear to have done anything since the connection is still not permitted.

EDIT: Never mind... after stopping and restarting the IPSec service, I'm able to connect. So IKEv1 PSK is no problem with iOS 8.1.2. Sorry about the slight hijack away from the IKEv2/certificate setup. :)

Can you confirm that you're able to reach hosts on your LAN subnet from your iOS 8.1.2 device, and also that your internet traffic is routing through the remote pfSense?

If so, can you post a detailed list of your configs? I cannot get this working on 2.2; the connection works great but internet does not route through the VPN, and the only thing on the LAN I can reach is the pfSense itself. Thanks!

Offline virgiliomi

  • Sr. Member
  • ****
  • Posts: 556
  • Karma: +74/-4
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #11 on: January 19, 2015, 01:38:25 pm »
Can you confirm that you're able to reach hosts on your LAN subnet from your iOS 8.1.2 device, and also that your internet traffic is routing through the remote pfSense?

If so, can you post a detailed list of your configs? I cannot get this working on 2.2; the connection works great but internet does not route through the VPN, and the only thing on the LAN I can reach is the pfSense itself. Thanks!
I can confirm that I can reach hosts on my LAN from my iOS device. Name resolution doesn't appear to be going over the VPN connection by default; I have an app that can specify a custom DNS server and it works there just fine specifying my pfSense box. Internet traffic does not seem to be going over the VPN either.

I noticed an option on my iPhone that appears with L2TP and PPTP, but not with IPSec, that allows "Send all traffic" over the VPN connection. On the other side, it could be something related to the default domain and/or split DNS settings on pfSense. I don't have time right now to experiment, unfortunately. Maybe later tonight.



Offline virgiliomi

  • Sr. Member
  • ****
  • Posts: 556
  • Karma: +74/-4
    • View Profile
Re: IPsec IKEv2 Configuration and VPN initiation from a Apple iOS 8.x client
« Reply #12 on: January 20, 2015, 11:03:54 am »
I've decided to give up on IPSec IKEv1 with just the settings on my phone, and instead focus on L2TP/IPSec instead, which is also done from just the phone. At least there's an option there to send all traffic over the connection. There's already a separate thread about that.