After many days of searching on Google, through Serverfault, and even on the StrongSwan website, I have been unsuccessful in attempting to get StrongSwan IPSec/IKEv2 VPN working on OS X 10.11.5 and iOS 10. I have been very successful in getting it to work on Windows 10 Pro Insider Preview and Android - neither of which are relevant to my travel arrangements, where I will only have a Mac notebook and iOS 10 devices.
I have two StrongSwan VPN servers set up - one in London and one in San Francisco, both with nearly identical configurations.
Having followed https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html I was able to quickly set up both servers and issue a single client certificate for Windows 10 Pro Insider Preview and Android. However, when I copy the p12s of the two servers over to OS X and iOS to create the VPNs, I am presented with questions I didn't get with the other two operating systems.
I can't seem to find a definitive answer on what a "Remote ID" and "Local ID" are, and how they pertain to me establishing a certificate-based authenticated connection to the StrongSwan VPN Server.
From what little I have been able to find I have learned the following:
- Local ID must match the CN or SAN specified in the certificate (i.e. [email protected])
- Remote ID is required by both OS X and iOS, but I have no idea what to put in this input field
- Unlike Windows and Android, which connected seamlessly with encryption, OS X and iOS both get stuck at "Connecting" or will quickly cycle to "Disconnecting" perpetually
This is one of the StrongSwan server configurations (the one I have been testing against):

```
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-s$
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128$
    dpdaction=clear
    dpddelay=300s
    authby=pubkey
    left=%any
    leftid=subdomain5.subdomain4.subdomain3.subdomain2.subdomain.domain.net
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    leftsendcert=always
    right=%any
    rightsourceip=172.11.22.0/24,2002:25f7:7489:3::/112
    rightdns=8.8.8.8,2001:4860:4860::8888

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
```
How can I correctly provision the VPN Tunnel on OS X 10.11.5 and iOS 10 with the same certificates used by Windows and Android?
As it turns out, I needed to use the Apple Configurator to create the VPN Profile so I could set the cryptography to use DH Group 2 and 3DES. I also had to change the Remote ID to the FQDN of the VPN Server as it is listed in the certificate's Common Name. OS X ignored the Subject Alternative Name (SAN).
However, while I can now establish the connection to the VPN, I cannot traverse traffic over it.
As that question is unrelated to this, I have posted another question at: https://apple.stackexchange.com/questions/253340/sending-all-traffic-over-vpn-tunnel-ikev2-in-os-x-10-11-5
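Added example, not from the question, the answer or the strongSwan project: a Python script that builds the kind of IKEv2 .mobileconfig Apple Configurator produces, setting Remote ID to the server's leftid (the certificate Common Name) and Local ID to the client certificate's identity, and flags the DH Group 2 / 3DES combination next to an AES-128 / SHA1-96 / DH group 14 proposal that the server's ike= line above (aes128-sha1-modp2048) already accepts. Payload keys follow Apple's Configuration Profile Reference; the client identity, UUIDs and payload identifiers are placeholders.

```python
import plistlib
import uuid

# From the post: the server's leftid (a placeholder FQDN) and an ike= line that
# offers aes128-sha1-modp2048 as well as the weaker modp1024 proposal.
SERVER_FQDN = "subdomain5.subdomain4.subdomain3.subdomain2.subdomain.domain.net"
CLIENT_ID = "client@example.invalid"               # hypothetical client-cert SAN
CERT_UUID = "00000000-0000-4000-8000-000000000000"  # placeholder PKCS#12 payload UUID
WEAK_DH_GROUPS = {1, 2, 5}                          # modp768 / modp1024 / modp1536
WEAK_CIPHERS = {"DES", "3DES"}

def sa_params(enc, integ, dh):
    """One IKE or Child SA proposal in the form Apple's IKEv2 payload expects."""
    return {"EncryptionAlgorithm": enc, "IntegrityAlgorithm": integ, "DiffieHellmanGroup": dh}

def ikev2_profile(remote_id, local_id, enc, integ, dh):
    """Build a .mobileconfig dict for a certificate-authenticated IKEv2 VPN."""
    ike = {
        "RemoteAddress": remote_id,            # host the client dials
        "RemoteIdentifier": remote_id,         # must equal the server's leftid
        "LocalIdentifier": local_id,           # must be an identity in the client cert
        "AuthenticationMethod": "Certificate",
        "PayloadCertificateUUID": CERT_UUID,   # the PKCS#12 payload, installed separately
        "ServerCertificateCommonName": remote_id,
        "ExtendedAuthEnabled": False,          # pure certificate auth, no EAP
        "IKESecurityAssociationParameters": sa_params(enc, integ, dh),
        "ChildSecurityAssociationParameters": sa_params(enc, integ, dh),
    }
    vpn = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
           "PayloadIdentifier": "com.example.vpn.ikev2",  # placeholder
           "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": "IKEv2 VPN",
           "UserDefinedName": "IKEv2 VPN", "VPNType": "IKEv2", "IKEv2": ike}
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.profile.vpn",  # placeholder
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": "StrongSwan IKEv2", "PayloadContent": [vpn]}

def weak_settings(profile):
    """Name the weak choices in the profile's IKE SA proposal, if any."""
    p = profile["PayloadContent"][0]["IKEv2"]["IKESecurityAssociationParameters"]
    findings = []
    if p["EncryptionAlgorithm"] in WEAK_CIPHERS:
        findings.append("cipher:" + p["EncryptionAlgorithm"])
    if p["DiffieHellmanGroup"] in WEAK_DH_GROUPS:
        findings.append("dh:%d" % p["DiffieHellmanGroup"])
    return findings

def to_mobileconfig(profile):
    """Serialise to the XML plist that Apple Configurator would export."""
    return plistlib.dumps(profile)
```

Running `weak_settings` on a profile built with `"3DES", "SHA1-96", 2` reports both weak choices, while `"AES-128", "SHA1-96", 14` reports none and still matches a proposal the server config above offers.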