After many days of searching on Google, through Serverfault, and even on the StrongSwan website, I have been unsuccessful in attempting to get StrongSwan IPSec/IKEv2 VPN working on OS X 10.11.5 and iOS 10. I have been very successful in getting it to work on Windows 10 Pro Insider Preview and Android - neither of which are relevant to my travel arrangements where I will only have a Mac notebook and iOS 10 devices.
I have two StrongSwan VPN Servers setup - one in London and one in San Francisco, both with nearly identical configurations.
Having followed https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html I was able to quickly setup both servers and issue a single client certificate for Windows 10 Pro Insider Preview and Android. However, when I copy the p12s of the two servers over to OS X and iOS to create the VPNs I am presented with questions I didn't get what the other two operating systems.
I can seem to find a definitive answer on what is a "Remote ID
" and "Local ID
" and how does this pertain to me establishing a certificate based authenticated connection to the SwanStrong VPN Server?
From what little I have been able to find I have learned the following:
Local ID
must match theCN
orSAN
specified in the certificate (i.e.[email protected]
)Remote ID
is required by both OS X and iOS but I have no idea what to put in this input field- Unlike Windows and Android which connected seamlessly with encryption, OS X and iOS both get stuck at "Connecting" or will quickly cycle to "Disconnecting" perpetually
This is one of the StrongSwan server configurations (the one I have been testing against):
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-s$
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128$
dpdaction=clear
dpddelay=300s
authby=pubkey
left=%any
leftid=subdomain5.subdomain4.subdomain3.subdomain2.subdomain.domain.net
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.der
leftsendcert=always
right=%any
rightsourceip=172.11.22.0/24,2002:25f7:7489:3::/112
rightdns=8.8.8.8,2001:4860:4860::8888
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
How can I correctly provision the VPN Tunnel on OS X 10.11.5 and iOS 10 with the same certificates used by Windows and Android?