DIY Cisco IPSec compatible server for use with iPhones etc.
I am currently returning to a topic I previously started investigating some time ago, now that I have the time and resources to do so. First, some background.
iOS devices (and Macs) have built-in support for three different types of VPN client, PPTP, L2TP and Cisco IPSec. I am aware other types can be installed e.g. OpenVPN or one of various SSL VPN solutions, but I am only interested in using a built-in VPN client. It is possible with some types of VPN client to also utilise a function called 'VPN on Demand' whereby you can configure the client device to automatically connect to the VPN server based on need e.g. when it needs to access a server on your private LAN. This function is limited to either Cisco IPSec or SSL VPN clients. As I want to both use a built-in client and use VPN on Demand it should be obvious there is only one suitable choice which meets my criteria which is Cisco IPSec.
The next issue is what VPN server to use. Apple's own VPN server in Server.app is limited to only PPTP or L2TP, so it is not suitable. This is actually surprising since Apple do (mostly) use the open-source Racoon software which does support Cisco IPSec. However Apple have heavily modified their version of Racoon and I have already tried a manual configuration using normal Racoon commands and it definitely does not work for Cisco IPSec. I happen to have a SonicWALL box and while it can do a Cisco IPSec tunnel for site to site links, it does not work for client VPN connections via Cisco IPSec. I don't want to pay the considerable sum for a genuine Cisco appliance. I am therefore at the moment looking at running a Linux virtual machine and genuine unadulterated Racoon software. 🙂
I have already successfully got Racoon working for Cisco IPSec with a pre-shared-key and even used LDAP to authenticate against Open Directory, however in order to do VPN on Demand you cannot use pre-shared-keys but must instead use client certificates. I then was able to get Racoon (and an iPhone) working with client certificates instead of a pre-shared-key using authentication_method xauth_rsa_server and still also authenticating the user against LDAP.
Note: The client certificates authenticate the device i.e. the iPhone, the user is then authenticated against LDAP.
This might be enough to achieve my full goal of Cisco IPSec and VPN on Demand. However the documentation I have seen is not clear whether for VPN on Demand you should only use device authentication and skip user authentication - something that is in theory possible. Could someone therefore clarify for me whether VPN on Demand has to be only client certificates (and no user authentication), or whether it can be both?
If it has to be only client certificates with no user authentication then I am not quite there yet. I have tried using authentication_method rsasig instead which is supposed to be a certificate only authentication method but then it fails to negotiate a phase 1 part of the connection and therefore is not working.
Any suggestions from Racoon experts out there?
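As an added example (not from the original post), an outline of a racoon.conf for the working setup described above: device authentication with an X.509 client certificate (authentication_method xauth_rsa_server) followed by XAuth user authentication against LDAP via mode_cfg. Certificate paths, the LDAP host and base DN, the address pool and the split-tunnel network are assumed placeholders, and auth_source ldap needs an ipsec-tools build with LDAP support.

```conf
# Added example, not from the original post; paths and addresses are placeholders.
path certificate "/etc/racoon/certs";

remote anonymous {
        exchange_mode main,aggressive;
        # Server certificate/key, and the CA that must have issued the client (device) certificate
        certificate_type x509 "server.crt" "server.key";
        ca_type x509 "ca.crt";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        # Accept the client's phase 2 proposal and build policy from it
        generate_policy on;
        proposal_check obey;
        nat_traversal on;
        ike_frag on;
        dpd_delay 20;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                # Certificate authenticates the device, XAuth then authenticates the user
                authentication_method xauth_rsa_server;
                dh_group 2;
        }
}

# Phase 2 parameters for the addresses handed out by mode_cfg
sainfo anonymous {
        encryption_algorithm aes 256, aes, 3des;
        authentication_algorithm hmac_sha1;
        pfs_group 2;
}

# XAuth user lookup against LDAP (e.g. an Open Directory server; placeholder values)
mode_cfg {
        auth_source ldap;
        ldap_host "ldap.example.test";
        ldap_port 389;
        ldap_base "dc=example,dc=test";
        ldap_subtree on;
        ldap_attr_user "uid";
        # Client address pool and DNS pushed to the iPhone
        network4 10.99.0.1;
        netmask4 255.255.255.0;
        pool_size 50;
        dns4 10.0.0.1;
        # Only route the private LAN over the tunnel (hypothetical range)
        split_network include 10.0.0.0/8;
}
```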