
IKEv2 and iOS

While this is not about Apple's Server.app specifically I suspect the people best able to comment on it will be experienced server admins i.e. those who are following this forum.


I am trying to 'upgrade' my currently working StrongSwan5 IKEv1 configuration, as used with iOS devices and certificate-based authentication, to use IKEv2 as well/instead. I have got partly there, in that I have added an IKEv2 config to StrongSwan and I can see in the log the connection attempt by the iOS 9.2.1 client, and the client seems to be able to partially connect, but it seems that the client, i.e. the iPhone, is for some reason trying to use IKEv2 with EAP rather than, as I want, plain IKEv2 with no EAP. Here is a snippet from the log:


Mar 2 12:52:59 ubuntu charon: 02[CFG] selected peer config 'IPSec-IKEv2'
Mar 2 12:52:59 ubuntu charon: 02[IKE] peer requested EAP, config inacceptable
Mar 2 12:52:59 ubuntu charon: 02[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Mar 2 12:52:59 ubuntu charon: 02[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 2 12:52:59 ubuntu charon: 02[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding


At the moment I am just using a manually entered IKEv2 configuration on the iPhone, which is running iOS 9.2.1. I am not pushing the settings in a mobileconfig file. I know the certificates are correct and they do work in IKEv1 mode. In theory, with plain IKEv2 and certificates there should be no use of a username/password or a pre-shared key. While in a mobileconfig there is a flag to set no extended authentication for IKEv2, i.e. no EAP, there is no option for this in the GUI. I am wondering if this is the problem, even though the GUI is not showing any boxes for a username/password.


I have entered valid details for Remote ID and Local ID.


On the iPhone itself, when you ask it to connect it appears to immediately disconnect with no error shown on the iPhone screen, i.e. when you press the connect button to turn it green, it immediately unsets itself to not-green, which is the disconnected state.

Posted on Mar 2, 2016 9:34 AM


Mar 3, 2016 9:09 AM in response to John Lockwood

OK, since no-one else has replied yet I have had to struggle on myself. I think I have made some progress: it looks like the iOS 9.2.1 IKEv2 client is, despite the lack of username/password options, still asking for EAP if you create the profile in the GUI. If however you create a mobileconfig with supposedly the same settings then it does not ask for EAP, and with a mobileconfig file I have managed to make a successful IKEv2 connection.


(If true this is not the first time I have found a bug in the iOS VPN GUI.)


I ultimately plan anyway to use only mobileconfig files to push these VPN settings out, but I still need to tweak things as I believe there is still an issue with the leftid option in StrongSwan5, which is supposed to match the LocalID value.

Mar 18, 2016 1:20 PM in response to Remonli

I feel I have now got it working after finding two issues.


The first issue was, as mentioned, what I feel to be a bug in iOS 9.2 (and still present in 9.2.1), which is that if you configure a VPN profile on the iPhone itself for IKEv2 with certificate authentication then it incorrectly still tells the VPN server it wants to use EAP, which is for username/password authentication.


The second issue is that Apple Configurator when it creates a mobileconfig file for an IKEv2 connection includes the following in the mobileconfig file.


     <key>IPv4</key>
     <dict>
         <key>OverridePrimary</key>
         <integer>1</integer>
     </dict>

Note: The older iPhone Configuration Utility cannot create IKEv2 settings, but when used to create Cisco IPSec settings it also includes the above, but set to 0, i.e. 'false'.


If OverridePrimary is set to 1 i.e. 'true' then this tells the iPhone to route all traffic via the VPN connection. There is nothing inherently wrong with this and in fact this is exactly what I want to happen. The issue seems to be that this conflicts with the standard setting of StrongSwan5 which I already have set at its end to force all VPN users to send all traffic via the VPN connection. This is done by including the following in /etc/ipsec.conf on the StrongSwan5 server.


leftsubnet=0.0.0.0/0


With the above setting as added by Apple Configurator, as mentioned, this seems to conflict with the StrongSwan5 setting and results in a failed connection. If however I change it by manually editing the mobileconfig file to be 0, i.e. 'false', then this removes the conflict and the iPhone successfully connects. StrongSwan5 still forces all the traffic to be sent via the VPN.


Unfortunately there is no option in Apple Configurator itself to change this setting. So for me the method is:


  • Use Apple Configurator to create an IKEv2 profile
  • Add the client certificate and private key as a .p12
  • Add separately the self-signed rootCA (cannot be in the client .p12)
  • Save the resulting mobileconfig
  • Manually edit the mobileconfig with a text editor and change the setting for OverridePrimary
  • Send the mobileconfig file to the iPhone
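The manual edit in the last step, as an added example that is not from the original post: a Python script that loads a saved mobileconfig with plistlib, sets OverridePrimary to 0 on every IKEv2 VPN payload, and writes the profile back. The embedded profile is constructed for illustration (its identifiers and UUIDs are placeholders); the payload keys used are the standard Apple profile keys, with ExtendedAuthEnabled being the "no EAP" flag mentioned earlier in the thread.

```python
import plistlib
from copy import deepcopy

# Constructed minimal profile shaped like Apple Configurator output;
# identifiers and UUIDs are placeholders, not values from the thread.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.vpn.placeholder",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "example.vpn.placeholder.ikev2",
        "PayloadUUID": "11111111-1111-1111-1111-111111111111",
        "UserDefinedName": "IPSec-IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": "host.domain.com",
            "RemoteIdentifier": "host.domain.com",
            "LocalIdentifier": "serialnumber@domain.com",
            "AuthenticationMethod": "Certificate",
            "ExtendedAuthEnabled": 0,  # plain certificate auth, no EAP
        },
        "IPv4": {"OverridePrimary": 1},  # what Configurator writes
    }],
}

def set_override_primary(profile, value=0):
    """Return (copy of profile, number of IKEv2 payloads changed) with
    IPv4/OverridePrimary set to value; the input dict is left untouched."""
    fixed = deepcopy(profile)
    changed = 0
    for payload in fixed.get("PayloadContent", []):
        if (payload.get("PayloadType") != "com.apple.vpn.managed"
                or payload.get("VPNType") != "IKEv2"):
            continue  # leave non-VPN and non-IKEv2 payloads alone
        ipv4 = payload.setdefault("IPv4", {})
        if ipv4.get("OverridePrimary") != value:
            ipv4["OverridePrimary"] = value
            changed += 1
    return fixed, changed

def fix_mobileconfig(data, value=0):
    """Apply the same edit to the XML plist bytes of a .mobileconfig file."""
    fixed, changed = set_override_primary(plistlib.loads(data), value)
    return plistlib.dumps(fixed, fmt=plistlib.FMT_XML), changed

def sample_mobileconfig():
    """Serialise the constructed profile as a saved .mobileconfig would look."""
    return plistlib.dumps(SAMPLE_PROFILE, fmt=plistlib.FMT_XML)
```

On a real file, read it as bytes, pass them to fix_mobileconfig, and write the returned bytes out; the unchanged count of 0 on a second pass confirms the edit is idempotent.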

Mar 18, 2016 1:35 PM in response to John Lockwood

It seemed we have different problems, actually IKEv2 with EAP is what I want. After trying a few times, I even found a bug if you choose an ECC certificate for strongswan:


If you set up eap-mschapv2 with an ECC cert, it works well on Windows 10 and fails on iOS 9.2.1.

If you set up eap-mschapv2 with an RSA cert, it works well on both Windows 10 and iOS 9.2.1.


This really confuses me a lot.

May 15, 2016 12:02 AM in response to doug_b_nyc

doug_b_nyc wrote:


I am trying to configure an "always on" VPN between my iOS device and a FortiGate firewall, which requires an IKEv2 VPN. Although I'm very familiar with IPSec VPNs using IKEv1, the IKEv2 configuration on iOS is new to me. Any guidance on the use of the Remote ID and Local ID fields in IKEv2 would be greatly appreciated.


I have been using StrongSwan5 rather than Fortinet but here is what I found with that.


RemoteID is the name being used to identify the IKEv2 server. This can be the fully qualified DNS name of the VPN server, but in theory could be some other identifier, and would default to the 'Distinguished Name' of the SSL certificate. In the case of StrongSwan5 you also define this in the /etc/ipsec.conf configuration file using the line leftid=identifier, so maybe this is also defined somewhere in the Fortinet settings. I did use the FQDN name, i.e. leftid=host.domain.com.


LocalID is the identifier used by the client device, e.g. an iPhone. I used the name defined in the security certificate being used by the client device. Now I seem to recall that for IKEv2 Apple do not support using a FQDN for client devices, which is what I had been using as the Distinguished Name for my certificates, so I have been defining as a subject alternative name an additional name in the format of a (fake) email address, e.g. serialnumber@domain.com, and I use that as the LocalID. I do not have to define this specifically on the StrongSwan5 server as I currently use in /etc/ipsec.conf the line rightid="*", with the asterisk meaning accept anything; I believe rightid=%any means the same thing. However something along the lines of rightid=@domain.com might be better. I think the exact format to do this in StrongSwan is 'complex' and might be rightid=@*@domain.com, which is why I started off with it completely open.


Note: If you do not define a LocalID on the iOS device it sends its IP address, which would still be matched by my current rightid="*". But other than for site-to-site links with static IP addresses, using an IP address would prevent you restricting values as a security measure, due to iOS devices typically having dynamic, i.e. random, IP addresses.
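As an added example (not from the thread and not strongSwan's code), a simplified Python model of the identity types and rightid-style matching discussed above, showing why a fully open rightid accepts a peer that sent only its dynamic IP address while a domain-restricted pattern does not. The wildcard semantics here are a hypothetical approximation written for this illustration, not strongSwan's exact ipsec.conf syntax; the peer identities are constructed.

```python
import ipaddress
import re

# Simplified model of IKEv2 identity types and rightid-style matching,
# written for this thread as an illustration; it is not strongSwan's
# implementation and does not reproduce its ipsec.conf syntax exactly.

def classify_identity(ident):
    """Return the IKEv2 identity type a peer would be presenting."""
    try:
        addr = ipaddress.ip_address(ident)
        return "IPV4_ADDR" if isinstance(addr, ipaddress.IPv4Address) else "IPV6_ADDR"
    except ValueError:
        pass
    if re.match(r"^[A-Za-z]+=", ident):
        return "DER_ASN1_DN"     # e.g. CN=host.domain.com, O=Example
    if "@" in ident:
        return "RFC822_ADDR"     # e.g. serialnumber@domain.com
    return "FQDN"                # e.g. host.domain.com

def identity_matches(pattern, ident):
    """A pattern of "%any" or "*" alone accepts every identity (the open
    setting in the post); a '*' inside a pattern is a wildcard restricted to
    the same identity type; anything else must match exactly, ignoring case."""
    if pattern in ("%any", "*"):
        return True
    if "*" in pattern:
        # A wildcard in an email-shaped pattern must not match an IP or FQDN.
        if classify_identity(ident) != classify_identity(pattern.replace("*", "x")):
            return False
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return re.match(regex, ident, re.IGNORECASE) is not None
    return pattern.lower() == ident.lower()

# Constructed identities: two devices in the domain, a stranger in another
# domain, a device that sent no LocalID (so its dynamic IP), and a bare FQDN.
PEERS = ["serialnumber@domain.com", "C02ABCDEF@domain.com",
         "someone@elsewhere.example", "192.0.2.45", "host.domain.com"]

def accepted_peers(pattern):
    """Which of PEERS a rightid set to pattern would let through."""
    return [p for p in PEERS if identity_matches(pattern, p)]
```

With "%any" every entry in PEERS is accepted, including the bare IP address; with "*@domain.com" only the two in-domain email identities get through, which is the restriction the note above is after.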
