You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Nutwood
Nutwood Author
User level: Level 1
8 points

IKEV2 Certificate Based VPN - iOS10 / StrongSwan

Hi All,


Hope you can help here ! - I have seen a few similar type of posts here so I'm hopeful..!!


So, I have setup a new VPN Server running on Mint 18 Linux, and based on StrongSwan 5.3.5.


This VPN uses certificate based authentication, and I have created public & private

keys for the server, as well as public & private keys for the client device.


Initially I used a Google Nexus 5X, running Android 7.1.1, with the StrongSwan VPN client

installed (1.8.2) - including the previously created client certificate (.p12). With this setup on

Android I was able to successfully connect and establish the VPN tunnel to the server.


Next, I moved on to iOS10 - and for this I used an iPhone 7 Plus, with iOS10.2.1, a Mac running OS-X10.12.3

with the Apple Configurator 2.3. I created a VPN profile for this connection and uploaded the same / above certificate (.p12) file. Initially I had some issues trying to get the IPSEC encryption settings to align, but managed to settle on AES-256 / SHA1-96 / DH2.


However, despite these new IPSEC settings, I'm still unable to successfully establish the VPN tunnel to the same server, based on the client using the same certificate (.p12) file. I'm not sure what the iPhone/iOS is doing differently with the certificate / handshake that is different to what Android is doing..?


The logs from StrongSwan are indicating that the server is not / does not verify the certificate - but I cant see why, any thoughts / input here, together with any Apple support documentation on iOS10 support of IKEV2 VPN's & Certificate handling would be gratefully received..! - Logs attached below...



Mar 14 17:53:10 Arrow charon: 13[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.37[4500] (1708 bytes)

Mar 14 17:53:10 Arrow charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

Mar 14 17:53:10 Arrow charon: 13[IKE] received end entity cert "C=NL, O=Example Company, CN=ZZ@xxx.xxx.xxx.xxx"

Mar 14 17:53:10 Arrow charon: 13[CFG] looking for peer configs matching 192.168.0.37[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]

Mar 14 17:53:10 Arrow charon: 13[CFG] candidate "IPSec-IKEv2", match: 20/1/28 (me/other/ike)

Mar 14 17:53:10 Arrow charon: 13[CFG] selected peer config 'IPSec-IKEv2'

Mar 14 17:53:10 Arrow charon: 13[CFG] certificate "C=NL, O=Example Company, CN=xxx.xxx.xxx.xxx" key: 4096 bit RSA

Mar 14 17:53:10 Arrow charon: 13[CFG] using trusted ca certificate "C=NL, O=Example Company, CN=strongSwan Root CA"

Mar 14 17:53:10 Arrow charon: 13[CFG] checking certificate status of "C=NL, O=Example Company, CN=xxx.xxx.xxx.xxx7"

Mar 14 17:53:10 Arrow charon: 13[CFG] ocsp check skipped, no ocsp found

Mar 14 17:53:10 Arrow charon: 13[CFG] certificate status is not available

Mar 14 17:53:10 Arrow charon: 13[CFG] certificate "C=NL, O=Example Company, CN=strongSwan Root CA" key: 4096 bit RSA

Mar 14 17:53:10 Arrow charon: 13[CFG] reached self-signed root ca with a path length of 0

Mar 14 17:53:10 Arrow charon: 13[CFG] using trusted certificate "C=NL, O=Example Company, CN=xxx.xxx.xxx.xxx"

Mar 14 17:53:10 Arrow charon: 13[IKE] signature validation failed, looking for another key

Mar 14 17:53:10 Arrow charon: 13[IKE] processing INTERNAL_IP4_ADDRESS attribute

Mar 14 17:53:10 Arrow charon: 13[IKE] processing INTERNAL_IP4_DHCP attribute

Mar 14 17:53:10 Arrow charon: 13[IKE] processing INTERNAL_IP4_DNS attribute

Mar 14 17:53:10 Arrow charon: 13[IKE] processing INTERNAL_IP4_NETMASK attribute

Mar 14 17:53:10 Arrow charon: 13[IKE] processing INTERNAL_IP6_ADDRESS attribute

Mar 14 17:53:10 Arrow charon: 13[IKE] processing INTERNAL_IP6_DHCP attribute

Mar 14 17:53:10 Arrow charon: 13[IKE] processing INTERNAL_IP6_DNS attribute

Mar 14 17:53:10 Arrow charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

Mar 14 17:53:10 Arrow charon: 13[IKE] peer supports MOBIKE

Mar 14 17:53:10 Arrow charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Mar 14 17:53:10 Arrow charon: 13[NET] sending packet: from 192.168.0.37[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)

Mar 14 17:53:10 Arrow charon: 13[MGR] checkin and destroy IKE_SA IPSec-IKEv2[21]

Mar 14 17:53:10 Arrow charon: 13[IKE] IKE_SA IPSec-IKEv2[21] state change: CONNECTING => DESTROYING

Mar 14 17:53:10 Arrow charon: 13[MGR] check-in and destroy of IKE_SA successful

iPhone 7 Plus, iOS 10.2.1, IKEV2 VPN

Posted on Mar 14, 2017 11:09 AM

Reply

There are no replies.

IKEV2 Certificate Based VPN - iOS10 / StrongSwan

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up