PFsense and IPsec VPNs with iOS/OSX

I’ve read through no less than 40 blog/guide posts on how to do this and still cannot get it to work. I managed to get IKEv2 working just fine with Windows 10, but I tried the whole lot of IKEv1 posts such as:

https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

https://cetre.co.uk/blog/setting-up-an-ipsec-vpn-on-pfsense-for-mobile-os-x-and-ios-clients/

https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html

https://yaleman.org/post/2017/2017-03-02-roadwarrior-with-pfsense/

https://www.thegeekpub.com/5855/pfsense-road-warrior-ipsec-config-works/

ALL of which simply do not work with iOS 12. Can someone please save my soul so I can avoid going back to OpenVPN and help me find a working solution for iOS/OSX with IKEv2 or IKEv1?

I’ve tried nearly every combination of cipher, setting, and PF group possible surely, and also the numerous methods for PSK and Xauth config. Nothing works. If you can help me understand why you’ll be my hero.

Older video with an older pfSense but same instructions; used it multiple times with no issues (and I have a Mac/iPhone connected to the VPN).

Clear all your settings out and try it with the instructions above.

I have IKEv2 working concurrently on Win 10, iOS, and Android. I too took forever to get mine working. I’ll gather some screenshots and post them. One thing you don’t mention is what identifier you use. If you want to avoid installing certificates, you’ll need to use a Let’s Encrypt cert.

Please post your IPSec logs/config and firewall/NAT rules. Please remove any personally identifiable information. This would help people troubleshoot your issue better. I have IKEv2 using EAP-TLS (self-signed certs) working on macOS 10.12.x-10.13.x and iOS 11.x-12.x. This is the guide that I followed, albeit with a few tweaks.

Just curious, why no OpenVPN for iOS?

Thank you for posting this. I’ve been stressing over this for the past couple of days too. I’ve tried all those guides too haha

Getting it to work natively in iOS is way too much work.

If you can get this working without losing sleep and not wasting your time, please post here for posterity!

I tried this one too, still didn’t work. I’m not sure if it’s a limitation of iOS or what… hence my plea for help.

That would be fantastic. I have my own CA and wildcard cert I can use, but I could also do Let’s Encrypt. That would be super helpful if I could see some references from your environment. Thank you!

This

Thanks, I’ll give it a shot, and if it’s still giving me trouble I’ll post some data for everyone to review and hopefully spot my mistake.

Thank you sir/ma’am! This guide worked great for me.

Can I ask what tweaks you did?

I did most of this, would love you to review it!

Because why install an app when iOS supports IPsec out of the box? One less app to install/update. Plus the OpenVPN app is garbage.

I don’t like the client. I want to use native. Personal preference.

This worked for me…pasting this comment again.

After looking at https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/ and combining that with https://www.netgate.com/docs/pfsense/vpn/ipsec/ikev2-with-eap-tls.html#Import_the_CA_to_the_Client_PC, I was able to get Win10 and iOS working. Note the comment on setting the connection algorithms in part of the first link! This was the formula for me to get it working.

Here’s what I did to finally solve this!

It isn’t a limitation of iOS; I am currently using IPsec with my iPhone right now. Literally just logged in a second ago.

Post your configs and some of your IPsec error logs.

Here you go. Hope I clipped all my PII out…

I have only done it with Let’s Encrypt, so I can’t help much with rolling your own CA for this.

One issue I ran into along the way was with wildcards. I can’t remember if it was only on the Android strongSwan client, or all clients. But it wouldn’t accept a wildcard. I had to use a cert with the domain/sub-domain explicitly as a SAN.

Good luck. Happy to help with any more questions.
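Two points in this thread (the identifier question above and the wildcard SAN problem just described) come down to one check: the hostname used as the IKEv2 server identifier must appear verbatim as a DNS SAN in the server certificate, because some clients will not match it against a wildcard entry. The following script is an added example, not from the thread or from pfSense; it assumes the OpenSSL CLI's `openssl x509 -noout -ext subjectAltName` output format and uses a constructed SAN dump as sample input.

```python
"""Check that a VPN server certificate's SAN list covers the IKEv2 identifier.

Added example. Assumes the openssl CLI dump format for the SAN extension, e.g.
    X509v3 Subject Alternative Name:
        DNS:vpn.example.com, DNS:*.example.com, IP Address:203.0.113.10
"""
import re
import subprocess

# Constructed sample of what `openssl x509 -noout -ext subjectAltName` prints.
SAMPLE_SAN_DUMP = (
    "X509v3 Subject Alternative Name:\n"
    "    DNS:vpn.example.com, DNS:*.example.com, IP Address:203.0.113.10\n"
)

_SAN_RE = re.compile(r"(DNS|IP Address|email|URI):([^,\s]+)")


def parse_san(openssl_output: str) -> list:
    """Turn the openssl extension dump into (type, value) pairs."""
    return [(t, v) for t, v in _SAN_RE.findall(openssl_output)]


def wildcard_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125 style: '*' only as the leftmost label, matching exactly one label."""
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.lower().split(".")[1:]
    h_labels = fqdn.lower().split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def check_identifier(openssl_output: str, server_id: str) -> dict:
    """Classify how the identifier is covered: exact SAN, wildcard only, or not at all."""
    sans = parse_san(openssl_output)
    dns = [v for t, v in sans if t == "DNS"]
    ips = [v for t, v in sans if t == "IP Address"]
    exact = server_id.lower() in (d.lower() for d in dns) or server_id in ips
    via_wildcard = any(wildcard_matches(d, server_id) for d in dns)
    return {"exact": exact, "wildcard_only": (not exact) and via_wildcard,
            "covered": exact or via_wildcard, "dns_sans": dns, "ip_sans": ips}


def check_cert_file(path: str, server_id: str) -> dict:
    """Dump the SAN extension of a PEM certificate with the openssl CLI and check it."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True,
    ).stdout
    return check_identifier(out, server_id)


if __name__ == "__main__":
    # wildcard_only=True here is exactly the case that made clients reject the cert.
    print(check_identifier(SAMPLE_SAN_DUMP, "ike.example.com"))
```

Run `check_cert_file("/path/to/server.crt", "vpn.example.com")` against the certificate pfSense serves; a result with `wildcard_only` true means the identifier is only covered by a wildcard and the cert needs that name added as an explicit SAN.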

Use your own self-signed, it’d be much easier that way. I have this all completely working on all 3 OSs as well, would definitely be willing to help. You can PM me and we can set up a time to go over everything.

One thing to note, you’ll need to use the Apple Configurator to make a VPN profile that works on iOS, which means you’ll need to have access to a computer running OS X. Apple doesn’t distribute/stopped supporting a windows compatible version of the Configurator.

I’m glad it worked! Nothing major, just SHA2-512 and additions for IPv6.