[strongSwan] strongSwan IKEv2 OS X and iOS Connectivity Issues
Avalon Thorne
avalonoliviathorne at gmail.com
Mon Sep 19 19:19:58 CEST 2016
Good afternoon,
I have two strongSwan VPN Servers running; one to keep me connected to the
United Kingdom and one to protect data on hotel WiFi (etc.) in the United
States. Admittedly, I am not familiar with strongSwan; having not heard
about it until several days ago. In either case, I was successful in
configuring and installing strongSwan on two servers: an endpoint in SFO
and an endpoint in London.
I have been successful at connecting Windows 10 Pro clients to the VPN but
my OS X 10.11.5 and iOS 10 clients have been giving me issues when
attempting to connect.
Per the following resources:
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
I have generated the required certificates; enabled multi-device usage from
a single certificate; and was successful in creating both VPN Connections
for Windows 10 Pro.
For OS X, I have been successful in establishing the connection to the VPN
by using the Apple Configurator 2 app to create a VPN Configuration profile
that specified the p12 bundle and set the IKEv2 authentication mode to use
DH Group 2 with 3DES and SHA1-96. OS X presents the most interesting
predicament: it connects, gets an IP address, and adds the default routes
(netstat -rn included below) but it doesn't send any data across the tunnel:
Internet:
Destination         Gateway             Flags     Refs     Use   Netif Expire
default             10.0.0.1            UGSc        43       0     en1
default             link#8              UCSI         0       0  ipsec0
10/16               link#5              UCS          8       0     en1
10.0.0.1/32         link#5              UCS          1       0     en1
10.0.0.1            <EDGE ROUTER MAC>   UHLWIir     47     194     en1   1076
10.0.143.243/32     link#5              UCS          1       0     en1
10.0.143.243        <MBP MAC ADDRESS>   UHLWI        0       1     lo0
45.32.180.111       10.0.0.1            UGHS         0       0     en1
127                 127.0.0.1           UCS          0       0     lo0
127.0.0.1           127.0.0.1           UH          18  781055     lo0
169.254             link#5              UCS          0       0     en1
172.11.22.1         172.11.22.1         UH           0       0  ipsec0
224.0.0             link#5              UmCS         1       0     en1
224.0.0             link#8              UmCSI        0       0  ipsec0
224.0.0.251         1:0:5e:0:0:fb       UHmLWI       0       0     en1
255.255.255.255/32  link#5              UCS          0       0     en1
255.255.255.255/32  link#8              UCSI         0       0  ipsec0
As you can see, link#8 is the IPSec route and 45.x.x.x is the VPN server
while 172.11.22.1/24 is the private address space.
To further detail, this is the configuration for the UK VPN Endpoint
corresponding to the information above:
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    authby=pubkey
    left=%any
    leftid=claraoswald.bbr01.lon.uk.ini.arendellenet.net
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    leftsendcert=always
    right=%any
    rightsourceip=172.11.22.0/24,2002:25f7:7489:3::/112
    rightdns=8.8.8.8,2001:4860:4860::8888

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
With the server configuration spelled out, the second most interesting
thing is that the certificate which works to connect OS X to the VPN
(although it doesn't send traffic over the VPN) does not work at all on iOS
10. iOS 10 simply starts the "Connecting" process and immediately
terminates back to "Disconnected."
How can I get the VPN to work as it does in Windows 10 Pro? OS X
establishes the link but won't send anything through the tunnel while iOS
won't connect at all - even with an Apple Configurator 2 Profile: the very
same one used by OS X.
The UK deployment is permanent while the US deployment is temporary, which
is why I provided the UK deployment. However, the US deployment is very
similarly set up and experiences the same issues.
I have circled around Google and the Wiki for days; now I can just use a
little user support feedback to get this deployment complete.
Thank You,
Avalon Thorne
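The conn above inherits its long ike= and esp= lists from conn %default, so the legacy entries in those lists (3DES, SHA-1, 1024-bit MODP / DH group 2) are part of what IPSec-IKEv2 actually offers. The following is an added example, not the poster's tool or anything shipped with strongSwan: it parses an ipsec.conf fragment (assuming the usual convention that section parameters are indented), applies %default inheritance, and reports which proposals in each real conn contain weak components. The sample configuration is constructed and shortened from the one in the post.

```python
# Constructed sample modelled on the ipsec.conf fragment in the post (not the poster's full file).
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 2, knl 2, cfg 2"
conn %default
    keyexchange=ikev2
    ike=aes256-sha384-ecp384,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128gcm16,aes256-sha256-modp2048,3des-sha1!
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
"""

# Algorithm components a defender would flag as legacy or deprecated.
WEAK = {"3des": "3DES", "sha1": "SHA-1", "modp1024": "DH group 2 (1024-bit MODP)", "modp768": "DH group 1"}

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; conn entries inherit from conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing whitespace
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line = section header, e.g. "conn foo"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None:                 # indented line = key=value inside the section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    return {name: {**default, **vals} if name.startswith("conn ") and name != "conn %default" else vals
            for name, vals in sections.items()}

def weak_components(proposal_list):
    """Split 'a-b-c,d-e!' into proposals and list the weak components found in each."""
    findings = []
    for proposal in proposal_list.rstrip("!").split(","):
        bad = [WEAK[part] for part in proposal.split("-") if part in WEAK]
        if bad:
            findings.append((proposal, bad))
    return findings

def audit(text):
    """Map each real conn to the weak components in its effective ike= and esp= proposals."""
    report = {}
    for name, vals in parse_ipsec_conf(text).items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        report[name] = {key: weak_components(vals[key]) for key in ("ike", "esp") if key in vals}
    return report
```

Running audit() over the real file shows, per conn, which offered proposals still carry 3DES, SHA-1 or DH group 2 after inheritance; the report lists proposals that can be trimmed once the Apple clients are confirmed to negotiate a stronger one.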