[strongSwan] strongSwan IKEv2 OS X and iOS Connectivity Issues

Avalon Thorne avalonoliviathorne at gmail.com
Mon Sep 19 19:19:58 CEST 2016

Good afternoon,

I have two strongSwan VPN Servers running; one to keep me connected to the
United Kingdom and one to protect data on hotel WiFi (etc.) in the United
States. Admittedly, I am not familiar with strongSwan; having not heard
about it until several days ago. In either case, I was successful in
configuring and installing strongSwan on two servers: an endpoint in SFO
and an endpoint in London.

I have been successful at connecting Windows 10 Pro clients to the VPN but
my OS X 10.11.5 and iOS 10 clients have been giving me issues when
attempting to connect.

Per the following resources:


I have generated the required certificates; enabled multi-device usage from
a single certificate; and was successful in creating both VPN Connections
for Windows 10 Pro.

For OS X, I have been successful in establishing the connection to the VPN
by using the Apple Configurator 2 app to create a VPN Configuration profile
that specified the p12 bundle and set the IKEv2 authentication mode to use
DH Group 2 with 3DES and SHA1-96. OS X presents the most interesting
predicament: it connects, gets an IP address, and adds the default routes
(netstat -rn included below) but it doesn't send any data across the tunnel:

Destination        Gateway            Flags        Refs      Use   Netif Expire
default                               UGSc           43        0     en1
default            link#8             UCSI            0        0  ipsec0
10/16              link#5             UCS             8        0     en1
10.0.0.1/32        link#5             UCS             1        0     en1
                   <EDGE ROUTER MAC>  UHLWIir        47      194     en1   1076
10.0.143.243/32    link#5             UCS             1        0     en1
                   <MBP MAC ADDRESS>  UHLWI           0        1     lo0
                                      UGHS            0        0     en1
127                                   UCS             0        0     lo0
                                      UH             18   781055     lo0
169.254            link#5             UCS             0        0     en1
                                      UH              0        0  ipsec0
224.0.0            link#5             UmCS            1        0     en1
224.0.0            link#8             UmCSI           0        0  ipsec0
                   1:0:5e:0:0:fb      UHmLWI          0        0     en1
255.255.255.255/32 link#5             UCS             0        0     en1
255.255.255.255/32 link#8             UCSI            0        0     en1

As you can see, link#8 is the IPSec route and 45.x.x.x is the VPN server
while is the private address space.

To further detail, this is the configuration for the UK VPN Endpoint
corresponding to the information above:

# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default

conn IPSec-IKEv2

With the server configuration spelled out, the second most interesting
thing is that the certificate which works to connect OS X to the VPN
(although it doesn't send traffic over the VPN) does not work at all on iOS
10. iOS 10 simply starts the "Connecting" process and immediately
terminates back to "Disconnected."

How can I get the VPN to work as it does in Windows 10 Pro? OS X
establishes the link but won't send anything through the tunnel while iOS
won't connect at all - even with an Apple Configurator 2 Profile: the very
same one used by OS X.

The UK deployment is permanent while the US deployment is temporary, which
is why I provided the UK deployment. However, the US deployment is set up
very similarly and experiences the same issues.

I have circled around Google and the Wiki for days; now I can just use a
little user support feedback to get this deployment complete.

Thank You,
Avalon Thorne