iOS (Apple iPhone, iPad...)¶
iOS 4 and newer supports native IPsec VPN via IKEv1 (otherwise referred to as Cisco IPSec in iOS) and is able to interoperate with strongSwan.
Despite the Cisco reference, the configure option --enable-cisco-quirks is not required as the iOS client is not provided by Cisco but is actually a modified version of Racoon.
Authentication uses XAuth and certificates (authby=xauthrsasig). Authentication without certificates may fail due to an attempt on the iOS side to use aggressive mode. The described setup has been tested and confirmed working on an iPad 2 with iOS 4.3.1, but is expected to work on all other iOS devices (iPhone, iPad, iPod Touch) running an up-to-date iOS version.
Certificate requirements for iOS interoperability¶
The domain name or IP address of the server (strongSwan VPN gateway) MUST be contained either in the subjectDistinguishedName of the server certificate
C=CH, O=strongSwan, CN=vpn.strongswan.org
or in a subjectAltName extension that can be added with the OpenSSL option
subjectAltName = DNS:vpn.strongswan.org
where in the above cases vpn.strongswan.org must exactly match the value entered in the Server field of the iOS client VPN configuration.
Certificate examples using strongSwan PKI tool¶
This example uses the strongSwan PKI tool to set up a certificate authority (CA), server, and client certificates. The openssl utility is used to package the CA certificate, client certificate, and client key in a PKCS#12 file.
CA certificate¶
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
Server (strongSwan VPN gateway) certificate¶
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
--dn "C=CH, O=strongSwan, CN=vpn.strongswan.org" --flag serverAuth --outform pem > serverCert.pem
Note: the serverAuth flag is not required for authentication with an iOS client, but will allow both iOS and Windows 7 clients to authenticate using the same server certificate.
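Since iOS only accepts the connection when the value typed into its Server field matches the CN or a DNS subjectAltName of the gateway certificate, the following added example (not from the strongSwan wiki) issues the server certificate with the name in both places and verifies the result with openssl before the file is installed under /etc/ipsec.d/. It assumes caKey.pem and caCert.pem from the CA step exist in the current directory and that SERVER_NAME holds the exact value entered on the iOS device.

```shell
#!/bin/sh
# Added example, not part of the strongSwan wiki page: issue the gateway
# certificate with the server name in both the DN and a subjectAltName
# (pki --san), then verify that the name the iOS client will enter in its
# "Server" field really appears in the certificate before it is installed.
# Assumes caKey.pem and caCert.pem from the "CA certificate" step exist in the
# current directory; SERVER_NAME defaults to the wiki's vpn.strongswan.org.
set -e
SERVER_NAME="${SERVER_NAME:-vpn.strongswan.org}"

# name_in_cert TEXT NAME: succeeds when NAME is the subject CN or a DNS:
# subjectAltName in TEXT, the output of "openssl x509 -noout -text".
# TEXT is passed as a string so the matching logic works without openssl.
name_in_cert() {
    text="$1"
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots literal in the regex
    # Subject line: "CN = name" (OpenSSL 1.1+) or "CN=name" (older releases)
    printf '%s\n' "$text" | grep -Eq "^ *Subject:.*CN ?= ?${esc}"'(,|$)' && return 0
    # SAN entry, possibly one of several comma-separated names
    printf '%s\n' "$text" | grep -Eq "DNS:${esc}"'(,|$)' && return 0
    return 1
}

# Same commands as the wiki's server certificate, plus --san so the name is
# also present as a subjectAltName (either location satisfies iOS).
issue_server_cert() {
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue \
        --cacert caCert.pem --cakey caKey.pem \
        --dn "C=CH, O=strongSwan, CN=${SERVER_NAME}" --san "${SERVER_NAME}" \
        --flag serverAuth --outform pem > serverCert.pem
}

# Refuse to continue if the issued certificate does not carry the name.
check_server_cert() {
    text=$(openssl x509 -in serverCert.pem -noout -text)
    if name_in_cert "$text" "$SERVER_NAME"; then
        echo "OK: serverCert.pem carries ${SERVER_NAME}; the iOS Server field must use exactly this value"
    else
        echo "ERROR: ${SERVER_NAME} is neither the CN nor a DNS SAN of serverCert.pem" >&2
        return 1
    fi
}

# Run the full procedure only when invoked as: sh issue-server-cert.sh issue
if [ "${1:-}" = "issue" ]; then
    issue_server_cert
    check_server_cert
fi
```

The name check is deliberately strict: a certificate for strongswan.org or vpn.strongswan.org.evil is rejected for a client configured with vpn.strongswan.org.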
Client (iOS) certificate¶
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
--dn "C=US, O=strongSwan, CN=client" --outform pem > clientCert.pem
PKCS#12 file¶
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" \
-certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
Install certificates¶
The certificates and keys should be placed in the appropriate directories under /etc/ipsec.d/
cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/
It is not necessary to keep the client certificate on the server, but it can be useful to use it as an ID (rightcert=clientCert.pem)
cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/
The clientCert.p12 and caCert.pem files can either be placed on a web server for download to an iOS device using Safari or sent to an iOS device via email. Although the PKCS#12 file also includes the CA certificate, iOS does not use this CA certificate so it must be installed separately. The installed certificates will reside under Settings > General > Profiles on the iOS device.
The caKey.pem file should be moved somewhere safe.
Final notes¶
The names server and client may be changed as desired. The Distinguished Name (DN) should be changed to relevant values for country (C), organization (O), and common name (CN) while keeping in mind the iOS requirements for the server certificate.
strongSwan configuration for a single iOS client¶
Connection definitions¶
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=yes
    nat_traversal=yes

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    pfs=no
    auto=add
Authentication with RSA and XAuth¶
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
somexauthaccountname : XAUTH "somexauthpassword"
Assignment of internal DNS servers¶
# /etc/strongswan.conf - strongSwan configuration file

charon {
    # ...
}

pluto {
    dns1 = 192.168.0.1
}
iOS client VPN configuration¶
The root certificate (CA), client certificate, and client key should all be present on the iOS device. A PKCS#12 file should provide both the client certificate and key. A separate file will need to be used to install the CA certificate since iOS does not use the one included with the client PKCS#12. These certificate files can be transferred via email or downloaded from a web server using Safari. An alternative option is to use the Apple provided iPhone Configuration Utility which can package the VPN configuration, certificates, and key into a single file.
Here is a description for configuring the VPN connection from the device itself once the certificates have been installed:
- Launch Settings then select General > Network > VPN > Add VPN Configuration
- Toggle VPN type to IPSec
- Fields:
  - Description: strongSwan
  - Server: vpn.strongswan.org
  - Account: somexauthaccountname
  - Password: somexauthpassword
  - Use Certificate: ON
  - Certificate: client
A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.