iOS (Apple iPhone, iPad...) and macOS¶
- Table of contents
- iOS (Apple iPhone, iPad...) and macOS
IKEv2 on iOS 9 & macOS 10.11 and newer¶
With the release of iOS 9 and macOS 10.11 ("El Capitan"), IKEv2 is now supported by three different methods:
- Manually through the Settings app on iOS or System Preferences on macOS
- With a custom configuration profile
- Through an app that has the NetworkExtension entitlement
The Windows IKEv2 configurations can be used with some small changes.
- For manual configurations, specify only DH group 2 (modp1024) in the ike configuration. Although the iOS client claims to support modp1536, an unfixed bug prevents these connections from succeeding. An appropriate configuration for Windows and iOS might look like:
ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; macOS is 3DES, sha-1, modp1024 esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, macOS is 3des-shal1
As of iOS 14 (maybe earlier) modp2048 and sha2 are supported. Use ike=aes256-sha2_256-modp2048 and esp=aes256-sha2_256 instead.
- The client does not send a certificate request (
CERTREQ) unless ServerCertificateIssuerCommonName is configured in a configuration profile, and strongSwan does not send certificates without it with the default value of leftsendcert=ifasked. Therefore, set leftsendcert=always (assuming your responder is
- At least macOS clients require that the ID of the server is authenticated by the CN field of the server certificate's DN, as well as a subjectAlternativeName (SAN) value (since iOS 13 and macOS 10.15 a SAN is required, the CN field is not relevant anymore). Additionally, the TLS Server Authentication flag has to be set in its certificate (
--flag serverAuthin ipsec pki).
- If a rightsourceip IPv6 pool is specified, leftsubnet must include a default IPv6 route (
::/0) or no routes will be correctly added.
- Under certain hibernation-related conditions, macOS clients may forget a child SA without closing it. Setting a short dpd delay can clear these SAs before the waking client builds another child SA and thus aid in retaining the same virtual IP address.
- Split-DNS can be implemented for iOS 10.3.1 and newer with the INTERNAL_DNS_DOMAIN attribute and the INTERNAL_IP4_DNS or INTERNAL_IP6_DNS attributes.
Support for macOS isn't known at the moment.
For older versions, all traffic has to be tunneled (full-tunnel).
However, the latter doesn't work for any application, because none honor scoped DNS servers. A magic number for the INTERNAL_DNS_DOMAIN has been assigned by IANA and is supported by iOS 10.3.1 and newer.
Alternatively, the the DNS domains can be supplied in the client configuration.
- Assigning DNS servers without full-tunnel can only be achieved by sending an INTERNAL_DNS_DOMAIN to the responder (for iOS 10.3.1 and nwer) or
by supplying it in the client configuration.
- iOS and MacOS support EAP-MSCHAPv2, EAP-TLS, but not EAP-GTC
IKEv2 on iOS 9 and iOS 10¶
When MOBIKE and DPD are enabled, charon piggybacks
NAT-D notifications onto the
DPD messages (empty informationals). iOS 9 and 10 do not respond to such messages.
This causes charon to regard the peer as unreachable and trigger the dpdaction. This can cause charon to delete the
IKE_SA and associated
therefore closing the tunnel.
Available workarounds are to disable either DPD or MOBIKE by using
If dpd is disabled, an unreachable peer is not detected as such until it reconnects and the uniqueness policy (
uniqueids in ipsec.conf,
connections.<conn>.unique in swanctl.conf)
is set to replace the old connection of an identity with the new connection.
If an unreachable peer is not detected and a roadwarrior connection with a virtual IP pool i used, the pool will inadvertently fill up.
If mobike is disabled, the roaming experience of a peer can suffer.
This problem is fixed in the 2126-mobike-dpd branch in the git repository and in version 5.5.1 and later.
IKEv2 on iOS 8¶
Since iOS 8 (but not macOS 10.10) IKEv2 is natively supported on Apple clients. For such devices the roadwarrior responder IKEv2 configurations from the sane examples page or the Windows IKEv2 configurations we provide can be used.
Unfortunately, Apple has not yet updated the GUI, so IKEv2 connections have to be installed with a custom configuration profile.
iOS 4 and newer, and macOS 10.7 and newer support native IPsec VPN via IKEv1 (otherwise referred to as Cisco IPSec in these clients) and are able to interoperate with strongSwan.
For StrongSwan version 4.6 and below: Despite the Cisco reference, the configure option
--enable-cisco-quirks is not required as the client is not provided by Cisco but is actually a modified version of Racoon.
Authentication uses XAuth and certificates. Authentication without certificates may fail due to an attempt on the iOS side to use aggressive mode (which is possible to configure since 5.0.0 but is discouraged).
Behaviour with several subnets¶
Recent versions of iOS and macOS will only establish SAs for the first subnet. The SAs for the other subnets are created on demand with separate Quick Mode exchanges, when the traffic matches the traffic selector.
Certificate requirements for interoperability¶
The domain name or IP address of the server (strongSwan VPN gateway) MUST be contained either in the subject Distinguished Name (DN) of the server certificate
C=CH, O=strongSwan, CN=vpn.strongswan.org
or in a subjectAltName extension that can be added with the OpenSSL option
subjectAltName = DNS:vpn.strongswan.org
where in the above cases vpn.strongswan.org must exactly match the value entered in the Server field of the iOS client configuration.
If the certificate contains any subjectAltNames at all, one of them must match that value (a matching DN is not enough in this case).
macOS appears to require the hostname/address in subjectAltName. To support versions before 10.7.4 the certificate must contain the iKEIntermediate extended key usage flag.
It is not necessary to keep the client certificate(s) on the server, but it can be useful to use it as an ID (rightcert=clientCert.pem).
When using IKEv2 with EAP authentication (username/password) the CA certificate is required on the clients to verify the server certificate. If a certificate issued by CA that the clients already trust is used (e.g. one by Let's Encrypt) nothing has to be installed on the clients.
When using certificates to authenticate the clients, with either IKE version, they will need their certificate and private key, packaged into a PKCS#12 container, in addition to the CA certificate.
These files can either be placed on a web server for download to a client device using Safari or sent to it via email. Although the PKCS#12 file may also include the CA certificate, not all Apple clients will use it so it must usually be installed separately. On iOS devices the installed certificates will reside under Settings > General > Profiles.
For macOS, open Keychain.app and import the PKCS#12 (or CA certificate) file into the System keychain (not login), then mark as "Always Trusted". If you're running into trouble with the negotiation, make sure that in the Access Control tab of the private key, all applications are allowed to access it.
IKEv1/ISAKMP reauthentication issues¶
Note: At least on macOS 10.10 this seems not to be a problem anymore.
Both iOS and macOS trigger a ISAKMP reauthentication after a tunnel is up for ~45 minutes. When using XAuth, strongSwan re-requests username/password during ISAKMP reauthentication. The native client in some versions of macOS / iOS does not expect that and deletes the ISAKMP SA upon that request. In some versions it was caused by the client's inability to access the password originally used for XAuth authentication when reauthenticating the SA.
strongSwan insists on redoing XAuth during ISAKMP reauth. There is no cryptographic binding between the old and the new ISAKMP SA, so an attacker can take over a tunnel easily without knowledge of the XAuth password. One could argue that the client RSA private key is sufficient to validate the client, but it then makes no sense to use an additional username/password to authenticate the client in the first place. Additionally, some scenarios consider the client private key as public knowledge, and rely solely on the XAuth exchange, which is encrypted under a session securely authenticated by the server certificate.
As reauthentication can not be disabled on the client, there is no simple work-around for this issue. But at least on Mac macOS 10.10 this issue seems to have been fixed by Apple.
One feasible solution is to use xauth-noauth. It uses a fake XAuth exchange by sending just a success message, which the client also accepts during ISAKMP reauthentication. This implies that no password is required during the initial setup, but only the client RSA private key is used for authentication. The preferred solution is to use IKEv2.
IKEv2 reauthentication issues¶
macOS seems to be unable to deal with responder initiated IKEv2 reauthentications if certificate authentication is used. If the responder tries to reauthenticate the IKE_SA, the initiator (macOS) will fail to reauthenticate itself, finally leading to the IKE_SA being deleted when it expires according to its lifetime. In order to work around the issue, reauthentication has to be turned off on the responder (it is disabled by default) (
Troubleshooting IKEv1 on macOS¶
sudo vi /etc/racoon/racoon.conf
Add in the top section:
log debug; path logfile "/var/log/racoon.log";
Then, follow the logs:
tail -f /var/log/racoon.log