iOS (Apple iPhone/iPad...) and Mac OS X Interoperability » History » Version 23

Andreas Steffen, 15.06.2012 08:40
IKEv1 PFS default changed from enabled to disabled


iOS (Apple iPhone, iPad...)

iOS 4 and newer support a native IPsec VPN via IKEv1 (referred to as Cisco IPSec in iOS) and are able to interoperate with strongSwan.

Despite the Cisco reference, the configure option --enable-cisco-quirks is not required as the iOS client is not provided by Cisco but is actually a modified version of Racoon.

Authentication uses XAuth and certificates (authby=xauthrsasig). Authentication without certificates may fail because the iOS side attempts to use aggressive mode. The described setup has been tested and confirmed working on an iPad 2 with iOS 4.3.1, but is expected to work on all other iOS devices (iPhone, iPad, iPod Touch) running an up-to-date iOS version.

Certificate requirements for iOS interoperability

The domain name or IP address of the server (strongSwan VPN gateway) MUST be contained either in the subjectDistinguishedName of the server certificate

subjectDistinguishedName = C=CH, O=strongSwan, CN=vpn.strongswan.org

or in a subjectAltName extension that can be added with the OpenSSL option

subjectAltName = DNS:vpn.strongswan.org

where in the above cases vpn.strongswan.org must exactly match the value entered in the Server field of the iOS client VPN configuration.

MacOSX 10.7.4 appears to require just the hostname/address in subjectAltName

subjectAltName = vpn.strongswan.org
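The following added example (not part of the original wiki page) checks a server certificate against the iOS requirement described above: the value that will be entered in the iOS Server field must appear as the CN of the subject DN or as a DNS/IP entry of the subjectAltName extension. It assumes the openssl command-line tool is available; the function name check_server_cert is our own.

```shell
#!/bin/sh
# Added example, not strongSwan project code: verify that the name an iOS
# client will enter in its "Server" field is present in a server certificate,
# either as the subject CN or as a DNS/IP subjectAltName entry.
#
# usage: check_server_cert serverCert.pem vpn.strongswan.org
# returns 0 when the name is present, 1 when it is missing, 2 on read error.
check_server_cert() {
    cert="$1"
    name="$2"
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || return 2
    # Extract the CN value; handles both "CN = x" and "/CN=x" output styles.
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//')
    # The SAN values are printed on the line following the extension name.
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | sed -n '/Subject Alternative Name/{n;p;}')
    if [ "$cn" = "$name" ]; then
        echo "ok: $name matches subject CN"
        return 0
    fi
    # Normalise "DNS:a, IP Address:b" into space-separated tokens for matching.
    case " $(printf '%s' "$san" | tr ',' ' ') " in
        *" DNS:$name "*|*" IP Address:$name "*)
            echo "ok: $name found in subjectAltName"
            return 0 ;;
    esac
    echo "MISMATCH: $name is neither the subject CN ($cn) nor in subjectAltName ($san)" >&2
    return 1
}
```

Run it against serverCert.pem before handing the certificate to clients; a non-zero result means the iOS client will reject the gateway.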

Certificate examples using strongSwan PKI tool

This example uses the strongSwan PKI tool to set up a certificate authority (CA), server, and client certificates. The openssl utility is used to package the CA certificate, client certificate, and client key in a PKCS#12 file.

CA certificate

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem

Server (strongSwan VPN gateway) certificate

ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
          --dn "C=CH, O=strongSwan, CN=vpn.strongswan.org" --san="vpn.strongswan.org" --flag serverAuth --outform pem > serverCert.pem

Note: the serverAuth flag is not required for authentication with an iOS client, but will allow Windows 7 and MacOSX clients to authenticate using the same server certificate.

Client (iOS) certificate

ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
          --dn "C=CH, O=strongSwan, CN=client" --outform pem > clientCert.pem

PKCS#12 file

openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" \
               -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12

Install certificates

The certificates and keys should be placed in the appropriate directories under /etc/ipsec.d/

cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/

It is not necessary to keep the client certificate on the server, but it can be useful as an identity for the client (rightcert=clientCert.pem).

cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/

The clientCert.p12 and caCert.pem files can either be placed on a web server for download to an iOS device using Safari or sent to an iOS device via email. Although the PKCS#12 file also includes the CA certificate, iOS does not use this CA certificate so it must be installed separately. The installed certificates will reside under Settings > General > Profiles on the iOS device.

For MacOSX, open Keychain.app and import the clientCert.p12 into the System keychain, then mark as "Always Trusted".

The caKey.pem file should be moved somewhere safe.

Final notes

The names server and client may be changed as desired. The Distinguished Name (DN) should be changed to relevant values for country (C), organization (O), and common name (CN) while keeping in mind the iOS requirements for the server certificate.

strongSwan configuration for a single iOS client

Connection definitions

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=yes
        nat_traversal=yes

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        pfs=no
        auto=add

With the new strongSwan 5.x branch the pfs parameter has been removed and the PFS default set to disabled.

Authentication with RSA and XAuth

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
somexauthaccountname : XAUTH "somexauthpassword"

Assignment of internal DNS servers

# /etc/strongswan.conf - strongSwan configuration file

charon {
  # ...
}

pluto {
  dns1 = 192.168.0.1
}

iOS client VPN configuration

The root certificate (CA), client certificate, and client key should all be present on the iOS device. A PKCS#12 file should provide both the client certificate and key. A separate file will need to be used to install the CA certificate since iOS does not use the one included with the client PKCS#12. These certificate files can be transferred via email or downloaded from a web server using Safari. An alternative option is to use the Apple-provided iPhone Configuration Utility, which can package the VPN configuration, certificates, and key into a single file.

Here is a description for configuring the VPN connection from the device itself once the certificates have been installed:

  • Launch Settings then select General > Network > VPN > Add VPN Configuration
  • Toggle VPN type to IPSec
  • Fields:
    Description      strongSwan
    Server           vpn.strongswan.org
    Account          somexauthaccountname
    Password         somexauthpassword
    Use Certificate  ON
    Certificate      client

A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.

External references