
iOS (Apple iPhone/iPad...) and Mac OS X Interoperability » History » Version 9

Lars Hjersted, 14.05.2011 18:15


iOS (Apple)

iOS 4 has quasi-support of IKEv1 for IPSec VPN (otherwise referred to as Cisco IPSec in iOS) and is able to interoperate with strongSwan when the latter is built with:

--enable-cisco-quirks

Authentication uses XAUTH and certificates (authby=xauthrsasig). Authentication without certificates may fail because the iOS side then attempts to use aggressive mode. The described setup has been tested and confirmed working on an iPad 2 with iOS 4.3.1, but is expected to work on all other iOS devices (iPhone, iPad, iPod Touch) running an up-to-date iOS version.

Certificate requirements for iOS interoperability

The domain name or IP address of the server (strongSwan VPN gateway) MUST be contained either in the subject Distinguished Name (DN) of the server certificate

C=CH, O=strongSwan, CN=vpn.strongswan.org

or in a subjectAltName extension that can be added with the option

subjectAltName = DNS:vpn.strongswan.org

where in the above cases vpn.strongswan.org must exactly match the value entered in the Server field of the iOS client VPN configuration.
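The following check is an added example for this page and not part of strongSwan or its PKI tool. It takes the value that will be typed into the iOS Server field and confirms that the gateway certificate names it exactly, either as the CN of the subject DN or as a DNS:/IP Address: entry of the subjectAltName extension. The function and file names (name_in_cert, check_cert_file) are assumptions made here; the openssl invocation in check_cert_file is standard, and only the pure string check is exercised without a real certificate.

```shell
#!/bin/sh
# check_server_cert.sh - confirm that the gateway certificate carries the name
# the iOS client will enter in its "Server" field (added helper, not strongSwan code).

# name_in_cert SERVER SUBJECT SAN
#   SERVER  : value entered in the iOS "Server" field (DNS name or IP address)
#   SUBJECT : the "subject=" line printed by `openssl x509 -noout -subject`
#   SAN     : the entry line of the X509v3 Subject Alternative Name extension,
#             e.g. "DNS:vpn.strongswan.org, IP Address:192.0.2.1" (empty if none)
# Returns 0 when SERVER exactly matches the CN or a DNS:/IP Address: SAN entry.
name_in_cert() {
    server=$1
    subject=$2
    san=$3

    # CN is the last RDN in the DNs used on this page; strip surrounding spaces
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//')
    if [ "$cn" = "$server" ]; then
        return 0
    fi

    # SAN entries are comma separated; compare each one literally (no wildcards)
    old_ifs=$IFS
    IFS=','
    for entry in $san; do
        entry=$(printf '%s' "$entry" | sed 's/^ *//; s/ *$//')
        case "$entry" in
            "DNS:$server"|"IP Address:$server") IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# check_cert_file SERVER CERT.pem - run the check against a real PEM certificate
check_cert_file() {
    server=$1
    cert=$2
    subject=$(openssl x509 -in "$cert" -noout -subject)
    # the SAN entries are printed on the line following the extension header
    san=$(openssl x509 -in "$cert" -noout -text \
          | awk '/Subject Alternative Name/ { getline; print; exit }')
    if name_in_cert "$server" "$subject" "$san"; then
        echo "OK: $cert names $server"
    else
        echo "MISMATCH: $cert names neither CN=$server nor a SAN entry for $server" >&2
        return 1
    fi
}

# Example: check_cert_file vpn.strongswan.org serverCert.pem
```

Run check_cert_file against serverCert.pem before installing it; a mismatch here is the usual cause of the iOS client rejecting the gateway certificate even though strongSwan itself is content with it.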

Certificate examples using strongSwan PKI tool

This example uses the strongSwan PKI tool to set up a certificate authority (CA), server, and client certificates. The openssl utility is used to package the CA, client certificate, and client key in a PKCS12 file.

CA certificate

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem

Server (strongSwan VPN gateway) certificate

ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
          --dn "C=CH, O=strongSwan, CN=vpn.strongswan.org" --flag serverAuth --outform pem > serverCert.pem

Note: the serverAuth flag is not required for authentication with an iOS client, but will allow both iOS and Windows 7 clients to authenticate using the same server certificate.

Client (iOS) certificate

ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
          --dn "C=US, O=strongSwan, CN=client" --outform pem > clientCert.pem

PKCS12 file

openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" \
               -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12

Install certificates

The certificates and keys should be placed in the appropriate directories under /etc/ipsec.d/

cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/

It is not necessary to keep the client certificate on the server, but it can be useful to use it as an ID (rightcert=clientCert.pem).

cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/

The clientCert.p12 and caCert.pem files can either be placed on a web server for download to an iOS device using Safari or sent to an iOS device via email. Although the PKCS12 file also includes the CA certificate, iOS does not utilize this CA so it must be installed separately. The installed certificates will reside under Settings > General > Profiles on the iOS device.

The caKey.pem file should be moved somewhere safe.
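The following script is an added example for this page, not part of strongSwan. It performs the copy steps above into the /etc/ipsec.d layout (the target directory is a parameter so it can be tried against a scratch directory), restricts the gateway private key to its owner, and offers a separate openssl check that the installed key really belongs to the installed certificate. The function names install_gateway_certs, key_matches_cert and file_mode are assumptions made here.

```shell
#!/bin/sh
# install_gateway_certs.sh - place CA certificate, gateway certificate and
# gateway key into the ipsec.d layout and lock down the key
# (added helper for this page, not strongSwan code).

# install_gateway_certs IPSEC_D CA_CERT SERVER_CERT SERVER_KEY
#   IPSEC_D defaults to /etc/ipsec.d when given as an empty string.
install_gateway_certs() {
    ipsec_d=${1:-/etc/ipsec.d}
    ca_cert=$2
    server_cert=$3
    server_key=$4

    for f in "$ca_cert" "$server_cert" "$server_key"; do
        [ -r "$f" ] || { echo "missing input file: $f" >&2; return 1; }
    done

    mkdir -p "$ipsec_d/cacerts" "$ipsec_d/certs" "$ipsec_d/private"
    cp "$ca_cert"     "$ipsec_d/cacerts/"
    cp "$server_cert" "$ipsec_d/certs/"
    cp "$server_key"  "$ipsec_d/private/"

    # certificates are public; the private key and its directory are owner-only
    chmod 644 "$ipsec_d/cacerts/$(basename "$ca_cert")" \
              "$ipsec_d/certs/$(basename "$server_cert")"
    chmod 700 "$ipsec_d/private"
    chmod 600 "$ipsec_d/private/$(basename "$server_key")"
}

# key_matches_cert CERT KEY - confirm the RSA key is the one the certificate
# was issued for, by comparing the public modulus on both sides (needs openssl)
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa  -noout -modulus -in "$2")
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# file_mode PATH - permission string as shown by ls, e.g. "-rw-------"
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Example, run as root on the gateway:
#   install_gateway_certs "" caCert.pem serverCert.pem serverKey.pem
#   key_matches_cert /etc/ipsec.d/certs/serverCert.pem /etc/ipsec.d/private/serverKey.pem
```

After the copy, caKey.pem is still in the working directory; it is only needed to issue further certificates and should not stay on the gateway.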

Final notes

The names server and client may be changed as desired. The Distinguished Name (DN) should be changed to relevant values for country (C), organization (O), and common name (CN) while keeping in mind the iOS requirements for the server certificate.

strongSwan configuration for a single iOS client

Connection definitions

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=yes
        nat_traversal=yes

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        pfs=no
        auto=add

Authentication with RSA and XAUTH

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
ios : XAUTH "somepassword"

Assignment of internal DNS servers

# /etc/strongswan.conf - strongSwan configuration file

charon {
  # ...
}

pluto {
  dns1 = 192.168.0.1
}

iOS client VPN configuration

The root certificate (CA), client certificate, and client key should all be present on the iOS device. These can be transferred via email or downloaded from a web server using Safari. An alternative is to use the Apple provided iPhone Configuration Utility which can package the VPN configuration, certificates, and key into a single file.

Here is a description for configuring the VPN connection from the device itself once the certificates have been installed:

  • Launch Settings then select General > Network > VPN > Add VPN Configuration
  • Toggle VPN type to IPSec
  • Fields:
    Description      strongSwan
    Server           vpn.strongswan.org
    Account          ios
    Password         somepassword
    Use Certificate  ON
    Certificate      client

A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.

Enjoy the nice welcome message.

External references