Configuration Example Using IKEv1 With Apple Clients (iOS, Mac OS X)

Note: With recent Apple clients, using IKEv2 is recommended instead.

More information (e.g. regarding certificates) may be found on AppleClients.

strongSwan configuration for a single client

Connection definitions

This is a basic configuration to allow a client authenticated with RSA/XAuth to connect. The IP address 10.0.0.2 will be assigned as virtual IP to the client. See below for changes required to accept multiple clients.

conn ios
    keyexchange=ikev1
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    dpdaction=clear

conn client
    also=ios
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    auto=add

Authentication with RSA and XAuth

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
somexauthaccountname : XAUTH "somexauthpassword"

Assignment of internal DNS servers

# /etc/strongswan.conf - strongSwan configuration file

# for strongSwan 5.0.0+
charon {
  dns1 = 192.168.0.1
}

# for strongSwan < 5.0.0
pluto {
  dns1 = 192.168.0.1
}

This uses the attr plugin, refer to VirtualIP for other options.

strongSwan configuration for multiple clients

For multiple clients you can either generate a private key/certificate pair for every client, or use a single private key/certificate pair for all clients. In the latter case the client authentication is effectively based on XAuth only. Even though that shared private key/certificate pair is then "public", the gateway is still properly authenticated (it uses its own key and certificate), and deployment to the clients becomes simpler.

If each client has its own certificate, simply remove the rightcert line from the config above; any client providing a valid certificate will then be accepted. You may also specify a wildcard value for rightid to accept only specific clients (e.g. if you have multiple configs), for instance:

        rightid="C=CH, O=strongSwan, CN=*"

To assign each client its own virtual IP use a subnet for rightsourceip like:

        rightsourceip=10.0.0.0/24
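The following script is an added example and not code from the strongSwan project or this wiki page. It ties the single-client definitions above to the multi-client variants: it parses the conn sections of an ipsec.conf, resolves also= inheritance, checks that a client conn really authenticates with a certificate plus XAuth and assigns a virtual IP, and implements the wildcard matching that a rightid such as "C=CH, O=strongSwan, CN=*" relies on. The sample ipsec.conf text and the client DNs are constructed for this example; the DN matcher is a simplified model (same RDNs in the same order, "*" standing for a whole RDN value), and the also= precedence rule (values in the including section win) is assumed from the ipsec.conf documentation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the single-client conns from the page plus a conn
# that accepts several clients via a wildcard rightid and an address pool.
SAMPLE_IPSEC_CONF = """
conn ios
    keyexchange=ikev1
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    dpdaction=clear

conn client
    also=ios
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    auto=add

conn clients
    also=ios
    rightid="C=CH, O=strongSwan, CN=*"
    rightsourceip=10.0.0.0/24
    auto=add
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `conn <name>` sections into {name: {key: value}} (comments
    dropped, surrounding quotes removed; other section types ignored)."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return conns


def resolve(conns: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Follow also= references; keys set in the including section take
    precedence over the inherited ones (assumed precedence rule)."""
    section = conns[name]
    merged: Dict[str, str] = {}
    if "also" in section:
        merged.update(resolve(conns, section["also"]))
    merged.update({k: v for k, v in section.items() if k != "also"})
    return merged


def _rdns(dn: str) -> List[tuple]:
    """Split "C=CH, O=strongSwan, CN=alice" into [(key, value), ...]."""
    out = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        out.append((key.strip(), value.strip()))
    return out


def dn_matches(pattern: str, dn: str) -> bool:
    """Simplified rightid wildcard match: same RDN keys in the same order,
    each value equal or "*" in the pattern."""
    p, d = _rdns(pattern), _rdns(dn)
    if len(p) != len(d):
        return False
    return all(pk == dk and (pv == "*" or pv == dv)
               for (pk, pv), (dk, dv) in zip(p, d))


def accepts(conn: Dict[str, str], client_dn: str,
            rightcert_subject: Optional[str] = None) -> bool:
    """Would the resolved conn accept a client with this certificate subject?
    rightid takes precedence; rightcert pins the identity to one certificate,
    whose subject the caller reads from the file and passes in."""
    if "rightid" in conn:
        return dn_matches(conn["rightid"], client_dn)
    if "rightcert" in conn:
        return rightcert_subject == client_dn
    return True  # no restriction: any certificate the CA issued is accepted


def audit(conn: Dict[str, str]) -> List[str]:
    """Sanity checks for an IKEv1 RSA+XAuth client conn; returns findings."""
    findings = []
    if conn.get("keyexchange") != "ikev1":
        findings.append("keyexchange is not ikev1")
    if conn.get("leftauth") != "pubkey" or "leftcert" not in conn:
        findings.append("gateway must authenticate with leftauth=pubkey and leftcert")
    if conn.get("rightauth") != "pubkey" or conn.get("rightauth2") != "xauth":
        findings.append("clients must use rightauth=pubkey plus rightauth2=xauth")
    if "rightsourceip" not in conn:
        findings.append("no virtual IP pool (rightsourceip)")
    if "rightcert" not in conn and "rightid" not in conn:
        findings.append("any certificate from the CA is accepted; identity rests on XAuth only")
    return findings


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for name in ("ios", "client", "clients"):
        c = resolve(conns, name)
        print(name, "->", audit(c) or "ok",
              "| accepts CN=alice:", accepts(c, "C=CH, O=strongSwan, CN=alice"))
```

Running it shows that the bare ios template (no rightsourceip, no rightcert or rightid) is flagged, while both derived conns pass; the wildcard conn accepts CN=alice under the expected C and O but rejects a DN with a different country or an extra RDN.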

iOS client configuration

The root certificate (CA), client certificate, and client key should all be present on the iOS device. A PKCS#12 file should provide both the client certificate and key. A separate file will need to be used to install the CA certificate since iOS does not use the one included with the client PKCS#12. These certificate files can be transferred via email or downloaded from a web server using Safari. An alternative option is to use the Apple Configurator utility which can package the VPN configuration, certificates, and key into a single file.

Once the certificates have been installed, the VPN connection can be configured on the device itself as follows:

  • Launch Settings, then select General > Network > VPN > Add VPN Configuration
  • Toggle VPN type to IPSec
  • Fields:
    Description      strongSwan
    Server           vpn.strongswan.org
    Account          somexauthaccountname
    Password         somexauthpassword
    Use Certificate  ON
    Certificate      client

A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.

Mac OS X client configuration

Open System Preferences > Network > click the + sign to add the connection > Choose Interface "VPN" and VPN Type "Cisco IPSec".

Then enter the following information:

Server Address   vpn.strongswan.org
Account Name     somexauthaccountname
Password         somexauthpassword

and select the installed system certificate under Authentication Settings.

Attachment: iOS_VPN_client.jpg (22.4 KB), Lars Hjersted, 16.05.2011