Configuration Example Using IKEv1 With Apple Clients (iOS, Mac OS X)
Note: With recent Apple clients, using IKEv2 is recommended instead of IKEv1.
More information (e.g. regarding certificates) may be found on AppleClients.
strongSwan configuration for a single client

Connection definitions
This is a basic configuration to allow a client authenticated with RSA/XAuth to connect. The IP address 10.0.0.2 will be assigned as virtual IP to the client. See below for changes required to accept multiple clients.
    conn ios
        keyexchange=ikev1
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        dpdaction=clear

    conn client
        also=ios
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        auto=add
Authentication with RSA and XAuth

    # /etc/ipsec.secrets - strongSwan IPsec secrets file

    : RSA serverKey.pem

    somexauthaccountname : XAUTH "somexauthpassword"
Assignment of internal DNS servers

    # /etc/strongswan.conf - strongSwan configuration file

    # for strongSwan 5.0.0+
    charon {
        dns1 = 192.168.0.1
    }

    # for strongSwan < 5.0.0
    pluto {
        dns1 = 192.168.0.1
    }
This uses the attr plugin, refer to VirtualIP for other options.
strongSwan configuration for multiple clients

For multiple clients you can either generate a private key/certificate pair for every client, or use a single private key/certificate pair for all clients. In the latter case client authentication is based on XAuth only. Even though the shared private key/certificate pair is then effectively "public", the gateway is still properly authenticated by its own certificate, and deployment to clients may be simpler.

If each client has its own certificate, simply remove the rightcert line from the config above; any client providing a valid certificate will then be accepted. You may also specify a wildcard value for rightid to accept only specific clients (e.g. if you have multiple configs), for instance:
rightid="C=CH, O=strongSwan, CN=*"
To assign each client its own virtual IP use a subnet for rightsourceip like:
rightsourceip=10.0.0.0/24
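The single-client and multi-client variants above differ only in two settings of the client conn (rightsourceip as a host address or a subnet, and whether rightcert pins one client certificate). The following script is an added example, not strongSwan code: it parses ipsec.conf-style conn sections, resolves also= references (assuming, as for strongSwan, that settings in the referencing conn override the included one), and reports which of the three deployment modes a resolved conn describes. The sample configuration text is constructed from the definitions above.

```python
"""Classify strongSwan IKEv1/XAuth client conns as single-client,
shared-certificate or per-client-certificate deployments.
Added example for this page; it is not part of strongSwan itself."""
import ipaddress

# Constructed sample: the single-client configuration shown above.
SINGLE_CLIENT_CONF = """\
conn ios
    keyexchange=ikev1
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    dpdaction=clear

conn client
    also=ios
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Section headers start in column 0 ('conn <name>', 'config setup', ...);
    settings are indented 'key=value' lines. '#' starts a comment.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:  # setting of a non-conn section, ignored here
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def resolve(conns, name, _seen=None):
    """Merge the conn named by also= into this conn (own settings win)."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError("circular also= reference at conn %s" % name)
    _seen.add(name)
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = resolve(conns, base, _seen) if base else {}
    merged.update(own)
    return merged


def deployment_mode(conn):
    """Return 'single-client', 'shared-certificate' or 'per-client-certificate'.

    A host address in rightsourceip serves exactly one client.  A subnet (or a
    named pool such as %dhcp) serves many; with rightcert set they all present
    the same certificate and are told apart by XAuth only, without it each
    client needs its own valid certificate.
    """
    pool = conn.get("rightsourceip")
    if not pool:
        raise ValueError("conn assigns no virtual IP (rightsourceip missing)")
    try:
        many = ipaddress.ip_network(pool, strict=False).num_addresses > 1
    except ValueError:  # named pool (e.g. %dhcp), assumed to serve many clients
        many = True
    if not many:
        return "single-client"
    return "shared-certificate" if "rightcert" in conn else "per-client-certificate"


def describe(text, name):
    """Resolve conn `name` in `text` and report its deployment mode."""
    conn = resolve(parse_conns(text), name)
    return "%s: %s clients, pool %s, mode %s" % (
        name, conn.get("rightauth2", "-"), conn["rightsourceip"], deployment_mode(conn))


if __name__ == "__main__":
    print(describe(SINGLE_CLIENT_CONF, "client"))
```

Running the script prints the mode of the client conn from the page; edit rightsourceip to 10.0.0.0/24 and drop rightcert to see it move through the other two modes.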
iOS client configuration
The root certificate (CA), client certificate, and client key should all be present on the iOS device. A PKCS#12 file should provide both the client certificate and key. A separate file will need to be used to install the CA certificate since iOS does not use the one included with the client PKCS#12. These certificate files can be transferred via email or downloaded from a web server using Safari. An alternative option is to use the Apple Configurator utility which can package the VPN configuration, certificates, and key into a single file.
Here is how to configure the VPN connection on the device itself once the certificates have been installed:
- Launch Settings then select General > Network > VPN > Add VPN Configuration
- Toggle VPN type to IPSec
- Fields:

        Description      strongSwan
        Server           vpn.strongswan.org
        Account          somexauthaccountname
        Password         somexauthpassword
        Use Certificate  ON
        Certificate      client
A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.
Mac OS X client configuration
Open System Preferences > Network > click the + sign to add the connection > Choose Interface "VPN" and VPN Type "Cisco IPSec".
Then enter the information

    Server Address   vpn.strongswan.org
    Account Name     somexauthaccountname
    Password         somexauthpassword
and select the installed system certificate under Authentication Settings.