One-click IPsec VPNs for Apple iOS

Hi

I followed the guide here:

And here:
https://wiki.ipfire.org/configuration/services/ipsec/apple

EDIT by mod (old link for reference only):
https://wiki.ipfire.org/configuration/services/ipsec/apple?revision=2020-05-28T17:47:37.220125

I installed the profile on my iPad (requires Safari to download)
Activate the certificate (otherwise it won’t work)

One thing I’m not 100% sure about is whether my DNS settings are correct. I left it blank.
(My DNS service is OpenDNS).

Does the field need to have an assigned value?

On local subnet I used the suggested values. In my case 192.168.20.0/255.255.255.0

Any other possible error that may be easy to do during configuration?
I did add the @ :grinning: where required.

I may not fully understand the FQDN requirement.
The two names that have to match I did.

Guide says:
Local ID must be set to the IPFire’s FQDN prefixed by an “@” sign. Remote ID must be the system’s hostname prefixed by an “@” sign and the hostname must also be added to the certificate as “Subject Alternative Name” prefixed with “DNS:”

Disabled WiFi on my iPad to test. It won’t work.
Any suggestions what’s wrong with my settings?

I think I may not fully understand this requirement:

  • The IPFire system should have a FQDN which resolves from the public Internet

How do I obtain that?
Isn’t this the same name as the header at the top when accessing the web interface?

My address is:
https://ipfire.xxxx.zzz:444/cgi-bin/vpnmain.cgi (where x and z are something else).

I’m using “@ipfire.xxx.zzz” as local ID, so I guess I’m correct.

Remote ID must be the system’s hostname
Can’t I just call it “my iPad” or similar? Does it have to match any setting on my iPad?

So, in the host certificate and as the local ID, you will have to use the FQDN under which that IPFire system is reachable from the internet. That usually is something like example.dyndns.org unless you have your own domain and a static IP address.

Apple macOS and iOS validate this when they check the certificate and so does IPFire.

For the remote ID, you can use whatever hostname you like. It does not need to resolve, but it needs to be the same in the ID field and further down in the SAN field.

The documentation is unfinished and I have been spending some time on it, so please raise your hand if anything is unclear.

Where do I find that information?
The FQDN

The FQDN is the hostname of your firewall. If I typed "ping " into my console, it would resolve to your IP address and send an ICMP echo request.

So it is a DNS hostname that can be resolved from the internet pointing at your firewall.

I ping my firewall name that appears at the top of the web interface.
It returns 192.168.20.1 as expected.

So I guess I will have to troubleshoot somewhere else. Any suggestions?

This is technically not what your FQDN is. It could be, but in the PM you sent me, the domain wasn’t anything globally resolvable like “.com”.

Do you have a dynamic DNS host name configured? Or a static IP address?

I did believe so, but now I’m not sure. I was expecting opendns.com to work, but now I think I’ve been fooled.

No, opendns.com is not dynamic DNS.

It is more like this:

Yes, or even just choose a service from your supported options :grinning::

So I went with no-ip.com
I assume the free version requires me to log in and renew every 30 days. Paid is a fair price, around $25 a year.

Anyway. Still not working. It was obviously an error by me in how I configured it the first time.
Now I can ping my no-ip (ddns.net) easily.
So this was great help.

What’s your next suggestion in order to locate the problem I have?
Where to look?

I deleted previous iPad profiles, so I think there’s no problem there. Actually one more or less has to, in order to install a new profile.

Edit
Seems I should create a new certificate.

  • The CA certificate must contain a subjectAlternativeName with the system’s FQDN which must be used for IPsec, too

@ms

Please confirm this is correct in your guide. Remote ID equals SubjectAlternativeName.

I did also test with Local ID. Didn’t work.

So I added global setting like this:

Does this address need to be added somewhere else?

Your latest guide may suggest so, but an example with a screenshot would be nice.

I also tried to add the FQDN in Global setting. That wasn’t accepted.

@ms

My DHCP is like this:

Based on that information, how do I set the correct parameters in IPsec in my case?

Also, when creating the certificate, is the FQDN a requirement?
What parameters in the certificate need to comply with the IPFire settings?

I have a working xxxx.ddns.net that I can ping, so the FQDN should be OK.
The local subnet settings must be wrong? This is what was predefined by IPFire. (Shown in the picture below).

Also I think DNS Servers should be 192.168.20.1 in my case. Correct?
Or leave it blank?

So for an iOS road warrior, are these steps correct?

  1. Create a global setting
  2. Generate a certificate
  3. Create a connection

(I leave out the iOS settings for now).

I’m asking because it seems that while creating a connection you can also generate the certificate, but not with a PW, I think.

Yes, those are correct…

And my other questions above. Where do you think the error is, since it’s not working?

Sadly, I am not getting it… :frowning_face:

Andreas and I must be in similar boats (situations).

I tried getting a certificate setup and that failed. Then I hoped pre-shared-key (PSK) must be easier. Ha! I was wrong! I cannot get either to work! :stuck_out_tongue_winking_eye:

Since I cannot connect via Cert or PSK I am wildly guessing I set up the Global Configuration incorrectly OR I set up the Certificate Authorities and Keys incorrectly.

So my setup is an iPhone SE (2 gen) connected to LTE. And talking to an IPFire box on CU 158 (IPFire 2.25 (x86_64) - Core Update 158).

iPhoneSE via LTE → Internet → IPFire box.

This is the only error-ish entry on the IPFire box in the messages log:

...
Jul 22 21:25:10 ipfire charon: 05[IKE] remote host is behind NAT 
Jul 22 21:25:10 ipfire charon: 05[IKE] received proposals unacceptable 
Jul 22 21:25:10 ipfire charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ] 
...

So let me start with the Global:

The Host-to-Net Endpoint is my Dynamic DNS hostname. I am almost positive this is correct. Is it?!?

The Host-to-Net Virtual Private Network (RoadWarrior): is a made up (new) IP subnet using CIDR notation.

Is this correct? Or is the Host-to-Net Virtual Private Network (RoadWarrior): subnet supposed to match my GREEN zone -or- my BLUE zone?


EDIT: Here is the only error I see on the iPhone side.

EDIT2: I am currently testing in PSK mode hoping it will be simpler.
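An added example, not from any post here and not IPFire or strongSwan code: a small Python parser for charon lines in the syslog format quoted above, which labels the NO_PROP reply as an IKE proposal mismatch (IKE_SA_INIT fails before authentication, so certificate, PSK and ID settings are not yet in play). The SAMPLE_LOG, the signature table and the verdict labels are my own constructions.

```python
import re
from collections import Counter

# Constructed sample: the three charon lines quoted in the post above.
SAMPLE_LOG = """\
Jul 22 21:25:10 ipfire charon: 05[IKE] remote host is behind NAT
Jul 22 21:25:10 ipfire charon: 05[IKE] received proposals unacceptable
Jul 22 21:25:10 ipfire charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

# syslog timestamp, host, "charon:", thread id, [log group], message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*?)\s*$")
# Substring of the charon message -> (severity, what it means for this setup).
SIGNATURES = [
    ("received proposals unacceptable", "error",
     "no overlap between the phone's and IPFire's IKE algorithm proposals"),
    ("N(NO_PROP)", "error",
     "NO_PROPOSAL_CHOSEN sent in IKE_SA_INIT: the exchange fails before "
     "certificates, PSK or IDs are even checked"),
    ("remote host is behind NAT", "info",
     "NAT traversal detected; expected for a phone on a carrier network"),
]

def parse_line(line):
    # Split one charon syslog line into its fields, or None if it is not one.
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def diagnose(log_text):
    """Return one finding per matched signature, in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:          # unrelated syslog line
            continue
        for needle, severity, meaning in SIGNATURES:
            if needle in rec["msg"]:
                findings.append({"ts": rec["ts"], "group": rec["group"],
                                 "severity": severity, "meaning": meaning})
    return findings

def verdict(log_text):
    """Collapse the findings into a label a troubleshooting script can act on."""
    findings = diagnose(log_text)
    counts = Counter(f["severity"] for f in findings)
    if any(f["meaning"].startswith("NO_PROPOSAL_CHOSEN") for f in findings):
        return "proposal_mismatch", dict(counts)
    return ("errors_present" if counts["error"] else "no_known_errors"), dict(counts)
```

Feeding it the real messages log (for example the output of `grep charon /var/log/messages`) gives the same labels; a `proposal_mismatch` verdict means the algorithm selection, not the certificate or the IDs, is the first thing to compare between the phone profile and the IPFire connection.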


You can’t generate a certificate in IPFire? That’s working fine for me. Of course I also don’t know if I’ve done all settings correctly.

Remember to activate the certificate on your phone, after importing profile.

Wouldn’t that depend on which subnet you’d like to access? Also I think the documentation says you can specify both.

If I leave the Host-to-Net Endpoint blank then the server becomes ipfire.localdomain and there is no connection via the Internet to my IPFire box. So this doesn’t sound right…