On Friday 19 Feb 2016 16:23:22 Daniel Quinn wrote:
> The problem is that the names of the fields on iThings are different
> from the fields I see in NetworkManager, so I don’t know what correlates
> to what.
> 
> I have just uninstalled libreswan and installed strongswan, but I can’t
> find evidence of a networkmanager plugin for strongswan in Portage. |eix
> stronswan| only returns one record: |net-misc/strongswan|, which is
> installed. Can I use it without NetworkManager while using
> NetworkManager for basic connectivity?

I don't know for sure because I don't use NM.  The strongswan plugin is called 
... "networkmanager" and you install this with the flag USE="networkmanager", 
which I assume is already set in your system.


> Here’s the .mobileconfig file, with the juicy-bits redacted:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <!-- Read more: https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile -->
> <plist version="1.0">
> <dict>
> <!-- Set the name to whatever you like, it is used in the profile list on the device -->
> <key>PayloadDisplayName</key> <string>My IKEv2 VPN Profile</string>

"My IKEv2 VPN Profile"

is used as the name of these VPN settings.  In strongswan's /etc/ipsec.conf 
you would set it as:

conn "My IKEv2 VPN Profile"


> <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
> <key>PayloadIdentifier</key> <string>REDACTED</string>

This would be the domain name of the server, or relevant domain name which 
will be queried on a reverse-DNS resolution to match the remote IP address to 
domain name.  Not sure if this is needed by strongswan.


> <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
> <key>PayloadUUID</key> <string>REDACTED</string>
> <key>PayloadType</key> <string>Configuration</string>
> <key>PayloadVersion</key> <integer>1</integer>
> <key>PayloadContent</key>
> <array>
> <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
> <dict>
> <!-- This is an extension of the identifier given above -->
> <key>PayloadIdentifier</key> <string>REDACTED</string>
> <!-- A globally unique identifier for this payload -->
> <key>PayloadUUID</key> <string>REDACTED</string>
> <key>PayloadType</key> <string>com.apple.vpn.managed</string>
> <key>PayloadVersion</key> <integer>1</integer>
> <!-- This is the name of the VPN connection as seen in the VPN application later -->
> <key>UserDefinedName</key> <string>My IKEv2 VPN</string>
> <key>VPNType</key> <string>IKEv2</string>
> <key>IKEv2</key>

This tells you that you should configure IKEv2 in strongswan/NM.  IKEv2 is the 
default, or you can set:

keyexchange=ike ##will initiate a connection as IKEv2 but will accept both 
IKEv1 and IKEv2 as a response.  If you only want IKEv2 use:

keyexchange=ikev2


> <dict>
> <!-- Hostname or IP address of the VPN server -->
> <key>RemoteAddress</key> <string>REDACTED</string>

The above is the IP address of the Ubuntu VPN gateway.  In strongswan terms 
you would set it as:

right=123.456.78.9  ##Replace the digits with the Ubuntu public IP address


> <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN.
> Can't be empty. IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
> <key>RemoteIdentifier</key> <string>REDACTED</string>

FQDN used as the VPN gateway identifier.  In strongswan:

rightid=REDACTED  ##use here the RemoteIdentifier above.


> <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
> <key>LocalIdentifier</key> <string></string>
> <!-- OnDemand references:
> http://www.v2ex.com/t/137653

If there is no LocalIdentifier provided in the .mobileconfig, then it will use 
the IP address of the client.  Set it as:

left=%defaultroute


> https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
> Continue reading: https://github.com/iphoting/ovpnmcgen.rb -->
> <key>OnDemandEnabled</key> <integer>1</integer>
> <key>OnDemandRules</key>
> <array> <dict> <key>Action</key> <string>Connect</string> </dict> </array>
> <!-- The server is authenticated using a certificate -->
> <key>AuthenticationMethod</key> <string>SharedSecret</string>
> <key>SharedSecret</key> <string>REDACTED</string>

authby=psk

The value of the secret passphrase you will need to add in /etc/ipsec.secrets:

 <your_client_ID_goes_here> 123.456.78.9 : PSK "xY9LLZvwj4qCC2o/gGrWD"


> <!-- Turn off EAP -->
> <key>ExtendedAuthEnabled</key> <integer>0</integer>
> <!-- AuthName key is required to dismiss the Enter Username screen on iOS 9, even if ExtendedAuthEnabled is false -->
> <key>AuthName</key> <string></string>
> <!-- AuthPassword key is required to dismiss the Enter Password screen on iOS 9, even if ExtendedAuthEnabled is false -->
> <key>AuthPassword</key> <string></string>
> </dict> </dict> </array> </dict> </plist>

I can't tell from the above if the server has XAUTH configured.  If it does 
then you need to add this in your /etc/ipsec.secrets file:

 Daniel : XAUTH "Daniel's account passwd"

I also can't see above any ciphers set by the server, so I guess all that have 
been compiled in the client's OS kernel will be tried out in turn.

The strongswan documentation and ipsec.conf man page have the rest you will 
need to configure your client.  Keep an eye on the logs for errors so that you 
can find out what settings you should experiment with and whether you got the 
syntax correct.

-- 
Regards,
Mick

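The field-by-field correspondence Mick walks through above, as an added example that is not part of the original thread and not strongSwan's own tooling: a Python script that reads an Apple IKEv2 .mobileconfig with plistlib and renders the matching strongSwan conn block and ipsec.secrets line. It assumes the classic ipsec.conf syntax used in the reply (keyexchange/left/right/rightid/authby), a SharedSecret profile, and a constructed sample profile whose hostnames, UUIDs and secret are placeholders. Conn names are collapsed to a single token rather than quoted, and the secrets file is created with mode 0600 because the PSK lands on disk in the clear; both are choices of this example, not something the thread prescribes.

```python
"""Translate the IKEv2 payload of an Apple .mobileconfig into strongSwan
ipsec.conf / ipsec.secrets settings.  Added example, not code from the
thread or from strongSwan.  Assumes classic ipsec.conf syntax and a
SharedSecret profile; the sample profile is constructed, all placeholders."""
import os
import plistlib

# Constructed sample with the same layout as the profile quoted in the thread.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>My IKEv2 VPN Profile</string>
  <key>PayloadIdentifier</key><string>org.example.vpn</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000000</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadIdentifier</key><string>org.example.vpn.ikev2</string>
      <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>UserDefinedName</key><string>My IKEv2 VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.org</string>
        <key>RemoteIdentifier</key><string>vpn.example.org</string>
        <key>LocalIdentifier</key><string></string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><string>PLACEHOLDER-PSK</string>
        <key>ExtendedAuthEnabled</key><integer>0</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def ikev2_payloads(profile):
    """Return the com.apple.vpn.managed payloads whose VPNType is IKEv2."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"
            and p.get("VPNType") == "IKEv2"]


def to_ipsec_conf(conn_name, ike):
    """Build one ipsec.conf conn block from a payload's IKEv2 dict."""
    remote = ike.get("RemoteAddress", "")
    if not remote:
        raise ValueError("RemoteAddress is required")
    method = ike.get("AuthenticationMethod")
    if method != "SharedSecret":
        raise ValueError("only SharedSecret profiles are handled here: %r" % method)
    lines = [
        "conn %s" % conn_name,
        "    keyexchange=ikev2",   # VPNType IKEv2: only IKEv2, never IKEv1
        "    left=%defaultroute",  # client side: address from the routing table
        "    right=%s" % remote,   # RemoteAddress: gateway hostname or IP
        "    rightid=%s" % (ike.get("RemoteIdentifier") or remote),
        "    authby=psk",          # AuthenticationMethod SharedSecret
        "    auto=add",
    ]
    local_id = ike.get("LocalIdentifier", "")
    if local_id:  # empty LocalIdentifier: client IP is used, so no leftid
        lines.insert(3, "    leftid=%s" % local_id)
    return "\n".join(lines) + "\n"


def to_ipsec_secrets(ike):
    """Build the ipsec.secrets line(s); left selector is %any when the
    profile leaves LocalIdentifier empty."""
    left = ike.get("LocalIdentifier") or "%any"
    right = ike.get("RemoteIdentifier") or ike["RemoteAddress"]
    secret = ike.get("SharedSecret", "")
    if not secret or '"' in secret:
        raise ValueError("SharedSecret must be non-empty and must not contain a double quote")
    lines = ['%s %s : PSK "%s"' % (left, right, secret)]
    if ike.get("ExtendedAuthEnabled"):
        # Profile also expects a username/password round; strongSwan keeps
        # such IKEv2 credentials as an EAP secret.
        lines.append('%s : EAP "%s"' % (ike.get("AuthName", ""), ike.get("AuthPassword", "")))
    return "\n".join(lines) + "\n"


def translate(mobileconfig_bytes):
    """Return (ipsec_conf_text, ipsec_secrets_text) for every IKEv2 payload."""
    profile = plistlib.loads(mobileconfig_bytes)
    conf, secrets = [], []
    for payload in ikev2_payloads(profile):
        raw_name = payload.get("UserDefinedName") or profile["PayloadDisplayName"]
        name = "-".join(raw_name.split())  # one token, no quoting needed
        conf.append(to_ipsec_conf(name, payload["IKEv2"]))
        secrets.append(to_ipsec_secrets(payload["IKEv2"]))
    return "".join(conf), "".join(secrets)


def write_secrets(path, text):
    """Write ipsec.secrets content readable by its owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    conf_text, secrets_text = translate(SAMPLE_MOBILECONFIG)
    print(conf_text)
    print(secrets_text)
```

Run it as-is to see the rendered conn block and secrets line for the sample; to use a real profile, pass the file's bytes to `translate` and hand the secrets text to `write_secrets` so the PSK never sits in a world-readable file.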