Thanks, verified and works great!
> On 3 Oct 2015, at 3:32 PM, Reyk Floeter <r...@openbsd.org> wrote:
>
> On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
>> Hello misc,
>>
>> Has anyone connected successfully between the new OS X ikev2 impl. to an
>> OpenBSD box?
>>
>> Thanks in advance.
>>
>
> I got the official update and I successfully connected from El Capitan
> to OSX. I did it without using profiles, just with the GUI in network
> settings.
>
> ON OPENBSD:
>
> - Get -current from yesterday (small fix went in)
>
> - Configure an IP on enc0 directly (eg. 10.2.0.2 in this case), a dns
> cache, forwarding, PF etc.
>
> - Configure iked.conf, for example:
>
> user "user1" "password123"
> ikev2 "ios9" passive esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local any peer any \
> childsa enc 3des \
> eap "mschap-v2" \
> config address 10.2.0.1/24 \
> config name-server 10.2.0.2 \
> tag "$name-$id"
>
> - Yes, 3DES. As you see in your log, El Capitan currently only accepts
> 3DES by default. You can probably change it with the external
> security profiles program. iOS9 uses AES-128 instead.
>
> ON OSX:
>
> - Use "ikectl ca" (or other CA tool) to create ca, keys and certs for
> the gateway and peers. I recommend using FQDNs for the certs.
>
> - Install the ca.pfx and $CERT.pfx on OSX from keychain (import
> objects). Trust the CA for EAP and IPsec.
>
> - I tested different options in OSX, user-based, "without" auth + shared
> secret, "without" auth + certificate. Certificate-based auth doesn't
> work since it is two factor EAP-TLS. User-based is EAP-MSCHAPv2.
> Select the installed certificate.
>
> In summary, the GUI part is very easy but certificate configuration is
> a bit difficult. It's the same complexity as in Windows. But much
> better compared to earlier IPsec configurations.
>
> Reyk