Good afternoon, I have two strongSwan VPN servers running; one to keep me connected to the United Kingdom and one to protect data on hotel WiFi (etc.) in the United States. Admittedly, I am not familiar with strongSwan, having not heard about it until several days ago. In either case, I was successful in configuring and installing strongSwan on two servers: an endpoint in SFO and an endpoint in London.
I have been successful at connecting Windows 10 Pro clients to the VPN, but my OS X 10.11.5 and iOS 10 clients have been giving me issues when attempting to connect. Per the following resources:

https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/

I have generated the required certificates, enabled multi-device usage from a single certificate, and was successful in creating both VPN connections for Windows 10 Pro. For OS X, I have been successful in establishing the connection to the VPN by using the Apple Configurator 2 app to create a VPN configuration profile that specified the p12 bundle and set the IKEv2 authentication mode to use DH Group 2 with 3DES and SHA1-96. OS X presents the most interesting predicament: it connects, gets an IP address, and adds the default routes (netstat -rn included below), but it doesn't send any data across the tunnel:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           43        0     en1
default            link#8             UCSI            0        0  ipsec0
10/16              link#5             UCS             8        0     en1
10.0.0.1/32        link#5             UCS             1        0     en1
10.0.0.1           <EDGE ROUTER MAC>  UHLWIir        47      194     en1   1076
10.0.143.243/32    link#5             UCS             1        0     en1
10.0.143.243       <MBP MAC ADDRESS>  UHLWI           0        1     lo0
45.32.180.111      10.0.0.1           UGHS            0        0     en1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             18   781055     lo0
169.254            link#5             UCS             0        0     en1
172.11.22.1        172.11.22.1        UH              0        0  ipsec0
224.0.0            link#5             UmCS            1        0     en1
224.0.0            link#8             UmCSI           0        0  ipsec0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en1
255.255.255.255/32 link#5             UCS             0        0     en1
255.255.255.255/32 link#8             UCSI            0        0  ipsec0

As you can see, link#8 is the IPSec route and 45.x.x.x is the VPN server, while 172.11.22.1/24 is the private address space.
To further detail, this is the configuration for the UK VPN endpoint corresponding to the information above:

# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    authby=pubkey
    left=%any
    leftid=claraoswald.bbr01.lon.uk.ini.arendellenet.net
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    leftsendcert=always
    right=%any
    rightsourceip=172.11.22.0/24,2002:25f7:7489:3::/112
    rightdns=8.8.8.8,2001:4860:4860::8888

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

With the server configuration spelled out, the second most interesting thing is that the certificate which works to connect OS X to the VPN (although it doesn't send traffic over the VPN) does not work at all on iOS 10.
iOS 10 simply starts the "Connecting" process and immediately terminates back to "Disconnected." How can I get the VPN to work as it does in Windows 10 Pro? OS X establishes the link but won't send anything through the tunnel, while iOS won't connect at all - even with an Apple Configurator 2 profile: the very same one used by OS X. The UK deployment is permanent while the US deployment is temporary, which is why I provided the UK deployment. However, the US deployment is very similarly set up and experiences the same issues. I have circled around Google and the Wiki for days; now I can just use a little user support feedback to get this deployment complete.

Thank You,
Avalon Thorne
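Added example (not part of the post above, and not strongSwan's own code): a small Python audit of the ike=/esp= proposal strings quoted in the ipsec.conf above. It splits each value into proposals and tokens, reports the proposals that still carry legacy algorithms (3DES, SHA-1, MODP-1024/1536, among others), and prints a hardened line with those tokens removed. The sample input is abridged from the post's own lines; the LEGACY table, the token classification prefixes and the "what a proposal must keep" rules in harden() are my assumptions, not strongSwan's rules. Note that the last IKE proposal it flags, 3des-sha1-modp1024, is exactly the suite the Apple Configurator 2 profile in the post was set to (DH Group 2, 3DES, SHA1-96).

```python
"""Audit strongSwan ike=/esp= proposal strings for legacy algorithms.

Added example, not from the mailing-list post or from strongSwan. The sample
lines are abridged from the post's ipsec.conf; LEGACY, the prefix tables and
the rules in harden() are assumptions of this example.
"""

# Constructed sample: abridged from the ike= and esp= lines quoted in the post.
IKE_LINE = ("aes128-sha1-modp1024,aes128-sha256-ecp256,"
            "aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,"
            "3des-sha1-modp1024!")
ESP_LINE = ("aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,"
            "aes128gcm16-ecp256,3des-sha1!")

# Assumed classification: tokens treated as legacy, and why.
LEGACY = {
    "3des": "64-bit block cipher (Sweet32)",
    "des": "56-bit key",
    "null": "no encryption",
    "md5": "broken hash",
    "sha1": "SHA-1 integrity/PRF",
    "modp768": "DH group 1 (768-bit)",
    "modp1024": "DH group 2 (1024-bit)",
    "modp1536": "DH group 5 (1536-bit)",
}

# Assumed token families (prefix match); integrity is tested first because
# aesxcbc/aescmac start with "aes" but are integrity algorithms.
INTEG_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac", "prf")
DH_PREFIXES = ("modp", "ecp", "curve25519", "x25519", "curve448", "x448")
ENC_PREFIXES = ("aes", "3des", "des", "chacha20", "camellia", "null", "blowfish")
AEAD_MARKERS = ("gcm", "ccm", "poly1305")


def kind(token):
    """Classify a proposal token as 'integ', 'dh', 'enc' or 'other'."""
    t = token.lower()
    if t.startswith(INTEG_PREFIXES):
        return "integ"
    if t.startswith(DH_PREFIXES):
        return "dh"
    if t.startswith(ENC_PREFIXES):
        return "enc"
    return "other"


def is_aead(token):
    """True for combined-mode ciphers (GCM/CCM/ChaCha20-Poly1305) that need no separate integrity algorithm."""
    return any(m in token.lower() for m in AEAD_MARKERS)


def parse_proposals(line):
    """Split an ike=/esp= value into (list of token lists, strict_flag).

    A trailing '!' is strongSwan's strict marker; it is stripped and reported.
    """
    strict = line.endswith("!")
    body = line[:-1] if strict else line
    proposals = [[t for t in p.split("-") if t] for p in body.split(",") if p]
    return proposals, strict


def audit(line):
    """Return [(proposal_string, [legacy tokens])] for every proposal containing a legacy algorithm."""
    proposals, _ = parse_proposals(line)
    findings = []
    for tokens in proposals:
        weak = [t for t in tokens if t.lower() in LEGACY]
        if weak:
            findings.append(("-".join(tokens), weak))
    return findings


def harden(line, need_dh):
    """Drop legacy tokens, then drop any proposal left without the parts it needs.

    need_dh: True for ike= (a DH group is mandatory), False for esp= (a PFS group is optional).
    Non-AEAD ciphers need an integrity algorithm. The strict flag is preserved.
    """
    proposals, strict = parse_proposals(line)
    kept = []
    for tokens in proposals:
        tokens = [t for t in tokens if t.lower() not in LEGACY]
        kinds = {kind(t) for t in tokens}
        encs = [t for t in tokens if kind(t) == "enc"]
        if not encs:
            continue
        if need_dh and "dh" not in kinds:
            continue
        if any(not is_aead(t) for t in encs) and "integ" not in kinds:
            continue
        kept.append("-".join(tokens))
    return ",".join(kept) + ("!" if strict else "")


if __name__ == "__main__":
    for label, line, need_dh in (("ike", IKE_LINE, True), ("esp", ESP_LINE, False)):
        for prop, weak in audit(line):
            print(f"{label}: {prop}: legacy {', '.join(LEGACY[w.lower()] for w in weak)}")
        print(f"{label} hardened: {harden(line, need_dh)}")
```

Run it as-is to audit the abridged lines, or paste the full ike=/esp= values from ipsec.conf into IKE_LINE and ESP_LINE. The hardened output is a starting point for a tighter proposal list, to be reconciled with what each client platform actually offers; the routing question in the post is separate from this and is not addressed here.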