Skip to content

Instantly share code, notes, and snippets.

@justvanbloom
Forked from zqqf16/IKEv2.mobileconfig
Created April 27, 2018 10:01
Show Gist options
  • Save justvanbloom/2531a42f0543644f042a34a38a049344 to your computer and use it in GitHub Desktop.
Save justvanbloom/2531a42f0543644f042a34a38a049344 to your computer and use it in GitHub Desktop.
strongSwan IKEv2 configurations for iOS without certificate
# Download strongSwan
wget https://download.strongswan.org/strongswan-5.3.3.tar.gz
# Extract and uncompress
tar -vzxf strongswan-5.3.3.tar.gz
cd strongswan-5.3.3
# Configure
./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
# Make & install
make && make install
# IPSec start
ipsec start
# IPSec reload configuration
ipsec reload
# IPSec reload secrets
ipsec rereadsecrets
# IPSec stop
ipsec stop
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IKEv2</key>
<dict>
<key>AuthName</key>
<string>{username}</string>
<key>AuthPassword</key>
<string>{password}</string>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>2</integer>
<key>EncryptionAlgorithm</key>
<string>3DES</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>DeadPeerDetectionRate</key>
<string>Medium</string>
<key>DisableMOBIKE</key>
<integer>0</integer>
<key>DisableRedirect</key>
<integer>0</integer>
<key>EnableCertificateRevocationCheck</key>
<integer>0</integer>
<key>EnablePFS</key>
<integer>0</integer>
<key>ExtendedAuthEnabled</key>
<true/>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>2</integer>
<key>EncryptionAlgorithm</key>
<string>3DES</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>LocalIdentifier</key>
<string>{rightid}</string>
<key>RemoteAddress</key>
<string>{your_server_address}</string>
<key>RemoteIdentifier</key>
<string>{leftid}</string>
<key>SharedSecret</key>
<string>{your_psk}</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<integer>0</integer>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.FBFBDEF8-5B16-4863-91C1-7E2A68F848A3</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>425A1628-E99B-4547-966E-5B967CF1F5EA</string>
<key>PayloadVersion</key>
<real>1</real>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>JP</string>
<key>VPNType</key>
<string>IKEv2</string>
<key>VendorConfig</key>
<dict/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>IKEv2</string>
<key>PayloadIdentifier</key>
<string>C7918ABA-8DE8-40ED-A3AE-994CD40ACE22</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9697F3C2-FF20-4981-A0C4-AA36BA78EEEA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
#!/bin/bash
# Add ip tables
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.99.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.99.1.0/24 -j ACCEPT
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
strictcrlpolicy=no
uniqueids = no
# IKEv2 for iOS
conn iOS-IKEV2
auto=add
dpdaction=clear
keyexchange=ikev2
#left
left=%any
leftsubnet=0.0.0.0/0
leftauth=psk
leftid=im.zorro.ipsec.server
#right
right=%any
rightsourceip=10.99.1.0/24
rightauth=eap-mschapv2
rightid=im.zorro.ipsec.client
: PSK yourpresharedkey
u1 : EAP "password"
u2 : EAP "password"
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
dns1 = 8.8.8.8
dns2 = 8.8.4.4
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment