## How to get OS X certificate-based IKEv2 working with strongSwan
Out of the box, El Capitan does not play nicely with strongSwan if you intend to use certificate-based login without EAP. OS X does not expose the IKEv2 parameters anywhere in System Preferences, so you have to use Apple's configuration-profile system to build a VPN configuration that works with some strongSwan builds.
- Download 'Apple Configurator 2' from the App Store. Launch it, then create a New Profile.
- In 'General', give your profile a name.
- In 'Certificates', 'Configure' a new certificate. Select the *.p12 file and type in the associated password when you 'Open' it.
- In 'VPN', 'Configure' a new VPN with these settings (other fields left at their defaults):

```
Connection Name: [whatever you want]
Connection Type: IKEv2
Server: [the IP address of the VPN endpoint]
Remote Identifier: [same as above, i.e. the Server value]
Local Identifier: [The name of your certificate]
Machine Authentication: Certificate
Identity Certificate: [select the certificate from the drop down]
Certificate Type: RSA
...
Encryption Algorithm: 3DES
Integrity Algorithm: SHA1-96
Diffie-Hellman Group: 2
...
```
- 'Save' the file, then double-click it. 'Continue', 'Install', then type your password. It should now be listed in System Preferences -> Profiles under the name you entered in the General section.
- In System Preferences -> Network you should now see a new VPN with the name you entered in VPN -> Connection Name. Click 'Connect' and you should be good to go.
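The same profile can be generated without clicking through Configurator, which makes the settings above reviewable and repeatable. The following is an added example, not code from the original page, from Apple or from strongSwan: it writes a `.mobileconfig` property list carrying the certificate payload and the IKEv2 VPN payload. The payload keys (`com.apple.vpn.managed`, `IKEv2`, `IKESecurityAssociationParameters`, and so on) are taken from Apple's Configuration Profile Reference as this example's author reads it, so the exact key set is an assumption to diff against a Configurator export before you rely on it. The defaults reproduce the page's 3DES / SHA1-96 / group 2 choice; those are legacy algorithms, so the parameters are exposed for picking stronger ones (for example AES-256 / SHA2-256 / group 14) where the strongSwan side is configured to accept them. The PKCS#12 blob and all identifiers in the `__main__` block are constructed placeholders.

```python
"""Build an IKEv2 certificate-auth VPN .mobileconfig profile.

Added example (not from the original page, Apple or strongSwan). Payload
keys follow Apple's Configuration Profile Reference as understood by this
example's author; treat the key set as an assumption.
"""
import plistlib
import uuid


def build_profile(
    profile_name,
    server,
    local_identifier,
    p12_bytes,
    p12_password,
    encryption="3DES",      # page's choice; "AES-256" is a stronger option
    integrity="SHA1-96",    # page's choice; "SHA2-256" is a stronger option
    dh_group=2,             # page's choice; 14 (2048-bit MODP) is stronger
    remote_identifier=None,
):
    """Return the profile as a dict ready for plistlib.dumps()."""
    cert_uuid = str(uuid.uuid4()).upper()
    vpn_uuid = str(uuid.uuid4()).upper()
    sa_params = {
        "EncryptionAlgorithm": encryption,
        "IntegrityAlgorithm": integrity,
        "DiffieHellmanGroup": dh_group,
    }
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.cert",    # hypothetical identifier
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "VPN client certificate",
        "PayloadContent": p12_bytes,                # bytes become <data>
        "Password": p12_password,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ikev2",   # hypothetical identifier
        "PayloadUUID": vpn_uuid,
        "PayloadDisplayName": profile_name,
        "UserDefinedName": profile_name,            # "Connection Name"
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            # Configurator's ditto mark: remote identifier = server
            "RemoteIdentifier": remote_identifier or server,
            "LocalIdentifier": local_identifier,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,    # ties VPN to the cert
            "CertificateType": "RSA",
            "ExtendedAuthEnabled": False,           # certificate login, no EAP
            "IKESecurityAssociationParameters": dict(sa_params),
            "ChildSecurityAssociationParameters": dict(sa_params),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.profile",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": profile_name,
        "PayloadContent": [cert_payload, vpn_payload],
    }


def profile_to_xml(profile):
    """Serialise the profile to the XML plist text a .mobileconfig holds."""
    return plistlib.dumps(profile).decode("utf-8")


if __name__ == "__main__":
    # Constructed placeholder, not a real PKCS#12 blob.
    fake_p12 = b"\x30\x82NOT-A-REAL-P12"
    prof = build_profile("VBI test", "192.0.2.10", "client.example",
                         fake_p12, "changeit")
    print(profile_to_xml(prof))
```

Redirect the output to a `.mobileconfig` file and double-click it to install, exactly as with the Configurator-built profile. Because the PKCS#12 password is stored in the profile, keep the generated file out of version control and delete it once installed.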
A common error (see https://wiki.strongswan.org/issues/1308) looks like this in the OS X system log, with neagent failing before the IKE_AUTH exchange is even sent:

```
Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: Received a start command from SystemUIServer[310]
Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: status changed to connecting
Aug 17 14:38:03 mimsy nesessionmanager[503]: Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2
Aug 17 14:38:03 mimsy kernel[0]: ipsec_ctl_connect: creating interface ipsec0
Aug 17 14:38:03 mimsy configd[54]: network changed
Aug 17 14:38:03 mimsy neagent[1498]: Failed to create IKE Auth packet
Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: status changed to disconnecting
Aug 17 14:38:03 mimsy neagent[1498]: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9
Aug 17 14:38:03 mimsy kernel[0]: SIOCPROTODETACH_IN6: ipsec0 error=6
Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: status changed to disconnected, last stop reason Stop command received
Aug 17 14:38:03 mimsy configd[54]: network changed
Aug 17 14:38:03 mimsy symptomsd[244]: nw_interface_create_with_name netutil_ifname_to_ifindex(ipsec0) failed, dumping backtrace:
```
If charon logs 'received proposals inacceptable', the encryption, integrity and DH-group combination the profile proposes is not in strongSwan's configured proposal list. Make sure the profile's encryption and integrity algorithms (and DH group) match a proposal strongSwan is configured with; below, the client proposes AES-GCM while the server only has AES-CBC configured:

```
charon: 13[IKE] received proposals inacceptable
received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_102
charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, ...
```
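Whether a profile will hit this error can be checked before installing it. The following is an added example, not code from the original page, from Apple or from strongSwan: it maps the profile's Encryption Algorithm / Integrity Algorithm / Diffie-Hellman Group values onto strongSwan's proposal tokens (the mapping is this example's author's own reading of both projects' documentation, so treat it as an assumption), parses the "configured proposals:" line in the log format shown above, and reports whether some configured proposal contains everything the client would send. GCM is a combined mode, so for it macOS proposes no separate integrity transform, only the PRF derived from the integrity setting, which is what the page's rejected proposal shows. The second configured entry in `CONFIGURED_LOG` is constructed to stand in for the `...` the page elides.

```python
"""Check a macOS IKEv2 profile's algorithms against strongSwan's proposals.

Added example (not from the original page, Apple or strongSwan). The
Apple-value -> strongSwan-token mapping is assumed, not taken from either
project's code.
"""

# Apple profile value -> strongSwan IKE proposal token (assumed mapping).
ENCRYPTION = {
    "DES": "DES_CBC", "3DES": "3DES_CBC",
    "AES-128": "AES_CBC_128", "AES-256": "AES_CBC_256",
    "AES-128-GCM": "AES_GCM_16_128", "AES-256-GCM": "AES_GCM_16_256",
}
INTEGRITY = {  # value -> (integrity token, PRF token)
    "SHA1-96": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
    "SHA1-160": ("HMAC_SHA1_160", "PRF_HMAC_SHA1"),
    "SHA2-256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
    "SHA2-384": ("HMAC_SHA2_384_192", "PRF_HMAC_SHA2_384"),
    "SHA2-512": ("HMAC_SHA2_512_256", "PRF_HMAC_SHA2_512"),
}
DH_GROUP = {
    1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048",
    15: "MODP_3072", 16: "MODP_4096", 17: "MODP_6144", 18: "MODP_8192",
    19: "ECP_256", 20: "ECP_384", 21: "ECP_521",
}


def macos_proposal(encryption, integrity, dh_group):
    """Token set macOS would send for the given profile values."""
    enc = ENCRYPTION[encryption]
    integ, prf = INTEGRITY[integrity]
    tokens = {enc, prf, DH_GROUP[dh_group]}
    if "GCM" not in enc:          # combined mode: no separate integrity
        tokens.add(integ)
    return frozenset(tokens)


def parse_configured(log_line):
    """Parse 'configured proposals: IKE:A/B/C, IKE:D/E, ...' into sets."""
    _, _, rest = log_line.partition("configured proposals:")
    proposals = []
    for item in rest.split(","):
        item = item.strip()
        if not item.startswith("IKE:"):
            continue              # skips the trailing '...' and ESP entries
        proposals.append(frozenset(item[len("IKE:"):].split("/")))
    return proposals


def compatible(client_tokens, configured):
    """True if some configured proposal contains every client token."""
    return any(client_tokens <= p for p in configured)


def diagnose(client_tokens, configured):
    """Tokens missing from the closest configured proposal (empty if OK)."""
    if not configured:
        return set(client_tokens)
    return min((client_tokens - p for p in configured), key=len)


# First entry copied from the page's log; second entry is constructed.
CONFIGURED_LOG = (
    "charon: 15[CFG] configured proposals: "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, ..."
)


if __name__ == "__main__":
    configured = parse_configured(CONFIGURED_LOG)
    for enc, integ, grp in [("3DES", "SHA1-96", 2),          # page's profile
                            ("AES-256-GCM", "SHA2-256", 2),  # page's rejected one
                            ("AES-128", "SHA2-256", 19)]:
        client = macos_proposal(enc, integ, grp)
        verdict = "OK" if compatible(client, configured) else \
            "REJECTED, missing %s" % sorted(diagnose(client, configured))
        print("%s/%s/group %d -> %s" % (enc, integ, grp, verdict))
```

Run it with your own "configured proposals" line pasted into `CONFIGURED_LOG`; a non-empty `diagnose` result tells you which token to add on the strongSwan side or change in the profile.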