@sawall
Last active September 26, 2021 17:25
OS X certificate-based IKEv2 + strongSwan

## How to get OS X certificate-based IKEv2 working with strongSwan

Out of the box, El Capitan does not play nicely with strongSwan if you intend to use certificate-based login without EAP. OS X unfortunately does not provide a means of directly configuring the VPN parameters, so you have to leverage Apple's profile system to create a VPN configuration that will work with some strongSwan builds.

  • Download 'Apple Configurator 2' from the App Store. Load it then create a New Profile.
  • In 'General' give your profile a name.
  • In 'Certificates', 'Configure' a new certificate. Select the *.p12 file and type in the associated password when you 'Open' it.
  • In 'VPN', 'Configure' a new VPN:
  Connection Name:         [whatever you want]
  Connection Type:         IKEv2
  Server:                  [the IP address of the VPN endpoint]
  Remote Identifier:       ["]
  Local Identifier:        [The name of your certificate]
  Machine Authentication:  Certificate
  Identity Certificate:    [select the certificate from the drop down]
  Certificate Type:        RSA
  ...
  Encryption Algorithm:    3DES
  Integrity Algorithm:     SHA1-96
  Diffie-Hellman Group:    2
  ...
  • 'Save' the file, then double click on it. 'Continue', 'Install', then type your password. It should now show up in System Preferences -> Profiles under the name you put in the General section.

  • In System Preferences -> Network you should now see a new VPN with the name you entered in VPN -> Connection Name. Click 'Connect' and you should be good to go.


Common error (reference: https://wiki.strongswan.org/issues/1308). On the OS X side the connection attempt fails immediately because the IKE_AUTH packet cannot be built:

Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: Received a start command from SystemUIServer[310]
Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: status changed to connecting
Aug 17 14:38:03 mimsy nesessionmanager[503]: Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2
Aug 17 14:38:03 mimsy kernel[0]: ipsec_ctl_connect: creating interface ipsec0
Aug 17 14:38:03 mimsy configd[54]: network changed
Aug 17 14:38:03 mimsy neagent[1498]: Failed to create IKE Auth packet
Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: status changed to disconnecting
Aug 17 14:38:03 mimsy neagent[1498]: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9
Aug 17 14:38:03 mimsy kernel[0]: SIOCPROTODETACH_IN6: ipsec0 error=6
Aug 17 14:38:03 mimsy nesessionmanager[503]: NESMIKEv2VPNSession[VBI test:8FAF2ACB-DABF-4C6F-AF19-A33B86573D0C]: status changed to disconnected, last stop reason Stop command received
Aug 17 14:38:03 mimsy configd[54]: network changed
Aug 17 14:38:03 mimsy symptomsd[244]: nw_interface_create_with_name netutil_ifname_to_ifindex(ipsec0) failed, dumping backtrace:

On the strongSwan side, make sure the configured IKE proposal supports the encryption + integrity algorithms the client sends; otherwise charon rejects the exchange and logs the two proposal sets so you can compare them:

  charon: 13[IKE] received proposals inacceptable
  received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_102
  charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, ...
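As an added example (not part of the gist), this Python script parses the two charon proposal lines shown above and reports, per received proposal, the transform types on which the client's offer fails against every configured proposal. The log excerpt inside it is constructed to match the shape of those lines, and the prefix table in `transform_type` is my own assumption about strongSwan's algorithm naming.

```python
import re
# Constructed charon log excerpt (not from the gist). It mirrors the shape of the
# "received proposals inacceptable" messages; the second configured proposal is the
# 3DES / SHA1-96 / group 2 set that the profile above selects.
SAMPLE_LOG = """\
charon: 13[IKE] received proposals inacceptable
charon: 13[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024
charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

def transform_type(name):
    """Map a strongSwan transform name onto its IKEv2 transform type (assumed prefixes)."""
    for prefix, ttype in (("PRF_", "prf"), ("HMAC_", "integ"), ("AUTH_", "integ"),
                          ("MODP_", "dh"), ("ECP_", "dh"), ("CURVE_", "dh")):
        if name.startswith(prefix):
            return ttype
    return "encr"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, ...

def parse_proposals(line):
    """'... IKE:A/B/C, IKE:D/E' -> [(text, {type: {names}}), ...], one per proposal."""
    out = []
    for body in re.findall(r"IKE:([A-Z0-9_/]+)", line):
        types = {}
        for tf in body.split("/"):
            types.setdefault(transform_type(tf), set()).add(tf)
        out.append((body, types))
    return out

def mismatches(received, configured):
    """Transform types on which `received` cannot be satisfied by `configured`. A type
    present on only one side also fails, e.g. an AEAD offer (no integrity transform)
    against an AES-CBC + HMAC configuration."""
    return {t for t in set(received) | set(configured)
            if t not in received or t not in configured
            or not (received[t] & configured[t])}

def diagnose(log_text):
    """{received proposal text: None if some configured proposal accepts it, otherwise
    the transform types that fail against every configured proposal}."""
    rx, cx = [], []
    for line in log_text.splitlines():
        if "received proposals:" in line:
            rx = parse_proposals(line)
        elif "configured proposals:" in line:
            cx = parse_proposals(line)
    result = {}
    for text, r in rx:
        per_conf = [mismatches(r, c) for _, c in cx]  # assumes a configured line exists
        result[text] = None if any(not m for m in per_conf) else set.intersection(*per_conf)
    return result
```

Feed it the real charon lines from your own log (the received line is printed without a proposal match) and it tells you whether the gap is the cipher, the DH group, or the AEAD-versus-HMAC shape of the offer.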