strongSwan IKEv2 configuration for iOS without a certificate (gateway authenticated by a pre-shared key, users by EAP-MSCHAPv2)
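# Download strongSwan
# NOTE(review): 5.3.3 was the current release when this gist was written (2015).
# Check https://www.strongswan.org/ for the latest release and its security
# advisories, and override VERSION instead of building a known-old tree.
set -e
VERSION="${VERSION:-5.3.3}"
TARBALL="strongswan-${VERSION}.tar.gz"
wget "https://download.strongswan.org/${TARBALL}"
# Verify the detached signature published next to the tarball. HTTPS only shows
# which host served the file; the signature shows who built it. The strongSwan
# release-signing key must already be in the local GPG keyring for this to pass.
wget "https://download.strongswan.org/${TARBALL}.sig"
gpg --verify "${TARBALL}.sig" "${TARBALL}"
# Extract and uncompress
tar -vzxf "${TARBALL}"
cd "strongswan-${VERSION}"
# Configure
# --prefix=/usr installs over a distribution package of strongSwan if one is
# present; use /usr/local if the two must coexist.
# --enable-md4 is required by eap-mschapv2 (NT password hash) and
# --enable-openssl supplies the ciphers. The other EAP methods below are not
# used by this gist's ipsec.conf (rightauth=eap-mschapv2) and can be dropped
# to reduce the amount of code the daemon loads.
./configure --prefix=/usr --sysconfdir=/etc \
  --enable-openssl --enable-nat-transport \
  --disable-mysql --disable-ldap --disable-static --enable-shared \
  --enable-md4 --enable-eap-mschapv2 --enable-eap-identity \
  --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-md5 \
  --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file \
  --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql \
  --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
# Make & install (install needs root)
make && make install
# Service control reference - run the one you need, not all four in sequence.
# IPSec start
ipsec start
# IPSec reload configuration (ipsec.conf)
ipsec reload
# IPSec reload secrets (ipsec.secrets)
ipsec rereadsecrets
# IPSec stop
ipsec stop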
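<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  iOS configuration profile for the strongSwan gateway in this gist.
  Placeholders in {braces} must be filled in before installing:
    {username}/{password}   EAP-MSCHAPv2 user from ipsec.secrets
    {your_psk}              the PSK from ipsec.secrets
    {your_server_address}   gateway address
    {leftid}/{rightid}      leftid / rightid from the server's ipsec.conf
  SECURITY NOTE: the PSK authenticates the gateway and is shared with every
  user, so anyone holding it can impersonate the gateway and collect
  MSCHAPv2 challenge/responses for offline cracking. RFC 7296 section 2.16
  only endorses EAP together with server certificate authentication; prefer a
  server certificate when a CA can be distributed to the devices.
-->
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IKEv2</key>
<dict>
<!-- EAP identity and password, matched against "user : EAP "..."" in ipsec.secrets -->
<key>AuthName</key>
<string>{username}</string>
<key>AuthPassword</key>
<string>{password}</string>
<!-- Gateway is authenticated with the PSK below (leftauth=psk on the server) -->
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<!-- CHILD_SA (ESP) proposal. AES-256 / SHA2-256 replace the original
     3DES / SHA1-96; the server must offer the same suite in its esp= line. -->
<key>ChildSecurityAssociationParameters</key>
<dict>
<!-- Only used when EnablePFS is 1 -->
<key>DiffieHellmanGroup</key>
<integer>14</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>DeadPeerDetectionRate</key>
<string>Medium</string>
<key>DisableMOBIKE</key>
<integer>0</integer>
<key>DisableRedirect</key>
<integer>0</integer>
<!-- No effect with SharedSecret; there is no gateway certificate to check -->
<key>EnableCertificateRevocationCheck</key>
<integer>0</integer>
<!-- PFS on CHILD_SA rekeys. Left off because strongSwan's default ESP
     proposal carries no DH group and the rekey would then fail; set to 1
     once the server's esp= proposal includes modp2048 (DH group 14). -->
<key>EnablePFS</key>
<integer>0</integer>
<key>ExtendedAuthEnabled</key>
<true/>
<!-- IKE_SA proposal: AES-256 / SHA2-256 / DH group 14 (2048-bit) instead of
     the original 3DES / SHA1-96 / DH group 2 (1024-bit). -->
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>14</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<!-- Identity this device presents: the server's rightid (shared by all clients) -->
<key>LocalIdentifier</key>
<string>{rightid}</string>
<key>RemoteAddress</key>
<string>{your_server_address}</string>
<!-- Identity expected from the gateway: must equal the server's leftid exactly -->
<key>RemoteIdentifier</key>
<string>{leftid}</string>
<key>SharedSecret</key>
<string>{your_psk}</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<integer>0</integer>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.FBFBDEF8-5B16-4863-91C1-7E2A68F848A3</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>425A1628-E99B-4547-966E-5B967CF1F5EA</string>
<!-- PayloadVersion is an integer (it was a <real> here, inconsistent with the outer payload) -->
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>JP</string>
<key>VPNType</key>
<string>IKEv2</string>
<key>VendorConfig</key>
<dict/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>IKEv2</string>
<key>PayloadIdentifier</key>
<string>C7918ABA-8DE8-40ED-A3AE-994CD40ACE22</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9697F3C2-FF20-4981-A0C4-AA36BA78EEEA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>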
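#!/bin/bash
# Firewall and NAT rules for the strongSwan IKEv2 gateway.
# Rules are appended (-A) and are NOT persistent: re-run this at boot or save
# them with iptables-save / your distribution's persistence mechanism.
set -euo pipefail

# Public interface and the address pool handed to clients; the pool must match
# rightsourceip in ipsec.conf.
WAN_IF="${WAN_IF:-eth0}"
VPN_POOL="${VPN_POOL:-10.99.1.0/24}"

# Add ip tables
# IKE (UDP/500), NAT-T (UDP/4500) and plain ESP for peers that are not behind NAT.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT

# Runtime only; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to persist.
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
# Outbound traffic from the pool, and the replies back to it. The original rule
# only covered the outbound direction, which drops return traffic when the
# FORWARD chain's policy is DROP.
iptables -A FORWARD -s "$VPN_POOL" -j ACCEPT
iptables -A FORWARD -d "$VPN_POOL" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Clamp TCP MSS on forwarded SYNs: ESP/UDP encapsulation shrinks the path MTU,
# and without this clients typically connect fine but web pages stall.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu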
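# ipsec.conf - strongSwan IPsec configuration file
#
# Server side of the "iOS without certificate" setup: the gateway authenticates
# with a pre-shared key (leftauth=psk) and users with EAP-MSCHAPv2
# (rightauth=eap-mschapv2). Entries inside a section must be indented.
#
# SECURITY NOTE: the PSK is shared with every client, so anyone who holds it can
# impersonate the gateway and collect MSCHAPv2 challenge/responses for offline
# cracking. RFC 7296 section 2.16 only endorses EAP together with server
# certificate authentication; prefer leftauth=pubkey with a server certificate
# when a CA can be distributed to the devices.

# basic configuration
config setup
    # no certificates, so no CRLs to enforce
    strictcrlpolicy=no
    # every client presents the same rightid, so several SAs per identity are expected
    uniqueids = no

# IKEv2 for iOS
conn iOS-IKEV2
    auto=add
    dpdaction=clear
    keyexchange=ikev2
    # Pin the proposals: without ike=/esp= strongSwan 5.3.x also accepts
    # 3DES / SHA1 / DH group 2. The iOS profile must use AES-256 / SHA2-256 /
    # DH group 14 to match. The trailing "!" makes the list strict.
    ike=aes256-sha256-modp2048,aes128-sha256-modp2048!
    # Entries with modp2048 serve profiles with EnablePFS=1; the entries without
    # a DH group serve profiles with EnablePFS=0.
    esp=aes256-sha256-modp2048,aes256-sha256,aes128-sha256-modp2048,aes128-sha256!
    # IKEv2 fragmentation (RFC 7383), negotiated only if the peer supports it;
    # keeps large IKE_AUTH messages from being dropped on MTU-limited paths.
    fragmentation=yes
    #left
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    # value of RemoteIdentifier in the iOS profile
    leftid=im.zorro.ipsec.server
    #right
    right=%any
    # must match the MASQUERADE/FORWARD rules in the iptables script
    rightsourceip=10.99.1.0/24
    rightauth=eap-mschapv2
    # value of LocalIdentifier in the iOS profile; one shared id, the EAP
    # username (AuthName) identifies the individual user
    rightid=im.zorro.ipsec.client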
# ipsec.secrets - holds the gateway PSK and every user's password in clear;
# keep it readable by root only (e.g. mode 0600).
# PSK with an empty selector: offered to any peer. Replace the placeholder with
# a long random value; it is shared with every client.
: PSK yourpresharedkey
# EAP-MSCHAPv2 users, "username : EAP "password""; the username is what the
# iOS profile sends as AuthName.
u1 : EAP "password"
u2 : EAP "password"
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
# load plugins according to the per-plugin .conf files included below
load_modular = yes
# DNS servers handed to clients in the IKEv2 configuration payload.
# These are Google's public resolvers; replace them with resolvers you
# control if client DNS traffic should not leave your network.
dns1 = 8.8.8.8
dns2 = 8.8.4.4
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
@zhovner


zhovner commented Oct 19, 2015

Do you have any problems with LifeTimeInMinutes rekey?

@zqqf16


zqqf16 commented Oct 20, 2015

@zhovner no, the default value seems all right.

@cuitao3000


cuitao3000 commented Dec 31, 2015

可以连上 VPN，但是无法打开任何网页，请问可能是什么原因？
谢谢

@zqqf16


zqqf16 commented Jan 5, 2016

@cuitao3000 IP table 配对了?

@goodgooodstudy


goodgooodstudy commented May 10, 2016

ios leftid填什么?
