OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: payback007 on January 11, 2019, 01:17:18 am

Title: [SOLVED] IPsec VPN for iPhone Device
Post by: payback007 on January 11, 2019, 01:17:18 am
Dear all,

For a few days I've been trying to set up a working IPsec VPN connection to my iPhone. I tried it with several options, with certificate, with PSK, ... Always the same issue: I get no connection to my IPsec VPN server. In the meantime I think there are some firewall rules missing, due to the fact "VPN server does not answer". But I released all necessary ports as described in the wiki.

If I try an OpenVPN connection between iPhone and OPNsense, it works without problems.

Does anybody have an idea what to do? Thanks very much!
Title: Re: IPsec VPN for iPhone Device
Post by: payback007 on January 19, 2019, 11:06:27 pm
Hi guys,

are there any ideas about this topic? IPsec road warrior seems not to be working on OSX/iOS devices. I think the main issue is that for the mobile client the "peer identifier" seems to be missing?
Title: Re: IPsec VPN for iPhone Device
Post by: jeuler on January 21, 2019, 07:28:51 pm
From a pragmatic point of view: What's wrong with an OpenVPN setup (which seems to work fine)?

I haven't even tried to use IPsec for road warriors for years on any of IPcop, sophos-utm and OPNsense due to various caveats I stumbled upon with the various clients (different Windows flavors, OSX, iOS, Android...).

My set-ups have been using IPsec for (static) site-2-site connections and OpenVPN for (dynamic) road warriors ever since, thus drastically reducing support overhead.

Title: Re: IPsec VPN for iPhone Device
Post by: payback007 on January 21, 2019, 09:22:58 pm
The "problem" is that I want to have authentication either by Xauth_PSK or by certificate with the IPsec iOS client. I don't want to install an additional app only for VPN connections. So only the "IPsec CISCO client" is natively supported by the iOS device.

Meanwhile I found the issue why IPsec was/is not working with the solution proposed in the OPNsense wiki with my iOS device (iOS version v12.1.2); maybe the wiki is not up to date or whatever. I can't say, but here are the differences I found:

OPNsense-wiki:
a) IKEv1 to be set for VPN_iOS connection -> not working
b) peer_identifier -> no more available with "Mutual PSK + Xauth"

working configuration for my OPNsense now:
a) set IKE_auto (not v1 or v2 explicitly)
b) leave "group name" empty in iOS native IPsec CISCO client

What is not nice from my point of view is to provide only one PSK for all users and no individual PSK for each user, but in future I will look into identifying by user_cert and transferring it to iOS with a profile. But for the moment the solution is working very well, so my tests can go on. ;)
Title: Re: [SOLVED] IPsec VPN for iPhone Device
Post by: weust on June 28, 2019, 11:42:19 am
I was trying to get IPsec Road Warrior to work last weekend, and stumbled on this issue as well.
What I mainly missed was the ability to set the privileges on the user's groups for xauth, as you can only choose from GUI items.

I will try your two configuration settings. Hopefully it will work then.