I have a setup where I have a working IKEv2 using a certificate for the server and username/password (FreeRADIUS on the OPNsense side). This works for macOS and not for iOS. And it only works if I tell Phase 2 on the OPNsense side to tell the client to tunnel only to my OPNsense LAN network (Local Subnet).
I would like to be able to send all traffic through that IPsec link, for that I can enter Network 0.0.0.0/0 in Phase 2. But when I do that, the client cannot send or receive traffic from the internet at large. It only works with a partial VPN.
I have seen some information that I need to set that "send all traffic over VPN" at the macOS side as well, but the only way to do that is to create a .mobileconfig in Apple Configurator and edit that to include that setting (by hand) in the XML:
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
But maybe that no longer works.
So, as a first step, I tried recreating the manually created IKEv2 VPN on the macOS client (the one that works). But if I try that, macOS (Monterey) complains that there is a 'configuration error' and it immediately fails without trying to set up the VPN.
So, exactly the same VPN connection, one entered by hand and one entered via a profile: one works, one does not. I tried a lot of other things based on internet articles, but I haven't been able to create a .mobileconfig that works and that combines a certificate for IKEv2 in combination with Xauth (username/password) so that I can use FreeRADIUS on the OPNsense router.
Is there anyone who has a working .mobileconfig (even without 'all traffic over VPN') so that I can use that as a basis to solve the 'all traffic' issue?
Quote from: gctwnl on December 03, 2022, 05:15:56 PM
I have a setup where I have a working IKEv2 using a certificate for the server and username/password (FreeRADIUS on the OPNsense side). This works for macOS and not for iOS. And it only works if I tell Phase 2 on the OPNsense side to tell the client to tunnel only to my OPNsense LAN network (Local Subnet)
...
I was able to get IKEv2 EAP-RADIUS to work with iOS with all traffic over the VPN without a .mobileconfig file, and with macOS/iOS devices where each device gets its own IP based on the RADIUS user info. The key elements were:
- In FreeRADIUS Users:
  - Provide the IP Address and the Subnet Mask
  - In Routes, add the IP range of your LAN
- In Mobile Clients:
  - Do not provide a range in Virtual IPv4 Address Pool (if you do, it overrides the RADIUS settings)
  - Provide a domain name and a list of split domain names (probably not important)
- In Phase 1:
  - Connection method: default, Key Exchange V2
  - Method: EAP-RADIUS, My Identifier: Distinguished Name, and the name is the reverse-resolvable FQDN
  - Encryption algorithms: AES256, hash algorithms: SHA1 & SHA256, DH: 14
- In Phase 2:
  - Set Local Network to "Network, 0.0.0.0/0" (all traffic over the tunnel)
  - Encryption algorithms: AES256, hash algorithms: SHA1 & SHA256
- In Firewall settings:
  - Disable force gateway turned on
On the device (macOS, iOS) make sure the certificate and the 'certificate authority' certificate are installed. Make sure in macOS that they are trusted.
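As an added illustration (not from the post above or from OPNsense itself) of what the per-user "IP Address", "Subnet Mask" and "Routes" fields correspond to in RADIUS terms, here is a hand-written FreeRADIUS users-file entry that returns the same attributes; the user name, password and addresses are made-up sample values, and it is an assumption that the OPNsense FreeRADIUS plugin emits exactly these standard attributes from its GUI fields.

```text
# FreeRADIUS "users" file entry (constructed example).
# Check item: the credential the EAP-RADIUS client must present.
alice   Cleartext-Password := "change-me-sample"
        # Reply items: sent back in the Access-Accept and picked up by
        # strongSwan on OPNsense as the client's virtual IP. This only
        # takes effect when the Mobile Clients "Virtual IPv4 Address Pool"
        # is left empty, as the post above notes.
        Framed-IP-Address = 10.99.0.21,
        Framed-IP-Netmask = 255.255.255.0,
        # LAN behind the firewall that the client should reach
        # (the "Routes" field); with Phase 2 set to 0.0.0.0/0 the
        # client tunnels everything anyway, so this is informational.
        Framed-Route = "192.168.1.0/24"
```

Before touching the IPsec side, `radtest alice change-me-sample 127.0.0.1 0 <shared-secret>` on the firewall should show an Access-Accept carrying the Framed-IP-Address; if it does not, the problem is in RADIUS, not in Phase 1/2.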