Archive > 18.7 Legacy Series

[SOLVED] IPsec VPN for iPhone Device


payback007:
Dear all,

for a few days I've been trying to set up a working IPsec VPN connection to my iPhone. I tried it with several options, with certificate, with PSK, ... Always the same issue: I get no connection to my IPsec VPN server. In the meantime I think there are some firewall rules missing, due to the fact that the error is "VPN server does not answer". But I opened all the necessary ports as described in the wiki.

If I try an OpenVPN connection between iPhone and OPNsense, it works without problems.

Does anybody have an idea what to do? Thanks very much!

payback007:
Hi guys,

are there any ideas about this topic? IPsec road warrior seems not to work on OSX/iOS devices. I think the main issue is that for the mobile client the "peer identifier" seems to be missing?

jeuler:
From a pragmatic point of view: What's wrong with an OpenVPN setup (which seems to work fine)?

I haven't even tried to use IPsec for road warriors for years, on IPcop, Sophos UTM or OPNsense, due to various caveats I stumbled upon with the various clients (different Windows flavors, OSX, iOS, Android...).

My set-ups have been using IPsec for (static) site-2-site connections and OpenVPN for (dynamic) road warriors ever since, thus drastically reducing support overhead.

payback007:
The "problem" is that I want to have authentication either by Xauth_PSK or by certificate with the iOS IPsec client. I don't want to install an additional app only for VPN connections, and only the "IPsec Cisco client" is natively supported by the iOS device.

Meanwhile I found the issue: IPsec was/is not working with the proposed solution in the OPNsense wiki with my iOS device (iOS version 12.1.2); maybe the wiki is not up to date or whatever. I can't say, but here are the differences I found:

OPNsense-wiki:
a) IKEv1 to be set for VPN_iOS connection -> not working
b) peer_identifier -> no longer available with "Mutual PSK + Xauth"

working configuration for my OPNsense now:
a) set IKE_auto (not v1 or v2 explicitly)
b) leave "group name" empty in iOS native IPsec CISCO client

What is not nice from my point of view is having to provide only one PSK for all users and no individual PSK for each user, but in future I will look at identifying by user_cert and transferring it to iOS with a profile. But for the moment the solution is working very well, so my tests can go on. ;)
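The post above ends with the plan to push the settings to iOS with a profile. As an added example (not code from the original thread, OPNsense or Apple), the following script builds such a .mobileconfig for the native iOS IPsec (Cisco-style IKEv1 + Xauth) client with exactly the two working choices described: Mutual PSK + Xauth, and an empty group name, which in profile terms means no `LocalIdentifier` key at all. The hostname, PSK, user name and payload identifiers are constructed placeholders; the key names follow Apple's Configuration Profile Reference for the `com.apple.vpn.managed` payload.

```python
"""
iOS configuration profile for the native IPsec (Cisco-style IKEv1 + Xauth)
client, mirroring the working OPNsense setup from the thread: Mutual PSK +
Xauth, and an empty group name.

Added example, not OPNsense or Apple code. The hostname, PSK, user name and
payload identifiers below are constructed placeholders; profile keys follow
Apple's Configuration Profile Reference ("com.apple.vpn.managed" payload,
"IPSec" dictionary).
"""
import plistlib
import uuid

# Constructed sample values (replace with your own).
SERVER = "vpn.example.net"
PSK = "change-me-shared-secret"
XAUTH_USER = "alice"


def build_ipsec_profile(server, psk, xauth_user,
                        display_name="OPNsense IPsec",
                        group_name=None):
    """Return the profile as a dictionary ready for plistlib.

    group_name=None omits the LocalIdentifier key entirely, which is what
    "leave Group Name empty" in the iOS VPN settings amounts to: the client
    then sends no group/peer identifier, matching an OPNsense mobile phase 1
    set to "Mutual PSK + Xauth" that no longer offers a peer identifier field.
    """
    ipsec = {
        "RemoteAddress": server,            # OPNsense WAN address or FQDN
        "AuthenticationMethod": "SharedSecret",
        # Stored as plist <data>; one PSK shared by every user of this profile.
        "SharedSecret": psk.encode("utf-8"),
        "XAuthEnabled": 1,                  # integer 1 = use Xauth
        "XAuthName": xauth_user,            # per-user part of the login
        # XAuthPassword deliberately absent: iOS prompts for it at connect time.
    }
    if group_name:
        ipsec["LocalIdentifier"] = group_name

    ns = uuid.NAMESPACE_DNS  # deterministic UUIDs so regenerated profiles replace, not duplicate
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"net.example.vpn.{server}",
        "PayloadUUID": str(uuid.uuid5(ns, f"vpn.{server}.{xauth_user}")).upper(),
        "PayloadDisplayName": display_name,
        "UserDefinedName": display_name,
        "VPNType": "IPSec",
        "IPSec": ipsec,
        "IPv4": {"OverridePrimary": 1},     # send all traffic through the tunnel
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"net.example.profile.{server}",
        "PayloadUUID": str(uuid.uuid5(ns, f"profile.{server}.{xauth_user}")).upper(),
        "PayloadDisplayName": f"{display_name} ({xauth_user})",
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [vpn_payload],
    }


def profile_to_mobileconfig(profile):
    """Serialise to the XML plist that iOS accepts as a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def ipsec_settings(mobileconfig_bytes):
    """Parse a .mobileconfig back and return its IPSec dictionary (for checks)."""
    parsed = plistlib.loads(mobileconfig_bytes)
    vpn = next(p for p in parsed["PayloadContent"]
               if p.get("PayloadType") == "com.apple.vpn.managed")
    return vpn["IPSec"]


if __name__ == "__main__":
    data = profile_to_mobileconfig(build_ipsec_profile(SERVER, PSK, XAUTH_USER))
    with open("opnsense-ipsec.mobileconfig", "wb") as fh:
        fh.write(data)
    print(data.decode("utf-8"))
```

Install the generated file via Settings > General > VPN & Device Management (or an MDM), then the connection appears under VPN with the Xauth user name pre-filled. Two caveats: the PSK sits in the file only base64-encoded, so the .mobileconfig itself must be handled as a secret (sign it, or distribute it through MDM rather than e-mail), and the one shared PSK the post complains about is unchanged by this; only `XAuthName` differs per user. Passing `group_name="..."` reinstates `LocalIdentifier` for servers that do expect a group name.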

weust:
I was trying to get IPsec Road Warrior to work last weekend, and stumbled on this issue as well.
What I mainly missed was the ability to set the privileges on the user's groups for xauth, as you can only choose from GUI items.

I will try your two configuration settings. Hopefully it will work then.
