Hello,
I'm trying to find the right config for the following server (strongSwan) config:
conn ikev2-eap-mschapv2
keyexchange=ikev2
leftauth=pubkey
leftcert=certificate.crt
rightauth=eap-radius
eap_identity=%identity
auto=add

I need iOS/macOS to authenticate the server by a certificate it sends to the client. On the other hand, the client must authenticate with username/password.
As suggested in other topics, I started with .mobileconfig. Here is what I have now:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadDisplayName</key>
    <string>My Perfect Config</string>
    <key>PayloadIdentifier</key>
    <string>Yevhens-MacBook-Pro.8B33FCCA-1935-4A7F-ADFC-C655F0B92D85</string>
    <key>PayloadUUID</key>
    <string>1A339B6B-6C66-4F59-BF27-2D26B4E61A2C</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.66C60E0C-8D53-4E38-9F64-3D645E5F6246</string>
            <key>PayloadUUID</key>
            <string>66C60E0C-8D53-4E38-9F64-3D645E5F6246</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserDefinedName</key>
            <string>My IKEv2</string>
            <key>VPNType</key>
            <string>IKEv2</string>
            <key>IKEv2</key>
            <dict>
                <key>RemoteAddress</key>
                <string>myvpnserver.example.com</string>
                <key>RemoteIdentifier</key>
                <string>myvpnserver.example.com</string>
                <key>LocalIdentifier</key>
                <string></string>
                <key>ServerCertificateIssuerCommonName</key>
                <string>AddTrust External CA Root</string>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>ServerCertificateCommonName</key>
                <string>*.example.com</string>
                <key>ExtendedAuthEnabled</key>
                <integer>1</integer>
                <key>AuthName</key>
                <string>myusername</string>
                <key>AuthPassword</key>
                <string>mypassword</string>
                <key>IKESecurityAssociationParameters</key>
                <dict>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-128</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA1-96</string>
                    <key>DiffieHellmanGroup</key>
                    <integer>14</integer>
                </dict>
                <key>ChildSecurityAssociationParameters</key>
                <dict>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-128</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA1-96</string>
                    <key>DiffieHellmanGroup</key>
                    <integer>14</integer>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>

NOTE: I replaced the following values:
- myvpnserver.example.com
- *.example.com
- myusername
- mypassword
In the "real" config they correspond to the real VPN server hostname, real server certificate common name, real user name and real password, respectively.
For now, I'm struggling to get the client to request the certificate from the server as well as validate it.
From Console.app I get this:
ikev2_crypto_copy_remote_certi:1727 BACKTRACE failed to retrieve remote CA cert data by CN (AddTrust External CA Root)
I was able to figure this out by doing two things:
#1 On the server side, adjusting the config, making strongSwan choose the correct connection configuration:
conn ikev2-eap-mschapv2
keyexchange=ikev2
leftcert=certificate.crt
leftid=@*.example.com
rightid=%any
leftsendcert=always
rightsendcert=never
rightauth=eap-radius
eap_identity=%identity
auto=add

#2 On the client side, add via .mobileconfig the Root CA that is missing from the chain of trust.
It started to work, as the following logs prove:
ikev2_crypto_remote_cert_and_s:3097 Matching remote hostname *.example.com with remote certificate
...
ikev2_crypto_remote_cert_and_s:3191 Peer certificate is valid

There is one more question left, which I want to ask in a dedicated thread.
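As an added check that is not part of this thread (and not Apple's or strongSwan's code), here is a small Python linter for an IKEv2 .mobileconfig of the shape posted above: it parses the profile with plistlib, verifies that ServerCertificateCommonName (wildcard allowed) actually matches RemoteIdentifier and that ServerCertificateIssuerCommonName is set so the server certificate is pinned, confirms ExtendedAuthEnabled is on when AuthName is given, and flags an embedded AuthPassword, which an unencrypted profile carries in clear text. The sample profile, its values and the function names are constructed; the payload keys are the ones used in the profile above.

```python
import plistlib

def hostname_matches(pattern: str, host: str) -> bool:
    """Match a certificate CN against a hostname, allowing one leading wildcard
    label: '*.example.com' matches 'vpn.example.com', not 'a.b.example.com'."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return pattern == host

def lint_ikev2_profile(data: bytes) -> list:
    """Return findings for every IKEv2 VPN payload in a .mobileconfig."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.vpn.managed" or p.get("VPNType") != "IKEv2":
            continue
        ike = p.get("IKEv2", {})
        cn, issuer = ike.get("ServerCertificateCommonName"), ike.get("ServerCertificateIssuerCommonName")
        # Without both names the client has nothing to pin the server certificate to
        if not cn or not issuer:
            findings.append("server certificate CN or issuer CN missing: server cert not pinned")
        elif not hostname_matches(cn, ike.get("RemoteIdentifier", "")):
            findings.append(f"ServerCertificateCommonName {cn!r} does not match RemoteIdentifier")
        # Username/password login over IKEv2 is EAP and must be switched on explicitly
        if ike.get("AuthName") and not ike.get("ExtendedAuthEnabled"):
            findings.append("AuthName set but ExtendedAuthEnabled is not 1: EAP will not be used")
        # An unencrypted profile stores this password in clear text wherever it is copied
        if ike.get("AuthPassword"):
            findings.append("AuthPassword embedded in profile: omit it so the user is prompted")
    return findings

def build_profile(ike: dict) -> bytes:
    """Wrap one IKEv2 settings dict in a minimal profile (constructed test data)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2", "IKEv2": ike}]})

# Constructed sample mirroring the thread's payload, placeholder values kept
SAMPLE = build_profile({
    "RemoteIdentifier": "myvpnserver.example.com",
    "ServerCertificateIssuerCommonName": "AddTrust External CA Root",
    "ServerCertificateCommonName": "*.example.com",
    "AuthenticationMethod": "Certificate",
    "ExtendedAuthEnabled": 1,
    "AuthName": "myusername",
    "AuthPassword": "mypassword",
})

if __name__ == "__main__": print(lint_ikev2_profile(SAMPLE))
```

Run against the real profile with `lint_ikev2_profile(open("profile.mobileconfig", "rb").read())`; on the sample above the only finding is the embedded AuthPassword.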