On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
> Hello misc,
>
> Has anyone connected successfully between the new OS X ikev2 impl. To an
> OpenBSD box?
>
> Thanks in advance.
>
I got the official update and I successfully connected from El Capitan
to OSX. I did it without using profiles, just with the GUI in network
settings.
ON OPENBSD:
- Get -current from yesterday (small fix went in)
- Configure an IP on enc0 directly (e.g. 10.2.0.2 in this case), a DNS
cache, forwarding, PF etc.
- Configure iked.conf, for example:
    user "user1" "password123"
    ikev2 "ios9" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local any peer any \
        childsa enc 3des \
        eap "mschap-v2" \
        config address 10.2.0.1/24 \
        config name-server 10.2.0.2 \
        tag "$name-$id"
- Yes, 3DES. As you see in your log, El Capitan currently only accepts
3DES by default. You can probably change it with the external
security profiles program. iOS9 uses AES-128 instead.
ON OSX:
- Use "ikectl ca" (or other CA tool) to create the CA, keys and certs for
the gateway and peers. I recommend using FQDNs for the certs.
- Install the ca.pfx and $CERT.pfx on OSX from keychain (import
objects). Trust the CA for EAP and IPsec.
- I tested different options in OSX: user-based, "without" auth + shared
secret, "without" auth + certificate. Certificate-based auth doesn't
work since it is two-factor EAP-TLS. User-based is EAP-MSCHAPv2.
Select the installed certificate.
In summary, the GUI part is very easy but certificate configuration is
a bit difficult. It's the same complexity as in Windows. But much
better compared to earlier IPsec configurations.
Reyk
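An added example, not part of Reyk's post and not OpenBSD code: a POSIX shell script that generates the road-warrior iked.conf policy from the thread, flags the 3DES child SA that El Capitan's default profile forces, runs iked's config test when iked is present, and optionally walks the ikectl(8) CA steps the post refers to. It goes one step beyond the post by emitting both aes-128 and 3des as transforms on one childsa line, so a single policy can serve iOS 9 and El Capitan; that iked offers the transforms in order and the peer takes the first it accepts is my reading of the iked.conf grammar, not something the post states, so check it with `iked -n`. The CA name "vpn", the host names gw.example.com and client1.example.com, the user name and password, and the export directory under /etc/ssl/ are placeholders or assumptions taken from ikectl(8) as I recall it.

```shell
#!/bin/sh
# Added example (not from the post or from OpenBSD). Names, password and
# the ikectl export path below are placeholders/assumptions; replace them.

# gen_iked_conf USER PASSWORD POOL DNS ENC [ENC...]
# Prints an iked.conf policy. Each ENC becomes an "enc" transform on the
# childsa line (assumption: iked offers them in order and the peer picks
# the first one it accepts), so aes-128 can be listed ahead of 3des.
gen_iked_conf() {
    user=$1; pass=$2; pool=$3; dns=$4; shift 4
    encs=""
    for e in "$@"; do encs="$encs enc $e"; done
    printf 'user "%s" "%s"\n' "$user" "$pass"
    printf 'ikev2 "ios9" passive esp \\\n'
    printf '\tfrom 0.0.0.0/0 to 0.0.0.0/0 \\\n'
    printf '\tlocal any peer any \\\n'
    printf '\tchildsa%s \\\n' "$encs"
    printf '\teap "mschap-v2" \\\n'
    printf '\tconfig address %s \\\n' "$pool"
    printf '\tconfig name-server %s \\\n' "$dns"
    printf '\ttag "$name-$id"\n'
}

# has_weak_enc FILE: exit 0 when any "enc 3des" transform is configured.
has_weak_enc() {
    grep -qE '(^|[[:space:]])enc[[:space:]]+3des([[:space:]]|$)' "$1"
}

# syntax_check FILE: iked's config test (-n) if iked exists on this host.
syntax_check() {
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$1"
    else
        echo "iked not installed here; skipping 'iked -n -f $1'" >&2
    fi
}

# setup_ca CA GATEWAY CLIENT: the ikectl(8) steps for a CA, a gateway
# certificate installed into /etc/iked, and one client certificate
# exported as a bundle to import into the OS X keychain. Only runs where
# ikectl exists (OpenBSD); the export path is from ikectl(8), verify it.
setup_ca() {
    ca=$1; gw=$2; client=$3
    if ! command -v ikectl >/dev/null 2>&1; then
        echo "ikectl missing; skipping CA setup" >&2
        return 0
    fi
    ikectl ca "$ca" create
    ikectl ca "$ca" install
    ikectl ca "$ca" certificate "$gw" create
    ikectl ca "$ca" certificate "$gw" install
    ikectl ca "$ca" certificate "$client" create
    ikectl ca "$ca" certificate "$client" export
    echo "client bundle (ca.pfx and $client.pfx) under /etc/ssl/$ca/export/" >&2
}

main() {
    out=$(mktemp "${TMPDIR:-/tmp}/iked.conf.XXXXXX")
    # aes-128 first for iOS 9; 3des as fallback for El Capitan's default.
    gen_iked_conf user1 'CHANGE-ME' 10.2.0.1/24 10.2.0.2 aes-128 3des > "$out"
    cat "$out"
    if has_weak_enc "$out"; then
        echo "WARNING: 3DES child SA offered; drop it once no El Capitan clients remain" >&2
    fi
    syntax_check "$out"
    if [ "${1:-}" = "--with-ca" ]; then
        setup_ca vpn gw.example.com client1.example.com
    fi
    rm -f "$out"
}

main "$@"
```

Run it as `sh iked-osx.sh` to print and lint the policy; add `--with-ca` on the OpenBSD gateway to also create the CA and certificates. Copy the generated policy into /etc/iked.conf only after `iked -n -f` accepts it.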