iOS IPSec VPN Server on Ubuntu

I Googled a lot about configuring an IPSec VPN for iOS with Openswan and found nothing useful except "Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6", which is on RHEL/CentOS and uses strongSwan. I tried to configure Openswan like strongSwan, and failed.

strongSwan's official wiki helps a lot: http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/23

iOS 4 and newer supports native IPsec VPN via IKEv1 (otherwise referred to as Cisco IPSec in iOS) and is able to interoperate with strongSwan.

Environment

Work station

OS X 10.9
OpenSSL from MacPorts (OpenSSL 1.0.1f 6 Jan 2014)
Apple Configurator

VPN Server

Ubuntu 13.10
StrongSwan

Client

iPhone
iOS 7.0.5

Certificate Authority

Preparation

# change CA.sh:

Create New CA

Create new request

Sign the request

Create The Server Certificate

As it’s said in the link:

Apple clients require that the server's certificate subjectAltName attribute contain either the server IP address or server DNS name. To ensure the server certificate contains the subjectAltName attribute, edit the openssl.cnf and set it under the [ usr_cert ] section.

And add

to vpnserver.openssl.cnf under [usr_cert]
Create the certificate and sign it as in the commands above.
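
One way to confirm that the signed server certificate meets the subjectAltName requirement quoted above, as an added example that is not from the original post. The function names, the sample name vpn.example.test and the address 192.0.2.10 are assumptions, and the sample certificate is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check that a server certificate
# has a subjectAltName entry for the DNS name or IP that iOS clients connect to.

# Print the SAN entries of a PEM certificate, one per line,
# in OpenSSL's text form (e.g. "DNS:vpn.example.test", "IP Address:192.0.2.10").
san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n +2 | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed only if TARGET (DNS name or IPv4 address) is listed as a SAN entry.
# Exact, case-insensitive comparison; wildcard SANs are not expanded, and a
# matching CN alone does not count.
san_covers() {
    local cert="$1" target="$2" kind='DNS'
    case "$target" in
        *[!0-9.]*) ;;                 # has a non-digit, non-dot char: DNS name
        *) kind='IP Address' ;;       # digits and dots only: IPv4 literal
    esac
    san_entries "$cert" | grep -Fixq -- "${kind}:${target}"
}

# Build a constructed, self-signed sample certificate (CN=vpn.example.test)
# in DIR. SAN is an openssl.cnf subjectAltName value; "" omits the extension.
make_sample_cert() {
    local dir="$1" san="$2"
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=vpn.example.test\n[ext]\nbasicConstraints=CA:FALSE\n'
        if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san"; fi
    } > "$dir/sample.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/sample.cnf" -keyout "$dir/sample.key" \
        -out "$dir/sample.pem" 2>/dev/null
}

# Usage: check_san.sh CERT.pem HOST_OR_IP
if [ "$#" -eq 2 ]; then
    if san_covers "$1" "$2"; then
        echo "OK: subjectAltName covers $2"
    else
        echo "FAIL: no subjectAltName entry for $2" >&2
        exit 1
    fi
fi
```

Run it against the signed server certificate with the exact value you will enter in the Server field of the VPN profile; a failure here means the subjectAltName line did not make it into the certificate.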

Generate crl

Add private key password to /etc/ipsec.secrets

Replace “123456” with your private key password.
Error encountered: ‘“/etc/ipsec.secrets” line 12: error loading RSA private key file’
Just remove the encryption of the private key:

and add this line:

Create Client Config

Create Client Certificates

Create another copy of openssl.cnf to vpnclient.openssl.cnf, use

Then create certificates

Deploy PKCS12 to iPhone

I tried iPhone Configuration Utility, but it seems IPCU does not support installing configurations to iOS 7. So let’s try Apple Configurator.

Run Apple Configurator and, on this page, choose Install Profiles…

Connect iPhone. Next

Click New… to create new profile

Add some descriptions

Scroll on the left, choose Certificates

Find the client certificate .p12 file, and fill in the password

Configure VPN:

Connection Type=’IPSec (Cisco)’
Server=’ipsec.sskaje.me’
Leave ‘Account’ empty
Machine Authentication=’Certificate’
Choose previously uploaded certificate

Save profile, Save Anyway

Install Profile

Success

Configure Username/Password from iPhone

Configure VPN Server

/etc/ipsec.conf

/etc/strongswan.conf

Add User

Add a user/pass pair to /etc/ipsec.secrets

/etc/sysctl.conf

Troubleshooting

If you see this in iOS console log:

Copy cacert.pem to a web root, visit it from iOS Safari, and install your CA cert.

iOS IPSec VPN Server on Ubuntu by @sskaje: https://sskaje.me/2014/02/ios-ipsec-vpn-server-on-ubuntu/
