I’m looking for resources on setting up an IPsec VPN for MacOS/iOS Road Warriors. I followed the OPNsense docs https://wiki.opnsense.org/manual/how-tos/ipsec-road.html for IKEv1 and PSK, and modified the settings to get IKEv2 and RSA working but with no luck.
I’m not sure if I am choosing the correct Authentication Method for Phase 1, but I would prefer to have the clients use certificates over passwords when connecting.
Does anyone have any good resources for setting this up with OPNsense?
I finally managed to get IPsec Road Warrior VPN working with IKEv2 and RSA. Below is my configuration and some tricky points I hit trying to set it up. I have also included a bunch of links to posts and documentation that helped me along the way.
For illustration I will use example.com, feel free to substitute this with your domain.
Setup: OPNsense 18.1.13-amd64
Step 1: Certificate Authority
To use RSA authentication with IPsec, you require a PKI. The easiest is to create an internal Certificate Authority in OPNsense.
The Alternative Names field is one of the most important fields to get this working on MacOS / iOS.
Step 2: IPsec VPN
The next step is to set up the IPsec VPN with OPNsense. For this, I recommend following the OPNsense documentation for setting up IPsec Road-Warrior.
The documentation describes the firewall rules that need to be enabled and configuration for using PSK + Xauth. I recommend following the documentation, and using the changes below to configure RSA authentication.
VPN: IPsec: Mobile Clients:
User Authentication: Irrelevant because we’re not using Xauth
Enforce local group: (none) - This only gets enforced with Xauth
Virtual Address Pool: Make sure this doesn’t collide/overlap with your LAN network.
Lifetime: 1440 - this is the highest value that can be configured in Apple Profiles.
VPN: IPsec: Tunnel Settings: Phase 2:
PFS key group: 14 or higher
Step 3: DNS
Navigate to Services > Unbound DNS > Access Lists.
Here you need to include the VPN subnet (Virtual Address Pool above) in the ACL, otherwise the VPN clients will not be allowed to query the DNS server.
Step 4: User Access
The next step is to create or edit existing users by creating client certificates.
Navigate to System > Access > Users. You can either create a new user or edit an existing one here. Here you need to scroll down to User Certificates and create a new client certificate.
There are various ways for handing out certificates. You can create one client certificate and link it to all your users; you can create a client certificate for each user; or you can create a client certificate for each device that belongs to a user. I opted for the latter, because if a device is lost or stolen, I don’t have to reissue certificates to all the users or all the devices for a particular user. It’s important to keep this in mind when following my instructions below, because it influenced my configuration.
Click on create or link user certificate. Here we will follow the same process as that of the server certificate in step 1, except for the following important items:
Descriptive Name: Here I used the DNS valid device name. Example: john-iphone, john-ipad
In my case the *.vpn.example.com doesn’t resolve and is only used as an identifier. This is one of the most important settings to get IPsec RSA working with MacOS / iOS.
Without the alternative name, the client will connect successfully and disconnect shortly afterwards with very little information in the logs.
Step 5: Generate Client Certificate Bundle
With the user certificate created, we need to create a PKCS12 certificate bundle for Apple Configurator.
Navigate to System > Trust > Certificates and find the newly created user certificate. Using the UI, export the user certificate and key.
Navigate to System > Trust > Authorities and export the CA certificate.
With the client and CA certificate, we can create a bundle:
Launch Apple Configurator 2. If you do not have this installed, you can get it for free from the Mac App Store.
Create a new profile File > New Profile
Select General Tab:
Name: device_name
Select Certificates Tab:
Click configure
Select the CA certificate file
Click the + icon to add another certificate
Select the client PKCS12 bundle created in step 5 (.p12 file)
Enter the passphrase for the PKCS12 bundle set in step 5
Select VPN Tab:
Click configure
Connection name: vpn.example.com
Connection Type: IKEv2
Server: vpn.example.com
Remote Identifier: vpn.example.com (alternative name used for the certificate in Step 1)
Local Identifier: The alternative name used in the client certificate (step 5)
Machine Authentication: Certificate
Identity Certificate: device_name.p12
Save the profile and quit
Once the profile is created you will have to open it in your favourite text editor (VIM, Nano) to adjust the DNS settings. This cannot be done through Apple Configurator.
Look for the following lines in the .mobileconfig file:
With the profile created, you can install it on either a MacOS device or an iOS device.
For MacOS it is a case of double-clicking on the .mobileconfig file and installing the profile.
For iOS you can plug in the iOS device and install the profile using Apple Configurator. I believe it is possible to email/share the file with an iOS device and then install it but I have not tested this.
With the profiles installed, the VPN configuration will appear in the settings of iOS or MacOS.
I hope this information helps. Feel free to comment if you have questions.
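The DNS edit in the .mobileconfig file (the step Apple Configurator cannot do) can be scripted instead of done by hand. The following is an added example and not code from the post above; it assumes the standard Apple VPN payload layout (PayloadType com.apple.vpn.managed, VPNType IKEv2, with a DNS dictionary holding ServerAddresses and SearchDomains) and uses a constructed minimal profile with placeholder UUIDs and the sample values 10.10.10.1 and example.com.

```python
import copy
import plistlib

# Constructed minimal profile in the shape Apple Configurator exports
# (placeholder UUIDs; "vpn.example.com" and "john-iphone" follow the post).
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.john-iphone",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "UserDefinedName": "vpn.example.com",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": "vpn.example.com",
            "RemoteIdentifier": "vpn.example.com",
            "LocalIdentifier": "john-iphone.vpn.example.com",
            "AuthenticationMethod": "Certificate",
        },
    }],
}
# XML plist bytes standing in for the exported .mobileconfig file.
SAMPLE_XML = plistlib.dumps(SAMPLE_PROFILE)


def add_vpn_dns(profile, servers, search_domains):
    """Return a copy of the profile with a DNS dictionary on every IKEv2 payload.

    Raises ValueError when no IKEv2 VPN payload exists, so a wrong file is
    reported instead of being written back unchanged.
    """
    out = copy.deepcopy(profile)
    hits = [p for p in out.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"
            and p.get("VPNType") == "IKEv2"]
    if not hits:
        raise ValueError("no IKEv2 VPN payload found")
    for payload in hits:
        payload["DNS"] = {"ServerAddresses": list(servers),
                          "SearchDomains": list(search_domains)}
    return out


def patch_mobileconfig(data: bytes, servers, search_domains) -> bytes:
    """Load .mobileconfig XML bytes, add the DNS settings, return new XML bytes."""
    return plistlib.dumps(add_vpn_dns(plistlib.loads(data), servers, search_domains))


if __name__ == "__main__":
    print(patch_mobileconfig(SAMPLE_XML, ["10.10.10.1"], ["example.com"]).decode())
```

Replace SAMPLE_XML with the bytes read from your exported profile and write the returned bytes back out before installing it.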