...

Phase 2
Hash Algorithm   Encryption Algorithm   PFS Group
SHA1             AES-256-CBC            none
SHA1             AES-128-CBC            none
SHA1             3DES                   none
SHA1             DES                    none
SHA1             none                   none

macOS client configuration

Open the PKCS12 format certificate file on the macOS computer and install the certificate in the "System" keychain. Because the CA certificate is self-signed, it must be marked as trusted manually: locate it in the Keychain Access app under the System keychain, open it, and set it to Always Trust.

...

Phase 2
Hash Algorithm   Encryption Algorithm   PFS Group
SHA256           AES-256-CBC            none
SHA1             AES-128-CBC            none
SHA1             3DES                   none

iOS client configuration

Typically the PKCS12 bundle also contains the CA certificate, but iOS does not install that CA from the bundle, so the self-signed CA certificate must be installed separately in PEM format. Open both files on the iOS device and install the certificates by following the prompts. The self-signed CA certificate must then be marked as trusted, under Settings -> General -> About -> Certificate Trust Settings. Once that is done, check that both certificates are shown as "Verified" under Settings -> General -> Profiles.

...

Phase 2
Hash Algorithm   Encryption Algorithm   PFS Group
SHA256           AES-256-CBC            none
SHA1             AES-128-CBC            none
SHA1             3DES                   none


Note

If you are connected to the VPN over WiFi, the iOS device can go into sleep mode and disconnect from the network.

Android (strongSwan) client configuration

Currently, Android has no native IKEv2 support; however, the strongSwan app from the Google Play Store brings IKEv2 to Android. strongSwan accepts PKCS12 format certificates, so before setting up the VPN connection in strongSwan, download the PKCS12 bundle to the Android device. Then create a new VPN profile in strongSwan, enter the server IP, and choose "IKEv2 Certificate" as the VPN Type. When selecting the user certificate, press Install and follow the certificate import procedure, pointing it at the PKCS12 bundle. Save the profile and test the connection by tapping the VPN profile.


Custom encryption settings can be specified in strongSwan by ticking the "Show advanced settings" checkbox. By default, strongSwan is currently compatible with the following Phase 1 (profiles) and Phase 2 (proposals) sets:

Phase 1
Hash Algorithm   Encryption Algorithm   DH Group
SHA*             AES-*-CBC              modp2048
SHA*             AES-*-CBC              ecp256
SHA*             AES-*-CBC              ecp384
SHA*             AES-*-CBC              ecp521
SHA*             AES-*-CBC              modp3072
SHA*             AES-*-CBC              modp4096
SHA*             AES-*-CBC              modp6144
SHA*             AES-*-CBC              modp8192
SHA*             AES-*-GCM              modp2048
SHA*             AES-*-GCM              ecp256
SHA*             AES-*-GCM              ecp384
SHA*             AES-*-GCM              ecp521
SHA*             AES-*-GCM              modp3072
SHA*             AES-*-GCM              modp4096
SHA*             AES-*-GCM              modp6144
SHA*             AES-*-GCM              modp8192


Phase 2
Hash Algorithm   Encryption Algorithm   PFS Group
none             AES-256-GCM            none
none             AES-128-GCM            none
SHA256           AES-256-CBC            none
SHA512           AES-256-CBC            none
SHA1             AES-256-CBC            none
SHA256           AES-192-CBC            none
SHA512           AES-192-CBC            none
SHA1             AES-192-CBC            none
SHA256           AES-128-CBC            none
SHA512           AES-128-CBC            none
SHA1             AES-128-CBC            none

Linux (strongSwan) client configuration

Download the PKCS12 certificate bundle and move it to the /etc/ipsec.d/private directory.

Add the export passphrase for the private key to the /etc/ipsec.secrets file, where "strongSwan_client.p12" is the file name of the bundle in /etc/ipsec.d/private and "1234567890" is its passphrase:

    : P12 strongSwan_client.p12 "1234567890"

Add a new connection to the /etc/ipsec.conf file. Parameter lines inside a conn section must be indented, otherwise strongSwan will not parse them as part of the section:

    conn "ikev2"
        keyexchange=ikev2
        ike=aes128-sha1-modp2048
        esp=aes128-sha1
        leftsourceip=%modeconfig
        leftcert=strongSwan_client.p12
        leftfirewall=yes
        right=2.2.2.2
        rightid="CN=2.2.2.2"
        rightsubnet=0.0.0.0/0
        auto=add

You can now restart (or start) the IPsec daemon and initiate the connection (both commands require root):

    $ ipsec restart
    $ ipsec up ikev2
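The ike= and esp= lines above use strongSwan's proposal syntax: one proposal is written as cipher-integrity[-prf]-dhgroup, several proposals are separated by commas, and a trailing "!" makes the list strict. The script below is an added example, not code from the original page or from strongSwan. It parses such proposal strings and reports the weak entries that also show up in the client tables on this page (SHA1 or MD5 integrity, DES/3DES, no PFS group on the ESP side). The choice of what counts as weak is the editor's policy, stated in the tables at the top of the script, and is an assumption rather than anything strongSwan enforces; the script is standard library only.

```python
"""Parse and audit strongSwan ike=/esp= proposal strings (added example, stdlib only).

Grammar follows strongSwan's "cipher-integrity[-prf]-dhgroup" syntax.
The weak/acceptable policy below is this editor's assumption, not strongSwan's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy tables (editor's choice): algorithm families and groups to flag.
WEAK_CIPHER_FAMILIES = {"des", "3des", "null", "blowfish", "cast128"}
WEAK_INTEGRITY = {"md5", "sha", "sha1", "sha1_160", "sha256_96"}
WEAK_DH = {"modp768", "modp1024", "modp1536", "modp1024s160", "modp2048s224", "modp2048s256"}
# Token prefixes used to classify each "-"-separated part of a proposal.
DH_PREFIXES = ("modp", "ecp", "curve25519", "curve448", "x25519", "x448")
INTEGRITY_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac", "aes128gmac", "aes192gmac", "aes256gmac")
NO_PFS_MSG = "no PFS group (child keys are derived from the IKE SA only)"


@dataclass
class Proposal:
    cipher: Optional[str] = None
    integrity: Optional[str] = None
    prf: Optional[str] = None
    dh: Optional[str] = None
    strict: bool = False  # trailing "!" on the proposal list


def is_aead(cipher: Optional[str]) -> bool:
    """AEAD ciphers (GCM/CCM/ChaCha20-Poly1305) carry their own integrity."""
    if cipher is None:
        return False
    return "gcm" in cipher or "ccm" in cipher or cipher.startswith("chacha20poly1305")


def cipher_family(cipher: str) -> str:
    """Strip the trailing key size: aes128 -> aes, camellia256 -> camellia, 3des -> 3des."""
    return re.sub(r"\d+$", "", cipher)


def parse_proposal(text: str) -> Proposal:
    """Split one proposal such as 'aes128-sha1-modp2048!' into its parts."""
    p = Proposal()
    text = text.strip().lower()
    if text.endswith("!"):
        p.strict = True
        text = text[:-1]
    for tok in filter(None, text.split("-")):
        if tok.startswith("prf"):
            p.prf = tok
        elif tok.startswith(DH_PREFIXES):
            p.dh = tok
        elif tok.startswith(INTEGRITY_PREFIXES):
            p.integrity = tok
        else:
            p.cipher = tok
    return p


def parse_proposals(text: str) -> List[Proposal]:
    """An ike=/esp= value may list several proposals separated by commas."""
    return [parse_proposal(t) for t in text.split(",") if t.strip()]


def audit_proposal(p: Proposal, phase: str) -> List[str]:
    """Return findings for one proposal; an empty list means it passes the policy.

    phase is 'ike' (Phase 1) or 'esp' (Phase 2). A missing DH group is reported as
    an error for IKE but as a missing-PFS finding for ESP, which is what the
    "PFS Group: none" rows in the client tables correspond to.
    """
    findings: List[str] = []
    if p.cipher is None:
        findings.append("no cipher")
    elif cipher_family(p.cipher) in WEAK_CIPHER_FAMILIES:
        findings.append(f"weak cipher {p.cipher}")
    if not is_aead(p.cipher):
        if p.integrity is None:
            findings.append("no integrity algorithm with a non-AEAD cipher")
        elif p.integrity in WEAK_INTEGRITY:
            findings.append(f"weak integrity {p.integrity}")
    elif phase == "ike" and p.prf is None:
        findings.append("AEAD cipher in IKE without an explicit PRF (e.g. prfsha256)")
    if p.dh is None:
        findings.append("no DH group" if phase == "ike" else NO_PFS_MSG)
    elif p.dh in WEAK_DH:
        findings.append(f"weak DH group {p.dh}")
    return findings


def audit_conn(ike: str, esp: str) -> Dict[str, List[str]]:
    """Audit the ike= and esp= values of one conn; keys are 'ike=...'/'esp=...' per proposal."""
    report: Dict[str, List[str]] = {}
    for phase, value in (("ike", ike), ("esp", esp)):
        for raw in value.split(","):
            raw = raw.strip()
            if raw:
                report[f"{phase}={raw}"] = audit_proposal(parse_proposal(raw), phase)
    return report


if __name__ == "__main__":
    # First pair: the conn from the Linux section above. Second pair: an AEAD
    # alternative with PFS (editor's suggestion, not from the page).
    for ike, esp in (("aes128-sha1-modp2048", "aes128-sha1"),
                     ("aes256gcm16-prfsha256-ecp256", "aes256gcm16-ecp256")):
        for line, findings in audit_conn(ike, esp).items():
            print(line, "->", "; ".join(findings) or "OK")
```

Run against the page's conn, the script reports SHA1 integrity on both lines and the missing PFS group on esp=aes128-sha1; the server-side Phase 2 tables for macOS and iOS above would produce the same findings, since every row has "PFS Group: none" and most rows use SHA1.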