Example Configuration - Roadwarrior with MacOS

  • This configuration should work with MacOS 10.12 (Sierra) or newer, perhaps "El Capitan" as well. Older versions do not support strong cryptography and should be avoided as insecure. Using a third-party VPN client may resolve this issue.

The server's host certificate must have a Subject Alt Name that is the same as the server's hostname. If you previously created your server's certificates and did not add a Subject Alt Name when you created them, then you will need to delete them (and any connections using them) and re-create them.

Step 1 - Global IPSec Settings

  • Go to "Services > IPSec"
  • Edit the "Global Settings"
    • "Public IP or FQDN":
    • If you have a static IP: Enter your public domain name or IP.
    • If you have a dynamic IP: Enter "%defaultroute".
    • "Host-to-Net Virtual Private Network (RoadWarrior)"
    • Enter the IP range from which clients should receive an IP.
    • Make sure that this range does not conflict with your LAN DHCP scope.
    • I generally use a subset of the Green network, such as 192.168.0.0/28. This includes the addresses 192.168.0.240-254.
    • Check "Enabled"
    • Click "Save"

Step 2 - Generate Server Certificates

  • Click "Generate root/host certificates"
    • Fill in the form to generate the certificates
    • "Organization Name": Choose a name
    • "IPFire's Hostname": DNS-Name of the IPFire device
    • Complete "Your e-Mail Address", "Your Department", "City", "State", and "Country" with your information.
    • "Subject Alt Name": Enter "DNS:" followed by the IPFire hostname, e.g. "DNS:myhost.mydomain.dom"
    • Click "Generate root/host certificate"

Step 3 - Create the Connection on IPFire

  • "Connection Status and -Control"
    • Click "Add" and choose "Host-to-Net Virtual Private Network (RoadWarrior)"
    • "Name": Enter a descriptive name for this connection (no spaces allowed).
    • "Local Subnet": enter "0.0.0.0/0"
    • "Local ID": Enter the hostname of the IPFire host. This must match what you entered when generating the root/host certificates above. You can use the IP Address, too, but this must match the certificate.
    • "Remote ID": Enter an e-mail address for the user. You will use this below when creating the certificate, and it does not need to be a valid e-mail address.
    • Check the "Edit advanced settings when done." checkbox.
    • Choose "Generate a certificate"
    • "User's full name or system hostname": Enter the name you chose above for the connection name.
    • "User's E-mail address": Enter the e-mail address you used for "Remote ID", above.
    • Provide your information for Department, Organization, City, State, and Country.
    • "Subject Alt Name": Enter "email:" followed by the e-mail address you used above as the "Remote ID".
    • Enter an export password. You will need this when importing the certificate on the client.
    • Click "Save"
  • Edit the connection's advanced settings
  • "Keyexchange": Select "IKEv2"
  • "Encryption": Select "256 bit AES-CBC"
  • "Integrity": Select "SHA2 384 bit" and "SHA2 256 bit"
  • "Grouptype": Select "ECP-384 (NIST)" and "ECP-256 (NIST)". For MacOSX Sierra (10.12.x) the ESP Grouptype should be set to "none"; otherwise the connection will drop when the client tries to rekey after 8 minutes, see http://www.openradar.appspot.com/29821241

  • In the "Connection Status and -Control" click the "Download PKCS12 file" (diskette) icon and download the certificates to your local PC. You will need to copy that file to the client PC.

Step 4 - Modify the Configuration created by IPFire

  • Connect to the IPFire via SSH (e.g. PuTTY) or the local console.
  • Add the following to /etc/ipsec.user.conf. "leftsendcert=always" is required for Macs. "leftallowany=yes" is said to allow the client to also access the Internet when connected (this needs to be confirmed, it does not seem accurate). Setting "rekey" and "reauth" to "no" prevents problems where the IPsec daemon would try to connect to the client (which would probably fail, as most roadwarriors are behind NAT).
  • "CONNECTION_NAME" should be replaced with the name you chose for the connection above; "rightdns" is the DNS server address handed to the client, so replace the value with the DNS server your clients should use.
conn CONNECTION_NAME
      leftsendcert=always
      leftallowany=yes
      rightdns=10.100.2.1
      rekey=no
      reauth=no
  • Restart the ipsec daemon by typing "ipsec restart". !! This will drop any active connections !!

Step 5 - Install the certificate on the Mac

  • Import the certificates
    • Open Applications:Utilities:Keychain Access
    • Select the "System" keychain.
    • From the File menu, select "Import Items..."
    • Browse to the downloaded PKCS12 file and click "Open".
    • Enter your MacOS password when prompted.
    • Enter the password for the PKCS12 certificate file (the one you input when creating the tunnel).
  • Trust the CA Certificate
    • Locate the CA Certificate in the list, right-click, and choose "Get Info"
    • Expand the "Trust" section (above "Details")
    • Change the setting for "When using this certificate:" to "Always Trust".
    • Enter your MacOS password when prompted.
  • Allow access to the private key
    • Locate the private key in the list, right-click, and choose "Get Info".
    • Select "Access Control" at the top.
    • Enter your MacOS password when prompted.
    • Select the "Allow all applications to access this item:"
    • This step is optional, but it avoids your having to type your MacOS username and password every time you connect the VPN.

Step 6 - Create the connection on the Mac

  • Open System Preferences:Network.
  • Click the "+" icon to add a new connection.
    • Interface: "VPN"
    • VPN Type: "IKEv2"
    • Service Name: Choose a descriptive name for this connection
    • Configure the connection settings.
    • Server Address: Enter the IP Address or Hostname of the IPFire host.
    • Remote ID: Enter the hostname of the IPFire host. This must match what you entered when creating the root/host certificates, and also the "Local ID" field you entered in IPFire when you configured the tunnel.
    • Local ID: Enter the e-mail you used as the "Remote ID" when configuring the tunnel on IPFire.
    • Click on "Authentication Settings".
      • Choose "None" from the first drop-down menu.
      • Select the "Certificate" radio button.
      • Click "Select" and choose the certificate you imported earlier. The name should be the same as what you specified when creating the certificate/tunnel.
      • Click "OK" and then "Apply"
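The identities in Steps 2, 3 and 6 have to line up crosswise (the Mac's "Remote ID" is IPFire's "Local ID", the Mac's "Local ID" is IPFire's "Remote ID", and each must equal the Subject Alt Name in the matching certificate), and the Step 1 client pool must not overlap the LAN DHCP scope. The following checker is an added example, not part of the IPFire wiki or the IPFire project; the hostnames, addresses and pool values are constructed samples, and it assumes the DNS-name form of the host SAN described above (not the IP-address variant).

```python
import ipaddress
import re

# Constructed sample values standing in for what the guide has you type into
# IPFire (Steps 1-3) and into the Mac's Network preferences (Step 6).
# None of these are real hosts; they are assumptions for this example only.
SAMPLE = {
    "host_cert_san": "DNS:myhost.mydomain.dom",     # Step 2 "Subject Alt Name"
    "ipfire_local_id": "myhost.mydomain.dom",       # Step 3 "Local ID"
    "ipfire_remote_id": "alice@mydomain.dom",       # Step 3 "Remote ID"
    "client_cert_san": "email:alice@mydomain.dom",  # Step 3 client cert SAN
    "mac_remote_id": "myhost.mydomain.dom",         # Step 6 "Remote ID"
    "mac_local_id": "alice@mydomain.dom",           # Step 6 "Local ID"
}


def parse_san(san: str) -> tuple:
    """Split 'DNS:host' or 'email:addr' into (type, value); reject anything else."""
    m = re.fullmatch(r"(DNS|email):(\S+)", san.strip())
    if not m:
        raise ValueError(f"unsupported SAN {san!r}; use DNS:<host> or email:<addr>")
    return m.group(1), m.group(2)


def check_identities(cfg: dict) -> list:
    """Return a list of mismatches; an empty list means IKEv2 ID checks will line up."""
    problems = []
    host_type, host_name = parse_san(cfg["host_cert_san"])
    if host_type != "DNS":
        problems.append("host certificate SAN must be DNS:<hostname>")
    if cfg["ipfire_local_id"] != host_name:
        problems.append("IPFire Local ID does not match host certificate SAN")
    if cfg["mac_remote_id"] != cfg["ipfire_local_id"]:
        problems.append("Mac Remote ID must equal IPFire Local ID")
    client_type, client_mail = parse_san(cfg["client_cert_san"])
    if client_type != "email":
        problems.append("client certificate SAN must be email:<address>")
    if cfg["ipfire_remote_id"] != client_mail:
        problems.append("IPFire Remote ID does not match client certificate SAN")
    if cfg["mac_local_id"] != cfg["ipfire_remote_id"]:
        problems.append("Mac Local ID must equal IPFire Remote ID")
    return problems


def pool_overlaps_dhcp(pool_cidr: str, dhcp_range: str) -> bool:
    """True if the RoadWarrior pool (CIDR) collides with a 'start-end' DHCP scope."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    first, last = (ipaddress.ip_address(a.strip()) for a in dhcp_range.split("-"))
    return any(pool.overlaps(n) for n in ipaddress.summarize_address_range(first, last))
```

Run `check_identities(SAMPLE)` before downloading the PKCS12 file; a non-empty list means the Mac will fail authentication with an ID mismatch rather than a clear error.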
Last revised January 15 at 11:33 pm • Jon