Using IPsec VPNs with macOS and iOS is very simple to set up in IPFire since Core Update 158. Settings including certificates can be imported easily into the operating systems by using Apple's configuration profiles.
Apple supports both PSK and certificate-based authentication.
The connection needs to be set up with a couple of parameters that are supported by macOS and iOS:
You will need to create a separate connection for each device. In this example, the connection is called MyConnection, the FQDN of my IPFire system is ipfire.example.org, and my device is called my-iphone.
Local ID must be set to IPFire's FQDN prefixed by an "@" sign. Remote ID must be the system's hostname prefixed by an "@" sign, and the hostname must also be added to the certificate as a "Subject Alternative Name" prefixed with "DNS:".
Do not forget to set a password to protect the certificate.
Check the box to go to the advanced settings page after you click "Save".
Apple devices do not support all ciphers and other algorithms that IPFire supports. Only the first selection will be passed in the configuration profile. The following are supported:
This version is substantially less secure than using certificates and therefore not recommended, but works too. Make sure you are setting the Local ID and Remote ID with the
After you have created the connection, you can download the Apple configuration profile by clicking the Apple icon next to your new connection and transfer it to your device.
Optionally, you can edit the profile with Apple Configurator 2 if you need custom settings.
Import the profile; during the import you will be asked for the password that protects the private key.
After the profile has been imported, the VPN will connect automatically and will remain established whenever possible.
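The following Python script is an added example, not part of IPFire or of the original page. It checks a downloaded profile before it is transferred to a device: that it uses certificate authentication rather than PSK, and that its identifiers mirror the Local ID and Remote ID configured on IPFire. It assumes the profile is an unsigned XML property list that uses the key names of Apple's IKEv2 VPN payload, and it compares identifiers with any leading "@" stripped; the sample profile is constructed for the example and was not generated by IPFire.

```python
import plistlib

# Constructed sample profile (not generated by IPFire); key names follow
# Apple's documented IKEv2 VPN payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>UserDefinedName</key><string>MyConnection</string>
    <key>VPNType</key><string>IKEv2</string>
    <key>IKEv2</key><dict>
      <key>RemoteAddress</key><string>ipfire.example.org</string>
      <key>RemoteIdentifier</key><string>ipfire.example.org</string>
      <key>LocalIdentifier</key><string>my-iphone</string>
      <key>AuthenticationMethod</key><string>Certificate</string>
    </dict>
  </dict></array>
</dict></plist>"""

def audit_profile(data, ipfire_local_id, ipfire_remote_id):
    """Return a list of findings for every IKEv2 payload in the profile."""
    findings = []
    # The roles are mirrored: IPFire's Local ID is the device's remote peer,
    # and IPFire's Remote ID is the device's own identifier.
    want_server = ipfire_local_id.lstrip("@")
    want_device = ipfire_remote_id.lstrip("@")
    payloads = [p for p in plistlib.loads(data).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.vpn.managed"
                and p.get("VPNType") == "IKEv2"]
    if not payloads:
        findings.append("no IKEv2 VPN payload found")
    for p in payloads:
        ike = p.get("IKEv2", {})
        name = p.get("UserDefinedName", "?")
        if ike.get("AuthenticationMethod") != "Certificate":
            findings.append(f"{name}: not using certificate authentication")
        if ike.get("RemoteIdentifier", "").lstrip("@") != want_server:
            findings.append(f"{name}: RemoteIdentifier does not match IPFire's Local ID")
        if ike.get("LocalIdentifier", "").lstrip("@") != want_device:
            findings.append(f"{name}: LocalIdentifier does not match IPFire's Remote ID")
    return findings

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE, "@ipfire.example.org", "@my-iphone") or ["OK"]:
        print(line)
```

An empty list means the profile passed all three checks; each string in the list names the connection and the setting that differs.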