Apple macOS & iOS

Using IPsec VPNs with macOS and iOS is very simple to set up in IPFire since Core Update 158. Settings including certificates can be imported easily into the operating systems by using Apple's configuration profiles.

Create a new Roadwarrior connection

Apple supports both, PSK and certificate-based authentication.

Using Certificates

The connection needs to be set up with a couple of parameters that are supported by macOS and iOS:

  • The IPFire system should have a FQDN which resolves from the public Internet
  • The CA certificate must contain a subjectAlternativeName with the system's FQDN which must be used for IPsec, too

For each device, you will need to create an own connection. In this example, the connection is called MyConnection, the FQDN of my IPFire system is ipfire.example.org, and my device is called my-iphone.

Local ID must be set to the IPFire's FQDN prefixed by an "@" sign. Remote ID must be the system's hostname prefixed by an "@" sign and the hostname must also be added to the certificate as "Subject Alternative Name" prefixed with "DNS:".

Do not forget to set a password to protect the certificate.

None

Check the box to go to the advanced settings page after you clicked "Save".

None

Apple devices do not support all ciphers and other algorithms that IPFire supports. Only the first selection will be passed in the configuration profile. Supported are as follows:

  • iOS 14: AES-GCM-256-128 / SHA2-256 / MODP-2048
  • iOS 13: AES-256/192/128-GCM/CBC, SHA512/384/256, MODP-1024 only

Using Pre-Shared-Keys (PSK)

This version is substantially less secure than using certificates and therefore not recommended, but works too. Make sure you are setting the Local ID and Remote ID with the @ prefix.

Import the VPN configuration on your device

After you have created the connection, you can download the Apple configuration profile by clicking the Apple icon next to your new connection and transfer it to your device.

Optionally you can edit the profile with Apple Configurator 2 if you have need for some custom settings.

Import the profile where you will be asked for the password for the private key.

None

After the profile has been imported, the VPN will connect automatically and will remain established whenever possible.

Edit Page ‐ Yes, you can edit!

Older Revisions • Tuesday at 8:11 pm • Jon