Using IPsec VPNs with macOS and iOS is very simple to set up in IPFire since Core Update 158. Settings including certificates can be imported easily into the operating systems by using Apple's configuration profiles.
Create a new Roadwarrior connection
Apple supports both, PSK and certificate-based authentication.
Using Certificates
The connection needs to be set up with a couple of parameters that are supported by macOS and iOS:
- The IPFire system should have a FQDN which resolves from the public Internet
- The CA certificate must contain a subjectAlternativeName with the system's FQDN which must be used for IPsec, too
For each device, you will need to create an own connection. In this example, the connection is called MyConnection, the FQDN of my IPFire system is ipfire.example.org, and my device is called my-iphone.
Local ID must be set to the IPFire's FQDN prefixed by an "@" sign. Remote ID must be the system's hostname prefixed by an "@" sign and the hostname must also be added to the certificate as "Subject Alternative Name" prefixed with "DNS:".
Do not forget to set a password to protect the certificate.
Check the box to go to the advanced settings page after you clicked "Save".
Apple devices do not support all ciphers and other algorithms that IPFire supports. Only the first selection will be passed in the configuration profile. Supported are as follows:
- iOS 14: AES-GCM-256-128 / SHA2-256 / MODP-2048
- iOS 13: AES-256/192/128-GCM/CBC, SHA512/384/256, MODP-1024 only
- Catalina 10.15.7: AES-GCM-256-128 / SHA2-256 / MODP-1024
- High Sierra 10.13.6: AES-GCM-16-256 / SHA2-512 / MODP-1024
Using Pre-Shared-Keys (PSK)
This version is substantially less secure than using certificates and therefore not recommended, but works too. Make sure you are setting the Local ID and Remote ID with the @ prefix.
Import the VPN configuration on your device
After you have created the connection, you can download the Apple configuration profile by clicking the Apple icon next to your new connection and transfer it to your device.
Optionally you can edit the profile with Apple Configurator 2 if you have need for some custom settings.
Import the profile where you will be asked for the password for the private key.
After the profile has been imported, the VPN will connect automatically and will remain established whenever possible.