Search the App Store for a utility by Apple called Apple Configurator. This lets you generate a profile that allows you to set more of the VPN configuration than is available via the Network preference utility. It says IKEv2 is only for iOS, but it successfully installs on OS X. I’ve been using the profiles on El Capitan 10.11.x and iOS 9.x. Unfortunately, it gets a lot further, but fails to complete due to ‘no valid local certificate’ - I’ve yet to find the fix for this, despite some links being posted to a patch in this list.
FWIW the profiles worked correctly with OpenSWAN on FreeBSD.

> On 3 Oct 2015, at 05:40, matthew j weaver <[email protected]> wrote:
>
>> On Aug 17, 2015, at 5:39 AM, Reyk Floeter <[email protected]> wrote:
>>
>> On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
>>> Hello misc,
>>>
>>> Has anyone connected successfully between the new OS X ikev2 impl.
>>> To an OpenBSD box?
>>>
>>
>> No, we don't have the beta.
>>
>> Reyk
>
> I’ve put some hours into it. Doesn’t work out of the box (no surprises).
>
> Right now, as far as I can tell, OS X sends a real dubious proposal. That
> results in iked (rightly) not sending an auth response.
>
> ————
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid ESP spisize 4
> xforms 3 spi 0x00c7832b
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> [...]
> ikev2_match_proposals: xform 1 <-> 2 (4): INTEGR HMAC_SHA1_96 (keylength 0
> <-> 0)
> ikev2_match_proposals: xform 1 <-> 2 (2): ESN NONE (keylength 0 <-> 0)
> ikev2_sa_negotiate: score 0
> ikev2_ike_auth_recv: no proposal chosen
> ikev2_resp_recv: failed to send auth response
> ————
>
> I’ve not yet surfaced where the ikev2 proposal/policy configs hide in OS X.
>
> cheers
> weaver
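
Added example, not part of the original thread and not iked code: a small Python parser for the iked debug lines quoted above that lists the transforms the peer offered and reports which transform types have no overlap with the responder's policy. `LOCAL_POLICY` is a hypothetical policy chosen for illustration (not iked's defaults), and the sample log is the quoted output with the mail line-wrapping undone.

```python
import re

# Constructed sample: the debug lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x00c7832b
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_sa_negotiate: score 0
ikev2_ike_auth_recv: no proposal chosen
"""

# Hypothetical responder policy (assumption for this example only).
LOCAL_POLICY = {
    "ENCR": {"AES_CBC"},
    "INTEGR": {"HMAC_SHA2_256_128", "HMAC_SHA1_96"},
    "ESN": {"ESN", "NONE"},
}

SA_RE = re.compile(r"ikev2_pld_sa: .*proposal #(\d+) protoid (\S+) .*xforms (\d+)")
XF_RE = re.compile(r"ikev2_pld_xform: .*type (\S+) id (\S+)")


def parse_proposals(log):
    """Group each ikev2_pld_xform line under the preceding ikev2_pld_sa line."""
    proposals = []
    for line in log.splitlines():
        sa = SA_RE.search(line)
        if sa:
            proposals.append({"num": int(sa.group(1)), "proto": sa.group(2),
                              "declared": int(sa.group(3)), "xforms": {}})
            continue
        xf = XF_RE.search(line)
        if xf and proposals:
            proposals[-1]["xforms"].setdefault(xf.group(1), []).append(xf.group(2))
    return proposals


def mismatches(proposal, policy):
    """Transform types where nothing the peer offered is accepted by the policy."""
    return sorted(t for t, ids in proposal["xforms"].items()
                  if not policy.get(t, set()) & set(ids))


def negotiation_failed(log):
    """True when the responder logged that no proposal could be chosen."""
    return "no proposal chosen" in log


if __name__ == "__main__":
    for p in parse_proposals(SAMPLE_LOG):
        print(p["proto"], p["num"], p["xforms"], "unmatched:", mismatches(p, LOCAL_POLICY))
```
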

