On 30 September 2015 at 17:17, Reyk Floeter <r...@openbsd.org> wrote:
> Hi,
>
> the following diff allows the use of iked/OpenIKED with iOS9 IKEv2
> clients. You will be able to connect your super-large iPad Pro or
> premium iPhone 6s+ via OpenBSD :) I don't have El Capitan yet, but it
> might fix it for your super-light MacBook as well.
>
> Problem: iOS doesn't send a CERTREQ but just a CERT and expects us to
> respond with a CERT as well. Without the diff, iked does not send
> back a CERT without a CERTREQ payload in the request (list of CA SHA1
> hashes). RFC 7296 (yep, they updated the IKEv2 RFC again) says in
> section 3.7 that the CERTREQ payload is optional and only a
> suggestion. The implementation is allowed to select its certificate
> based on other policies. Apple's implementation (btw., what is it
> based on?) seems to interpret it as "select and send a CERT even if
> the CERTREQ is missing".
>
> The attached diff always responds with a CERT or public key. If the
> peer didn't send a CERTREQ, iked now picks a cert based on its own
> trusted CAs (which usually includes the CA that signed your local
> cert).
>
> In the iOS VPN configuration, I successfully tested it with User
> Authentication "Username" (EAP-MSCHAPv2), "None" + "Use Certificate",
> and "None" + "Secret" (psk). Take care to configure the "Remote ID"
> and "Local ID" correctly (it should be (U)FQDN or IPv4/6, not
> ASN1_DN). I also had to import .pfx cert+key and a .crt CA via Safari
> on the device. User Authentication "Certificate" is not supported, as
> it is EAP-TLS.
>
> The matching "Username" iked.conf follows:
>
> user "user1" "password123"
> ikev2 "ios9" passive esp \
>         from 0.0.0.0/0 to 0.0.0.0/0 \
>         local any peer any \
>         eap "mschap-v2" \
>         config address 10.2.0.1/24 \
>         config name-server 10.2.0.2 \
>         tag "$name-$id"
>
> The iOS9 client currently only advertises enc aes-128 auth hmac-sha1
> group modp1024, which is fairly vintage crypto, but there was a hint
> that we could potentially get it to send better proposals by
> responding with "no proposal chosen" at some point. Will try it later.
>
>
> OK?
>
Looks good to me. OK mikeb
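The certificate-selection rule discussed above (CERTREQ carries SHA-1 hashes of trusted CAs' SubjectPublicKeyInfo per RFC 7296 section 3.7; when the peer omits it, fall back to the responder's own trust anchors instead of sending nothing) can be modelled in a few lines. The following is an added illustration, not Reyk's diff or iked's code: it works on constructed byte strings standing in for DER SubjectPublicKeyInfo blobs, models only the CERTREQ body (encoding byte plus concatenated hashes, no generic payload header), and the `require_certreq` flag exists purely to contrast the old "no CERTREQ, no CERT" behaviour with the new fallback.

```python
import hashlib
from typing import Dict, List, Optional, Set

# RFC 7296 s3.7: Cert Encoding 4 = "X.509 Certificate - Signature"; for this
# encoding the CERTREQ body is a concatenation of 20-byte SHA-1 hashes of the
# SubjectPublicKeyInfo of each trust anchor the peer accepts.
X509_SIGNATURE_ENCODING = 4
HASH_LEN = 20

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
VPN_CA_SPKI = b"constructed-spki-of-the-vpn-ca"
CORP_CA_SPKI = b"constructed-spki-of-a-second-trusted-ca"
UNKNOWN_CA_SPKI = b"constructed-spki-of-a-ca-we-do-not-trust"

# Constructed local certificate store: each entry knows which CA issued it.
LOCAL_CERTS: List[Dict[str, bytes]] = [
    {"name": b"vpn-server", "issuer_spki": VPN_CA_SPKI},
]
# Constructed local trust-anchor set ("its own trusted CAs" in the mail).
TRUSTED_CAS: List[bytes] = [VPN_CA_SPKI, CORP_CA_SPKI]


def ca_hash(spki_der: bytes) -> bytes:
    """SHA-1 of a SubjectPublicKeyInfo, the identifier CERTREQ uses for a CA."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(trust_anchor_spkis: List[bytes]) -> bytes:
    """Encode a CERTREQ body as an initiator would: encoding byte + hash list."""
    return bytes([X509_SIGNATURE_ENCODING]) + b"".join(ca_hash(s) for s in trust_anchor_spkis)


def parse_certreq(payload: Optional[bytes]) -> Optional[Set[bytes]]:
    """Return the set of CA hashes the peer accepts, or None if the payload is
    absent, uses an encoding we do not handle, or is malformed (wrong length).
    A malformed or foreign-encoding CERTREQ is treated like a missing one,
    which is consistent with the RFC calling the payload a suggestion."""
    if payload is None or len(payload) < 1:
        return None
    if payload[0] != X509_SIGNATURE_ENCODING:
        return None
    body = payload[1:]
    if len(body) == 0 or len(body) % HASH_LEN != 0:
        return None
    return {body[i:i + HASH_LEN] for i in range(0, len(body), HASH_LEN)}


def select_cert(local_certs: List[Dict[str, bytes]],
                trusted_cas: List[bytes],
                certreq: Optional[bytes],
                require_certreq: bool = False) -> Optional[Dict[str, bytes]]:
    """Pick the local certificate to send in the IKE_AUTH response.

    With a usable CERTREQ, the cert must chain to a CA the peer listed.
    Without one, the pre-diff behaviour (require_certreq=True) sends nothing;
    the post-diff behaviour falls back to our own trust anchors."""
    acceptable = parse_certreq(certreq)
    if acceptable is None:
        if require_certreq:
            return None
        acceptable = {ca_hash(spki) for spki in trusted_cas}
    for cert in local_certs:
        if ca_hash(cert["issuer_spki"]) in acceptable:
            return cert
    return None


if __name__ == "__main__":
    # iOS-style request: CERT present, no CERTREQ at all.
    print("old behaviour, no CERTREQ:", select_cert(LOCAL_CERTS, TRUSTED_CAS, None, require_certreq=True))
    print("new behaviour, no CERTREQ:", select_cert(LOCAL_CERTS, TRUSTED_CAS, None))
    # Conventional initiator naming the CA it trusts.
    print("CERTREQ naming our CA:", select_cert(LOCAL_CERTS, TRUSTED_CAS, build_certreq([VPN_CA_SPKI])))
    # Initiator only trusts a CA we cannot chain to: nothing suitable to send.
    print("CERTREQ naming a foreign CA:", select_cert(LOCAL_CERTS, TRUSTED_CAS, build_certreq([UNKNOWN_CA_SPKI])))
```

The fallback keeps the responder from silently dropping the exchange with a client that never sends CERTREQ, while a CERTREQ that is present and names only CAs the responder cannot chain to still yields no certificate, so the peer's stated trust is honoured whenever it is actually expressed.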