Very interesting. Related: What's the recommended way to set up an IKEv2 server on Linux? I haven't kept up with the StrongSwan fork situation for a while now.
I have been using a StrongSwan server in conjunction with Windows certificate autoenrollment to allow my Windows clients to connect to StrongSwan via IKEv2 for a while. StrongSwan has a rough guide available on their wiki[1]. The only hangup I ran into was that Windows 7 is very particular about what OIDs need to be present in the certificates both on the server and client side[2].
It is interesting because currently the built-in Apple VPN client in both, OS X and iOS, does not support IKEv2. Well, iOS 8 has support for it but not through the GUI. OS X only supports L2TP/IPsec and Cisco IPsec (both IKEv1). Cisco IPsec is just plain IPsec, using IKE(v1) to establish the tunnel.
Latest strongSwan from brew repository works good on OS X. But most painful thing is connection restart after changing WiFi network. I need to reset it manually in most cases. Even low Dead Peer Detection (dpd) timeouts didn't help.
If you have the possibility to use a dedicated (virtual) server to setup a IPsec/IKEv2 VPN server, have a look at pfSense[1]. It is easy to manage through the webinterface, especially when using IPsec with certificate authentication for road warriors. The current pfSense stable release uses strongSwan 5.3.2 for IPsec VPN's.
Documentation for installing and setting up strongSwan from source is available on their own wiki[2]. There are also packages available for some Linux distributions.
This site/blog[3] explains very well how to install and setup strongSwan with certificate authentication. But most of the examples are probably also on the strongSwan wiki.
Very cool. The last I researched this, OpenVPN was the "best" and "most secure" VPN solution, but it was a bit of a hassle to set up for iOS and OS X. But it appears IKEv2 compares quite nicely [1] and will now be built in, so I no longer have to jump through hoops getting it working on iOS and OS X. I can't wait to try it.
11 comments
[ 3.4 ms ] story [ 45.8 ms ] thread[1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows...
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Win7Cer...
It's a myriad of forks (LibreSwan, FreeSwan, OpenSwan) -- but it seemed like StrongSwan had most frequent updates and good backing.
Here is this part from my ipsec.conf:
Any suggestions?[1] https://wiki.strongswan.org/projects/strongswan/wiki/MobIke
[2] https://tools.ietf.org/html/rfc4555
Documentation for installing and setting up strongSwan from source is available on their own wiki[2]. There are also packages available for some Linux distributions.
This site/blog[3] explains very well how to install and setup strongSwan with certificate authentication. But most of the examples are probably also on the strongSwan wiki.
[1] https://www.pfsense.org/
[2] https://wiki.strongswan.org/projects/strongswan/wiki
[3] https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-...
[1] https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs...