11 comments

[ 3.4 ms ] story [ 45.8 ms ] thread
Very interesting. Related: What's the recommended way to set up an IKEv2 server on Linux? I haven't kept up with the StrongSwan fork situation for a while now.
I have been using a StrongSwan server in conjunction with Windows certificate autoenrollment to allow my Windows clients to connect to StrongSwan via IKEv2 for a while. StrongSwan has a rough guide available on their wiki[1]. The only hangup I ran into was that Windows 7 is very particular about what OIDs need to be present in the certificates both on the server and client side[2].

[1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows...

[2] https://wiki.strongswan.org/projects/strongswan/wiki/Win7Cer...

For somebody with no context - what makes this very interesting?
(comment deleted)
It is interesting because currently the built-in Apple VPN client in both, OS X and iOS, does not support IKEv2. Well, iOS 8 has support for it but not through the GUI. OS X only supports L2TP/IPsec and Cisco IPsec (both IKEv1). Cisco IPsec is just plain IPsec, using IKE(v1) to establish the tunnel.
We used StrongSwan (looked into it recently). Worked well, easy to setup.

It's a myriad of forks (LibreSwan, FreeSwan, OpenSwan) -- but it seemed like StrongSwan had most frequent updates and good backing.

Latest strongSwan from brew repository works good on OS X. But most painful thing is connection restart after changing WiFi network. I need to reset it manually in most cases. Even low Dead Peer Detection (dpd) timeouts didn't help.

Here is this part from my ipsec.conf:

  # Always up
  dpdaction = restart
  dpddelay = 5s 
  inactivity = 10s
  keyingtries=%forever
  auto=start
 
Any suggestions?
If you have the possibility to use a dedicated (virtual) server to setup a IPsec/IKEv2 VPN server, have a look at pfSense[1]. It is easy to manage through the webinterface, especially when using IPsec with certificate authentication for road warriors. The current pfSense stable release uses strongSwan 5.3.2 for IPsec VPN's.

Documentation for installing and setting up strongSwan from source is available on their own wiki[2]. There are also packages available for some Linux distributions.

This site/blog[3] explains very well how to install and setup strongSwan with certificate authentication. But most of the examples are probably also on the strongSwan wiki.

[1] https://www.pfsense.org/

[2] https://wiki.strongswan.org/projects/strongswan/wiki

[3] https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-...

Very cool. The last I researched this, OpenVPN was the "best" and "most secure" VPN solution, but it was a bit of a hassle to set up for iOS and OS X. But it appears IKEv2 compares quite nicely [1] and will now be built in, so I no longer have to jump through hoops getting it working on iOS and OS X. I can't wait to try it.

[1] https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs...