
2984839 (Original poster):
I have an IKEv2 server that works fine with Apple clients with DH group 2 (aka modp1024). However, changing this on the server side to use any other Diffie-Hellman group results in an "Unexpected error occurred" message from both macOS Mojave and iOS 12 clients. No info shows up in client logs that I can find.

I don't want to use modp1024. How can I find out the list of cipher suites supported by macOS and iOS and/or force it to use something that is actually secure?
 

2984839 (Original poster):

Quoting Mikael H:
    You'll need to create a config profile. I documented the process for pfSense + macOS/iOS a while ago:
    https://www.oxcrag.net/2018/08/24/ikev2-ipsec-vpn-with-pfsense-and-apple-devices-2/
    See the section "Create an Apple Configuration Profile" and onward.

That was helpful, thanks. I now have it working with ecp384 using a profile generated with Apple Configurator 2, but weirdly, it still says an unexpected error occurred before successfully connecting. I'll have to check tcpdump to see what is actually going on.
 

Mikael H:

Quoting 2984839:
    That was helpful, thanks. I now have it working with ecp384 using a profile generated with Apple Configurator 2, but weirdly, it still says an unexpected error occurred before successfully connecting. I'll have to check tcpdump to see what is actually going on.

I'm glad it helped.
One gotcha, where I don't know whether it's pfSense or iOS/macOS that was the weird party, is that when creating the server and client certs I couldn't get the tunnel to work properly without defining identical contents for the CN and SAN fields. I only mentioned it in passing in my posts, but it was something that had me stumped for a while.
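The two practical points in this thread are (a) that the only way to pin the Apple IKEv2 client to a specific proposal is a configuration profile, and (b) that the server identity in the profile has to line up with the certificate's CN/SAN. The script below is an added example, not code from the thread or from the linked oxcrag.net post: it builds a minimal IKEv2 `.mobileconfig` with the `IKESecurityAssociationParameters` / `ChildSecurityAssociationParameters` keys from Apple's VPN payload set to AES-256-GCM, SHA2-384 and DH group 20 (ecp384), sets `RemoteIdentifier` / `ServerCertificateCommonName` to the same name the server certificate carries, and can also scan an existing profile for the modp1024 problem the poster wanted to get rid of. Hostnames, identifiers, the CA name and the UUIDs are placeholders; the client PKCS#12 and CA certificate payloads that a certificate-authenticated profile also needs are assumed to be added separately.

```python
"""Build and check an Apple IKEv2 .mobileconfig with pinned proposals.

Added example for this thread; hostnames, identifiers and CA name are
placeholders.  Uses only the standard library (plistlib, uuid).
"""
import plistlib
import uuid

# Diffie-Hellman group numbers accepted by Apple's IKEv2 payload
# (IANA IKEv2 Transform Type 4 identifiers).  Group 2 is modp1024.
DH_GROUPS = {"modp1024": 2, "modp2048": 14, "modp4096": 16,
             "ecp256": 19, "ecp384": 20, "ecp521": 21, "curve25519": 31}

# Groups that should not appear in a new profile (modp768/1024/1536).
WEAK_DH_GROUPS = {1, 2, 5}


def sa_params(enc="AES-256-GCM", integ="SHA2-384", dh="ecp384", lifetime_min=1440):
    """Dictionary for IKESecurityAssociationParameters or
    ChildSecurityAssociationParameters.  Refuses weak DH groups."""
    group = DH_GROUPS[dh]
    if group in WEAK_DH_GROUPS:
        raise ValueError(f"refusing weak DH group {group} ({dh})")
    return {
        "EncryptionAlgorithm": enc,      # e.g. AES-256, AES-256-GCM, ChaCha20Poly1305
        "IntegrityAlgorithm": integ,     # e.g. SHA2-256, SHA2-384, SHA2-512
        "DiffieHellmanGroup": group,
        "LifeTimeInMinutes": lifetime_min,
    }


def build_profile(server, local_id, ca_cn, dh="ecp384"):
    """Return the profile as a dict: a Configuration payload wrapping one
    com.apple.vpn.managed payload of VPNType IKEv2 (certificate auth)."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.vpn.ikev2.{server}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"IKEv2 to {server}",
        "UserDefinedName": f"IKEv2 {server}",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            # RemoteIdentifier and ServerCertificateCommonName must match what
            # the server presents (SAN, and per the thread also CN).
            "RemoteIdentifier": server,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "Certificate",
            # A real profile also needs PayloadCertificateUUID pointing at a
            # com.apple.security.pkcs12 payload with the client cert (omitted).
            "ExtendedAuthEnabled": False,
            "ServerCertificateIssuerCommonName": ca_cn,
            "ServerCertificateCommonName": server,
            "DeadPeerDetectionRate": "Medium",
            # Both IKE and child (ESP) SA proposals are pinned; leaving either
            # out makes the client fall back to its built-in defaults.
            "IKESecurityAssociationParameters": sa_params(dh=dh),
            "ChildSecurityAssociationParameters": sa_params(dh=dh),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ikev2",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "IKEv2 VPN (pinned proposals)",
        "PayloadContent": [vpn],
    }


def to_mobileconfig(profile):
    """Serialize the profile dict to XML plist bytes (.mobileconfig content)."""
    return plistlib.dumps(profile)


def check_profile(data):
    """Parse .mobileconfig bytes and return a list of findings about IKEv2
    payloads that use a weak DH group or leave the proposal unpinned.
    An empty list means the profile is acceptable."""
    prof = plistlib.loads(data)
    findings = []
    for payload in prof.get("PayloadContent", []):
        if payload.get("VPNType") != "IKEv2":
            continue
        ike = payload.get("IKEv2", {})
        for key in ("IKESecurityAssociationParameters",
                    "ChildSecurityAssociationParameters"):
            params = ike.get(key)
            if params is None:
                findings.append(f"{key} missing: client will use built-in defaults")
            elif params.get("DiffieHellmanGroup") in WEAK_DH_GROUPS:
                findings.append(f"{key}: weak DH group {params['DiffieHellmanGroup']}")
    return findings


if __name__ == "__main__":
    prof = build_profile("vpn.example.net", "laptop.example.net", "Example VPN CA")
    blob = to_mobileconfig(prof)
    with open("ikev2-pinned.mobileconfig", "wb") as f:
        f.write(blob)
    print("findings:", check_profile(blob) or "none")
```

The generated file is installed the same way the thread describes (Apple Configurator 2 or System Preferences > Profiles). `check_profile` is useful on profiles produced by other tools: a missing `IKESecurityAssociationParameters` block is exactly the case where the client negotiates whatever its built-in defaults are, regardless of what the server would prefer.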
 