I don't know whether this is already known, but for some time now the IPsec connection setup has not been working from either the Mac or the iPhone.
The reason seems to be related to the key exchange groups.
iOS 18.1 and macOS Sequoia apparently want ECP_256 and not MODP_2048.
IPsec IKEv2 EAP-MSCHAPv2 stopped working with iOS 18.1 update
forum.opnsense.org
In addition, the iOS/macOS client apparently no longer sends its certificate automatically:
It looks like the iOS device would like ECP_256 instead of MODP_2048.
Additionally it looks like a certificate error: the client doesn't send a certificate to the server and thus the authentication round fails.
It seems like both of these issues would need to be fixed, but it's hard (with the certificate) without knowing what Apple changed or expects now.
The solution is described here:
vpn/ipsec: Add additional information to swanctl roadwarrior docs · Issue #639 · opnsense/docs
github.com
(Tested on iOS 18)
By default, the server will only send CA certificates when requested. But the iOS native client will not send a CERTREQ when connecting. This means the certificate chain cannot be verified, since no CA certificate will be sent. The connection attempt will fail immediately.
To fix this, we simply need to set "Send certificate" under the P1 settings to "Always".
Could you adjust this, i.e. in the VPN profiles for the Mac, and use ECP_256 instead of MODP_2048 as the key exchange group?
Best regards
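The two changes the post asks for, as an added strongSwan swanctl.conf fragment that is not from the post, the linked threads or OPNsense itself: the IKE proposal offers an ECP_256 group (written ecp256 in swanctl syntax) ahead of MODP_2048, and send_cert = always is the swanctl equivalent of the "Send certificate: Always" phase 1 setting, so the server pushes its certificate chain even when the client sends no CERTREQ. The connection and pool names, hostname, certificate file name and address pool are placeholders.

```conf
# Added example, not the forum post's or OPNsense's configuration.
# Minimal IKEv2 road-warrior connection with EAP-MSCHAPv2 client auth.
connections {
    rw-ikev2 {
        version = 2
        local_addrs = %any
        # Offer ECP_256 first (what the iOS 18.1 / Sequoia client asks for)
        # and keep MODP_2048 so older clients can still negotiate.
        proposals = aes256-sha256-ecp256, aes256-sha256-modp2048
        # Equivalent of "Send certificate: Always" in the P1 settings.
        # Default is "ifasked", which leaves the iOS client without the chain.
        send_cert = always
        local {
            auth = pubkey
            # placeholder file name; lives in /etc/swanctl/x509/
            certs = vpn-server.crt
            # placeholder identity; must match a SAN in the server certificate
            id = vpn.example.com
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        pools = rw-pool
        children {
            rw-net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-ecp256, aes256-sha256-modp2048
            }
        }
    }
}
pools {
    rw-pool {
        # placeholder client address pool
        addrs = 10.10.10.0/24
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` should list both proposals and `send_cert` is no longer on its default; a client that still fails should then show a reason in the charon log other than an unacceptable DH group or a missing trusted certificate.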