This post shows the basic settings I needed to get this working. I am not including certificate creation or firewall setup; I use zone-policy anyway, and most of the examples around here don't. Also, I used XCA to create my certificates; it's a GUI-based program that really simplifies the process. I have offloading enabled.
While I skipped a bunch of the basic setup stuff, I am willing to answer questions.
You NEED to include a subject alternative name (SAN) in the device certificates.
EdgeMAX:
vpn:
vpn {
    ipsec {
        include-ipsec-conf /config/auth/ipsec.conf
        include-ipsec-secrets /config/auth/ipsec.secrets
    }
}
/config/auth/ipsec.conf:
# strongSwan config for iPhone
ca [CA_NAME]
    cacert=/config/auth/[CA_FILE.EXT]
    auto=add

conn iOS-IKEv2
    auto=add
    dpdaction=none
    keyexchange=ikev2
    ike=aes128-sha1-modp1024   # not strictly needed, but I wanted to choose
    left=%any
    leftsubnet=0.0.0.0/0,::/0   # remove IPv6 if not needed
    leftcert=/config/auth/[DEVICE_CERT_FILE.EXT]
    leftsendcert=always
    leftid=[DEVICE_CERT_SAN]   # ex: erl.domain.com
    right=%any
    rightsourceip=192.168.10.100-192.168.10.199,2001:DB8::100-2001:DB8::199
    # I chose the ranges, but it will also accept a subnet: 192.168.10.0/24,2001:DB8::/97
    rightdns=8.8.8.8,2001:4860:4860::8888
/config/auth/ipsec.secrets:
: RSA /config/auth/[DEVICE_CERT_PRIVATE_KEY.EXT]
iPhone:
I emailed the [CA_FILE.CRT] and also a [IPHONE_CERT.P12] file with the private key included to myself so I could install them on my phone.
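A preflight check for the EdgeMAX side of this setup, added here as an example and not part of the original post: it reads the conn section of an ipsec.conf laid out like the one above, confirms the settings the iPhone depends on (keyexchange=ikev2, leftsendcert=always, leftcert and leftid set), and uses openssl to confirm that the leftid name really is in the device certificate's SAN, which is the requirement the post calls out. The file paths and the sample conn written by write_sample_conf are constructed for the demonstration.

```shell
# Preflight checks for the iOS IKEv2 conn (added example, not from the post).
# Assumes a strongSwan-style ipsec.conf and a PEM cert; openssl(1) is needed
# only by cert_has_san.

# conf_get FILE CONN KEY: print the value of KEY inside "conn CONN".
# Section headers start in column 0; settings are indented key=value lines.
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[^ \t#]/ { insec = ($1 == "conn" && $2 == sec); next }
        insec {
            sub(/^[ \t]+/, ""); sub(/[ \t]*#.*$/, "")
            i = index($0, "=")
            if (i > 0 && substr($0, 1, i - 1) == key) { print substr($0, i + 1); exit }
        }' "$1"
}

# check_conn FILE CONN: return 0 when the conn has what an iPhone client needs
# (IKEv2, server cert always sent, leftcert and an explicit leftid); otherwise
# report each missing setting and return 1.
check_conn() {
    rc=0
    [ "$(conf_get "$1" "$2" keyexchange)" = ikev2 ] || { echo "keyexchange must be ikev2"; rc=1; }
    [ "$(conf_get "$1" "$2" leftsendcert)" = always ] || { echo "leftsendcert must be always"; rc=1; }
    [ -n "$(conf_get "$1" "$2" leftcert)" ] || { echo "leftcert is not set"; rc=1; }
    [ -n "$(conf_get "$1" "$2" leftid)" ] || { echo "leftid is not set"; rc=1; }
    return $rc
}

# cert_has_san CERT NAME: return 0 if NAME is a DNS or IP entry in the
# certificate's subjectAltName, i.e. a value leftid can legitimately use.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed 's/^[ \t]*//' |
        grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# write_sample_conf DIR: a constructed stand-in for the post's conn section.
write_sample_conf() {
    cat > "$1/ipsec.conf" <<'EOF'
conn iOS-IKEv2
    keyexchange=ikev2
    leftcert=/config/auth/erl.pem
    leftsendcert=always
    leftid=erl.domain.com  # placeholder name, not a real host
EOF
}

demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir"
check_conn "$demo_dir/ipsec.conf" iOS-IKEv2 && echo "conn iOS-IKEv2: OK"
```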