Strongswan IKEv2 VPN on OS X 10.11 and iOS 10 Clients


After many days of searching on Google, through Serverfault, and even on the StrongSwan website, I have been unsuccessful in attempting to get StrongSwan IPSec/IKEv2 VPN working on OS X 10.11.5 and iOS 10. I have been very successful in getting it to work on Windows 10 Pro Insider Preview and Android – neither of which are relevant to my travel arrangements where I will only have a Mac notebook and iOS 10 devices.

I have two StrongSwan VPN servers set up – one in London and one in San Francisco, both with nearly identical configurations.

Having followed I was able to quickly set up both servers and issue a single client certificate for Windows 10 Pro Insider Preview and Android. However, when I copy the p12s of the two servers over to OS X and iOS to create the VPNs, I am presented with questions I didn't get with the other two operating systems.

I can't seem to find a definitive answer on what a "Remote ID" and a "Local ID" are, and how this pertains to me establishing a certificate-based authenticated connection to the StrongSwan VPN server.

From what little I have been able to find I have learned the following:

  • Local ID must match the CN or SAN specified in the certificate (i.e.
  • Remote ID is required by both OS X and iOS but I have no idea what to put in this input field
  • Unlike Windows and Android which connected seamlessly with encryption, OS X and iOS both get stuck at "Connecting" or will quickly cycle to "Disconnecting" perpetually

This is one of the StrongSwan server configurations (the one I have been testing against):

# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default

conn IPSec-IKEv2

How can I correctly provision the VPN Tunnel on OS X 10.11.5 and iOS 10 with the same certificates used by Windows and Android?

Best Answer

As it turns out, I needed to use the Apple Configurator to create the VPN Profile so I could set the cryptography to use DH Group 2 and 3DES.

I also had to change the Remote ID to the FQDN of the VPN Server as it is listed in the certificate's Common Name. OS X ignored the Subject Alternative Name (SAN).

However, while I can now establish the connection to the VPN, I cannot traverse traffic over it.

As that question is unrelated to this, I have posted another question at:
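As an added illustration (not the asker's configuration and not strongSwan project documentation), the following is a complete conn block of the shape the truncated ipsec.conf in the question would contain, annotated with where the two identities the Apple clients ask for come from. The host name vpn.example.com, the certificate file names and the virtual address pool are assumed values.

```conf
# ipsec.conf - added example; vpn.example.com, file names and the pool are assumed

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s

conn IPSec-IKEv2
    left=%any
    # leftid is the identity the server asserts. The Apple "Remote ID" field
    # must match it, and (as found in the answer above) it must also be the
    # server certificate's Common Name; OS X ignored the SAN.
    leftid=vpn.example.com
    # server certificate issued with CN=vpn.example.com (assumed file name)
    leftcert=vpn.example.com.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    # rightid is the client's identity. The Apple "Local ID" field must match
    # the CN or SAN in the client certificate; %any accepts whatever identity
    # the presented client certificate carries.
    rightid=%any
    rightauth=pubkey
    # assumed virtual address pool handed to connecting clients
    rightsourceip=10.10.10.0/24
    # Stronger proposals first; the trailing 3DES / DH group 2 (modp1024)
    # entries are the legacy ones the answer needed for the Apple Configurator
    # profile. Drop them once no client still requires them.
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes128-sha1,3des-sha1!
    auto=add
```

The check that ties the three pieces together: Remote ID on the Apple client, leftid on the server and the server certificate's CN must all be the same string, while Local ID must be a CN or SAN present in the client certificate. With charondebug at the level shown, a mismatch surfaces in the charon log as a failed identity or config lookup during IKE_AUTH, which is the point at which OS X and iOS otherwise sit at "Connecting".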