Tinkering with 搬瓦工 (BandwagonHost) – 06 – Configuring an IKEv2 VPN

Ashes to ashes, dust to dust; I never want to deal with VPNs again.

IKEv2 has become the default VPN option on iOS 9. Its advantages are too many to list, but a thousand words are worth less than one one-click configuration script. The only things to watch out for are:

  • The Remote ID is the CN
  • The SAN value must be identical to the CN
  • The CN is the server's domain name, e.g. wbuntu.com, or its corresponding IP address
  • "no matching config"? That is certainly an incorrect setting in ipsec.conf

The script also sets up a client certificate. With Cisco IPSec, replacing the pre-shared key with a certificate worked, but configuring certificate authentication for IKEv2 failed, so I have shelved it for now. If anyone gets it working, please do let me know.

One-click configuration script: IPSecAndIKEv2VPNWithStrongswan

After the update it supports the following on iOS 9:

  • Cisco IPSec VPN, using a username and password plus a pre-shared key
  • IKEv2, with the server authenticated by certificate and the client by EAP-MSCHAPv2 (username and password); the root certificate caCert.pem must be installed

Update

The script now supports basically all common platforms, including Windows, OS X, iOS and Android. strongSwan built from source already ships with all the cipher algorithms, whereas a binary install needs plugins such as eap-md5, eap-mschapv2 and xauth-generic. It feels very stable; unless special needs arise, the next update will probably come only when a new protocol or a replacement for strongSwan appears.

The network security schemes supported by iOS 9 are as follows.

URL: https://help.apple.com/deployment/ios/#/apd1775f8cbb

The content is reproduced below, archived in case the link dies.

Network security

Network security technologies built into iOS ensure that users are authorized and that their data is protected during transmission over Wi-Fi and cellular connections.

iOS network security supports:

  • Built-in Cisco IPSec, IKEv2, L2TP, PPTP
  • SSL VPN via App Store apps
  • Transport Layer Security (TLS v1.0, TLS v1.1, TLS v1.2) and DTLS
  • SSL/TLS with X.509 certificates
  • WPA/WPA2 Enterprise with 802.1X
  • Certificate-based authentication
  • RSA SecurID, CRYPTOCard

VPN

Many enterprise environments have some form of virtual private network (VPN). These VPN services typically require minimal setup and configuration to work with Apple devices, which integrate with many commonly used VPN technologies.

For more information, see the VPN overview section of this reference.

IPSec

iOS and OS X support IPSec protocols and authentication methods. For more information, see the Supported protocols and authentication methods section of this reference.

SSL/TLS

iOS supports SSL v3 and Transport Layer Security (TLS v1.0, 1.1, and 1.2). Safari, Calendar, Mail, and other Internet apps automatically use these to enable an encrypted communication channel between iOS and OS X and corporate services.

iOS 9 or later and OS X El Capitan or later require a 1024-bit or larger group when negotiating a TLS/SSL connection with Diffie-Hellman key exchange.

iOS 9 or later and OS X El Capitan or later also add support for TLS v1.2 in 802.1X authentication. Authentication servers that support TLS v1.2 may require updates for compatibility:

  • FreeRADIUS: Update to version 2.2.7 or 3.0.8
  • Aruba ClearPass: Update to version 6.5.2
  • Other Aruba products: Update to ArubaOS 6.4.2.9

For more information about SSL and TLS, go to the Apple Support article "Use modern cryptographic practices when setting up SSL and TLS services on your server".

WPA/WPA2

Apple devices support WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit Advanced Encryption Standard (AES) encryption, so user data is protected when communicating over a Wi-Fi network.

With support for 802.1X, iOS devices can be integrated into a broad range of RADIUS authentication environments. iOS supports 802.1X wireless authentication protocols, including:

  • IKEv2
  • EAP-TLS
  • EAP-TTLS (MSCHAPv2)
  • EAP-FAST
  • EAP-AKA
  • EAP-SIM (carrier only)
  • PEAPv0 (EAP-MSCHAPv2, the most common form of PEAP)
  • PEAPv1 (EAP-GTC, less common and created by Cisco)
  • LEAP

For more information, see the Wi-Fi section of this reference.

FaceTime and iMessage encryption

iOS and OS X create a unique ID for each FaceTime and iMessage user, ensuring communications are encrypted, routed, and connected properly.

In addition, according to the terminal output, the encryption and authentication algorithms iOS uses are as follows:

IKE

IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

ESP

ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
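As an added example (not part of the original post or of the one-click script), the following Python turns the strongSwan proposal output quoted above into ipsec.conf ike=/esp= keywords and keeps only the proposals without 3DES, SHA-1 or small DH groups, so the server side can be pinned to what iOS 9 actually offers. The log text is embedded as constructed sample input; the keyword mapping and the WEAK set are this example's own choices.

```python
import re

# Added example (not the post's script): map strongSwan's log names for
# algorithms to the ipsec.conf proposal keywords used in ike= / esp= lines.
KEYWORDS = {
    "AES_CBC_256": "aes256", "AES_CBC_128": "aes128", "3DES_CBC": "3des",
    "HMAC_SHA2_256_128": "sha256", "HMAC_SHA1_96": "sha1",
    "MODP_2048": "modp2048", "MODP_1536": "modp1536", "MODP_1024": "modp1024",
    "ECP_256": "ecp256",
}
# Keywords the server should refuse to offer (3DES, SHA-1, small DH groups)
WEAK = {"3des", "sha1", "modp1024", "modp1536"}

# Constructed sample input: the iOS 9 proposals quoted above, as strongSwan logs them
IOS9_LOG = """\
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
"""

def parse_proposals(log, protocol):
    """Return the distinct 'IKE' or 'ESP' proposals as lists of ipsec.conf keywords."""
    found = []
    for match in re.finditer(r"\b%s:([A-Z0-9_/]+)" % protocol, log):
        algs = match.group(1).split("/")
        # The PRF is implied by the integrity algorithm and NO_EXT_SEQ is an
        # ESP flag, so neither belongs in an ike= or esp= line.
        keywords = [KEYWORDS[a] for a in algs
                    if not a.startswith("PRF_") and a != "NO_EXT_SEQ"]
        if keywords not in found:  # iOS repeats the same ESP proposal
            found.append(keywords)
    return found

def strong_proposal_line(log, protocol):
    """ike=/esp= value built from the client's non-WEAK proposals; '!' makes strongSwan strict."""
    kept = [p for p in parse_proposals(log, protocol) if not WEAK & set(p)]
    return "%s=%s!" % (protocol.lower(), ",".join("-".join(p) for p in kept))

if __name__ == "__main__":
    print(strong_proposal_line(IOS9_LOG, "IKE"))  # ike=aes256-sha256-modp2048,aes256-sha256-ecp256!
    print(strong_proposal_line(IOS9_LOG, "ESP"))  # esp=aes256-sha256!
```

Paste the two printed lines into the conn section of ipsec.conf; a client that only offers proposals from the WEAK set will then fail the negotiation instead of silently downgrading the tunnel.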