Bug 11621

Summary: REQUEST: Creation of IPSec IKEv2 Client Installation Files for Roadwarriors
Product: IPFire Reporter: Tom Rymes <tomvend>
Component: ---Assignee: Michael Tremer <michael.tremer>
Status: NEW --- QA Contact:
Severity: - Unknown -    
Priority: - Unknown - CC: michael.tremer, peter.mueller
Version: 2   
Hardware: unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 11618    

Description Tom Rymes 2018-02-06 23:51:49 UTC 
Apple Devices (MacOS and iOS) provide a means to greatly simplify and control the installation of IKEv2 connections. An XML file is copied to the device and opened, causing the certificates to be installed and the connection created. Settings such as auto-connect on cellular or auto-connect on Wi-fi, etc can be configured.

Similarly, a simple Powershell script on Windows can install certificates, create a VPN connection, and choose more secure ciphers in a much more user-friendly way than manually performing these steps. 

I would like to request that the IPFire Roadwarrior IPSec WUI be enhanced to include the creation of these files/scripts (which could be downloaded via a similar link to the current certificate link). 

I think that this would be a major improvement for ease of use, and a good way to attract new users to IPFire. IKEv2 is built-in to Windows, MacOS, and iOS at this point, and is preferable to OpenVPN.
Comment 1 Michael Tremer 2018-02-12 00:03:17 UTC 
I would really like this, too.

I would offer to do the iOS stuff here if someone could send me a tempate profile created with the Apple Configurator (I don't have a Mac to run that).

But I have no idea how to do the Windows stuff. Does anyone have experience with that?
Comment 2 Tom Rymes 2018-02-12 14:54:40 UTC 
Michael: For Windows, here is the information I had dug up. After I had figured this out on my own, I found Algo, which takes all of the same stuff and puts it in a pretty wrapper (powershell script).

Import Certificate: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
Add/Configure VPN Connection: https://docs.microsoft.com/en-us/powershell/module/vpnclient/?view=win10-ps

To add a VPN Connection:
1.) Import the cert: certutil -f -importpfx <filename>
2.) Add the connection: Add-VpnConnection -name "MyVPN" -ServerAddress "xxx.xxx.xxx.xxx" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
3.) Configure the connection: Set-VpnConnectionIPsecConfiguration -ConnectionName "MyVPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup ECP256  -Force

To remove the same connection:
1.) Remove-VpnConnection -name "MyVPN" -Force

The above is information I worked out on my own. I don't personally think any of the output files from Algo are covered by a license, but I didn't want to put any of that up here without checking first.

For Apple, I will download the configurator when I have my mac in front of me again, but here are two good links, one of which includes a sample file:

https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

https://hub.zhovner.com/geek/universal-ikev2-server-configuration/
Comment 3 Tom Rymes 2018-02-13 15:24:41 UTC 
After re-reading your comment, Michael, I wanted to point out that the Apple Mobileconfig files work for both MacOS and iOS, not just iOS.

Tom
Comment 4 Michael Tremer 2018-02-13 17:20:15 UTC 
(In reply to Tom Rymes from comment #3)
> After re-reading your comment, Michael, I wanted to point out that the Apple
> Mobileconfig files work for both MacOS and iOS, not just iOS.
> 
> Tom

That's amazing. I wish other OSes had such a nice way to do this.
Comment 5 Peter Müller 2019-10-13 10:44:07 UTC 
What is the status of this bug?