Bug #6684

Setting IKEv2 Phase 2 in Mobile Config appears to generate invalid Apple Profile

Added by Chris Linstruth almost 4 years ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec Profile Wizard
Target version: -
Start date: 08/07/2016
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

Setting "Phase2 PFS Group - Provide the Phase2 PFS group to clients (overrides all mobile phase2 settings)" in Mobile Clients settings on at least IKEv2 appears to generate an invalid mobileconfig profile using the Apple IPsec Profile factory package (ipsec-profile-exporter).

Culprit is probably:

<key>DiffieHellmanGroup</key>
<integer></integer>

in the child SA config.

Workaround: disable in Mobile Clients config and enable DH group in Phase 2.
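
A check for the condition described above, added here as an example (it is not part of the original report or of the pfSense package): it walks an exported .mobileconfig and reports every `<integer>` or `<real>` element whose body is empty or non-numeric. The sample profile, the key names other than DiffieHellmanGroup, and the group value 14 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Plist scalar tags that must carry a parseable decimal number.
NUMERIC_TAGS = {"integer": int, "real": float}

def find_bad_numbers(plist_xml):
    """Return key paths of <integer>/<real> elements whose text is not a number."""
    root = ET.fromstring(plist_xml)
    bad = []

    def walk(node, path):
        if node.tag == "dict":
            children = list(node)
            # A plist dict is a flat <key>, value, <key>, value ... sequence.
            for key, value in zip(children[0::2], children[1::2]):
                walk(value, f"{path}/{key.text}" if path else key.text)
        elif node.tag == "array":
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif node.tag in NUMERIC_TAGS:
            try:
                NUMERIC_TAGS[node.tag]((node.text or "").strip())
            except ValueError:
                bad.append(path)

    for top in root:  # <plist> wraps one top-level object
        walk(top, "")
    return bad

# Constructed sample: a cut-down profile with the empty DH group from the report.
SAMPLE_BROKEN = b"""<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>IKEv2</key>
    <dict>
      <key>ChildSecurityAssociationParameters</key>
      <dict>
        <key>DiffieHellmanGroup</key>
        <integer></integer>
      </dict>
    </dict>
  </dict></array>
</dict></plist>"""
# Constructed counterpart with a group number filled in.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(b"<integer></integer>", b"<integer>14</integer>")

if __name__ == "__main__":
    print(find_bad_numbers(SAMPLE_BROKEN))
```

Running the same function over a freshly exported profile before distributing it shows whether the PFS group made it into the child SA parameters.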

History

#1 Updated by Jim Thompson over 3 years ago

  • Assignee set to Matthew Smith

#2 Updated by Jim Pingle 10 months ago

  • Category set to IPsec Profile Wizard

#3 Updated by Viktor Gurov 4 months ago

Tested on pfSense 2.4.5.a.20200120.1342 with ipsec-profile-wizard 0.12.

No such issue - you can set DH group in both Phase 2 and "Phase2 PFS Group - Provide the Phase2 PFS group to clients (overrides all mobile phase2 settings)" and get correct DH group numbers in remote-access-ipsec.mobileconfig.

#4 Updated by Jim Pingle 4 months ago

  • Status changed from New to Resolved
