Project

General

Profile

Actions
Copy link

Bug #6684

closed

Setting IKEv2 Phase 2 in Mobile Config appears to generate invalid Apple Profile

Added by Chris Linstruth over 7 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Matthew Smith
Category:
IPsec Profile Wizard
Target version:
-
Start date:
08/07/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

Setting "Phase2 PFS Group - Provide the Phase2 PFS group to clients (overrides all mobile phase2 settings)" in Mobile Clients settings on at least IKEv2 appears to generate an invalid mobileconfig profile using the Apple IPsec Profile factory package (ipsec-profile-exporter).

Culprit is probably:

<key>DiffieHellmanGroup</key>
<integer></integer>

in the child SA config.

Workaround: disable in Mobile Clients config and enable DH group in Phase 2.

Actions
Copy link
 #1

Updated by Jim Thompson over 7 years ago

  • Assignee set to Matthew Smith
Actions
Copy link
 #2

Updated by Jim Pingle over 4 years ago

  • Category set to IPsec Profile Wizard
Actions
Copy link
 #3

Updated by Viktor Gurov about 4 years ago

tested on pfSense 2.4.5.a.20200120.1342 with ipsec-profile-wizard 0.12

no such issue - you can set DH group in both Phase 2 and "Phase2 PFS Group - Provide the Phase2 PFS group to clients (overrides all mobile phase2 settings)" and get correct DH group numbers in remote-access-ipsec.mobileconfig

Actions
Copy link
 #4

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Resolved
Actions
Copy link

Also available in: Atom PDF