pfSense

The Mobile Client IKEv2 server in pfSense should be able to do two things that it presently cannot:

1. Bind to multiple interfaces.
2. Run multiple instances (should isolation be needed).

Here is the rationale for the first one:

I have several Apple devices in my household. Some are Apple TVs, some are iPads that are only used inside the house and some are iPhone devices that roam such that they need to connect both from outside and inside the premise. I want to secure their communication with a VPN. Part of the motivation for doing this is KRACK and any future vulnerabilities that might be found, but also part of the motivation is the desire to protect the iOS devices that roam. Furthermore, the iOS devices that are outside the network do not necessarily need to talk to the internal iOS devices and in their case, the VPN is solely intended to protect them against rogue APs. The natural solution for this is to use two separate OpenVPN instances. However, this has multiple problems:

1. The Apple TVs do not support OpenVPN.
2. The OpenVPN client for iOS uses PolarSSL, which does encryption in software and is therefore vulnerable to cache timing attacks.
3. It is only possible to configure iOS to force a VPN on IKEv2. This requires creating a special provisioning profile on Mac OS X with the Apple Configurator 2 and putting iOS into supervised mode.

The only way to solve these issues is to use either an IKEv2 that binds to multiple interfaces (giving up isolation of external devices) or multiple IKEv2 servers. Neither is possible on iOS.

I had originally asked about how to do this here:

https://www.reddit.com/r/PFSENSE/comments/79203k/ikev2_server_on_multiple_interfaces/

By the way, while the IKEv2 client on unprovisioned iOS devices does not support the best encryption options when configured as a standalone device, it appears possible to use the Apple Configurator 2 tool on Mac OS X to provision iOS devices as provisioned devices and configure extremely strong encryption. One example being Suite-B-GCM-256 from RFC6379 with Perfect Forward Secrecy. It appears possible to substitute RSA for those concerned about backdoors in secp384r1. I should note that I have not confirmed whether 16384-bit RSA is usable.