So I had a Strongswan VPN set up for an internal business iOS app. The VPN was handled programmatically. With the iOS 14 betas it's stopped working. This was my ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<MY_IP>
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret
Since it continued to work on iOS 13 devices, I thought it was a bug. But after submitting an issue in the Feedback app, they told me the supported cipher types have been updated in iOS 14 (of course totally undocumented). Posting on the developer forum (https://developer.apple.com/forums/thread/659209) finally got me to the following new supported ciphers:
ENCR_AES_CBC
PRF_HMAC_SHA2_256
AUTH_HMAC_SHA2_256_128
2048 bit MODP Group / Diffie-Hellman Group (D-H)
But how would I implement this in my ipsec.conf? I tried the following, but it still won't work:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha2_256-modp2048!
    esp=aes256-prfsha256-modp2048!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<MY_IP>
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret
I believe that the ike setting is for key exchange, and thus should reflect the "AUTH" in the supported ciphers above. Am I off? Anything I can read up on to understand this all better?