Add documentation to configure OS X with IPSec #623

Open
2 tasks done
hakito opened this issue Oct 27, 2024 · 5 comments
Labels
support Community support


hakito commented Oct 27, 2024

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

I am new to OPNsense and I could get IPSec working with Windows, but not with OS X.

The current documentation

:header: "VPN Method", "Win7", "Win10", "Linux", "Mac OS X", "IOS", "Android", "OPNsense config"

refers to the documentation IPsec: Setup OPNsense for IKEv2 EAP-TLS. But is this probably outdated?

Step 3 - Phase 1 Mobile Clients

Mobile Clients does not have a Phase 1 setup.

Describe the solution you like

An up-to-date description for the OPNsense configuration and the corresponding configuration in OS X.

Describe alternatives you considered

In the meantime I use OpenVPN, but this requires installation of an additional client in OS X.

Additional context

@Monviech
Member

This setup worked really well with the NCP client on macOS.

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

It's kinda the same as with OpenVPN, the best experience comes with an additional (commercial) client like Viscosity.

Author

hakito commented Oct 28, 2024

I also came across this section. But I wanted to avoid installing additional software on the clients. So it's not possible to make it work with the native OS X VPN implementation?

Member

Monviech commented Oct 28, 2024

I'm sure it is possible somehow but you would need to do your own testing.

Since it works with iOS it should work somehow with OSX. But given how iOS for example ignores the IKE Configuration Payloads AND DNS servers, using a client that actually accepts them and configures DNS and Routes with them might still be needed.

When in doubt check out the Strongswan Documentation, there are a lot of configuration examples.

I just checked and there is also a strongswan client for macOS:
https://docs.strongswan.org/docs/5.9/os/macos.html

Though it's unmaintained now and they say to use IKEv2 built in:
https://support.apple.com/de-de/guide/mac-help/mchlp2963/mac

I guess configuration would work the same as with the iOS example in the docs.

Author

hakito commented Oct 28, 2024

Thanks for the hint. I already tried for several hours to get it working on OS X. But I didn't get remote authentication working.

But to be honest - I am also not very experienced with IPSec troubleshooting. At least it seems I am not the only one struggling with this.

I already decided with my client to use OpenVPN in the meantime for OS X clients.

@Monviech
Member

That is a good choice, especially when using Clients like Viscosity. It's just not worth the trouble IPsec imposes on the admin and the user in that environment.

@Monviech Monviech added the support Community support label Oct 28, 2024