Closed (richardtop closed 6 months ago)
@richardtop Hello! .mobileconfig files are used for IKEv2 mode in this project, not IPsec/L2TP mode. Because PFS requires specific VPN ciphers, it is not enabled by default for compatibility with different versions of iOS and macOS systems. You may enable it for your use case by editing /opt/src/ikev2.sh, then re-create the IKEv2 client configuration.
Could you please clarify more in detail how to enable PFS for IKEv2, i.e. when should I edit the file exactly and which command should I run afterwards? Thanks.
@richardtop To enable PFS, edit the generated .mobileconfig file(s), find the EnablePFS key (as you mentioned above), change its value from 0 to 1. After that, remove the existing VPN profile (if any) from your VPN client (macOS or iOS), then import the edited .mobileconfig file.
Reference: https://developer.apple.com/documentation/devicemanagement/vpn/ikev2
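The edit described in the reply above, as an added Python example that is not part of the thread or the project's own code. It assumes the .mobileconfig is an unsigned XML property list whose VPN payloads use Apple's com.apple.vpn.managed payload type with an IKEv2 dictionary; the sample profile and the function names are constructed for illustration.

```python
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"  # Apple's VPN payload type

# Constructed sample profile (not taken from the thread); assumed unsigned XML.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>EnablePFS</key><integer>0</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

def ikev2_settings(profile):
    """Yield the IKEv2 dictionary of every VPN payload in the profile."""
    for payload in profile.get("PayloadContent", []):
        if isinstance(payload, dict) and payload.get("PayloadType") == VPN_PAYLOAD_TYPE:
            ikev2 = payload.get("IKEv2")
            if isinstance(ikev2, dict):
                yield ikev2

def enable_pfs(data):
    """Return (updated_profile_bytes, number_of_payloads_changed)."""
    profile = plistlib.loads(data)
    changed = 0
    for ikev2 in ikev2_settings(profile):
        current = ikev2.get("EnablePFS", 0)  # a missing key is treated as off
        if not current:
            # Keep the value type the file already uses (integer or boolean).
            ikev2["EnablePFS"] = True if isinstance(current, bool) else 1
            changed += 1
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML), changed

def pfs_status(data):
    """Return one boolean per IKEv2 payload: True if EnablePFS is set."""
    return [bool(s.get("EnablePFS", 0)) for s in ikev2_settings(plistlib.loads(data))]

if __name__ == "__main__":
    updated, n = enable_pfs(SAMPLE_PROFILE)
    print(f"payloads changed: {n}, PFS enabled per payload: {pfs_status(updated)}")
```

Running pfs_status on a profile before importing it confirms whether the edit took effect; the old VPN profile still has to be removed from the client and the edited file imported, as the reply says.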
Describe the enhancement request
Why is PFS (Perfect Forward Secrecy) not enabled for the l2tp ipsec vpn configuration by default?
Here's the part from the mobileconfig: