vpn – Configure Strongswan Cipher Settings for iOS 14

FYI, I think I’m in the right community now. Started in StackOverflow since it related to my app, but it relates more to the server side.

Anyway, I had a Strongswan VPN set up (Ubuntu 18.04) for an internal business iOS app. The VPN was handled programmatically. With the iOS 14 betas it’s stopped working. This was my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<MY_IP>
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret

Since it continued to work on iOS 13 devices, I thought it was a bug. But after submitting an issue in the Feedback app, they told me the supported cipher types have been updated in iOS 14 (of course totally undocumented). Posting on the developer forum (https://developer.apple.com/forums/thread/659209) finally got me to the following new supported ciphers:

ENCR_AES_CBC
PRF_HMAC_SHA2_256
AUTH_HMAC_SHA2_256_128
2048 bit MODP Group / Diffie-Hellman Group (D-H) 

But how would I implement this in my ipsec.conf? I tried the following, but it still won’t work:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha2_256-modp2048!
    esp=aes256-prfsha256-modp2048!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<MY_IP>
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret

I believe that the ike setting is for key exchange, and thus should reflect the “AUTH” in the supported ciphers above. Am I off? Anything I can read up on to understand this all better?
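
The following is an added example, not part of the original post: it shows how the four transforms quoted above map onto strongSwan proposal keywords in the `ike=` and `esp=` lines. It assumes the list quoted from the Apple forum thread is what the iOS 14 client accepts, and it keeps the 256-bit AES key size from the post's own config, since the list gives no key size.

```conf
# Added example: proposals built from the transform list quoted in the post.
# Only the lines that differ from the post's second config are spelled out.

config setup
    # cfg 2 (the post uses cfg 0) logs the received and the configured
    # proposals, which shows which transform failed to match
    charondebug="ike 1, knl 1, cfg 2"
    uniqueids=no

conn ikev2-vpn
    # ... remaining options unchanged from the post ...
    keyexchange=ikev2

    # IKE_SA proposal: encryption - integrity - PRF - DH group
    #   aes256    -> ENCR_AES_CBC, 256-bit key (key size is an assumption)
    #   sha256    -> AUTH_HMAC_SHA2_256_128 (sha2_256 is the same keyword)
    #   prfsha256 -> PRF_HMAC_SHA2_256 (derived from sha256 if left out)
    #   modp2048  -> 2048-bit MODP group (DH group 14)
    ike=aes256-sha256-prfsha256-modp2048!

    # ESP (CHILD_SA) proposal: encryption - integrity.
    # prfsha256 is a PRF keyword and belongs to the IKE proposal only; the
    # esp= line in the post's attempt names no integrity algorithm at all.
    # A DH group here would only request PFS for CHILD_SAs negotiated after
    # the first one, so it is left out.
    esp=aes256-sha256!
```

The `ike=` line negotiates the IKE_SA (the key exchange channel) and the `esp=` line negotiates the tunnel itself, so the AUTH (integrity) transform appears in both, while the PRF and the initial DH group appear only in `ike=`. Run `ipsec restart` after editing so the new proposals are loaded.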