How to manually configure IKEv2 VPN on iOS?


@XIII
Bump:

Great that mobileconfig profiles are working for you...

I am trying to do the same, creating a mobileconfig and then signing.
- Can you please provide details as to how you are creating the mobileconfig file?
- I have tried endlessly, but am not succeeding...
- Are you importing the IKEv2 certificate (in the profile)? How?

A set of detailed instructions would be very welcome...
Hi, let me try :)

Step (1) Setup IPSec Server on your Router
  • Setup DDNS (I use Asus DDNS Services with Let's Encrypt, you can use anything else)
  • Export IKEv2 Config “Mobile” Certificate; Click "Mobile" and Export
  • Set up "Secret Key" (note: if you set up Instant Guard first, it will generate a cryptic key for you; I prefer to manage my own key, so I set up IPSec first and Instant Guard will honour the key I have created)
  • Setup Username & Password and select both V1 & V2 IKE versions
  • Apply (Done)
IPSec Server Settings for IKEv2.png


Step (2) Setup IPSec Client on my MacBookPro
  • Under Network Preference click “+” to Add new Service
    • Select Interface: “VPN”
    • Select VPN Type: IKEv2
    • Give it a Service name: (eg) VPN (IKEv2)
    • Click on “Create”
  • Configure VPN
    • Server Address: xxxxxx.asuscomm.com (I happened to use Asus DDNS)
    • Remote ID: xxxxxx.asuscomm.com (same as Server Address above; this was the missing piece for me)
  • Click on “Authentication Settings”
    • Username: MacUser (the user name you created on IPSec Server)
    • Password: zzzzz (the password you created on IPSec Server)
  • Add the exported Certificate from IPSec Server
    • Double-clicking on the exported Certificate will take you to Keychain
    • Double-click the imported Certificate in Keychain and mark it "Trusted"
IPSec macOS Client Page 1.png

IPSec macOS Client Page 2.png


IPSec macOS Client Page 3.png


Step (3) Setup IPSec Client on my iPhoneXsMax
(The concept is the same, I will do it later tonight or tomorrow)

Hope it helps ... by the way, on Merlin's 386.2 the VPN Status Page displays IPSec connections correctly: IKEv2 and IKEv1 (for both manually set up clients and the Instant Guard client). I hope I have not missed any important steps.
 
Sorry, don’t have time now, but have put it on my todo list.

(still might only be able to give a high level overview)
 
Step (3) Setup IKEv2 VPN Client on my iPhoneXsMax
  • Under Settings -> VPN -> Add VPN Configuration
    • Select Type: IKEv2
    • Description: (eg) IKEv2 VPN
    • Server: xxxxxx.asuscomm.com (I happened to use Asus DDNS)
    • Remote ID: xxxxxx.asuscomm.com (same as Server Address above)
    • Local ID: (leave it blank)
  • Authentication:
    • User Authentication -> Username
    • Username: (eg) iPhoneUser (the user name you created on IPSec Server)
    • Password: zzzzz (the password you created on IPSec Server)
  • Setup Certificate
    • AirDrop the exported Mobile Certificate from MacBookPro to iPhoneXsMax
    • It should appear under Settings -> General -> Profiles
    • Select the ASUS RT-AX???-???? Root CA
    • Install it … you should see that it is verified in green
  • You are done
IKEv2 VPN iOS Client.PNG

IPSec iOS Certificate Page 1.PNG
 
Thanks, for the detailed instructions, very helpful.

However, my question is about "How to create a .mobileconfig file (using Apple Configurator or otherwise) that contains both the VPN settings and the certificate."
 


I am basically after instructions on .mobileconfig file.

I am well versed with editing a .mobileconfig manually or with Apple Configurator. I have an Apple dev account, so would like to sign my profile.

Essentially, looking to create a mobileconfig that contains both the exported certificate and the IKEv2 VPN settings.

Thanks...
 
Gspannu,
That is beyond me :) Sorry.
 
This is a stripped down version of the profile I used. If you combine it with the instructions/info from @LimJK, does this help?

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>asus.der</string>
            <key>PayloadContent</key>
            <data>[CERTIFICATE]</data>
            <key>PayloadDescription</key>
            <string>ASUS router root certificate</string>
            <key>PayloadIdentifier</key>
            <string>vpn.ikev2.certificate</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>[UUID]</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>IKEv2</key>
            <dict>
                <key>AuthName</key>
                <string>[USERNAME]</string>
                <key>AuthPassword</key>
                <string>[PASSWORD]</string>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>ExtendedAuthEnabled</key>
                <true/>
                <key>RemoteAddress</key>
                <string>[DDNS-NAME]</string>
                <key>RemoteIdentifier</key>
                <string>[DDNS-NAME]</string>
                <key>ServerCertificateIssuerCommonName</key>
                <string>[ROUTER-CERTIFICATE-ISSUER-COMMON-NAME]</string>
            </dict>
            <key>PayloadDescription</key>
            <string>IKEv2 VPN</string>
            <key>PayloadIdentifier</key>
            <string>vpn.ikev2.config</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>[UUID]</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserDefinedName</key>
            <string>IKEv2 VPN</string>
            <key>VPNType</key>
            <string>IKEv2</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>IKEv2 VPN</string>
    <key>PayloadIdentifier</key>
    <string>vpn.ikev2</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>[UUID]</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

I put all the things you need to change for your set-up in square brackets ([, ]).
  • All UUIDs need to be unique; you can create random ones using "uuidgen" on the command line of your Mac.
  • For the certificate: I exported the router's certificate, which I added in the "Apple Configurator 2" App to a dummy profile. Then I copied the certificate part of that dummy profile to this IKEv2 profile (using a text editor).

Hope this helps!
 
- Understood the manual editing part.

- The certificate exported from Router webpage is in .pem format (ikev2_cert_mobile.pem) - how do you add this to a dummy profile?
Reason: As I understand it, a PEM format certificate cannot be added to a profile in Apple Configurator as it does not accept a .pem file.
Or have I got something wrong? A bit of help here would get me going...
 
I think I converted the PEM certificate to the DER format before importing:

 
Managed to get it all working. Thanks.

For reference: The conversion to DER format has to be done with x509...
Code:
openssl x509 -in <inputfilename.pem> -out <outputfilename.der> -outform DER
for e.g. openssl x509 -in ikev2_cert_mobile.pem -out ikev2_cert_mobile.der -outform DER
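The PEM-to-DER conversion above and the hand-edited profile from @XIII's post, as one added example (my code, not either poster's): a Python script that does what `openssl x509 -outform DER` plus the text-editor step do, turning the exported PEM into the certificate payload's data element, filling the bracketed placeholders and generating a fresh UUID per payload with the standard library's plistlib. The PEM inside it is a constructed stand-in (not a real certificate), and the function and parameter names are my own.

```python
import base64
import plistlib
import uuid

# Constructed stand-in for the router's exported ikev2_cert_mobile.pem; the
# body is arbitrary bytes, not a real certificate, so the script runs offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    # Equivalent of 'openssl x509 -outform DER' for a single certificate:
    # strip the BEGIN/END markers and base64-decode what sits between them.
    if not pem.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("not a PEM certificate")
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)

def payload(ptype, ident, desc, **fields):
    # Keys every payload carries, plus a fresh UUID (what uuidgen would give).
    return {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadDescription": desc, "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()).upper(), **fields}

def build_profile(pem, ddns_name, issuer_cn, username, password):
    # Same two payloads as the stripped-down profile in the thread, with the
    # [CERTIFICATE], [DDNS-NAME], [USERNAME] etc. placeholders filled in.
    cert = payload("com.apple.security.root", "vpn.ikev2.certificate",
                   "ASUS router root certificate",
                   PayloadCertificateFileName="asus.der",
                   PayloadContent=pem_to_der(pem))  # bytes become <data>
    ikev2 = {"AuthName": username, "AuthPassword": password,
             "AuthenticationMethod": "Certificate",
             "ExtendedAuthEnabled": True,  # written out as <true/>
             "RemoteAddress": ddns_name, "RemoteIdentifier": ddns_name,
             "ServerCertificateIssuerCommonName": issuer_cn}
    vpn = payload("com.apple.vpn.managed", "vpn.ikev2.config", "IKEv2 VPN",
                  IKEv2=ikev2, UserDefinedName="IKEv2 VPN", VPNType="IKEv2")
    return payload("Configuration", "vpn.ikev2", "IKEv2 VPN",
                   PayloadContent=[cert, vpn])

def profile_xml(profile: dict) -> bytes:
    # XML plist bytes, ready to be written to a .mobileconfig file and signed.
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```

Write `profile_xml(build_profile(open("ikev2_cert_mobile.pem").read(), ...))` to a `.mobileconfig` file and it carries the same structure as the hand-edited profile, with no UUID reused across the three payloads.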
 
Why would you use a third-party App (with a website that shows most of the text in a non-western language) when iOS has native support?
 
