What's new

How to manually configure IKEv2 VPN on iOS?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

@XIII
Bump:

Great that mobileconfig profiles are working for you...

I am trying to do the same, creating a mobileconfig and then signing.
- Can you please provide details as to how you are creating the mobileconfig file?
- I have tried endlessly; but not succeeding...
- Are you importing the IKEv2 certificate (in the profile)? How?

A set of detailed instructions would be very welcome...
Hi, let me try :)

Step (1) Setup IPSec Server on your Router
  • Setup DDNS (I use Asus DDNS Services with Let's Encrypt, you can use anything else)
  • Export IKEv2 Config “Mobile” Certificate; Click "Mobile" and Export
  • Setup "Secret Key" (note: if you setup Instant Guard first, it will generate a cryptic Key for you, I prefer to manage my own key, so I setup IPSec First and Instant Guard will honour the Key I have created)
  • Setup Username & Password and select both V1 & V2 IKE versions
  • Apply (Done)
IPSec Server Settings for IKEv2.png


Step (2) Setup IPSec Client on my MacBookPro
  • Under Network Preference click “+” to Add new Service
    • Select Interface: “VPN”
    • Select VPN Type: IKEv2
    • Give it a Service name: (eg) VPN (IKEv2)
    • Click on “Create”
  • Configure VPN
    • Server Address: xxxxxx.asuscomm.com (I happened to use Asus DDNS)
    • Remote ID: xxxxxx.asuscomm.com (same as Server Address above; this was the missing piece for me)
  • Click on “Authentication Settings
    • Username: MacUser (the user names you created on IPSec Server)
    • Password: zzzzz (the password you created on IPSec Server
  • Add the exported Certificate from IPSec Server
    • Double Clicking on the exported Certificate will take you to KeyChain
    • Double Clicking the imported Certificate in KeyChain, and make it "Trusted"
IPSec macOS Client Page 1.png

IPSec macOS Client Page 2.png


IPSec macOS Client Page 3.png


Step (3) Setup IPSec Client on my iPhoneXsMax
(The concept is the same, I will do it later tonight or tomorrow)

Hope it helps ... by the way on Merlin's 386.2 VPN Status Page will display IPSec Connection correctly; IKEv2, IKEv1 (for both manually setup Clients or Instant Guard Client). I hope I have not missed any important steps.
 
Sorry, don’t have time now, but have put it on my todo list.

(still might only be able to,give a high level overview)
 
Step (3) Setup IKEv2 VPN Client on my iPhoneXsMax
  • Under Settings -> VPN -> Add VPN Configuration
    • Select Type: IKEv2
    • Description: (eg) IKEv2 VPN
    • Server: xxxxxx.asuscomm.com (I happened to use Asus DDNS)
    • Remote ID: xxxxxx.asuscomm.com (same as Server Address above)
    • Local ID: (leave it blank)
  • Authentication:
    • User Authentication -> Username
    • Username: (eg) iPhoneUser (the user names you created on IPSec Server)
    • Password: zzzzz (the password you created on IPSec Server)
  • Setup Certificate
    • AirDrop the exported Mobile Certificate from MacBookPro to iPhoneXsMax
    • It should appear under Settings -> General -> Profiles
    • Select the ASUS RT-AX???-???? Root CA
    • Install it … you should see that it is verified in green
  • You are done
IKEv2 VPN iOS Client.PNG

IPSec iOS Certificate Page 1.PNG
 
Last edited:
Hi, let me try :)
Thanks, for the detailed instructions, very helpful.

However, my question is about "How to create a .mobileconfig file (using Apple Configurator or otherwise) that contains both the VPN settings and the certificate.
 
Sorry, don’t have time now, but have put it on my todo list.

(still might only be able to,give a high level overview)


I am basically after instructions on .mobileconfig file.

I am well versed with editing a .mobileconfig manually or with Apple Configurator. I have a Apple dev account, so would like to sign my profile.

Essentially, looking to create a mobileconfig that contains both the exported certificate and the IKEv2 VPN settings.

Thanks...
 
Thanks, for the detailed instructions, very helpful.

However, my question is about "How to create a .mobileconfig file (using Apple Configurator or otherwise) that contains both the VPN settings and the certificate.
Gspannu,
That is beyond me :) Sorry.
 
This is a stripped down version of the profile I used. If you combine it with the instructions/info from @LimJK, does this help?

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>asus.der</string>
            <key>PayloadContent</key>
            <data>[CERTIFICATE]</data>
            <key>PayloadDescription</key>
            <string>ASUS router root certificate</string>
            <key>PayloadIdentifier</key>
            <string>vpn.ikev2.certificate</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>[UUID]</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>IKEv2</key>
            <dict>
                <key>AuthName</key>
                <string>[USERNAME]</string>
                <key>AuthPassword</key>
                <string>[PASSWORD]</string>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>ExtendedAuthEnabled</key>
                <true/>
                <key>RemoteAddress</key>
                <string>[DDNS-NAME]</string>
                <key>RemoteIdentifier</key>
                <string>[DDNS-NAME]</string>
                <key>ServerCertificateIssuerCommonName</key>
                <string>[ROUTER-CERTIFICATE-ISSUER-COMMON-NAME]</string>
            </dict>
            <key>PayloadDescription</key>
            <string>IKEv2 VPN</string>
            <key>PayloadIdentifier</key>
            <string>vpn.ikev2.config</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>[UUID]</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserDefinedName</key>
            <string>IKEv2 VPN</string>
            <key>VPNType</key>
            <string>IKEv2</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>IKEv2 VPN</string>
    <key>PayloadIdentifier</key>
    <string>vpn.ikev2</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>[UUID]</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

I put all the things you need to change for your set-up in square brackets ([, ]).
  • All UUID's need to be unique; you can create random ones using "uuidgen" on the command line of your Mac.
  • For the certificate: I exported the router's certificate, which I added in the "Apple Configurator 2" App to a dummy profile. Then I copied the certificate part of that dummy profile to this IKEv2 profile (using a text editor).

Hope this helps!
 
This is a stripped down version of the profile I used. If you combine it with the instructions/info from @LimJK, does this help?

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>asus.der</string>
            <key>PayloadContent</key>
            <data>[CERTIFICATE]</data>
            <key>PayloadDescription</key>
            <string>ASUS router root certificate</string>
            <key>PayloadIdentifier</key>
            <string>vpn.ikev2.certificate</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>[UUID]</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>IKEv2</key>
            <dict>
                <key>AuthName</key>
                <string>[USERNAME]</string>
                <key>AuthPassword</key>
                <string>[PASSWORD]</string>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>ExtendedAuthEnabled</key>
                <true/>
                <key>RemoteAddress</key>
                <string>[DDNS-NAME]</string>
                <key>RemoteIdentifier</key>
                <string>[DDNS-NAME]</string>
                <key>ServerCertificateIssuerCommonName</key>
                <string>[ROUTER-CERTIFICATE-ISSUER-COMMON-NAME]</string>
            </dict>
            <key>PayloadDescription</key>
            <string>IKEv2 VPN</string>
            <key>PayloadIdentifier</key>
            <string>vpn.ikev2.config</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>[UUID]</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserDefinedName</key>
            <string>IKEv2 VPN</string>
            <key>VPNType</key>
            <string>IKEv2</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>IKEv2 VPN</string>
    <key>PayloadIdentifier</key>
    <string>vpn.ikev2</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>[UUID]</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

I put all the things you need to change for your set-up in square brackets ([, ]).
  • All UUID's need to be unique; you can create random ones using "uuidgen" on the command line of your Mac.
  • For the certificate: I exported the router's certificate, which I added in the "Apple Configurator 2" App to a dummy profile. Then I copied the certificate part of that dummy profile to this IKEv2 profile (using a text editor).

Hope this helps!
- Understood the manual editing part.

- The certificate exported from Router webpage is in .pem format (ikev2_cert_mobile.pem) - how do you add this to a dummy profile?
Reason: As I understand it, a PEM format certificate cannot be added to a profile in Apple Configurator as it does not accept a .pem file.
Or have I got something wrong? A bit of help here would get me going...
 
Last edited:
- The certificate exported from Router webpage is in .pem format (ikev2_cert_mobile.pem) - how do you add this to a dummy profile?
Reason: As I understand it, a PEM format certificate cannot be added to a profile in Apple Configurator as it does not accept a .pem file.
I think I converted the PEM certificate to the DER format before importing:

 
I think I converted the PEM certificate to the DER format before importing:
Manged to get it all working. Thanks.

For reference: The conversion to DER format has to be done with x509...
Code:
openssl x509 -in <inputfilename.pem> -out <outputfilename.der> -outform DER
for e.g. openssl x509 -in ikev2_cert_mobile.pem -out ikev2_cert_mobile.der -outform
 
Why would you use a third-party App (with a website that shows most of the text in a non-western language) when iOS has native support?
 
Similar threads
Thread starter Title Forum Replies Date
D Manually Assigned IP Address Not Respected for Repeater ASUSWRT - Official 2

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top