Configuring IPsec IKEv2 Remote Access VPN Clients on macOS/iOS¶
This document demonstrates how to configure an IKEv2 connection for use by macOS or iOS devices. This procedure was performed on macOS 14.2 Sonoma, but it is identical on the last several versions of macOS.
This involves use of the Apple Configurator utility, as the macOS/iOS GUI for configuring a VPN on the client does not support several important options. Using the Apple Configurator utility allows the client to be configured to match the desired settings on TNSR rather than forcing TNSR to match the default, potentially weaker, settings from macOS/iOS.
Note
Though this guide is primarily aimed at macOS, the same configuration profile can be loaded onto iOS devices in a similar fashion.
Prerequisites¶
Before starting:
Set up TNSR as an IKEv2 server as described in either IPsec Remote Access VPN using IKEv2 with EAP-TLS or IPsec Remote Access VPN using IKEv2 with EAP-RADIUS.
Install Apple Configurator from the App Store on a macOS system
Export the CA used to sign the server certificate and save it as a .crt file (EAP-TLS and EAP-RADIUS)
Export a PKCS#12 bundle for the user certificates (EAP-TLS only)
Warning
Make sure the PKI name of a user certificate matches the common name in the certificate as well as the PKCS#12 filename.
Make sure to use the correct PKCS#12 algorithms to be readable by macOS/iOS:
tnsr# pki pkcs12 ipsec-myuser generate export-password abcd1234 ca-name ipsec-ca key-pbe-algorithm PBE-SHA1-3DES certificate-pbe-algorithm PBE-SHA1-3DES mac-algorithm sha1
Copy the exported files to the system with Apple Configurator installed
Creating a Profile¶
EAP-TLS¶
Open Apple Configurator
Navigate to File > New Profile
Click General on the left side
Configure the settings
- Name
Display name for the Profile (e.g. TNSR-VPN-myuser)
The rest of the settings are optional.
Click Certificates on left side
Click Configure
Locate the exported PKCS#12 file and select it
Click Open
Enter the password used to export the PKCS#12 file, or leave it blank so the user has to enter it each time it is loaded
Click + in the upper right of the certificate entries to add another certificate payload
Locate the exported CA certificate file and select it
Click Open
Select VPN from the left column
Click Configure
Set the fields as follows:
- Connection Name
Whatever fits best, e.g.
TNSR - EAP-TLS Remote Access
- Connection Type
IKEv2
- Server
Hostname or IP address of the server
- Remote Identifier
Hostname or other identifier that matches a SAN in the server certificate
Warning
This must match the value configured on TNSR in the identity local section of the remote access IPsec tunnel configuration.
- Local Identifier
Common Name (CN) of the user certificate
- Machine Authentication
Certificate
- Certificate Type
Match the user certificate type (e.g. RSA in most cases)
- Server Certificate Issuer Common Name
CN of the server certificate CA
- Server Certificate Common Name
CN of the server certificate, likely the hostname (e.g. tnsr.example.com)
- Enable EAP
Checked
- EAP Authentication
Certificate
- Identity Certificate
Choose the imported PKCS#12 certificate bundle
- Enable perfect forward secrecy
Check when TNSR is configured with a DH group in the child proposal
Click IKE SA Params and configure its parameters:
- Encryption Algorithm
Match the IKE proposal encryption (e.g. AES-256-GCM)
- Integrity Algorithm
Match the IKE proposal hash or PRF (e.g. SHA256)
- Diffie-Hellman Group
Match the IKE proposal group (e.g. 14 for modp2048)
See also
For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.
- Lifetime in Minutes
Match the IKE lifetime but in minutes (e.g. 28800 seconds = 480 minutes)
Click Child SA Params and configure its parameters
- Encryption Algorithm
Match the child proposal encryption (e.g. AES-256-GCM)
- Integrity Algorithm
Match the child proposal hash (e.g. SHA256)
- Diffie-Hellman Group
Match the child proposal group (e.g. 14 for modp2048)
See also
For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.
- Lifetime in Minutes
Match the child lifetime but in minutes (e.g. 3600 seconds = 60 minutes)
- DNS Server Addresses
Click + and add at least one DNS server
Warning
This is required by macOS when using the configurator.
- DNS Search Domains
Click + and add at least one search domain
Warning
This is required by macOS when using the configurator.
Fill in any other desired remaining options
See also
Consult Apple’s documentation for more information.
Navigate to File > Save As
Enter a name such as TNSR-VPN-myname.mobileconfig
Pick Where to save the file
Click Save
EAP-RADIUS¶
Open Apple Configurator
Navigate to File > New Profile
Click General on the left side
Configure the settings
- Name
Display name for the Profile (e.g. TNSR-VPN-myuser)
The rest of the settings are optional.
Click Certificates on left side
Click Configure
Locate the exported CA certificate file and select it
Click Open
Select VPN from the left column
Click Configure
Set the fields as follows:
- Connection Name
Whatever fits best, e.g.
TNSR - EAP-TLS Remote Access
- Connection Type
IKEv2
- Server
Hostname or IP address of the server
- Remote Identifier
Hostname or other identifier that matches a SAN in the server certificate
Warning
This must match the value configured on TNSR in the identity local section of the remote access IPsec tunnel configuration.
- Local Identifier
RADIUS username (e.g. myuser)
- Machine Authentication
Certificate
- Certificate Type
Match the server certificate type (e.g. RSA in most cases)
- Server Certificate Issuer Common Name
CN of the server certificate CA
- Server Certificate Common Name
CN of the server certificate, likely the hostname (e.g. tnsr.example.com)
- Enable EAP
Checked
- EAP Authentication
User name/Password
- Account
RADIUS username (e.g. myuser)
- Password
Optionally store the user’s RADIUS password. This is less secure. The best practice is to leave this empty and allow the OS to prompt for the password on each connection.
- Enable perfect forward secrecy
Check when TNSR is configured with a DH group in the child proposal
Click IKE SA Params and configure its parameters:
- Encryption Algorithm
Match the IKE proposal encryption (e.g. AES-256-GCM)
- Integrity Algorithm
Match the IKE proposal hash or PRF (e.g. SHA256)
- Diffie-Hellman Group
Match the IKE proposal group (e.g. 14 for modp2048)
See also
For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.
- Lifetime in Minutes
Match the IKE lifetime but in minutes (e.g. 28800 seconds = 480 minutes)
Click Child SA Params and configure its parameters
- Encryption Algorithm
Match the child proposal encryption (e.g. AES-256-GCM)
- Integrity Algorithm
Match the child proposal hash (e.g. SHA256)
- Diffie-Hellman Group
Match the child proposal group (e.g. 14 for modp2048)
See also
For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.
- Lifetime in Minutes
Match the child lifetime but in minutes (e.g. 3600 seconds = 60 minutes)
Fill in any other desired remaining options
See also
Consult Apple’s documentation for more information.
Navigate to File > Save
Enter a name such as TNSR-VPN-myname.mobileconfig
Pick Where to save the file
Click Save
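Because Apple Configurator offers every algorithm macOS supports, it is easy to save a profile whose IKE SA, Child SA or lifetime values drift from what TNSR actually proposes, and the mismatch only shows up as a failed negotiation on the client. The following script is an added example (not part of the TNSR documentation or of Apple Configurator) that reads a saved .mobileconfig with Python's standard plistlib and compares it against the TNSR-side values for both the EAP-TLS and the EAP-RADIUS profiles described above: the IKE SA and Child SA parameters (converting TNSR's seconds to Apple's minutes), the EAP and PFS flags, the presence of a CA payload and, for EAP-TLS, a PKCS#12 identity payload, the required DNS entries, and whether a RADIUS password was stored in the profile. The payload key names follow Apple's published VPN payload format; the mapping from strongSwan-style algorithm and group names to Apple's spellings, and the sample profiles the script builds when run without a file argument, are assumptions constructed for this check.

```python
"""Check an exported .mobileconfig against the IKEv2 settings configured on TNSR.

Added example; not part of the TNSR documentation or of Apple Configurator.
Payload key names follow Apple's published VPN payload format. The profiles
built by sample_profile() are constructed for this check, and the TNSR-side
values in EXPECTED are the example values used on this page.
"""
import plistlib
import sys

# Apple stores the DH group as its IANA number; the strongSwan-style names
# used on the TNSR side map to those numbers (well-known IANA assignments).
DH_GROUPS = {"modp2048": 14, "modp3072": 15, "modp4096": 16,
             "ecp256": 19, "ecp384": 20, "ecp521": 21}
# strongSwan-style algorithm names -> Apple payload spellings (assumed mapping).
ENCRYPTION = {"aes256gcm16": "AES-256-GCM", "aes128gcm16": "AES-128-GCM",
              "aes256": "AES-256", "aes128": "AES-128"}
INTEGRITY = {"sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512"}
CA_PAYLOADS = ("com.apple.security.root", "com.apple.security.pkcs1")

# TNSR-side proposal settings from this page; TNSR lifetimes are in seconds.
EXPECTED = {
    "ike":   {"encryption": "aes256gcm16", "integrity": "sha256",
              "dh": "modp2048", "lifetime_seconds": 28800},
    "child": {"encryption": "aes256gcm16", "integrity": "sha256",
              "dh": "modp2048", "lifetime_seconds": 3600},
}


def check_sa(params, want, label):
    """Compare one IKE SA or Child SA parameter dictionary with the TNSR side."""
    checks = [
        ("EncryptionAlgorithm", ENCRYPTION[want["encryption"]]),
        ("IntegrityAlgorithm", INTEGRITY[want["integrity"]]),
        ("DiffieHellmanGroup", DH_GROUPS[want["dh"]]),
        # Apple takes minutes where TNSR takes seconds (28800 s -> 480 min).
        ("LifeTimeInMinutes", want["lifetime_seconds"] // 60),
    ]
    return [f"{label} {key}: profile has {params.get(key)!r}, TNSR expects {val!r}"
            for key, val in checks if params.get(key) != val]


def check_profile(data, expected=EXPECTED):
    """Return the list of mismatches for the .mobileconfig bytes `data` (empty means OK)."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    vpn = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    if len(vpn) != 1:
        return [f"expected exactly one VPN payload, found {len(vpn)}"]
    vpn, problems = vpn[0], []
    if vpn.get("VPNType") != "IKEv2":
        problems.append(f"VPNType is {vpn.get('VPNType')!r}, not IKEv2")
    ike = vpn.get("IKEv2", {})
    problems += check_sa(ike.get("IKESecurityAssociationParameters", {}), expected["ike"], "IKE SA")
    problems += check_sa(ike.get("ChildSecurityAssociationParameters", {}), expected["child"], "Child SA")
    if not ike.get("ExtendedAuthEnabled"):
        problems.append("Enable EAP is not checked (ExtendedAuthEnabled missing)")
    if expected["child"]["dh"] and not ike.get("EnablePFS"):
        problems.append("child proposal has a DH group but perfect forward secrecy is not enabled")
    if not any(p.get("PayloadType") in CA_PAYLOADS for p in payloads):
        problems.append("no CA certificate payload, so the server certificate cannot be validated")
    if "AuthName" in ike:  # EAP-RADIUS profile
        if ike.get("AuthPassword"):
            problems.append("RADIUS password is stored in the profile; leave it empty so the OS prompts")
    else:  # EAP-TLS profile: the identity must reference a PKCS#12 payload in this profile
        p12 = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") == "com.apple.security.pkcs12"}
        if ike.get("PayloadCertificateUUID") not in p12:
            problems.append("identity certificate does not reference a PKCS#12 payload in this profile")
    dns = vpn.get("DNS", {})
    problems += [f"DNS {k} is empty; macOS requires at least one entry"
                 for k in ("ServerAddresses", "SearchDomains") if not dns.get(k)]
    return problems


def sample_profile(eap_radius=False, store_password=False):
    """Constructed profile shaped like what Apple Configurator saves (sample values only)."""
    sa = {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 14}
    ike = {"RemoteAddress": "tnsr.example.com", "RemoteIdentifier": "tnsr.example.com",
           "LocalIdentifier": "myuser", "AuthenticationMethod": "Certificate",
           "ExtendedAuthEnabled": True, "EnablePFS": True,
           "IKESecurityAssociationParameters": dict(sa, LifeTimeInMinutes=480),
           "ChildSecurityAssociationParameters": dict(sa, LifeTimeInMinutes=60)}
    payloads = [{"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-CERT-UUID"},
                {"PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2", "IKEv2": ike,
                 "DNS": {"ServerAddresses": ["192.0.2.53"], "SearchDomains": ["example.com"]}}]
    if eap_radius:
        ike["AuthName"] = "myuser"
        if store_password:
            ike["AuthPassword"] = "placeholder-password"  # constructed; illustrates the weaker choice
    else:
        ike["PayloadCertificateUUID"] = "USER-CERT-UUID"
        payloads.insert(0, {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": "USER-CERT-UUID"})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})


if __name__ == "__main__":
    # usage: python check_profile.py TNSR-VPN-myname.mobileconfig (no argument runs the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_profile(fh.read()) or "OK")
    else:
        print("EAP-TLS sample:", check_profile(sample_profile()) or "OK")
        print("EAP-RADIUS sample:", check_profile(sample_profile(eap_radius=True)) or "OK")
        print("stored password:", check_profile(sample_profile(True, True)))
```

Run it against the saved profile before copying the file to clients; an empty result means every value the client will propose matches what TNSR is configured to accept, and any line it prints names the field to change in Apple Configurator (or the proposal to change on TNSR) before the first connection attempt.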
Installing the Profile¶
These steps are performed on the client system.
Copy the exported profile to the client system (e.g. TNSR-VPN-myname.mobileconfig)
Open Finder and locate the file
Double click the profile
Navigate to the Apple Menu, System Settings > Privacy & Security > Others > Profiles (or search for Profiles)
Double click the profile in the Downloaded list on the Profiles screen
Review the information
Click Install…
Click Install on the next dialog
Enter the password for the macOS user at the security prompt
Click OK
Alternatively, import the profile directly in the Profiles section of System Settings; it will be added and prompt for approval in one step.
Split Tunneling¶
The macOS IPsec client will automatically respect the traffic selectors configured on the server. The client does not require any manual adjustments.
If there are no traffic selectors on the server, the client will send all of its traffic, including Internet traffic, across the VPN.
Connecting/Disconnecting¶
Navigate to System Settings > VPN
Click the slider next to the desired VPN entry
Note
For EAP-RADIUS, the OS will prompt for the password before attempting a connection.
Consider adding VPN status to the menu bar to make connecting and disconnecting easier:
Navigate to the Apple Menu, Control Center
Scroll down to the section titled Menu Bar Only
Set VPN to Show in Menu Bar
Now the VPN connection can easily be managed using the icon in the menu bar.