Configuring IPsec IKEv2 Remote Access VPN Clients on macOS/iOS

This document demonstrates how to configure an IKEv2 connection for use by macOS or iOS devices. The procedure was performed on macOS 14.2 Sonoma, but it is identical on the last several versions of macOS.

This procedure uses the Apple Configurator utility because the built-in macOS/iOS VPN GUI does not expose several important options. Apple Configurator allows the client to be configured to match the desired settings on TNSR rather than forcing TNSR to match the default, potentially weaker, settings from macOS/iOS.

Note

Though this guide is primarily aimed at macOS, the same configuration profile can be loaded onto iOS devices in a similar fashion.

Prerequisites

Before starting:

  • Set up TNSR as an IKEv2 server as described in either IPsec Remote Access VPN using IKEv2 with EAP-TLS or IPsec Remote Access VPN using IKEv2 with EAP-RADIUS.

  • Install Apple Configurator from the App Store on a macOS system

  • Export the CA used to sign the server certificate and save it as a .crt file (EAP-TLS and EAP-RADIUS)

  • Export a PKCS#12 bundle for the user certificates (EAP-TLS only)

    Warning

    Make sure the PKI name of a user certificate matches the common name in the certificate as well as the PKCS#12 filename.

    Use PKCS#12 algorithms that macOS/iOS can read:

    tnsr# pki pkcs12 ipsec-myuser generate export-password abcd1234 ca-name ipsec-ca
              key-pbe-algorithm PBE-SHA1-3DES certificate-pbe-algorithm PBE-SHA1-3DES
              mac-algorithm sha1
    
  • Copy the exported files to the system with Apple Configurator installed

Creating a Profile

EAP-TLS

  • Open Apple Configurator

  • Navigate to File > New Profile

  • Click General on the left side

  • Configure the settings

    Name

    Display name for the Profile (e.g. TNSR-VPN-myuser)

    The rest of the settings are optional.

  • Click Certificates on left side

  • Click Configure

  • Locate the exported PKCS#12 file and select it

  • Click Open

  • Enter the password used to export the PKCS#12 file, or leave it blank so the user has to enter it each time it is loaded

  • Click + in the upper right of the certificate entries to add another certificate payload

  • Locate the exported CA certificate file and select it

  • Click Open

  • Select VPN from the left column

  • Click Configure

  • Set the fields as follows:

    Connection Name

    Whatever fits best, e.g. TNSR - EAP-TLS Remote Access

    Connection Type

    IKEv2

    Server

    Hostname or IP address of the server

    Remote Identifier

    Hostname or other identifier that matches a SAN in the server certificate

    Warning

    This must match the value configured on TNSR in the identity local section of the remote access IPsec tunnel configuration.

    Local Identifier

    Common Name (CN) of user certificate

    Machine Authentication

    Certificate

    Certificate Type

    Match the user certificate type (e.g. RSA in most cases)

    Server Certificate Issuer Common Name

    CN of the server certificate CA

    Server Certificate Common Name

    CN of the server certificate, likely the hostname (e.g. tnsr.example.com)

    Enable EAP

    Checked

    EAP Authentication

    Certificate

    Identity Certificate

    Choose the imported PKCS#12 certificate bundle

    Enable perfect forward secrecy

    Check when TNSR is configured with a DH group in the child proposal

  • Click IKE SA Params and configure its parameters:

    Encryption Algorithm

    Match the IKE proposal encryption (e.g. AES-256-GCM)

    Integrity Algorithm

    Match the IKE proposal hash or PRF (e.g. SHA256)

    Diffie-Hellman Group

    Match the IKE proposal group (e.g. 14 for modp2048)

    See also

    For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.

    Lifetime in Minutes

    Match the IKE lifetime but in minutes (e.g. 28800 seconds = 480 minutes)

  • Click Child SA Params and configure its parameters

    Encryption Algorithm

    Match the child proposal encryption (e.g. AES-256-GCM)

    Integrity Algorithm

    Match the child proposal hash (e.g. SHA256)

    Diffie-Hellman Group

    Match the child proposal group (e.g. 14 for modp2048)

    See also

    For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.

    Lifetime in Minutes

    Match the child lifetime but in minutes (e.g. 3600 seconds = 60 minutes)

    DNS Server Addresses

    Click + and add at least one DNS server

    Warning

    This is required by macOS when using the configurator.

    DNS Search Domains

    Click + and add at least one search domain

    Warning

    This is required by macOS when using the configurator.

  • Fill in any other desired remaining options

    See also

    Consult Apple’s documentation for more information.

  • Navigate to File > Save As

  • Enter a name such as TNSR-VPN-myname.mobileconfig

  • Pick Where to save the file

  • Click Save

EAP-RADIUS

  • Open Apple Configurator

  • Navigate to File > New Profile

  • Click General on the left side

  • Configure the settings

    Name

    Display name for the Profile (e.g. TNSR-VPN-myuser)

    The rest of the settings are optional.

  • Click Certificates on left side

  • Click Configure

  • Locate the exported CA certificate file and select it

  • Click Open

  • Select VPN from the left column

  • Click Configure

  • Set the fields as follows:

    Connection Name

    Whatever fits best, e.g. TNSR - EAP-RADIUS Remote Access

    Connection Type

    IKEv2

    Server

    Hostname or IP address of the server

    Remote Identifier

    Hostname or other identifier that matches a SAN in the server certificate

    Warning

    This must match the value configured on TNSR in the identity local section of the remote access IPsec tunnel configuration.

    Local Identifier

    RADIUS username (e.g. myuser)

    Machine Authentication

    Certificate

    Certificate Type

    Match the server certificate type (e.g. RSA in most cases)

    Server Certificate Issuer Common Name

    CN of the server certificate CA

    Server Certificate Common Name

    CN of the server certificate, likely the hostname (e.g. tnsr.example.com)

    Enable EAP

    Checked

    EAP Authentication

    User name/Password

    Account

    RADIUS username (e.g. myuser)

    Password

    Optionally store the user’s RADIUS password. This is less secure. The best practice is to leave this empty and allow the OS to prompt for the password on each connection.

    Enable perfect forward secrecy

    Check when TNSR is configured with a DH group in the child proposal

  • Click IKE SA Params and configure its parameters:

    Encryption Algorithm

    Match the IKE proposal encryption (e.g. AES-256-GCM)

    Integrity Algorithm

    Match the IKE proposal hash or PRF (e.g. SHA256)

    Diffie-Hellman Group

    Match the IKE proposal group (e.g. 14 for modp2048)

    See also

    For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.

    Lifetime in Minutes

    Match the IKE lifetime but in minutes (e.g. 28800 seconds = 480 minutes)

  • Click Child SA Params and configure its parameters

    Encryption Algorithm

    Match the child proposal encryption (e.g. AES-256-GCM)

    Integrity Algorithm

    Match the child proposal hash (e.g. SHA256)

    Diffie-Hellman Group

    Match the child proposal group (e.g. 14 for modp2048)

    See also

    For information on which group numbers correspond to the equivalent values in TNSR, see the list of Diffie Hellman Groups in the strongSwan documentation.

    Lifetime in Minutes

    Match the child lifetime but in minutes (e.g. 3600 seconds = 60 minutes)

  • Fill in any other desired remaining options

    See also

    Consult Apple’s documentation for more information.

  • Navigate to File > Save

  • Enter a name such as TNSR-VPN-myname.mobileconfig

  • Pick Where to save the file

  • Click Save
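
The fields filled in above for both the EAP-TLS and EAP-RADIUS profiles correspond to keys in the IKEv2 dictionary of a com.apple.vpn.managed payload. The following Python script is an added example, not part of this guide or of TNSR, that builds such a .mobileconfig from the TNSR-side proposal values, converting lifetimes from seconds to minutes and strongSwan DH names to IKEv2 group numbers. The plist key names follow Apple's configuration profile reference as assumed here; the com.example identifiers and sample values are placeholders.

```python
import plistlib
import uuid

# IKEv2 group numbers for the strongSwan DH names TNSR uses, and Apple's integrity spellings.
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21, "curve25519": 31}
INTEGRITY = {"SHA1": "SHA1-96", "SHA256": "SHA2-256", "SHA384": "SHA2-384", "SHA512": "SHA2-512"}

def sa_params(encryption, integrity, dh_group, lifetime_seconds):
    """One TNSR proposal -> Apple SA parameters dict. dh_group=None leaves the group out."""
    if lifetime_seconds % 60:
        raise ValueError("Apple wants whole minutes; use a lifetime divisible by 60")
    params = {"EncryptionAlgorithm": encryption,           # e.g. "AES-256-GCM"
              "IntegrityAlgorithm": INTEGRITY[integrity],  # "SHA256" -> "SHA2-256"
              "LifeTimeInMinutes": lifetime_seconds // 60}  # 28800 s -> 480 min
    if dh_group:
        params["DiffieHellmanGroup"] = DH_GROUPS[dh_group]  # "modp2048" -> 14
    return params

def ikev2_dict(server, remote_id, local_id, issuer_cn, server_cn, ike, child,
               cert_uuid=None, auth_name=None):
    """IKEv2 section of a com.apple.vpn.managed payload; cert_uuid -> EAP-TLS, auth_name -> EAP-RADIUS."""
    cfg = {"RemoteAddress": server,
           "RemoteIdentifier": remote_id,          # must equal TNSR's identity local
           "LocalIdentifier": local_id,            # user cert CN, or RADIUS username
           "AuthenticationMethod": "Certificate",  # machine auth via server certificate
           "CertificateType": "RSA",
           "ServerCertificateIssuerCommonName": issuer_cn,
           "ServerCertificateCommonName": server_cn,
           "ExtendedAuthEnabled": 1,               # "Enable EAP" checked
           "EnablePFS": 1 if "DiffieHellmanGroup" in child else 0,
           "IKESecurityAssociationParameters": ike,
           "ChildSecurityAssociationParameters": child}
    # EAP-TLS references the PKCS#12 payload; EAP-RADIUS carries only the username
    # (no AuthPassword, so the OS prompts for it on every connection).
    cfg["PayloadCertificateUUID" if cert_uuid else "AuthName"] = cert_uuid or auth_name
    return cfg

def build_profile(name, ikev2, dns_servers, search_domains):
    """Wrap the IKEv2 dict in a .mobileconfig (XML plist) and return the bytes."""
    if not dns_servers or not search_domains:
        raise ValueError("macOS requires at least one DNS server and one search domain")
    vpn = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1, "VPNType": "IKEv2",
           "PayloadIdentifier": f"com.example.vpn.{name}", "PayloadUUID": str(uuid.uuid4()).upper(),
           "UserDefinedName": name, "IKEv2": ikev2,
           "DNS": {"ServerAddresses": dns_servers, "SearchDomains": search_domains}}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadDisplayName": name,
               "PayloadIdentifier": f"com.example.profile.{name}",
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadContent": [vpn]}
    return plistlib.dumps(profile)
```

Write the returned bytes to a file named like TNSR-VPN-myuser.mobileconfig and open it in Apple Configurator to confirm the fields match the ones set by hand above.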

Installing the Profile

These steps are performed on the client system.

  • Copy the exported profile to the client system (e.g. TNSR-VPN-myname.mobileconfig)

  • Open Finder and locate the file

  • Double click the profile

  • Navigate to the Apple Menu, System Settings > Privacy & Security > Others > Profiles (or search for Profiles)

  • Double click the profile in the Downloaded list on the Profiles screen

  • Review the information

  • Click Install…

  • Click Install on the next dialog

  • Enter the password for the macOS user at the security prompt

  • Click OK

Alternatively, import the profile directly in the Profiles section of System Settings; it is added and prompts for approval in one step.

Split Tunneling

The macOS IPsec client will automatically respect the traffic selectors configured on the server. The client does not require any manual adjustments.

If no traffic selectors are configured on the server, the client sends all of its traffic, including Internet traffic, across the VPN.

Connecting/Disconnecting

  • Navigate to System Settings > VPN

  • Click the slider next to the desired VPN entry

Note

For EAP-RADIUS, the OS will prompt for the password before attempting a connection.

Consider adding VPN status to the menu bar to make connecting and disconnecting easier:

  • Navigate to the Apple Menu, Control Center

  • Scroll down to the section titled Menu Bar Only

  • Set VPN to Show in Menu Bar

Now the VPN connection can easily be managed using the icon in the menu bar.