How to manually configure IKEv2 VPN on iOS?

XIII

Very Senior Member
Manual setup seems to work after importing the certificate on my iOS devices.

However, I want to make a .mobileconfig profile using Apple Configurator 2.

Unfortunately, I keep getting a "User Authentication failed" error.

Maybe that's related to the options I need to set for IKE SA Params / Child SA Params?
  • Encryption Algorithm (AES-128?)
  • Integrity Algorithm (SHA2-256?)
  • Diffie-Hellman Group (14?)
  • Lifetime in Minutes (1440?)
I had a look at this source file and this discussion which led to my (incorrect?) choices.

Do I somehow need to configure Strongswan using a .postconf file to match these parameters?

@Odkrys You seem to know a lot about this; maybe you can help?
 

XIII

Very Senior Member
I got it working by first creating an IKEv2 VPN network in Apple Configurator 2 and then manually removing all property list values (with a text editor) that were not in the Strongswan examples...
 

LimJK

Very Senior Member
I got it working by first creating an IKEv2 VPN network in Apple Configurator 2 and then manually removing all property list values (with a text editor) that were not in the Strongswan examples...
XIII,
I am hoping to learn how to set up native IKEv2 VPN on both my MacBookPro and iPhone to work with my IPSec VPN Server on my RT-AX88U. ASUS VPN FAQ only covers VPN (Cisco IPsec).

When you have some time, could you consider doing a simplified step-by-step for some of us retired members to be able to follow? Thanks.
 

gspannu

Regular Contributor
I got it working by first creating an IKEv2 VPN network in Apple Configurator 2 and then manually removing all property list values (with a text editor) that were not in the Strongswan examples...
Can you post your sample .mobileconfig file (with the security parts annotated)?
 

XIII

Very Senior Member
When you have some time, could you consider doing a simplified step-by-step for some of us retired members to be able to follow? Thanks.
Can you post your sample .mobileconfig file (with the security parts annotated)?
Sorry, I forgot to make notes back then.

However, I plan to do a factory reset now that 386.1 final is out, so maybe I need to “learn” again...

Will try to post a redacted mobile configuration file.
 

gspannu

Regular Contributor
Sorry, I forgot to make notes back then.

However, I plan to do a factory reset now that 386.1 final is out, so maybe I need to “learn” again...

Will try to post a redacted mobile configuration file.
Thanks... await eagerly for your instructions...
 

XIII

Very Senior Member
Hm. There's something weird in my mobileconfig file it seems...

Need to check that first (later this week?)
 

gspannu

Regular Contributor
Hm. There's something weird in my mobileconfig file it seems...

Need to check that first (later this week?)
Meanwhile... Could you please share what steps/ settings you used to create the client connection in iOS/ Mac?
 

XIII

Very Senior Member
Meanwhile... Could you please share what steps/ settings you used to create the client connection in iOS/ Mac?
From what I remember now I only had to install that profile on iOS.

(I have not tried this on macOS; the MacBook Pro I use is from my company and contains a lot of profiles and a VPN already; I need this because I'm working from home due to COVID-19 measures, so I can't tinker with that)

On the router I exported the certificate and configured a single user with supported IKE version v1&v2. Both the certificate and the user are added to the iOS profile.
 

LimJK

Very Senior Member
It's my last step after the factory reset, but I can't get it to work anymore... (keep getting "User Authentication failed." again - even with manual setup)

I know I had a look at these instructions: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-client-ios.html

But I can't remember whether I also changed anything in /etc/ipsec.conf

And if I did, those changes are gone now, due to the factory reset... :mad:
XIII,
Do you remember what the Remote ID (a required field) is in the iOS IKEv2 configuration? Thanks.
PS: Not to worry if you cannot remember, we can continue to use Cisco IPSec VPN on iOS.
 

LimJK

Very Senior Member
XIII,
Do you remember what the Remote ID (a required field) is in the iOS IKEv2 configuration? Thanks.
PS: Not to worry if you cannot remember, we can continue to use Cisco IPSec VPN on iOS.
XIII,
Good news :) :
iOS IKEv2 VPN is working for the first time for me, i.e. I can remotely access my home network like with any other VPN option, including the ability to run the iOS Asus Router App remotely.

What I did for configuring IKEv2 VPN on iOS 14.4:
  • Type: IKEv2
  • Description: IKEv2 VPN (the default name)
  • Server: xxxxx.asuscomm.com (that I set up in DDNS, I use Asus DDNS Service)
  • Remote ID: xxxxx.asuscomm.com (same as above ... thanks to XIII for providing the link that pointed me to this)

  • Authentication -> Username
  • Username: yyyyy (this is the user name I set up in Router's IPSec VPN Server with IKE (v1 & v2))
  • Password: zzzz (as above)
PS:
  • I exported Current Certification for Mobile in Router's IPSec VPN Server Configuration screen. Airdrop to my iPhone, install. Edit: I just confirmed that installing the Certification is necessary.
  • I noticed that there is no connection status on the Router VPN screen.
 

LimJK

Very Senior Member
XIII,
Good news :) :
iOS IKEv2 VPN is working for the first time for me, i.e. I can remotely access my home network like with any other VPN option, including the ability to run the iOS Asus Router App remotely.

What I did for configuring IKEv2 VPN on iOS 14.4:
  • Type: IKEv2
  • Description: IKEv2 VPN (the default name)
  • Server: xxxxx.asuscomm.com (that I set up in DDNS, I use Asus DDNS Service)
  • Remote ID: xxxxx.asuscomm.com (same as above ... thanks to XIII for providing the link that pointed me to this)

  • Authentication -> Username
  • Username: yyyyy (this is the user name I set up in Router's IPSec VPN Server with IKE (v1 & v2))
  • Password: zzzz (as above)
PS:
  • I exported Current Certification for Mobile in Router's IPSec VPN Server Configuration screen. Airdrop to my iPhone, install. Edit: I just confirmed that installing the Certification is necessary.
  • I noticed that there is no connection status on the Router VPN screen.
Additional Good News :) :
I got macOS Catalina 10.15.7 IKEv2 VPN working for the first time.
Do the same as for iOS IKEv2 in the previous post. I use the same certificate exported for mobile on macOS, and make it trusted in my keychain.
Have fun:)
 

XIII

Very Senior Member
That’s a manual setup, right?

But even that did not work for me yesterday, with similar steps...
 

LimJK

Very Senior Member
That’s a manual setup, right?

But even that did not work for me yesterday, with similar steps...
XIII,
All the VPN Servers on Asus Router require manual setup for the client on iOS or Mac; for IKEv2 VPN like in steps in my earlier post. The only automated way is via Instant Guard.

PS:
  • You need to install and verify the certificate, and on Mac need to make it trusted.
  • I tried about 20 times; the first time it failed, I rebooted my iPhone and tried again, it works after that.
  • My thought is, if you are only using it for iOS, maybe Instant Guard is the most seamless solution
  • I am used to using OpenVPN on iOS and MacBookPro which is even more involved, so IKEv2 setup is OK for me
  • When I have time I will look at performance of the various VPN Server options, before I decide which one to use regularly
  • It appears that when I use IKEv2 VPN on iOS or macOS to connect to Asus Router, I noticed there is NO connection status information ... so it may not be something I am going to use
  • Do let me know if you need any specific info for comparison, I will be happy to provide.
 

XIII

Very Senior Member
  • I had an automated setup (via a mobile config profile), but it's not working now (after factory reset; did update the certificate in the profile)
  • Instant Guard does not work on my setup (before and after factory reset)
  • the manual setup currently also fails, even after a reboot of my iPhone
 

XIII

Very Senior Member
I'm such a fool...

I sign my profiles before installing them on my iOS devices. Yesterday I modified the unsigned profile, but forgot to sign it. So the signed profile that I installed was still the old one with the certificate from before the factory reset... (I noticed the expiration date of the certificate in the profile did not match the router's one)

After signing and installing the updated profile IKEv2 works fine on iPhone and iPad! :)
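
The two things that decided success in this thread, a profile carrying the router's current certificate and a Remote ID equal to the server name, can be checked before a profile is installed. The following is an added example, not part of any post here; the function names, `vpn.example.com` and the placeholder certificate bytes are constructed, and it assumes a signed profile embeds its XML plist as one contiguous run.

```python
import base64
import hashlib
import plistlib

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; for a signed one, cut the XML plist out of the CMS wrapper.
    Assumption: the signed file embeds the plist as one contiguous XML run."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML property list found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def cert_sha256(data: bytes) -> str:
    """SHA-256 of a certificate given as DER or PEM (PEM is decoded first)."""
    marker = b"-----BEGIN CERTIFICATE-----"
    if marker in data:
        body = data.split(marker, 1)[1].split(b"-----END CERTIFICATE-----", 1)[0]
        data = base64.b64decode(b"".join(body.split()))
    return hashlib.sha256(data).hexdigest()

def preflight(profile_raw: bytes, router_cert: bytes) -> list:
    """Return a list of problems; an empty list means the profile passed."""
    problems = []
    payloads = load_profile(profile_raw).get("PayloadContent", [])
    embedded = {cert_sha256(p["PayloadContent"]) for p in payloads
                if p.get("PayloadType") in CERT_TYPES}
    if cert_sha256(router_cert) not in embedded:
        problems.append("embedded certificate does not match the router export")
    vpns = [p for p in payloads if p.get("VPNType") == "IKEv2"]
    if not vpns:
        problems.append("no IKEv2 VPN payload")
    for vpn in vpns:
        ike = vpn.get("IKEv2", {})
        if ike.get("RemoteIdentifier") != ike.get("RemoteAddress"):
            problems.append("RemoteIdentifier differs from RemoteAddress")
    return problems

# Constructed sample data: placeholder bytes stand in for real certificates.
OLD_CERT, NEW_CERT = b"constructed-cert-before-reset", b"constructed-cert-after-reset"

def sample_profile(cert: bytes, signed: bool = False) -> bytes:
    ike = {"RemoteAddress": "vpn.example.com", "RemoteIdentifier": "vpn.example.com"}
    xml = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadContent": cert},
        {"PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2", "IKEv2": ike}]})
    # A signed profile is simulated by surrounding the XML with opaque bytes.
    return b"\x30\x82\x00\x00" + xml + b"\x00sig" if signed else xml
```

On real files, pass the bytes of the signed .mobileconfig and of the certificate exported from the router; a stale signed profile like the one described above yields the certificate mismatch entry.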
 

gspannu

Regular Contributor
I'm such a fool...

I sign my profiles before installing them on my iOS devices. Yesterday I modified the unsigned profile, but forgot to sign it. So the signed profile that I installed was still the old one with the certificate from before the factory reset... (I noticed the expiration date of the certificate in the profile did not match the router's one)

After signing and installing the updated profile IKEv2 works fine on iPhone and iPad! :)
Great that mobileconfig profiles are working for you...

I am trying to do the same, creating a mobileconfig and then signing.

Can you please provide details as to how you are creating the mobileconfig file?

I have tried endlessly; but not succeeding...

Are you importing the IKEv2 certificate (in the profile)? How?

A set of detailed instructions would be very welcome...
 

gspannu

Regular Contributor
I'm such a fool...

I sign my profiles before installing them on my iOS devices. Yesterday I modified the unsigned profile, but forgot to sign it. So the signed profile that I installed was still the old one with the certificate from before the factory reset... (I noticed the expiration date of the certificate in the profile did not match the router's one)

After signing and installing the updated profile IKEv2 works fine on iPhone and iPad! :)

@XIII
Bump:

Great that mobileconfig profiles are working for you...

I am trying to do the same, creating a mobileconfig and then signing.
- Can you please provide details as to how you are creating the mobileconfig file?
- I have tried endlessly; but not succeeding...
- Are you importing the IKEv2 certificate (in the profile)? How?

A set of detailed instructions would be very welcome...
 
