IKEv2 MDM setup for Apple devices
Learn how to set up IKEv2 VPN using the supported IKEv2 features and corresponding configuration profile keys described here.
Machine authentication methods
IKEv2 supports the following machine authentication methods. You use the AuthenticationMethod key to specify the level of authentication:
None: No machine authentication required.
Shared Secret: A preset key created by you.
Certificate: For Certificate authentication, the LocalIdentifier and RemoteIdentifier keys are commonly used to identify the IKEv2 client and the IKEv2 server.
The LocalIdentifier key should usually match the user/device certificate’s identity (SubjectAltName or Subject CommonName), since server implementations may require that match to validate the client’s identity.
The RemoteIdentifier key should match the server certificate’s identity (SubjectAltName or Subject CommonName).
Note: If RemoteIdentifier doesn’t match the server certificate’s identity, the ServerCertificateCommonName key can be used to specify the server certificate’s identity.
You also use the ServerCertificateIssuerCommonName key to specify the Common Name of the server’s CA. Specifying this key causes the client to send an IKEv2 CERTREQ to the server, which some server implementations require.
EAP: EAP-MSCHAPv2, EAP-TLS and EAP-PEAP
You must use the ExtendedAuthEnabled key to enable EAP:
Specify AuthName and AuthPassword for EAP-MSCHAPv2.
Specify the user/device certificate for EAP-TLS. The ServerCertificateIssuerCommonName key is required for EAP-TLS.
Specify both AuthName and AuthPassword and the user/device certificate for EAP-PEAP.
For server authentication, you also use the AuthenticationMethod key to specify the IKEv2 level of authentication.
IKE and child proposals
IKEv2 supports one IKE proposal and one child proposal. Each proposal specifies one encryption algorithm, one integrity algorithm and one Diffie-Hellman group. The server configuration must accept the client’s IKE and child proposals.
The IKE and child proposals also let you configure client-initiated IKE and child rekeys. Server-initiated rekeys are independent of client-initiated rekeys and are configured on your server. For Always-On VPN, disabling server-initiated rekeys is recommended.
Dead peer detection
IKEv2 supports dead peer detection. Server dead peer detection is independent of client dead peer detection and is configured on your server. For Always-On VPN, disabling server dead peer detection is recommended.
Split tunnel
IKEv2 supports split tunnel. By default, split tunnel routes are sent by your server to the client via the IKEv2 Traffic Selectors. You use the UseConfigurationAttributeInternalIPSubnet key if your server implementation requires the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes to send routes to the client.
Note: IKEv2 doesn’t support split DNS from the server. However, the iOS and iPadOS VPN payload support a DNS dictionary that allows for split DNS.
MOBIKE, server redirect and Perfect Forward Secrecy
IKEv2 supports MOBIKE, server redirects and Perfect Forward Secrecy (PFS), all of which have default values. Server support and configuration are required to achieve full functionality for these options:
MOBIKE: Enabled by default. Use the DisableMOBIKE key to disable it.
Server redirect: Enabled by default. Use the DisableRedirect key to disable it.
PFS (requires child Diffie-Hellman Group): Disabled by default. Use the EnablePFS key to enable it.
NAT keepalive offload
IKEv2 supports NAT keepalive offload for Always-On VPN connections, and it is enabled by default. It offloads the sending of NAT keepalives to hardware while the device is asleep. The NATKeepAliveInterval key controls how often keepalives are sent, and the NATKeepAliveOffloadEnable key enables or disables the offload. This feature keeps the Always-On IKEv2 connection up across device sleep cycles.
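The key relationships described above (machine authentication, EAP, the single IKE and child proposals, PFS and NAT keepalive offload), as an added example that is not Apple’s code: a Python checker that validates the IKEv2 dictionary of a VPN payload before it is pushed by MDM, plus a constructed certificate-authentication sample and a plist serialiser. The key names not on this page (PayloadCertificateUUID, RemoteAddress, IKESecurityAssociationParameters, ChildSecurityAssociationParameters, and the com.apple.vpn.managed payload keys) are taken from Apple’s VPN payload reference; the host names, UUIDs, CA name and the rule that "a client certificate without AuthName/AuthPassword means EAP-TLS" are assumptions of this example.

```python
import plistlib

# Consistency checks for the IKEv2 dictionary of a com.apple.vpn.managed payload,
# following the key relationships described above. Treating "client certificate
# without AuthName/AuthPassword" as EAP-TLS is an assumption of this example.
def check_ikev2(ike):
    problems = []
    method = ike.get("AuthenticationMethod")
    if method not in ("None", "SharedSecret", "Certificate"):
        problems.append("AuthenticationMethod must be None, SharedSecret or Certificate")
    if method == "Certificate":
        if not ike.get("PayloadCertificateUUID"):
            problems.append("Certificate authentication needs PayloadCertificateUUID")
        if not (ike.get("RemoteIdentifier") or ike.get("ServerCertificateCommonName")):
            problems.append("set RemoteIdentifier or ServerCertificateCommonName")
    if ike.get("ExtendedAuthEnabled"):
        has_pw = bool(ike.get("AuthName") and ike.get("AuthPassword"))
        has_cert = bool(ike.get("PayloadCertificateUUID"))
        if not (has_pw or has_cert):
            problems.append("EAP needs AuthName/AuthPassword and/or a client certificate")
        if has_cert and not has_pw and not ike.get("ServerCertificateIssuerCommonName"):
            problems.append("EAP-TLS needs ServerCertificateIssuerCommonName")
    # One IKE proposal and one child proposal: a single value per algorithm, never a list.
    for name in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        for alg, val in ike.get(name, {}).items():
            if isinstance(val, (list, tuple)):
                problems.append(f"{name}.{alg} must be a single value, not a list")
    if ike.get("EnablePFS") and not ike.get("ChildSecurityAssociationParameters", {}).get("DiffieHellmanGroup"):
        problems.append("EnablePFS requires ChildSecurityAssociationParameters.DiffieHellmanGroup")
    return problems

# Constructed sample: certificate authentication, PFS and NAT keepalive offload on.
# Host names, UUIDs and the CA name are placeholders.
PROPOSAL = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 14}
CERT_AUTH = {
    "RemoteAddress": "vpn.example.com", "AuthenticationMethod": "Certificate",
    "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000000",
    "LocalIdentifier": "device01.example.com", "RemoteIdentifier": "vpn.example.com",
    "ServerCertificateIssuerCommonName": "Example Issuing CA",
    "IKESecurityAssociationParameters": PROPOSAL, "ChildSecurityAssociationParameters": PROPOSAL,
    "EnablePFS": True, "NATKeepAliveOffloadEnable": True, "NATKeepAliveInterval": 110,
}

def vpn_payload_plist(ike):
    """Wrap the IKEv2 dictionary in a VPN payload (placeholder identifiers) as XML plist bytes."""
    payload = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1, "VPNType": "IKEv2",
               "PayloadIdentifier": "com.example.vpn.ikev2", "UserDefinedName": "Example IKEv2",
               "PayloadUUID": "11111111-1111-1111-1111-111111111111", "IKEv2": ike}
    return plistlib.dumps(payload)
```

Run check_ikev2 on the dictionary before calling vpn_payload_plist; an empty list means the profile is consistent with the key rules on this page.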