Always-on VPN configurations for Apple devices
iPhone and iPad devices run in single-user mode. There’s no distinction between device identity and user identity. When the device establishes an IKEv2 tunnel to the IKEv2 server, the server perceives the device as a single peer entity. Traditionally, there is one tunnel between the device and a VPN server. Because Always-on VPN introduces per-interface tunnels, there may be multiple simultaneous tunnels established between a single device and the IKEv2 server. Always-on VPN supports two deployment configurations.
Mobile data–only devices
If your organisation chooses to deploy Always-on VPN on mobile data–only devices (in which the Wi-Fi interface is permanently taken out or deactivated), one IKEv2 tunnel is established over the data IP interface between each device and the IKEv2 server. This is the same as in the traditional VPN model. The device acts as one IKEv2 client, with one identity (for example, one client certificate or one user and password) establishing one IKEv2 tunnel with the IKEv2 server.
Mobile data and Wi-Fi devices
If your organisation deploys Always-on VPN for devices with mobile data and Wi-Fi interfaces, two simultaneous IKEv2 tunnels are established from the device. There are two scenarios for using devices that can connect over mobile data and Wi-Fi:
The mobile data tunnel and the Wi-Fi tunnel terminate on separate IKEv2 servers.
Always-on VPN per-interface tunnel configuration keys allow an organisation to configure devices establishing a mobile data tunnel to one IKEv2 server and a Wi-Fi tunnel to a second IKEv2 server. One benefit of this model is that a device can use the same client identity (that is, client certificate or user/password) for both tunnels since the tunnels terminate on different servers. With different servers, your organisation also has greater flexibility on per-interface-type traffic (mobile data traffic vs. Wi-Fi traffic) segregation and control. The drawback is that your organisation has to maintain two different IKEv2 servers with identical client authentication policies.
The mobile data tunnel and the Wi-Fi tunnel terminate on the same IKEv2 server.
Always-on VPN per-interface tunnel configuration also lets your organisation configure a device to establish the mobile data tunnel and the Wi-Fi tunnel to the same IKEv2 server.
One client identity per device: Your organisation can configure the same client identity (that is, one client certificate or one user/password pair) for a mobile data tunnel and a Wi-Fi tunnel, if the IKEv2 server supports multiple tunnels per client. The benefit is that you can avoid the extra client identity per device and the extra configuration/resource burden on the server. The drawback is that as a device moves in and out of networks, new tunnels get established and old tunnels become stale. Depending on the server implementation, the server may not be able to clean up stale tunnels efficiently and accurately. Your organisation must implement a strategy for stale tunnel clean-up on the server.
Two client identities per device: Your organisation can configure two client identities (that is, two client certificates or two user/password pairs), one for a mobile data tunnel and one for a Wi-Fi tunnel. The IKEv2 server sees two different clients establishing their own tunnels. The benefit of this model is that it works with most server implementations because many servers differentiate tunnels by their client identities and allow only one tunnel per client. The drawback of this model is that it requires twice the client identities, configuration and resource management on the server.
After you decide which configuration to use, you can apply the IKEv2 Always-on VPN configuration details.
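The following is an added example, not part of Apple's documentation, that builds the per-interface tunnel configurations for each of the scenarios described above and classifies a configuration into one of them so the matching server-side requirement (identical authentication policies on two servers, multi-tunnel-per-client support plus stale-tunnel clean-up, or twice the identities) is surfaced before the profile is pushed. The dictionary key names (`TunnelConfigurations`, `Interfaces`, `ProtocolType`, `RemoteAddress`, `AuthenticationMethod`, `PayloadCertificateUUID`, `ExtendedAuthEnabled`, `AuthName`, `VPNType` and `AlwaysOn`) are assumed from Apple's VPN payload reference and are not taken from this page; the server names, certificate UUIDs and identifiers are constructed placeholders.

```python
"""Classify Always-on VPN per-interface tunnel configurations.

Added example; key names are assumed from Apple's VPN payload reference
(com.apple.vpn.managed with VPNType "AlwaysOn"). All server names,
certificate UUIDs and identifiers below are constructed placeholders.
"""
import plistlib
import uuid

# Constructed placeholder certificate UUIDs (would reference certificate payloads)
CERT_A = "11111111-AAAA-4AAA-8AAA-111111111111"
CERT_B = "22222222-BBBB-4BBB-8BBB-222222222222"


def ikev2_tunnel(interfaces, server, cert_uuid):
    """One entry of the AlwaysOn TunnelConfigurations array (assumed keys)."""
    return {
        "Interfaces": list(interfaces),          # "Cellular" and/or "WiFi"
        "ProtocolType": "IKEv2",                 # Always-on VPN requires IKEv2
        "RemoteAddress": server,
        "RemoteIdentifier": server,
        "LocalIdentifier": "device.example.com",  # placeholder client ID
        "AuthenticationMethod": "Certificate",
        "PayloadCertificateUUID": cert_uuid,
    }


# The four deployment shapes discussed on the page, as constructed configs
MOBILE_DATA_ONLY = [ikev2_tunnel(["Cellular"], "vpn.example.com", CERT_A)]
SEPARATE_SERVERS = [ikev2_tunnel(["Cellular"], "vpn-cell.example.com", CERT_A),
                    ikev2_tunnel(["WiFi"], "vpn-wifi.example.com", CERT_A)]
SAME_SERVER_ONE_IDENTITY = [ikev2_tunnel(["Cellular", "WiFi"], "vpn.example.com", CERT_A)]
SAME_SERVER_TWO_IDENTITIES = [ikev2_tunnel(["Cellular"], "vpn.example.com", CERT_A),
                              ikev2_tunnel(["WiFi"], "vpn.example.com", CERT_B)]


def client_identity(tc):
    """The identity the IKEv2 server uses to tell clients apart."""
    if tc.get("AuthenticationMethod") == "Certificate":
        return ("certificate", tc["PayloadCertificateUUID"])
    if tc.get("ExtendedAuthEnabled"):
        return ("user", tc["AuthName"])
    return ("shared-secret", tc.get("LocalIdentifier"))


def classify(tunnel_configurations):
    """Return (scenario, server-side requirements) for a TunnelConfigurations list."""
    per_iface = {}
    for tc in tunnel_configurations:
        if tc.get("ProtocolType") != "IKEv2":
            raise ValueError("Always-on VPN tunnels must use IKEv2")
        for iface in tc["Interfaces"]:
            if iface in per_iface:
                raise ValueError(f"interface {iface} assigned to more than one tunnel")
            per_iface[iface] = tc
    ifaces = set(per_iface)
    if ifaces == {"Cellular"}:
        return "mobile-data-only", ["one tunnel and one identity per device, as in the traditional model"]
    if ifaces != {"Cellular", "WiFi"}:
        raise ValueError(f"unexpected interface set {sorted(ifaces)}")
    cell, wifi = per_iface["Cellular"], per_iface["WiFi"]
    same_server = cell["RemoteAddress"] == wifi["RemoteAddress"]
    same_identity = client_identity(cell) == client_identity(wifi)
    if not same_server:
        return "separate-servers", [
            "maintain identical client authentication policies on both IKEv2 servers"]
    if same_identity:
        return "same-server-one-identity", [
            "server must accept multiple simultaneous tunnels per client identity",
            "implement stale-tunnel clean-up as devices roam between networks"]
    return "same-server-two-identities", [
        "provision and manage two client identities per device on the server"]


def vpn_payload(tunnel_configurations, name="Always-on VPN"):
    """Wrap the tunnels in a VPN payload dictionary (assumed payload keys)."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.alwayson",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "AlwaysOn",
        "AlwaysOn": {"TunnelConfigurations": list(tunnel_configurations)},
    }


def vpn_payload_plist(tunnel_configurations):
    """Serialise the payload as an XML plist fragment for inspection."""
    return plistlib.dumps(vpn_payload(tunnel_configurations))


if __name__ == "__main__":
    for label, cfg in [("mobile data only", MOBILE_DATA_ONLY),
                       ("separate servers", SEPARATE_SERVERS),
                       ("same server, one identity", SAME_SERVER_ONE_IDENTITY),
                       ("same server, two identities", SAME_SERVER_TWO_IDENTITIES)]:
        scenario, notes = classify(cfg)
        print(f"{label}: {scenario}")
        for note in notes:
            print(f"  - {note}")
    print(vpn_payload_plist(SAME_SERVER_ONE_IDENTITY).decode())
```

Running the module prints the scenario and the server-side requirements for each of the four constructed configurations, then the plist fragment for the single-identity case. The classifier keys on `RemoteAddress` and on the authentication material to decide whether the server will see one client or two; a real deployment check would compare against the certificate payloads the UUIDs reference.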