Always-on VPN configurations for Apple devices
iPhone and iPad run in single-user mode: there is no distinction between device identity and user identity. When the device establishes an IKEv2 tunnel to an IKEv2 server, the server sees the device as a single peer. Traditionally there is one tunnel between the device and a VPN server. Because Always-on VPN introduces per-interface tunnels, a single device may hold multiple simultaneous tunnels to the IKEv2 server. Always-on VPN supports two deployment configurations, described below.
Cellular-only devices
If your organization chooses to deploy Always-on VPN on cellular-only devices (where the Wi-Fi interface is permanently removed or deactivated), one IKEv2 tunnel is established over the cellular IP interface between each device and the IKEv2 server. This is the same as the traditional VPN model: the device acts as one IKEv2 client with one identity (for example, one client certificate or one user name and password) establishing one IKEv2 tunnel with the IKEv2 server.
Cellular and Wi-Fi devices
If your organization deploys Always-on VPN for devices with both cellular and Wi-Fi interfaces, two simultaneous IKEv2 tunnels are established from each device, one per interface. There are two scenarios for devices that can connect over cellular and Wi-Fi:
The cellular tunnel and the Wi-Fi tunnel terminate on separate IKEv2 servers.
Always-on VPN per-interface tunnel configuration keys let an organization configure a device to establish the cellular tunnel to one IKEv2 server and the Wi-Fi tunnel to a second IKEv2 server. One benefit of this model is that a device can use the same client identity (that is, the same client certificate or user name and password) for both tunnels, because the tunnels terminate on different servers and neither server ever sees two tunnels from one client. Separate servers also give your organization more flexibility to segregate and control traffic by interface type (cellular traffic versus Wi-Fi traffic). The drawback is that your organization has to maintain two IKEv2 servers with identical client authentication policies, so that a device authenticates the same way regardless of which interface it is using.
The cellular tunnel and the Wi-Fi tunnel terminate on the same IKEv2 server.
Always-on VPN per-interface tunnel configuration also lets your organization configure a device to establish both the cellular tunnel and the Wi-Fi tunnel to the same IKEv2 server. There are then two options for the client identity:
One client identity per device: Your organization can configure the same client identity (that is, one client certificate or one user name and password pair) for the cellular tunnel and the Wi-Fi tunnel, provided the IKEv2 server supports multiple tunnels per client. The benefit is that you avoid the extra client identity per device and the extra configuration and resource burden on the server. The drawback is that as a device moves in and out of networks, new tunnels are established and old tunnels become stale. Depending on the server implementation, the server may not clean up stale tunnels efficiently and accurately, and some servers treat a new tunnel from the same identity as a replacement and tear down the one still in use. Your organization must implement a strategy for stale-tunnel cleanup on the server, such as a sufficiently aggressive dead peer detection interval, and verify how the server behaves when a second tunnel arrives from an identity that already has one.
Two client identities per device: Your organization can configure two client identities (that is, two client certificates or two user name and password pairs), one for the cellular tunnel and one for the Wi-Fi tunnel. The IKEv2 server sees two different clients, each establishing its own tunnel. The benefit of this model is that it works with most server implementations, because many servers differentiate tunnels by client identity and allow only one tunnel per client. The drawback is that it doubles the client identities, configuration, and resource management on the server, including certificate issuance and revocation for two certificates per device.
After you decide which configuration to use, you can apply the IKEv2 Always-on VPN configuration details.
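The following is an added example, not code from Apple's documentation, that builds the per-interface tunnel list for each of the three cellular-plus-Wi-Fi models described above and lints the chosen client-identity model against what the IKEv2 server supports (one tunnel per client or several). The VPN payload key names (AlwaysOn, TunnelConfigurations, Interfaces, ProtocolType, RemoteAddress, LocalIdentifier, RemoteIdentifier, AuthenticationMethod, PayloadCertificateUUID) follow Apple's VPN configuration payload reference as this example's author recalls it and should be checked against the current reference before deployment; the host names, identifiers and certificate UUIDs are made up.

```python
"""Build and lint the AlwaysOn tunnel list of a com.apple.vpn.managed payload.
Added example; key names are assumed from Apple's VPN payload reference and must be
verified against the current reference. All host names and identities are made up."""
import plistlib
import uuid

CELLULAR = "Cellular"
WIFI = "WiFi"


def ikev2_tunnel(interfaces, remote_address, local_identifier, cert_uuid):
    """One AlwaysOn.TunnelConfigurations entry: an IKEv2 tunnel bound to the given
    interface(s), authenticated with the client certificate payload cert_uuid."""
    return {
        "ProtocolType": "IKEv2",
        "Interfaces": list(interfaces),
        "RemoteAddress": remote_address,
        "RemoteIdentifier": remote_address,   # server identity expected in IKE_AUTH
        "LocalIdentifier": local_identifier,  # client identity presented to the server
        "AuthenticationMethod": "Certificate",
        "PayloadCertificateUUID": cert_uuid,  # PKCS#12 payload in the same profile
        "ExtendedAuthEnabled": False,
        "DeadPeerDetectionRate": "Medium",
    }


def separate_servers(cert_uuid):
    """Model 1: cellular and Wi-Fi tunnels terminate on different servers, one identity."""
    ident = "device-1234@example.com"
    return [ikev2_tunnel([CELLULAR], "vpn-cell.example.com", ident, cert_uuid),
            ikev2_tunnel([WIFI], "vpn-wifi.example.com", ident, cert_uuid)]


def same_server_one_identity(cert_uuid):
    """Model 2a: both tunnels to one server, one client identity per device."""
    ident = "device-1234@example.com"
    return [ikev2_tunnel([CELLULAR], "vpn.example.com", ident, cert_uuid),
            ikev2_tunnel([WIFI], "vpn.example.com", ident, cert_uuid)]


def same_server_two_identities(cell_cert_uuid, wifi_cert_uuid):
    """Model 2b: both tunnels to one server, a distinct identity per interface."""
    return [ikev2_tunnel([CELLULAR], "vpn.example.com", "device-1234-cell@example.com", cell_cert_uuid),
            ikev2_tunnel([WIFI], "vpn.example.com", "device-1234-wifi@example.com", wifi_cert_uuid)]


def lint_tunnels(tunnels, server_allows_multiple_tunnels_per_client):
    """Return a list of problems; an empty list means the tunnel set is consistent
    with the stated server behaviour."""
    problems = []
    # Every interface type should be bound to exactly one tunnel.
    bound = {}
    for t in tunnels:
        for iface in t["Interfaces"]:
            if iface in bound:
                problems.append(f"{iface} is bound to more than one tunnel")
            bound[iface] = t
    for iface in (CELLULAR, WIFI):
        if iface not in bound:
            problems.append(f"no tunnel is bound to {iface}")
    # Tunnels that terminate on one server with the same client identity only work
    # if that server accepts more than one tunnel per client.
    by_server = {}
    for t in tunnels:
        by_server.setdefault(t["RemoteAddress"], []).append(t)
    for server, ts in by_server.items():
        identities = {(t["LocalIdentifier"], t["PayloadCertificateUUID"]) for t in ts}
        if len(identities) < len(ts) and not server_allows_multiple_tunnels_per_client:
            problems.append(f"{server}: {len(ts)} tunnels share one client identity but the "
                            "server allows one tunnel per client; use two identities or separate servers")
    return problems


def vpn_payload(tunnels, name="Corp Always-on VPN"):
    """Wrap the tunnel list in a com.apple.vpn.managed payload dictionary."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.alwayson",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "IKEv2",
        "AlwaysOn": {"UIToggleEnabled": 0,  # users cannot switch the VPN off
                     "TunnelConfigurations": tunnels},
    }


def to_plist_xml(payload):
    """Serialize the payload as the XML plist an MDM embeds in a profile."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML).decode()


if __name__ == "__main__":
    cert, cert2 = str(uuid.uuid4()), str(uuid.uuid4())
    models = [("separate servers", separate_servers(cert)),
              ("same server, one identity", same_server_one_identity(cert)),
              ("same server, two identities", same_server_two_identities(cert, cert2))]
    for label, tunnels in models:  # assume a server that allows one tunnel per client
        print(label, "->", lint_tunnels(tunnels, False) or "ok")
    print(to_plist_xml(vpn_payload(same_server_two_identities(cert, cert2))))
```

Run against a server that allows only one tunnel per client, the lint flags the one-identity, same-server model and accepts the other two; flip the flag to True and the one-identity model passes, which is exactly the server capability you must confirm before choosing it.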