IKEv2 VPN on iOS - issues & workarounds
Apple added support for IKEv2 VPN connections in iOS8 but only via mobileconfig profiles and added further support in iOS9 so you could define an IKEv2 profile in the GUI on the iOS device itself. (Apple also added IKEv2 support to OS X in El Capitan.)
Note: IKEv2 is considered much more modern and secure than older VPN standards such as IPSec, L2TP, and PPTP, which is why Apple added support for it and why I am using it.
While I have now successfully got an iPhone running iOS 9.2.1 to connect via IKEv2 to a matching IKEv2 VPN server, I came across a couple of bugs along the way, which I have now reported to Apple. Obviously, in getting it working I managed to work around these bugs.
ISSUE 1
As mentioned, iOS9 now allows you to define an IKEv2 profile manually on the iOS device itself. Such a profile can be configured to use SSL certificates to authenticate the client device (e.g. an iPhone), or to use a username/password pair; the latter option is referred to in IKEv2 terminology as EAP, the Extensible Authentication Protocol.
Unfortunately, due to what seems to be a bug in iOS9 (9.2.1 in this case), even when you tell your iOS device to use certificate based authentication and have a valid certificate selected, it incorrectly tells the IKEv2 VPN server that it wants to use EAP instead. The connection therefore fails: the VPN server sees a request to use EAP, which is supposed to be a username and password, but the iOS device of course cannot send a username and password because, duh!, it has been configured to only use a certificate.
The workaround for this issue is that you unfortunately have to use a mobileconfig file to define the exact same settings. This, as you will see, led to discovering Issue 2 below.
Note: If you define an IKEv2 profile on the iOS device and tell it to use a username and password, then this does work.
ISSUE 2
A common method for generating mobileconfig profiles for use with iOS devices is Apple Configurator. Apple Configurator 1.7.2 for Yosemite supports defining an IKEv2 profile, but only for iOS clients; Apple Configurator 2.1 for El Capitan supports creating an IKEv2 profile for both iOS and Macs.
The issue I hit with Apple Configurator is that both the Yosemite version and the El Capitan version add an entry to the mobileconfig as standard which caused a conflict with my IKEv2 VPN server and prevented the iOS device from connecting successfully. The entry is in the IPv4 section and is a flag called OverridePrimary, which Apple Configurator sets to 'true', i.e. 1. This flag apparently tells the VPN client that it must send all network traffic via the VPN connection, including 'normal' traffic destined for Internet sites, e.g. web browsing traffic. There is nothing wrong with wanting this to happen, and in fact most corporates using IKEv2 would want it; however, at least in my case, this setting conflicts with the settings in my IKEv2 VPN server, which is itself already set to force all VPN clients to send all traffic via the VPN. This conflict causes the connection attempt to fail.
Note: I am using StrongSwan 5.1.2 on a Linux server as the VPN server.
To work around this problem, once I had identified it, I had to manually edit the mobileconfig file produced by Apple Configurator and delete the following section:
<key>IPv4</key>
<dict>
    <key>OverridePrimary</key>
    <integer>1</integer>
</dict>
As my IKEv2 server is set to force all traffic via the VPN connection, that still happens, but with the above deleted from the mobileconfig the connection now succeeds.
Unfortunately the Apple Configurator user interface does not list this option and hence does not itself allow disabling it if, as in my case, that turns out to be needed. Hence the need to manually edit the mobileconfig file.
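As an added example (not part of the original post), the following Python script automates the manual edit above: it parses the mobileconfig with the standard plistlib module, removes IPv4/OverridePrimary from every VPN payload, and drops the IPv4 dict if that leaves it empty. The embedded sample profile is constructed, and its layout (a PayloadContent array holding a com.apple.vpn.managed payload) is an assumption about what Apple Configurator emits.

```python
import plistlib

# Constructed sample mobileconfig, trimmed to the keys that matter here.
# The payload layout is an assumption about Apple Configurator's output.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

def strip_override_primary(mobileconfig_bytes):
    """Remove IPv4/OverridePrimary from every VPN payload; return (bytes, changed).
    An IPv4 dict left empty is dropped, matching the manual edit above."""
    profile = plistlib.loads(mobileconfig_bytes)
    changed = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue  # leave Wi-Fi, certificate and other payloads untouched
        ipv4 = payload.get("IPv4")
        if isinstance(ipv4, dict) and "OverridePrimary" in ipv4:
            del ipv4["OverridePrimary"]
            changed += 1
            if not ipv4:
                del payload["IPv4"]
    return plistlib.dumps(profile), changed

def override_primary_present(mobileconfig_bytes):
    """True if any payload still carries an IPv4/OverridePrimary key."""
    profile = plistlib.loads(mobileconfig_bytes)
    return any("OverridePrimary" in p.get("IPv4", {})
               for p in profile.get("PayloadContent", []))
```

Run it against the bytes of an unsigned exported profile; a profile that Apple Configurator signed on export will no longer validate once edited, so export it unsigned or re-sign it afterwards.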
Now that I have got IKEv2 'working' on iOS I will move on to trying this in El Capitan and see how many bugs Apple have managed to include there.