You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

IKEv2 VPN on iOS - issues & workarounds

Apple added support for IKEv2 VPN connections in iOS8 but only via mobileconfig profiles and added further support in iOS9 so you could define an IKEv2 profile in the GUI on the iOS device itself. (Apple also added IKEv2 support to OS X in El Capitan.)


Note: IKEv2 is considered much more modern and secure than previous older VPN standards such as IPSec, L2TP, and PPTP. Hence the fact Apple added support for IKEv2 and my using it.


While I have now successfully got an iPhone running iOS 9.2.1 to connect via IKEv2 to a matching IKEv2 VPN server I did come across a couple of bugs along the way which I have now reported to Apple. Obviously in getting it working I managed to get round these bugs.


ISSUE 1

As mentioned iOS9 now allows defining manually on the iOS device itself an IKEv2 profile. These can be configured to use SSL certificates for authenticating the client device e.g. iPhone, or can be configured to use a username/password pair, this later option is in IKEv2 terminology referred to as EAP - Extensible Authentication Protocol.


Unfortunately due to it seems to a bug in iOS9 (9.2.1) this time, even when you tell your iOS device to use certificate based authentication and have a valid certificate selected, it incorrectly tells the IKEv2 VPN server that it wants to use EAP instead. Therefore the connection fails because the VPN server sees a request to use EAP which is supposed to be a username and password but the iOS device of course cannot send a username and password because duh! it has been configured to only use a certificate.


The workaround for this second issue is that you unfortunately have to use a mobileconfig file to define the same exact settings. This as you will see led to discovering Issue 2 below.


Note: If you specifically define an IKEv2 profile on the iOS device with it told to use a username and password then this does work.


ISSUE 2

A common method for generating mobileconfig profiles for use with iOS devices is Apple Configurator. Apple Configurator 1.7.2 for Yosemite supports defining an IKEv2 profile but only for iOS clients, Apple Configurator 2.1 for El Capitan supports creating an IKEv2 profile for both iOS and Macs.


The issue I hit with Apple Configurator is that both the Yosemite version and the El Capitan version add an entry in the mobileconfig as standard which caused a conflict with my IKEv2 VPN server and prevented the iOS device from successfully connecting. The entry is in the IPv4 section and is a flag called OverridePrimary and AppleConfigurator sets this to be 'true' i.e. 1. This flag apparently tells the VPN client it must send all network traffic via the VPN connection including 'normal' traffic that needs to go to Internet connected sites, e.g. web browsing traffic. There is nothing wrong with wanting this to happen and in fact most corporates using IKEv2 would want that, however at least in my case this setting conflicts with settings in my IKEv2 VPN server which itself is already set to force all VPN clients to send all traffic via the VPN, this conflict causes the connection attempt to fail.


Note: I am using StrongSwan 5.1.2 on a Linux server as the VPN server.


To workaround this problem after identifying it I had to manually edit the mobileconfig file produced by Apple Configurator and delete the following section.


     <key>IPv4</key>
     <dict>
          <key>OverridePrimary</key>
          <integer>1</integer>
     </dict>


As my IKEv2 server is set to force all traffic via the VPN connection that still happens but this time with the above deleted from the mobileconfig the connection succeeds.


Unfortunately the Apple Configurator user interface does not list this option and hence does not itself allow disabling it if as in my case this turns out to be needed. Hence the need to manually edit the mobileconfig file.



Now that I have got IKEv2 'working' on iOS I will move on to trying this in El Capitan and see how many bugs Apple have managed to include there.

Posted on Mar 4, 2016 4:26 AM

Reply
Question marked as Top-ranking reply

Posted on Oct 27, 2017 7:53 AM

Hi John,


How are you dealing with DNS resolution for internal hosts. I find that when not using a mobileconfig and just manually configuring Cisco IPSec VPN or IKEv2 VPN, the DNS resolution for split tunnels is broken as the search domain gets assigned to DNS resolver 1 which happens to be the LAN/WIFI card so DNS lookup always fail in this case.


Have you encountered this or know of a workaround ?

8 replies
Question marked as Top-ranking reply

Oct 27, 2017 7:53 AM in response to John Lockwood

Hi John,


How are you dealing with DNS resolution for internal hosts. I find that when not using a mobileconfig and just manually configuring Cisco IPSec VPN or IKEv2 VPN, the DNS resolution for split tunnels is broken as the search domain gets assigned to DNS resolver 1 which happens to be the LAN/WIFI card so DNS lookup always fail in this case.


Have you encountered this or know of a workaround ?

Oct 27, 2017 9:44 AM in response to adisor20

I don't configure the DNS in the mobileconfig profile. I configure the StrongSwan5 server to inform the VPN client of the DNS addresses and also to enforce routing all traffic via the VPN link. This works fine for me and after a couple of seconds at most the client is able to resolve internal private DNS addresses.


I have however been doing this as per the discussion title mainly with iOS and not Mac if that makes a difference for you.


I certainly don't see any differences whether the iOS device is connected via cellular data or WiFi.


Perhaps the reason it is working for me is the fact I am not using a split tunnel since I deliberately enforce routing all traffic. My use of IKEv2 was as part of a VPN on Demand solution for the purposes of ensuring all traffic from mobile devices was secured via VPN and not open to eavesdropping say in a [insert favourite coffee chain] on public WiFi.


Since you are apparently configuring the DNS settings manually on the client device, have you tried pushing it from the VPN server even with a split tunnel?


I use Strongswan5 so this is done by adding rightdns=192.168.12.12 or similar to /etc/ipsec.conf on the server.


If you are after pushing a default domain then I am not sure this is possible at least with StrongSwan. However I always ensure everything uses the FQDN rather than just the hostname and assuming there is a valid default domain.

Nov 25, 2016 4:38 AM in response to wuwentao

Yes Apple have fixed it in a more recent version of Apple Configurator in response to my bug report so it now gives you the choice to have this flag set to 0 or 1.


As a reminder the issue was older versions of Apple Configurator always set it to 1 and this conflicted with the StrongSwan setup which was already set to force all traffic to go via the VPN connection.

Nov 25, 2016 7:37 AM in response to John Lockwood

Thanks very much for your reply!

but this workaround still can't work for me .

I didn't select [send all traffic through VPN],but My mac got the default gateway.


netstat -rn |grep default

default link#15 UCS 32 0 ipsec0

default 192.168.2.1 UGScI 16 0 en0

default fe80::%utun0 UGcI utun0


I don't want send all the traffic via the vpn, I will manual add it with a script.

Nov 25, 2016 8:34 AM in response to wuwentao

If your using such a modern enterprise strength VPN such as IKEv2 the presumption is you would want to enforce routing all traffic via it to prevent people seeing traffic outside the VPN in an Internet cafe.


However in my setup and possibly yours the enforcement of all traffic going via the VPN is down to StrongSwan5. You can therefore configure StrongSwan5 to not enforce this. In my case this is down to the line -


leftsubnet=0.0.0.0/0


This means route all addresses since 0.0.0.0/0 translates to a subnet that includes every possible IPv4 address. If you want to change this to only route the addresses needed for your office network then an entry like


leftsubnet=192.168.1.0/24


would limit it to a single Class C subnet and anything else would not go via the VPN route.


The same principal will apply if you have an office using IPv6 - which I am not.

IKEv2 VPN on iOS - issues & workarounds

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.