pfSense IKEv2 for iOS/macOS – Part 3

In this article, we’ll configure an Apple Mobile Configuration Profile for iOS and macOS devices to connect to the VPN we created.

Articles in This Series:
Part 1 – Certificate Configuration
Part 2 – VPN Configuration
Part 3 (Current Article)
Part 4 – On Demand VPN

Part 3 – Mobile Profile
1. General Tab

  • Open Apple Configurator 2. From the File menu, choose New Profile.
  • Configure the General tab as follows (these options show up when installing to your device):

    Figure 1 New Profile Window
  • Name: A descriptive name for your mobile profile.
  • Identifier: A unique name for the profile. Typically you would use the FQDN in reverse. Its only function is to let you replace a profile in place by reusing the same identifier.
  • Organization: Optional
  • Description: Optional
  • Consent Message: Optional
  • Security: This allows you to protect the profile with a password to prevent it from being removed.

2. Certificates Tab

  • Switch to the Certificates tab and click the Configure button.
  • This will open a file browser. Choose the CA Certificate, the Server Certificate, and the User PKCS12 (.p12 File) Certificate.
  • You will notice that the PKCS12 User Certificate has a password field and alert. You will need to enter the export password you specified when using OpenSSL to export the P12 file. The alert should go away after entering the password.

    Figure 2 Certificates Tab

3. VPN Tab

  • Switch to the VPN tab and click the Configure button. Configure as follows:

    Figure 3 VPN Tab
  • Connection Name: A descriptive name that will show up in the VPN menu of your device.
  • Connection Type: IKEv2
  • Send All Traffic Through VPN: Unchecked
  • Always-On VPN (Supervised Only): Unchecked
  • Server: FQDN of the VPN Server
  • Remote Identifier: FQDN of the VPN Server
  • Local Identifier: CN of User Certificate
  • Machine Authentication: Certificate
  • Certificate Type: RSA
  • Server Certificate Issuer Common Name: CN of the CA server you created (internalVPNCA in the example).
  • Server Certificate Common Name: CN of the Server Certificate you created (should be the FQDN of the server).
  • Enable EAP: Checked
  • EAP Authentication: Certificate
  • Identity Certificate: Select the User Certificate you imported.
  • Dead Peer Detection Rate: Medium
  • Disable Redirects: Unchecked
  • Disable Mobility and Multihoming: Unchecked
  • Use IPv4/IPv6 Internal Subnet Attributes: Unchecked
  • Enable Perfect Forward Secrecy: Unchecked
  • Enable Certificate Revocation Check: Unchecked

    Figure 4 VPN Tab/IKE SA Params
  • Encryption Algorithm: AES-256-GCM
  • Integrity Algorithm: SHA2-384 (This will be disabled when you choose AES-256-GCM)
  • Diffie-Hellman Group: 20
  • Lifetime in Minutes: 480
  • Proxy Setup: None
  • Disconnect on Idle: Never

    Figure 5 VPN Tab/Child SA Params
  • Encryption Algorithm: AES-256-GCM
  • Integrity Algorithm: SHA2-256 (This will be disabled when you choose AES-256-GCM)
  • Diffie-Hellman Group: 20
  • Lifetime in Minutes: 60
  • Proxy Setup: None
  • Disconnect on Idle: Never
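Apple Configurator 2 writes all of the settings from the General, Certificates and VPN tabs above into a single .mobileconfig file, which is just an XML property list. The following Python script is an added example, not code from the original post or from Apple, that builds the same profile programmatically with the standard-library plistlib module and then reads it back so you can check what you are about to push to a device. The payload key names follow Apple's Configuration Profile Reference as I understand it; the FQDN, user certificate CN and organization are constructed placeholders, and the certificate bytes default to empty so the script runs offline (only internalVPNCA comes from the page).

```python
import plistlib
import uuid
from pathlib import Path

# Constructed stand-ins for the values produced in Parts 1 and 2 of the series.
VPN_FQDN = "vpn.example.com"   # assumption: FQDN of the pfSense VPN server
CA_CN = "internalVPNCA"        # CA common name used in the series' example
USER_CN = "alice"              # assumption: CN of the user certificate
ORG = "Example Org"            # assumption


def _new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_ikev2_profile(vpn_fqdn: str, ca_cn: str, user_cn: str, org: str,
                        ca_der: bytes = b"", server_der: bytes = b"",
                        user_p12: bytes = b"", p12_password: str = "") -> dict:
    """Build a profile dict mirroring the General, Certificates and VPN tabs.

    Certificate bytes default to empty placeholders; in practice pass the
    DER-encoded CA/server certificates and the OpenSSL-exported .p12 file.
    """
    prefix = ".".join(reversed(vpn_fqdn.split(".")))  # reverse-FQDN identifier
    user_uuid = _new_uuid()

    cert_payloads = [
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadIdentifier": f"{prefix}.ca", "PayloadUUID": _new_uuid(),
         "PayloadDisplayName": "CA Certificate", "PayloadContent": ca_der},
        {"PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
         "PayloadIdentifier": f"{prefix}.server", "PayloadUUID": _new_uuid(),
         "PayloadDisplayName": "Server Certificate", "PayloadContent": server_der},
        # The .p12 export password is embedded in the profile in clear text.
        {"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
         "PayloadIdentifier": f"{prefix}.user", "PayloadUUID": user_uuid,
         "PayloadDisplayName": "User Certificate", "PayloadContent": user_p12,
         "Password": p12_password},
    ]

    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.vpn", "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "VPN",
        "UserDefinedName": f"{org} VPN",   # Connection Name shown in the VPN menu
        "VPNType": "IKEv2",
        "OverridePrimary": False,          # Send All Traffic Through VPN: Unchecked
        "IKEv2": {
            "RemoteAddress": vpn_fqdn,               # Server
            "RemoteIdentifier": vpn_fqdn,            # Remote Identifier
            "LocalIdentifier": user_cn,              # Local Identifier = user cert CN
            "AuthenticationMethod": "Certificate",   # Machine Authentication
            "CertificateType": "RSA",
            "ServerCertificateIssuerCommonName": ca_cn,
            "ServerCertificateCommonName": vpn_fqdn,
            "ExtendedAuthEnabled": 1,                # Enable EAP, EAP Authentication: Certificate
            "PayloadCertificateUUID": user_uuid,     # Identity Certificate
            "DeadPeerDetectionRate": "Medium",
            "DisableRedirect": 0,
            "DisableMOBIKE": 0,
            "UseConfigurationAttributeInternalIPSubnet": 0,
            "EnablePFS": 0,
            "EnableCertificateRevocationCheck": 0,
            "IKESecurityAssociationParameters": {
                "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-384",
                "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 480},
            "ChildSecurityAssociationParameters": {
                "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
                "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 60},
        },
    }

    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": prefix, "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": f"{org} IKEv2 VPN",
        "PayloadOrganization": org,
        "PayloadDescription": "IKEv2 VPN using certificate (EAP-TLS) authentication",
        "PayloadRemovalDisallowed": False,   # Security tab: no removal password
        "PayloadContent": cert_payloads + [vpn_payload],
    }


def profile_to_bytes(profile: dict) -> bytes:
    """Serialise the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def summarize_profile(data: bytes) -> dict:
    """Parse a .mobileconfig and return the settings worth checking before pushing it."""
    payloads = plistlib.loads(data)["PayloadContent"]
    ike = next(p for p in payloads if p["PayloadType"] == "com.apple.vpn.managed")["IKEv2"]
    return {
        "server": ike["RemoteAddress"],
        "ike_encryption": ike["IKESecurityAssociationParameters"]["EncryptionAlgorithm"],
        "ike_dh_group": ike["IKESecurityAssociationParameters"]["DiffieHellmanGroup"],
        "child_lifetime_min": ike["ChildSecurityAssociationParameters"]["LifeTimeInMinutes"],
        "eap_enabled": bool(ike["ExtendedAuthEnabled"]),
        "pfs_enabled": bool(ike["EnablePFS"]),
        "revocation_check": bool(ike["EnableCertificateRevocationCheck"]),
        "p12_password_embedded": any(p.get("Password") for p in payloads
                                     if p["PayloadType"] == "com.apple.security.pkcs12"),
    }


if __name__ == "__main__":
    profile = build_ikev2_profile(VPN_FQDN, CA_CN, USER_CN, ORG, p12_password="export-pw")
    Path("vpn.mobileconfig").write_bytes(profile_to_bytes(profile))
    print(summarize_profile(profile_to_bytes(profile)))
```

Run it as-is to see the summary, or point summarize_profile at a profile Apple Configurator 2 saved for you to confirm the IKE and Child SA parameters, the EAP setting and the PFS/revocation flags match the lists above. Note that the PKCS12 payload carries the .p12 file and its export password in clear text, so the saved .mobileconfig is itself a credential: store it like the private key and remove copies once the profile is installed.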

4. Save and Push File – Mobile

  • Choose File\Save from the Apple Configurator 2 menu. Save your mobile profile to a location of your choosing.
  • To add the profile to a mobile device, connect the device via USB and wait for it to appear in the Apple Configurator 2 main window. Once it does, click on it once to ensure it is selected, then click the Add button, choose Profiles, and select the profile you just saved.
  • Follow the prompts on your device to install the profile. Ensure it shows up in Settings\General\Profiles & Device Management.
  • Go to Settings\General\VPN and ensure that the VPN you created in the profile shows up. Select it and change the toggle under Status to connect (test this while the device is not on your Wi-Fi).

5. Save and Push File – macOS

  • To install the Mobile Configuration Profile on your Mac desktop or laptop, simply double-click the file you saved and follow the prompts to install it.

That’s it! You’re done!

There’s one more section of this tutorial left, if you want it. To force your VPN to connect when you’re not connected to trusted or internal networks, proceed to Part 4 – On Demand VPN!
