IKEv2 (iOS Only)

This VPN connection type is supported on iOS devices.

Internet Key Exchange version 2 (IKEv2) is the default VPN setting for iOS. The IKEv2 is used to create a security association in the IPSec (Internet Protocol Security) suite. A security association (SA) establishes shared security attributes between two network entities to support secure communication.

Use the following guidelines to configure the IKEv2 VPN connection type.

Within these selections, you may make settings for:

iOS VPN configurations using IKEv2 need to include a selected value from the following list of certificate types:

  • RSA
  • ECDSA256
  • ECDSA384
  • ECDSA512

The ED25519 certificate type is not supported.

Table 61.  IKEv2 settings (iOS)

Item

Description

Name

Enter a short phrase that identifies this VPN setting.

Description

Provide a description that clarifies the purpose of these settings.

Channel

For macOS only. Select one of the following distribution options:

  • Device channel - the configuration is effective for all users on a device. This is the typical option.
  • User channel - the configuration is effective only for the currently registered user on a device.

Connection Type

Select IKEv2 (iOS Only).

Always-on VPN (supervised only)

Select to enable the VPN connection to remain on at all times. More settings display, including Celluar settings and Service Exceptions.

This setting applies only to supervised devices.

Allow user to disable automatic connection

Select to allow device users to disconnect automatically triggered connections.

This setting applies only to supervised devices.

Use same tunnel configuration for Cellular and Wi-Fi

Select to configure one VPN tunnel for both cellular and wi-fi data.

This setting applies only to supervised devices.

Cellular / Wi-Fi (Cellular and Wi-Fi configurations appear separately when you select Always-on VPN.)

Server

Enter the IP address, hostname, or URL for the VPN server.

Local Identifier

Required. Enter the local identifier of the IKEv2 client in one of the following formats:

  • FQDN
  • UserFQDN
  • Address
  • ASN1DN

Remote Identifier

Required. Enter the remote identifier in one of the following formats:

  • FQDN
  • UserFQDN
  • Address
  • ASN1DN

Dead Peer Detection Rate

Optional. Defaults to Medium. Select one of the following:

  • None (Disable)
  • Low (keepalive sent every 30 minutes)
  • Medium (keepalive sent every 10 minutes)
  • High (keepalive sent every 1 minute)

Use IPv4/IPv6 Internal Subnet Attributes

Optional. If selected, negotiations should use IKEv2 Configuration Attribute INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET. Disabled by default.

Available in iOS 9.0 or supported newer versions.

Disable Mobility and Multihoming

Select to disable mobility and multihoming (MOBIKE).

Available in iOS 9.0 or supported newer versions.

Disable redirects

Optional. If selected, disables IKEv2 redirect. If not selected, the IKEv2 connection would be redirected if a redirect request is received from the server. By default, not selected.

Available in iOS 9.0 or supported newer versions.

Enable NAT keepalive

Optional. Select to enable Network Address Translation (NAT) Keepalive offload for Always On VPN IKEv2 connections. Keepalive packets are used to maintain NAT mappings for IKEv2 connections. These packets are sent at regular intervals when the device is awake. If selected, Keepalive packets would be sent by the chip even while the device is asleep. The default interval for the Keepalive packets for Always On VPN is 20 seconds over WiFi and 110 seconds over Cellular interface.

Available in iOS 9.0 or supported newer versions.

NATKeepAliveInterval

Optional. Controls the interval over which Keepalive packets are sent by the device. The minimum value is 20 seconds. If no key is specified, the default is 20 seconds.

Available in iOS 9.0 or supported newer versions.

EnablePFS

Optional. Select to enable Perfect Forward Secrecy for IKEv2 connections. By default, not selected.

Available in iOS 9.0 or supported newer versions.

Authentication

Machine Authentication

Select None, Shared Secret /Group Name, or Certificate.

  • If selecting None, be sure to enable EAP.
  • If Certificate is selected, Server Certificate Issuer Common Name should be added.

Shared Secret

If you select Shared Secret / Group Name, enter shared secret to be used for IKE authentication.

Identity Certificate

If you select Certificate, select the identity certificate to be used as the account credential.

If you select Certificate, and extended authentication (EAP) is not used, this certificate will be sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS.

Server Certificate Issuer Common Name

Optional. Selecting this field will cause IKE to send a certificate request based on this certificate issuer to the server.

This field is required if Machine Authentication is set to Certificate.

Server Certificate Common Name

Optional. The Common Name of the server certificate. This name is used to validate the certificate sent by the IKE server. If not set, the Remote Identifier will be used to validate the certificate.

Enable EAP

Select to enable extended authentication. If Machine Authentication is set to None, you must select an EAP authentication method.

IKE SA Params (A Security Association establishes shared security attributes between two network entities to support secure communication.)

Encryption algorithm

Optional. Select one of the following:

  • DES
  • 3DES
  • AES-128
  • AES-256 (Default)
  • AES-128-GCM
  • AES-256-GCM
  • ChaCha20Poly1305

Integrity algorithm

Optional. Select one of the following:

  • SHA1-96
  • SHA1-160
  • SHA2-256 (Default)
  • SHA2-384
  • SHA2-512

Diffie-Hellman Group

Optional. Select one of the following: 1, 2, 5, 14 (Default), 15, 16, 17, 18, 19, 20, 21, 31.

If you upgrade from a version of Ivanti EPMM that allowed the value 0 for this field, edit the VPN configuration to use a different Diffie-Hellman Group value. Ivanti EPMM will send the configuration to devices only after you save the change.

Lifetime In Minutes

Optional security association lifetime (re-key interval) in minutes. Valid values are 10 through 1440. Defaults to 1440 minutes.

Child SA Params (A Child SA is any SA that was negotiated via the IKE SA.)

Encryption algorithm

Optional. Select one of the following:

  • DES
  • 3DES
  • AES-128
  • AES-256 (Default)
  • AES-128-GCM
  • AES-256-GCM
  • ChaCha20Poly1305

Integrity algorithm

Optional. Select one of the following:

  • SHA1-96
  • SHA1-160
  • SHA2-256 (Default)
  • SHA2-384
  • SHA2-512

Diffie-Hellman Group

Optional. Select one of the following: 1, 2, 5, 14 (Default), 15, 16, 17, 18, 19, 20, 21. 31

If you upgrade from a version of Ivanti EPMM that allowed the value 0 for this field, edit the VPN configuration to use a different Diffie-Hellman Group value. Ivanti EPMM will send the configuration to devices only after you save the change.

Lifetime In Minutes

Optional security association lifetime (rekey interval) in minutes. Valid values are 10 through 1440. Defaults to 1440 minutes.

Wi-Fi see Cellular / Wi-Fi

Service Exceptions (Configure exceptions to VPN tunnel. This section is only displayed if the Always-on VPN (supervised only) option is selected at the top of the window.)

Voice Mail

Select one of the following options for voicemail:

  • Allow traffic via tunnel
  • Allow traffic outside tunnel
  • Drop traffic

Air Print

Select one of the following options for Air Print:

  • Allow traffic via tunnel
  • Allow traffic outside tunnel
  • Drop traffic

Allow traffic from captive web sheet outside the VPN tunnel

Select to allow traffic from captive web sheets outside the VPN tunnel.

Allow traffic from all captive networking apps outside the VPN tunnel

Select to allow traffic from all captive networking apps outside the VPN tunnel.

When selecting this item, skip to the proxy server section.

Captive Networking App Bundle Identifiers

Specify the apps whose traffic you want to allow outside the VPN tunnel. Captive networking apps may require additional entitlements to operate in a captive environment.

Select Add+ to add the bundle ID of a relevant app to the list of apps allowed outside the VPN tunnel.

This section is only displayed if the Allow traffic from all captive networking apps outside the VPN tunnel option is not selected.

Continue to Proxy - Manual , or Proxy - Automatic.

Proxy - None (default)

Use the following guidelines to configure an IPKEv2 (iOS Only) VPN proxy setting type.

Table 62.  Proxy - None (default) settings

Item

Description

Proxy

None is the default setting. To configure a Manual or Automatic proxy, go to Proxy - Manual or Proxy - Automatic.

VPN On Demand

Select to enable VPN On Demand.

The On Demand Rules field displays.

On Demand rules are associated with an array of dictionaries that define the network match criteria identifying a particular network location.

VPN On Demand matches the dictionaries in the On Demand Rules against properties of your current network connection to determine whether domain-based rules should be used in determining whether to connect, then handles the connection as follows:

  • If domain-based matching is enabled for a matching On Demand Rule dictionary, then for each dictionary in that dictionary’s connection evaluation array, VPN On Demand compares the requested domain against the domains listed in the Domains array.
  • If domain-based matching is not enabled, the specified behavior (Connect, Disconnect, Allow, or Ignore) is used if the dictionary otherwise matches.

 

VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.

  • A matching rule is not required. The Default Rule is applied if a matching rule is not defined.
  • If you select Evaluate Connection, a matching rule is not required.
  • You can create up to 10 On Demand matching rules.
  • For each matching rule you can create up to 50 Type and Value pairs.

For instructions, see On Demand Rules.

Per-App VPN

Per-app VPN is supported on iOS devices version 9.0 or supported newer versions.

Select Yes to create a per-app VPN setting. An additional license may be required for this feature.

The Provider Type field displays.

You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting.

You can enable per-app VPN for an app when you:

  • add the app in the App Catalog.
  • edit an in-house app or an App Store app in the App Catalog.

When multiple labels are assigned to associate the selected VPN configurations in the Per-App VPN section, then VPN prioritization will happen in the order of the selected list.

See the Ivanti EPMM [email protected] Guide for information about how to add or edit iOS apps.

Continue to On Demand Rules.

Continue to Domains.

Proxy - Manual

If you select Manual for proxy, you must specify the proxy server, port number and proxy domain information.

Table 63.  Proxy - Manual settings

Item

Description

Proxy

Select Manual. To configure a or Automatic proxy, go to Proxy - Automatic.

Proxy Server

Enter the name for the proxy server.

Proxy Server Port

Enter the port number for the proxy server.

Type - Select Static or Variable for the type of authentication to be used for the proxy server.

Proxy Server User Name

If the authentication type is Static, enter the username for the proxy server.

If the authentication type is Variable, the default variable selected is $USERID$.

Proxy Server Password

If the authentication type is Static, enter the password for the proxy server. Confirm the password in the field below.

If the authentication type is Variable, the default variable selected is $PASSWORD$.

Proxy Domains (iOS only)

The VPN will only proxy for the domain and domain suffixes specified here (.com and .org are examples of top-level domain suffixes). Domain suffixes can be used to match multiple domains. For example, .com would include all .com domains, and example.com would include all domains ending in example.com, such as pages.example.com and mysite.example.com. Wildcards are not supported.

Select Add+ to add a domain.

VPN On Demand

Select to enable VPN On Demand.

The On Demand Rules field displays.

On Demand rules are associated with an array of dictionaries that define the network match criteria identifying a particular network location.

VPN On Demand matches the dictionaries in the On Demand Rules against properties of your current network connection to determine whether domain-based rules should be used in determining whether to connect, then handles the connection as follows:

  • If domain-based matching is enabled for a matching On Demand Rule dictionary, then for each dictionary in that dictionary’s connection evaluation array, VPN On Demand compares the requested domain against the domains listed in the Domains array.
  • If domain-based matching is not enabled, the specified behavior (Connect, Disconnect, Allow, or Ignore) is used if the dictionary otherwise matches.

 

VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.

  • A matching rule is not required. The Default Rule is applied if a matching rule is not defined.
  • If you select Evaluate Connection, a matching rule is not required.
  • You can create up to 10 On Demand matching rules.
  • For each matching rule you can create up to 50 Type and Value pairs.

For instructions, see On Demand Rules.

Per-App VPN

Per-app VPN is supported on iOS devices version 9.0 or supported newer versions.

Select Yes to create a per-app VPN setting. An additional license may be required for this feature.

You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting.

You can enable per-app VPN for an app when you:

  • add the app in the App Catalog.
  • edit an in-house app or an App Store app in the App Catalog.

When multiple labels are assigned to associate the selected VPN configurations in the Per-App VPN section, then VPN prioritization will happen in the order of the selected list.

See the Ivanti EPMM [email protected] Guide for information about how to add or edit iOS apps.

Continue to On Demand Rules.

Continue to Domains.

Proxy - Automatic

If you selected an Automatic proxy, you must specify the proxy server URL and proxy domain(s).

Table 64.  Proxy - Automatic settings

Item

Description

Proxy

Select Automatic proxy. To configure a Manual proxy, go to Proxy - Manual.

Proxy Server URL

Enter the URL for the proxy server.

Enter the URL of the location of the proxy auto-configuration file.

Proxy Domains (iOS only)

The VPN will only proxy for the domain and domain suffixes specified here (.com and .org are examples of top-level domain suffixes). Domain suffixes can be used to match multiple domains. For example, .com would include all .com domains, and example.com would include all domains ending in example.com, such as pages.example.com and mysite.example.com. Wildcards are not supported.

Select Add+ to add a domain.

VPN On Demand

Select to enable VPN On Demand.

The On Demand Rules field displays.

On Demand rules are associated with an array of dictionaries that define the network match criteria identifying a particular network location.

VPN On Demand matches the dictionaries in the On Demand Rules against properties of your current network connection to determine whether domain-based rules should be used in determining whether to connect, then handles the connection as follows:

  • If domain-based matching is enabled for a matching On Demand Rule dictionary, then for each dictionary in that dictionary’s connection evaluation array, VPN On Demand compares the requested domain against the domains listed in the Domains array.
  • If domain-based matching is not enabled, the specified behavior (Connect, Disconnect, Allow, or Ignore) is used if the dictionary otherwise matches.

 

VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.

  • A matching rule is not required. The Default Rule is applied if a matching rule is not defined.
  • If you select Evaluate Connection, a matching rule is not required.
  • You can create up to 10 On Demand matching rules.
  • For each matching rule you can create up to 50 Type and Value pairs.

For instructions, see On Demand Rules.

Per-App VPN

Per-app VPN is supported on iOS devices version 9.0 or supported newer versions.

Select Yes to create a per-app VPN setting. An additional license may be required for this feature.

The Provider Type field displays.

You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting.

You can enable per-app VPN for an app when you:

  • add the app in the App Catalog.
  • edit an in-house app or an App Store app in the App Catalog.

When multiple labels are assigned to associate the selected VPN configurations in the Per-App VPN section, then VPN prioritization will happen in the order of the selected list.

See the Ivanti EPMM [email protected] Guide for information about how to add or edit iOS apps.

Continue to On Demand Rules.

Continue to Domains.

On Demand Rules

Applicable to: iOS 7 and later

Whenever a network change is detected, the VPN On Demand service compares the newly connected network against the match network criteria specified in each set of rules (in order) to determine whether VPN On Demand should be allowed or not on the newly-joined network.

Rule sets are checked sequentially, beginning with the first. A rule set matches the current network only if all of the specified policies in that rule set match.

If a rule set matches the current network, a server probe is sent if a URL is specified in the profile. VPN then acts according to the policy defined in the dictionary (for example, Allow, Ignore, Evaluate Connection, Connect, or Disconnect).

Define sets of evaluation rules for each action that can be taken by VPN On Demand: Allow, Connect, Disconnect, Evaluate Connection, and Ignore. You can define more than one set of rules for each type of action that can be taken. For each set of evaluation rules, the number of rules defined for that set is indicated in the No. of Rules column.

Example of number of rules defined

Procedure 

  1. Select Add+ to add a new set of On Demand evaluation rules.

    A rule creation dialog box opens.

    Rule creation dialog box

  2. From the On Demand Action drop-down list, select the action you want to be taken when the rules you create below are matched.

    The following actions are available:

    Allow: (Deprecated by iOS.) Allow VPN On Demand to connect if triggered.

    Connect: Unconditionally initiate a VPN connection on the next network attempt.

    Disconnect: Tear down the VPN connection and do not reconnect on demand as long as this dictionary matches.

    Evaluate Connection: Evaluate the action parameters for each connection attempt.

    Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as this dictionary matches.

  3. Matching Rules - For each rule you create, enter one of the following types:

    DNS domain: This rule matches if any of the domain names in the specified list matches any domain in the device’s search domains list. A wildcard '*' prefix is supported. For example, *.example.com matches against either mydomain.example.com or yourdomain.example.com.

    DNS Server Address: This rule matches if any of the network’s specified DNS servers match any entry in the list. Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the class A 17 subnet.

    SSID: A list of SSIDs to match against the current network. If the network is not a Wi-Fi network, or if the SSID does not appear in this list, the match fails. Omit this rule and the corresponding list to match against any SSID.

    Interface Type: If specified, this rule matches only if the primary network interface hardware matches the specified interface type. Choose Ethernet, Wifi, or Cellular.

    URL String Probe: A URL to probe. If this URL is successfully fetched without redirection (returning a 200 HTTP status code), this rule matches.

  4. Enter a value for each rule type and an optional description.
  5. After adding your rules, select OK.

Default Rules

Define a default rule that simply specifies a default VPN On Demand action in case none of the On Demand rules match, or if no On Demand rules have been defined.

Procedure 

  1. From the On Demand Action drop-down list, select the action you want to be taken by default, if none of the rules match or none are defined.
  2. Select Add+ to add a default rule.

    The following actions are available:

    Allow: (Deprecated by iOS.) Allow VPN On Demand to connect if triggered.

    Connect: Unconditionally initiate a VPN connection on the next network attempt.

    Disconnect: Tear down the VPN connection and do not reconnect on demand as long as this dictionary matches.

    Evaluate Connection: Evaluate the action parameters for each connection attempt.

    Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as this dictionary matches.

    If you select Evaluate Connection, a domain actions table displays:

    Domain actions table in the Evaluate Connection section.

  3. Select Add+ to add a domain action.

    The Action Parameters dialog box opens.

    Action Parameters dialog box

  4. From the Domain Action drop-down list, select one of the following actions to be taken for the domains listed in the table:

    Connect if needed: The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).

    Never connect: The specified domains should never trigger a VPN connection attempt.

  5. Select Add+ to include any of the following evaluation types:

    Domain: The domains for which this evaluation applies.

    Required DNS Server: IP addresses of DNS servers to be used for resolving the specified domains. These servers need not be part of the device’s current network configuration. If these DNS servers are not reachable, a VPN connection is established in response. These DNS servers should be either internal DNS servers or trusted external DNS servers. You can only configure required DNS server evaluation types for the Connect if needed domain action.

    Required URL Probe: An HTTP or HTTPS (preferred) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response. You can only configure required URL probe evaluation types for the Connect if needed domain action.

  6. Add a value and optional description for each entry.
  7. Select OK to save your domain action parameters.

Domains

Safari Domains

Applicable to: Safari Domains (iOS 7 and later; macOS 10.11 and later)

You must update your VPN software to a version that supports Per-app VPN.

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Safari Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Calendar Domains

Deprecated in iOS 13.4 and later.

Applicable to: Calendar Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Calendar Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Contact Domains

Deprecated in iOS 13.4 and later.

Applicable to: Contact Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Contact Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Mail Domains

Deprecated in iOS 13.4 and later.

Applicable to: Mail Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Mail Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Associated Domains

Applicable to: Associated Domains (iOS 14.3 and later; macOS 11.0 and later)

Connections to servers within one of these domains are associated with the per-app VPN.

  • Add+ - Click to add a domain.
  • Mail Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Excluded Domains

Applicable to: Excluded Domains (iOS 14.3 and later; macOS 11.0 and later)

Connections to servers within one of these domains are excluded from the per-app VPN.

  • Add+ - Click to add a domain.
  • Mail Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.