Configuring VPN chaining

VPN chaining is the nesting of a VPN tunnel in another VPN tunnel. VPN chaining provides additional security by hiding the Ivanti Tunnel VPN end destination. With Ivanti Tunnel you can configure VPN chaining with OpenVPN as the outer tunnel and Tunnel as the inner tunnel. VPN chaining can be configured for per-app only.

Before you begin

Configure Tunnel for Samsung Knox Workspace as described in Configuration overview for Ivanti Tunnel for the Samsung Knox container (Ivanti EPMM).
Configure an OpenVPN VPN setting in the Ivanti EPMM Admin Portal. For more information, see the “Configuring new VPN settings” and the “OpenVPN” sections in the Ivanti EPMM Device Management Guide for Android.

Use the OpenVPN setting on Ivanti EPMM only to configure Samsung “OpenVPN net.openvpn.knox.connect” for Samsung Knox devices. The configuration is available only to limited customers as approved by Samsung. Contact Samsung to get the correct OpenVPN package. It is supported only on devices with the Samsung Knox option selected in the VPN setting.

Procedure

In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
Select and Edit the Ivanti Tunnel VPN configuration for Samsung Knox Workspace.
1. In the Ivanti Tunnel VPN configuration for Samsung Knox Workspace, for VPN Chaining, select Inner.
2. Click Save.
Select and Edit the OpenVPN configuration.
1. In the OpenVPN configuration, for VPN Chaining, select Outer.
2. Click Save.
Select and Edit the Samsung Knox container configuration.

Figure 1. Apps configuration
In the Apps section of the Samsung Knox container configuration, do the following:
1. For VPN for Tunnel, select the OpenVPN configuration with outer VPN chaining (Configured in step 3).
2. For apps that will use VPN chaining, select the Ivanti Tunnel VPN configuration with inner VPN chaining (Configured in step 2).
Ensure that the configurations are applied to a label that contains the devices for which you want to allow VPN chaining with Ivanti Tunnel.