VPN Configuration
- Android (Deprecated for Android Enterprise devices. You need to use the Managed Configuration for specific VPN from the App Catalog.)
- Windows
- iOS
- macOS
- visionOS
A VPN configuration defines the settings for virtual private network access.
Delegation with custom distribution option is available for this configuration. For more information, see Distributing the configuration topic in Working with Configurations.
Procedure
- Go to Configurations > +Add.
- Select the VPN configuration.
- Enter a Name for the configuration.
- Enter a description.
- Configure the VPN settings as per the following descriptions.
- (iOS 9.0+ Only) In the Match Domains section, click + Add to enter one or more matching domains (example: company.com). Proxy connection is used when the domain is one of these specified domains.
- Click Next.
- (macOS only) In the Distribute page, select one of the following distribution options:
- Device channel - the configuration is effective for all users on a device, which is the typical option.
- User channel - the configuration is effective only for the currently registered user on a device.
- Select the remaining distribution options for this configuration.
- Click Done.
VPN settings
Setting |
What To Do |
Name |
Enter a name that identifies this configuration. |
Description |
Enter a description that clarifies the purpose of this configuration. |
Connection Type |
Select the type of VPN to configure. The remaining settings depend on this selection. |
The protocols and their settings are listed as follows:
-
L2TP (Not supported on Ivanti Go)
-
PPTP (Not supported on Ivanti Go)
-
IPsec (Cisco) (Not supported on Ivanti Go)
-
Cisco AnyConnect (Supported on Ivanti Go)
-
Juniper SSL (Not supported on Ivanti Go)
-
NetMotion VPN (Not supported on Ivanti Go)
- Pulse Secure (Supported on Ivanti Go)
-
F5 SSL (Not supported on Ivanti Go)
-
SonicWALL Mobile Connect (Not supported on Ivanti Go)
-
Aruba VIA (Not supported on Ivanti Go)
-
Custom SSL (Not supported on Ivanti Go)
-
Palo Alto Networks GlobalProtect (Supported on Ivanti Go)
-
KEv2 (Windows Only) (Not supported on Ivanti Go)
-
IKEv2 (Not supported on Ivanti Go)
L2TP
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
User Authentication |
Select the authentication method to use: Password or RSA SecurID. |
Shared Secret |
Enter the shared secret passcode if one is necessary for initiating the connection. |
Send All Traffic |
Select this option to use this connection for all network traffic. This option helps protect data from being compromised, particularly on public networks. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
PPTP
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
User Authentication |
Select the authentication method to use: Password or RSA SecurID. |
Encryption Level |
Select a level of data encryption for the connection: None, Automatic, or Maximum (128-bit). |
Send All Traffic |
Select this option to use this connection for all network traffic. This option helps protect data from being compromised, particularly on public networks. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
IPsec (Cisco)
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
Machine Authentication |
Select the authentication method to use: Shared Secret/Group Name or Certificate. |
Group Name |
Shared Secret/Group Name authentication. Specify the name of the group to use. If Hybrid Authentication is used, the string must end with “[hybrid]â€. |
Shared Secret |
Shared Secret/Group Name authentication. Enter the shared secret passcode. |
Use Hybrid Authentication |
Shared Secret/Group Name authentication. Select to specify hybrid authentication, i.e., server provides a certificate and the client provides a pre-shared key. |
Prompt for Password |
Shared Secret/Group Name authentication. Specify whether the user should be prompted for a password when connecting. |
Credential |
Certificate authentication Select the identity certificate to use. |
Include User PIN |
Certificate authentication Select to prompt the user for a PIN. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional fields are available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
Cisco AnyConnect
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
Group |
Enter the group to use to authenticate the connection. |
User Authentication |
Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
Juniper SSL
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
Realm |
Enter the authentication realm to be used for authenticating the connection. |
Role |
Enter the authentication role to be used for authenticating the connection. |
User Authentication |
Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
NetMotion VPN
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
User Authentication |
Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
F5 SSL
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection. |
User Authentication |
Enter the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
SonicWALL Mobile Connect
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
Login Group or Domain |
Enter the login group or domain to be used for authenticating the connection. |
User Authentication |
Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
Aruba VIA
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
User Authentication |
Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
Custom SSL
Setting |
What To Do |
Identifier |
Enter the identifier for this custom SSL VPN in reverse DNS format (such as com.mycompany.myserver). |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection.* |
Custom Data |
Enter the key-value pairs that define the custom data for this VPN. |
User Authentication |
Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
Palo Alto Networks GlobalProtect
Setting |
What To Do |
Server |
Enter the IP address or host name for the VPN server. |
Account |
Enter the user account to be used for authenticating the connection. |
Custom Data |
Enter the key-value pairs that define the custom data for this VPN. |
User Authentication |
Select the user authentication method to use: Password or Certificate. If you select Certificate, then the following field is available: Credential: Select the identity certificate to use. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
IKEv2 (Windows Only)
Setting |
What To Do |
Server |
Enter the host name or IP address of the VPN server. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
IKEv2
Setting |
What To Do |
Server |
Enter the host name or IP address of the VPN server. |
Local Identifier |
Identifier of the IKEv2 client in one of the following formats:
|
Remote Identifier |
Remote identifier in one of the following formats:
|
Machine Authentication |
Available only if Enable EAP is not selected. Select one of the following:
|
EAP Authentication |
Available only if Enable EAP is selected. Select one of the following:
|
Shared Secret |
Available only if Shared Secret was selected for Machine Authentication. Enter the shared secret for the connection. |
Credential |
Available only if Certificate was selected for Machine Authentication. Select the certificate to use. this certificate will be sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS. |
Enable EAP |
Select to enable extended authentication. |
Account |
Available only if Username/Password was selected for EAP Authentication. Enter the account ID for the VPN server. |
Password |
Available only if Username/Password was selected for EAP Authentication. Enter the password for the VPN server. |
Dead Peer Detection Interval |
Select one of the following options:
|
Server Certificate Issuer Common Name |
(Optional) - Common name of a server certificate issuer, causes the IKE server to send a certificate request based on the certificate issuer to the server. |
Server Certificate Common Name |
(Optional) - Common name of a server certificate used to validate the certificate sent by the IKEv2 server. |
Use IP4 and IP6 subnets attributes |
(Optional) Select to use IP4 and IP6 subnets attributes. |
Enable IKEv2 Mobility and Multihoming Protocol (MOBIKE) |
(Optional) The default setting is 0. MOBIKE (The ability to support multi-homed mobile devices when connected to both Wi-Fi and cellular links with multiple IP addresses) is enabled. It is enabled by default. Set to 1 to disable MOBIKE. |
Enable Perfect Forward Secrecy (PFS) |
(Optional) When set to 1 it enables PFS for IKEv2 connections. The default setting is 0. |
Enable IKEv2 redirect |
(Optional) The default setting is 0. The IKEv2 connection is redirected if a redirect request is received from the server. It is enabled by default. Set to 1 to disable IKEv2 redirect. |
Enable NAT keepalive |
Enables the Network Address Translation keepalive that prevents the deletion of NAT entries in the absence of any traffic when there is NAT between IKE peers. |
NAT keepalive interval |
If NAT keepalive is enabled, this is the time in seconds that keepalive packets will be sent for the device. |
Encryption Algorithm |
Select one of the following options:
|
Integrity Algorithm |
Select one of the following options:
|
Diffie Hellman Group |
Select one of the following options:
|
Lifetime In Minutes |
Enter the SA lifetime (re-key interval) in minutes. Valid values are 10 through 1440. |
Proxy Setup |
Select Manual or Automatic to configure a proxy. If you select Manual, then the following additional fields are available:
If you select Automatic, then the following additional field is available: Proxy Server URL: Enter the fully-qualified URL for the proxy. |
*Type $ to see a list of supported variables, if available, for this field.
For more information, see How to create a configuration