12/08/2018, 15:12

How to connect to IKEv2 VPN server on iPhone (iOS) on demand

By creating a configuration profile of iOS, it becomes possible to automatically connect to the VPN server even if we start switching between wifi and telephone line In this example, communication is performed via VPN on cellular phone line and wifi other than home, and VPN is automatically ...

By creating a configuration profile of iOS, it becomes possible to automatically connect to the VPN server even if we start switching between wifi and telephone line In this example, communication is performed via VPN on cellular phone line and wifi other than home, and VPN is automatically disconnected when connected to home wifi.

I am using ziproxy to reduce the amount of data communication and improve the apparent communication speed, but since there is troublesome to connect a VPN one by one, it is the reason why that I wanted to do something.

We can setup connect as description in the following site How To Setup IKEV2 Strongswan VPN Server on Ubuntu For iOS / iPhone

There is one thing that we have to do is that to make sure to do exactly what was written in the description (without any omission)

What is iOS Construction Profile

A file with some settings of iOS. You can generate it using the tool called Apple Configurator 2, but this tool is for macos so it can not be used with other OS. However, since the configuration profile is an XML file in plist format, it can be written manually without problem.

Create iOS Construction Profile

We can handle this by using the Configuration Profile Reference However, it is troublesome to write all by yourself, so I will put the configuration profile I did compose:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
 <dict>
 <key>PayloadContent</key>
 <array>
 <dict>
 <key>IKEv2</key>
 <dict>
 <key>AuthName</key>
 <string>Username for authentication</string>
 <key>AuthPassword</key>
 <string>Password for authentication</string>
 <key>AuthenticationMethod</key>
 <string>SharedSecret</string>
 <key>key PSK! PSK! using before server authentication</key>
 <dict>
 <key>DiffieHellmanGroup</key>
 <integer>2</integer>
 </dict>
 <key>DeadPeerDetectionRate</key>
 <string>High</string>
 <key>DisableMOBIKE</key>
 <integer>0</integer>
 <key>NATKeepAliveOffloadEnable</key>
 <integer>1</integer>
 <key>NATKeepAliveInterval</key>
 <integer>20</integer>
 <key>DisableRedirect</key>
 <integer>0</integer>
 <key>EnableCertificateRevocationCheck</key>
 <integer>0</integer>
 <key>EnablePFS</key>
 <integer>0</integer>
 <key>ExtendedAuthEnabled</key>
 <true/>
 <key>IKESecurityAssociationParameters</key>
 <dict>
 <key>EncryptionAlgorithm</key>
 <string>AES-256 </string>
 <key>IntegrityAlgorithm</key>
 <string>SHA2-256</string>
 <key>DiffieHellmanGroup</key>
 <integer>2</integer>
 <key>LifeTimeInMinutes</key>
 <integer>1440</integer>
 </dict>
 <key>LocalIdentifier</key>
 <string>myserver.com.client</string>
 <key>RemoteAddress</key>
 <string>Global IP address of the VPN server</string>
 <key>RemoteIdentifier</key>
 <string>myserver.com.server</string>
 <key>SharedSecret</key>
 <string>key PSK! PSK! using before server authentication</string>
 <key>UseConfigurationAttributeInternalIPSubnet</key>
 <integer>0</integer>
 </dict>
 <key>IPv4</key>
 <dict>
 <key>OverridePrimary</key>
 <integer>1</integer>
 </dict>
 <key>PayloadDescription</key>
 <string>Configures VPN settings for iphone</string>
 <key>PayloadDisplayName</key>
 <string>VPN</string>
 <key>PayloadIdentifier</key>
 <string>com.apple.vpn.managed. just-like-that UUID</string>
 <key>PayloadType</key>
 <string>com.apple.vpn.managed</string>
 <key>PayloadUUID</key>
 <string>just-like-that UUID</string>
 <key>PayloadVersion</key>
 <real>1</real>
 <key>Proxies</key>
 <dict>
 <key>HTTPEnable</key>
 <integer>1</integer>
 <key>HTTPProxy</key>
 <string>Private IP address of ziproxy</string>
 <key>HTTPPort</key>
 <integer>ziproxy Port</integer>
 <key>HTTPSEnable</key>
 <integer>1</integer>
 <key>HTTPSProxy</key>
 <string>Private IP address of ziproxy</string>
 <key>HTTPSPort</key>
 <integer>ziproxy Port</integer>
 <key>ProxyAutoConfigEnable</key>
 <integer>0</integer>
 <key>ProxyAutoDiscoveryEnable</key>
 <integer>0</integer>
 </dict>
 <key>UserDefinedName</key>
 <string>vpn</string>
 <key>VPNType</key>
 <string>IKEv2</string>

 <key>OnDemandEnabled</key>
 <integer>1</integer>
 <key>OnDemandRules</key>
 <array>
  <dict>
    <key>Action</key>
    <string>Disconnect</string>
    <key>SSIDMatch</key>
    <array>
      <string>SSID of home wifi</string>
    </array>
  </dict>

  <dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>Action</key>
    <array>
      <dict>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
      </dict>
    </array>
  </dict>

  <dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>Action</key>
    <array>
      <dict>
        <key>InterfaceTypeMatch</key>
        <string>Cellular</string>
      </dict>
    </array>
  </dict>

  <dict>
    <key>Action</key>
    <string>Connect</string>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
  </dict>

  <dict>
    <key>Action</key>
    <string>Connect</string>
    <key>InterfaceTypeMatch</key>
    <string>Cellular</string>
  </dict>

 </array>


 <key>VendorConfig</key>
 <dict/>
 </dict>
 </array>
 <key>PayloadDisplayName</key>
 <string>IKEv2</string>
 <key>PayloadIdentifier</key>
 <string>just-like-that UUID</string>
 <key>PayloadRemovalDisallowed</key>
 <false/>
 <key>PayloadType</key>
 <string>Configuration</string>
 <key>PayloadUUID</key>
 <string>just-like-that UUID</string>
 <key>PayloadVersion</key>
 <integer>1</integer>
 </dict>
</plist>

When OnDemandEnabled is set to 1, on-demand communication is enabled and VPN connection / disconnection can be automated according to the defined situation.

In the configuration I use, I use the following rules.

  • Disconnect VPN when connected to home wifi
  • When trying to communicate when using wifi VPN connection
  • Attempting to communicate when using a mobile phone line VPN connection
  • VPN connection when connected to wifi
  • Connecting to a mobile phone line (wifi expires) VPN connection

Disconnect VPN when connecting to Home wifi

  <dict>
    <key>Action</key>
    <string>Disconnect</string>
    <key>SSIDMatch</key>
    <array>
      <string>SSID of home wifi</string>
    </array>
  </dict>

If you specify EvaluateConnection for Action, VPN connection will be made if all conditions specified by array are satisfied. Multiple conditions can be specified.

Difference between EvaluateConnection and Connect

EvaluateConnection, Connect and Disconnect can be specified for Action. Because Disconnect is an action to terminate a VPN connection as it is

EvaluateConnection is evaluated each time you attempt to communicate, while Connect is only evaluated when the interface you use changes. In other words, since Connect is executed only when wifi is connected / disconnected, even if the VPN connection is disconnected for some reason afterwards, it will not be reconnected. On the other hand, since EvaluateConnection is evaluated during communication, it automatically reconnects if the VPN connection is broken.

In my configuration example, both EvaluateConnection and Connect are used to save the latency of automatic reconnection and VPN connection.

There are various other configurable items, so please see the documentation for details.

0