VPN: IKEv2
The IKEv2 VPN profile configuration enables you to configure IKEv2 VPN settings for devices.
Note: Requires Device Enrollment.
Note: The fields and controls that appear in this dialog box will change according to the selections you make.
General
| VPN Name | Enter the VPN name used to identify this account. |
| Always-On VPN | Select this option to enable Always-On VPN, which enables tunnel configuration options, service exception options, captive web-sheet options, and captive network plugin options. (Requires supervision and iOS 8.0 or later.) |
| Allow User to Disable Auto-Connection | Select this option to allow the user to disable auto-connection. |
| Use Same Tunnel Configuration for Cellular and WiFi | Select this option if you want to use the same tunnel configuration for cellular and WiFi. |
Configurations
General
| VPN Server Hostname / IP Address | Enter the IP address or hostname of the VPN server. |
| Remote Identifier | Enter the remote identifier. |
| Local Identifier | Enter the identifier of the IKEv2 client. |
Machine Authentication
| Authentication Type | Select the type of authentication method for the VPN: Certificate or Shared Secret. |
| Shared Secret | Enter the shared secret used for IKE authentication. |
| Enable EAP | Select this option to enable EAP-only authentication. |
| EAP Authentication | Select the EAP authentication type. |
| Identity Certificate | Select the certificate within thye same profile to use as the account credential. |
| Certificate Type | Select the type of certificate used for IKEv2 machine authentication. If this field is specified and EAP is enabled, the Server Certificate Issuer Common Name field is required. |
| Server Certificate Issuer Common Name | Enter the common name of the server certificate issuer. This field enables IKE to send a certificate request based on this certificate issuer to the server. This field is required if Certificate Type is specified and EAP is enabled. |
| Server Certificate Common Name | Enter the common name of the server certificate. This name is used to validate the certificate sent by the IKE server. If this field is not set, the Remote Identifier is used to validate the certificate. |
| TLS Minimum Version | Select the minimum TLS version to be used with EAP-TLS authentication. |
| TLS Maximum Version | Select the maximum TLS version to be used with EAP-TLS authentication. |
| Domain | Enter the domain for authenticating the connection. Supports macros. |
| Account | Enter the user name used for EAP authentication. Supports macros. |
| Password | Enter the password used for EAP authentication. |
Miscellaneous
| Enable NAT Keepalive While Device Is Asleep | Select this option to enable NAT Keepalive offload. NAT Keepalive has an impact on the battery life since Keepalive packets will be offloaded to hardware while the device is asleep. |
| NAT Keepalive Interval | Enter the NAT Keepalive interval. This value controls the interval over which Keepalive offload packets are sent by the device. |
| Dead Peer Detection Rate | Select the rate for dead peer detection. |
| Disable Redirects | Select this option to disable IKEv2 redirects. If this option is not selected, the IKEv2 connection is redirected if a redirect request is received from the server. |
| Disable Mobility and Multihoming | Select this option to disable mobility and multihoming. |
| Use IPv4/IPv6 Internal Subnet Attributes | Select this option to have negotiations use IKEv2 configuration attributes INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET. |
| Enable Perfect Forward Secrecy | Select this option to enable perfect forward secrecy. |
| Enable Certificate Revocation Check | Select this option to perform a certificate revocation check for IKEv2 connections. This is a best-effort revocation check; server response timeouts won't cause it to fail. |
| Enable Cellular Fallback | When selected, this option enables a tunnel over cellular data to carry traffic that is eligible for WiFi Assist and also requires VPN. Enabling fallback requires that the server support multiple tunnels for a single user. |
VPN On Demand
| Enable VPN On Demand | Select this option to enable VPN On Demand. |
| VPN On Demand Actions | Click the + button to add a VPN On Demand action. |
| Disconnect On Idle | Select After Interval to disconnect after and on-demand connection idles. |
| After Interval | Select the length of time to wait before disconnecting an on-demand connection. |
IKE Security Association Parameters
| Encryption Algorithm | Select the encryption algorithm. |
| Integrity Algorithm | Select the integrity algorithm. |
| Diffie-Hellman Group | Select the Diffie-Hellman group. |
| Lifetime In Minutes | Enter the IKE security association lifetime in minutes. The value must be between 10 and 1440 minutes. |
Child Security Association Parameters
| Encryption Algorithm | Select the encryption algorithm. |
| Integrity Algorithm | Select the integrity algorithm. |
| Diffie-Hellman Group | Select the Diffie-Hellman group. |
| Lifetime In Minutes | Enter the child security association lifetime in minutes. The value must be between 10 and 1440 minutes. |
Proxy
| Proxy | Select how you want to configure proxies to be used with this configuration. |
| URL | Enter the URL that will be used to receive proxy settings. |
| Proxy Server | Enter the hostname or IP address of the proxy server. |
| Username | Enter the username for authenticating the connection. Supports macros. |
| Password | Enter the password for authenticating the connection. |
Service Exceptions
| Voice Mail | Select an option for the voice mail service. |
| AirPrint | Select an option for the AirPrint service. |
| Cellular Services | Select an option for the cellular services. |
| Allow Traffic from All Captive Web Sheets Outside the VPN Tunnel | Select this option to allow traffic from all captive web sheets outside the VPN tunnel. |
| Allow Traffic from All Captive Networking Apps Outside the VPN Tunnel | Select this option to allow traffic from all captive networking apps outside the VPN tunnel to perform captive network handling. |
| Captive Networking Applications | Click the + button to add applications you want to allow on the captive network. |