# IKEv2
## Summary
### IKEv2
IKEv2 settings
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
dictionary | {'UseConfigurationAttributeInternalIPSubnet': 0, 'IKESecurityAssociationParameters': {'EncryptionAlgorithm': '3DES', 'LifeTimeInMinutes': 1440, 'DiffieHellmanGroup': 14, 'IntegrityAlgorithm': 'SHA1-96'}, 'EnableCertificateRevocationCheck': 0, 'EnablePFS': 0, 'DeadPeerDetectionRate': 'Medium', 'DisableRedirect': 0, 'DisableMOBIKE': 0, 'ChildSecurityAssociationParameters': {'EncryptionAlgorithm': '3DES', 'LifeTimeInMinutes': 1440, 'DiffieHellmanGroup': 14, 'IntegrityAlgorithm': 'SHA1-96'}, 'AuthenticationMethod': 'SharedSecret'} | N/A | N/A | N/A | N/A | N/A |
Name | Type | Title | Description | Required |
---|---|---|---|---|
RemoteAddress | string | RemoteAddress | IP address or hostname of the VPN server | always |
LocalIdentifier | string | LocalIdentifier | Identifier of the IKEv2 client | always |
RemoteIdentifier | string | RemoteIdentifier | Remote Identifier of the IKEv2 client | always |
AuthenticationMethod | string | AuthenticationMethod | AuthenticationMethod of the IKEv2 client | always |
PayloadCertificateUUID | string | PayloadCertificateUUID | The UUID of the identity certificate as the account credential | n/a |
SharedSecret | string | SharedSecret | Value for IKE authentication | n/a |
ExtendedAuthEnabled | integer | ExtendedAuthEnabled | Set to 1 to enable extended authentication (EAP) | n/a |
AuthName | string | AuthName | Username used for authentication | n/a |
DisableRedirect | integer | Disable Redirect | Set to 1 to disable IKEv2 redirect | n/a |
DisableMOBIKE | integer | Disable Mobility and Multihoming | Set to 1 to disable MOBIKE negotiation in IKEv2 | n/a |
UseConfigurationAttributeInternalIPSubnet | integer | Use IPv4 / IPv6 Internal Subnet Attributes | Set to 1 to indicate if negotiation should use IKEv2 Configuration Attribute INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET. | n/a |
EnablePFS | integer | Enable perfect forward secrecy | Set to 1 to enable Perfect Forward Secrecy for IKEv2 connections | n/a |
ServerAddresses | array | An array of DNS server IP address strings | An array of DNS server IP address strings (IPv4 or IPv6) | n/a |
SearchDomains | array | A list of domain strings used to fully qualify single-label host names. | A list of domain strings used to fully qualify single-label host names. | n/a |
DomainName | string | The primary domain of the tunnel | The primary domain of the tunnel | n/a |
SupplementalMatchDomains | array | A list of domain strings used to determine which DNS queries will use the DNS resolver settings contained in ServerAddresses. | A list of domain strings used to determine which DNS queries will use the DNS resolver settings contained in ServerAddresses. | n/a |
SupplementalMatchDomainsNoSearch | integer | Append supplemental domains to resolver list | Optional. Whether (0) or not (1) the domains in the SupplementalMatchDomains list should be appended to the resolver’s list of search domains. Default is 0. | n/a |
EnableCertificateRevocationCheck | integer | Enable certificate revocation check | Optional. Set to 1 to enable a certificate revocation check for IKEv2 connections. This is a best-effort revocation check; server response timeouts will not cause it to fail. | n/a |
AuthPassword | string | AuthPassword | Password used for authentication | n/a |
DeadPeerDetectionRate | string | Dead Peer Detection Rate | Dead peer detection rate | n/a |
CertificateType | string | Certificate Type | Type of the certificate; defaults to RSA | n/a |
ServerCertificateIssuerCommonName | string | ServerCertificateIssuerCommonName | Common Name of the server certificate issuer | n/a |
ServerCertificateCommonName | string | ServerCertificateCommonName | Common name of the server certificate | n/a |
TLSMinimumVersion | string | TLSMinimumVersion | The minimum TLS version to be used with EAP-TLS authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default minimum is 1.0. | n/a |
TLSMaximumVersion | string | TLSMaximumVersion | The maximum TLS version to be used with EAP-TLS authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default maximum is 1.2. | n/a |
NATKeepAliveOffloadEnable | integer | NAT Keepalive offload for Always On VPN IKEv2 connections | Set to 1 to enable or 0 to disable NAT Keepalive offload for Always On VPN IKEv2 connections | n/a |
NATKeepAliveInterval | integer | NAT Keepalive interval for Always On VPN IKEv2 connections | NAT Keepalive interval for Always On VPN IKEv2 connections | n/a |
IKESecurityAssociationParameters | dictionary | IKESecurityAssociationParameters | Applies to child Security Association | n/a |
ChildSecurityAssociationParameters | dictionary | ChildSecurityAssociationParameters | Applies to child Security Association | n/a |
## Keys
### RemoteAddress
IP address or hostname of the VPN server
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | always | N/A | N/A | N/A | N/A |
### LocalIdentifier
Identifier of the IKEv2 client
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | always | N/A | N/A | N/A | N/A |
Identifier of the IKEv2 client in one of the following formats:
- FQDN
- UserFQDN
- Address
- ASN1DN
### RemoteIdentifier
Remote Identifier of the IKEv2 client
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | always | N/A | N/A | N/A | N/A |
Identifier of the IKEv2 client in one of the following formats:
- FQDN
- UserFQDN
- Address
- ASN1DN
### AuthenticationMethod
Authentication method of the IKEv2 client
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | always | N/A | N/A | N/A | N/A |
#### Valid Choices
- SharedSecret
- Certificate
- None
Note: To enable EAP-only authentication, the authentication method should be set to None and the ExtendedAuthEnabled key should be set to 1. If this key is set to None and the ExtendedAuthEnabled key is not set, the authentication configuration defaults to SharedSecret.
### PayloadCertificateUUID
The UUID of the identity certificate as the account credential
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
If the value of AuthenticationMethod is Certificate, this certificate is sent out for IKEv2 machine authentication. If extended authentication (EAP) is used, it is sent out for EAP-TLS authentication.
If AuthenticationMethod is SharedSecret, this value is used for IKE authentication.
### ExtendedAuthEnabled
Set to 1 to enable extended authentication (EAP)
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 0 | N/A | N/A | N/A | N/A | N/A |
### AuthName
Username used for authentication
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
### DisableRedirect
Disable Redirect
Set to 1 to disable IKEv2 redirect
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 0 | N/A | N/A | N/A | N/A | N/A |
### DisableMOBIKE
Disable Mobility and Multihoming
Set to 1 to disable MOBIKE negotiation in IKEv2
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 0 | N/A | N/A | N/A | N/A | N/A |
### UseConfigurationAttributeInternalIPSubnet
Use IPv4 / IPv6 Internal Subnet Attributes
Set to 1 to indicate if negotiation should use IKEv2 Configuration Attribute INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 0 | N/A | N/A | N/A | N/A | N/A |
### EnablePFS
Enable perfect forward secrecy
Set to 1 to enable Perfect Forward Secrecy for IKEv2 connections
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 0 | N/A | N/A | N/A | N/A | N/A |
### ServerAddresses
An array of DNS server IP address strings (IPv4 or IPv6)
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | 10.0 | 10.12 | N/A |
### SearchDomains
A list of domain strings used to fully qualify single-label host names.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | 10.0 | 10.12 | N/A |
### DomainName
The primary domain of the tunnel
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | 10.0 | 10.12 | N/A |
### SupplementalMatchDomains
A list of domain strings used to determine which DNS queries will use the DNS resolver settings contained in ServerAddresses.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | 10.0 | 10.12 | N/A |
This key is used to create a split DNS configuration where only hosts in certain domains are resolved using the tunnel’s DNS resolver. Hosts not in one of the domains in this list are resolved using the system’s default resolver.
If SupplementalMatchDomains contains the empty string it becomes the default domain. This is how a split-tunnel configuration can direct all DNS queries first to the VPN DNS servers before the primary DNS servers.
If the VPN tunnel becomes the network’s default route, the servers listed in ServerAddresses become the default resolver and the SupplementalMatchDomains list is ignored.
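The three rules above (match-domain routing, the empty-string default, and the default-route override) together with the SearchDomains and SupplementalMatchDomainsNoSearch keys decide where each DNS query goes. The following Python is an added example written for this page, not code from the project or from Apple; it models those rules on a settings dictionary. Treating a match domain as covering the domain itself and any subdomain is an assumption of this example, and the "tunnel first, then primary" behaviour of the empty-string default is reduced to "tunnel" here.

```python
from typing import Any, Dict, List


def _norm(domain: str) -> str:
    """Canonical form for comparison: trimmed, no leading/trailing dot, lower-case."""
    return domain.strip().strip(".").lower()


def search_list(ikev2: Dict[str, Any]) -> List[str]:
    """Search domains used to qualify single-label names.

    SearchDomains come first; unless SupplementalMatchDomainsNoSearch is 1
    (default 0), the SupplementalMatchDomains entries are appended. The empty
    string match domain is never a search domain.
    """
    result: List[str] = []
    for d in ikev2.get("SearchDomains") or []:
        d = _norm(d)
        if d and d not in result:
            result.append(d)
    if ikev2.get("SupplementalMatchDomainsNoSearch", 0) != 1:
        for d in ikev2.get("SupplementalMatchDomains") or []:
            d = _norm(d)
            if d and d not in result:
                result.append(d)
    return result


def qualify(hostname: str, ikev2: Dict[str, Any]) -> List[str]:
    """Candidate FQDNs for a name: a single-label name gets each search domain appended."""
    host = _norm(hostname)
    if "." in host:
        return [host]
    return [f"{host}.{d}" for d in search_list(ikev2)] or [host]


def resolver_for(hostname: str, ikev2: Dict[str, Any],
                 tunnel_is_default_route: bool = False) -> str:
    """Return "tunnel" if the query is sent to ServerAddresses, else "system".

    Page rules: without ServerAddresses there is no tunnel resolver; when the
    tunnel is the default route the match list is ignored and every query goes
    to the tunnel resolver; an empty-string match domain makes the tunnel
    resolver the default for all names.
    """
    if not ikev2.get("ServerAddresses"):
        return "system"
    if tunnel_is_default_route:
        return "tunnel"
    host = _norm(hostname)
    for d in ikev2.get("SupplementalMatchDomains") or []:
        d = _norm(d)
        if d == "" or host == d or host.endswith("." + d):
            return "tunnel"
    return "system"


def plan(hostname: str, ikev2: Dict[str, Any],
         tunnel_is_default_route: bool = False) -> Dict[str, str]:
    """Map each candidate FQDN for a name to the resolver that will handle it."""
    return {fqdn: resolver_for(fqdn, ikev2, tunnel_is_default_route)
            for fqdn in qualify(hostname, ikev2)}


# Constructed sample settings (placeholder addresses and domains).
SPLIT_DNS = {
    "ServerAddresses": ["10.8.0.53"],
    "SearchDomains": ["example.com"],
    "SupplementalMatchDomains": ["corp.example.com"],
    "DomainName": "corp.example.com",
}
# Same tunnel, but the empty string sends every query to the VPN resolver first.
ALL_TO_TUNNEL = {**SPLIT_DNS, "SupplementalMatchDomains": [""]}

if __name__ == "__main__":
    for name in ("wiki", "wiki.corp.example.com", "www.example.org"):
        print(name, plan(name, SPLIT_DNS), plan(name, ALL_TO_TUNNEL))
```

Running `plan("wiki", SPLIT_DNS)` shows why the NoSearch flag matters: the single label is tried against both search domains, and only the `corp.example.com` candidate is answered by the tunnel resolver, so the `example.com` candidate leaks to the system resolver.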
### EnableCertificateRevocationCheck
Enable certificate revocation check
Optional. Set to 1 to enable a certificate revocation check for IKEv2 connections. This is a best-effort revocation check; server response timeouts will not cause it to fail.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 0 | N/A | N/A | 9.0 | N/A | N/A |
### AuthPassword
Password used for authentication
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
### DeadPeerDetectionRate
Dead peer detection rate
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | Medium | N/A | N/A | N/A | N/A | N/A |
#### Valid Choices
- None: disabled
- Low: keepalive sent every 30 minutes
- Medium: keepalive sent every 10 minutes
- High: keepalive sent every 1 minute
### CertificateType
Certificate Type
Type of the certificate; defaults to RSA
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
### ServerCertificateIssuerCommonName
Common Name of the server certificate issuer
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
If set, this field will cause IKE to send a certificate request based on this certificate issuer to the server.
This key is required if both the CertificateType key is included and the ExtendedAuthEnabled key is set to 1.
### ServerCertificateCommonName
Common name of the server certificate
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
This name is used to validate the certificate sent by the IKE server. If not set, the Remote Identifier will be used to validate the certificate.
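The authentication-related rules on this page interact: the note under AuthenticationMethod (None only means EAP-only when ExtendedAuthEnabled is 1, otherwise SharedSecret applies), the role of PayloadCertificateUUID for machine or EAP-TLS authentication, the ServerCertificateIssuerCommonName requirement when CertificateType is present with ExtendedAuthEnabled, and the fallback to RemoteIdentifier for server certificate validation. The Python below is an added example for this page, not project or Apple code: it resolves the effective method and lints a settings dictionary against those rules. Treating a missing SharedSecret, PayloadCertificateUUID or AuthName as a problem is this example's own policy; the sample host names, UUID and secret are placeholders.

```python
from typing import Any, Dict, List

VALID_METHODS = ("SharedSecret", "Certificate", "None")
REQUIRED_KEYS = ("RemoteAddress", "LocalIdentifier", "RemoteIdentifier",
                 "AuthenticationMethod")


def effective_auth_method(ikev2: Dict[str, Any]) -> str:
    """IKE authentication method the device will actually use.

    "None" means EAP-only only when ExtendedAuthEnabled is 1; otherwise the
    configuration falls back to SharedSecret, as the page's note states.
    """
    method = ikev2.get("AuthenticationMethod", "SharedSecret")
    if method == "None" and ikev2.get("ExtendedAuthEnabled", 0) != 1:
        return "SharedSecret"
    return method


def expected_server_name(ikev2: Dict[str, Any]) -> str:
    """Name the client validates the server certificate against."""
    return ikev2.get("ServerCertificateCommonName") or ikev2.get("RemoteIdentifier", "")


def check_auth(ikev2: Dict[str, Any]) -> List[str]:
    """Return problems found; an empty list means the auth section is consistent."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in ikev2:
            problems.append(f"{key} is required")
    method = ikev2.get("AuthenticationMethod")
    if method is not None and method not in VALID_METHODS:
        problems.append(f"AuthenticationMethod {method!r} is not one of {VALID_METHODS}")
        return problems
    eap = ikev2.get("ExtendedAuthEnabled", 0) == 1
    effective = effective_auth_method(ikev2)
    if effective == "SharedSecret":
        if method == "None":
            # Most common slip: EAP intended, ExtendedAuthEnabled left unset.
            problems.append("AuthenticationMethod None without ExtendedAuthEnabled=1 "
                            "silently falls back to SharedSecret")
        if not ikev2.get("SharedSecret"):
            problems.append("SharedSecret value missing for SharedSecret authentication")
    elif effective == "Certificate" and not ikev2.get("PayloadCertificateUUID"):
        problems.append("PayloadCertificateUUID missing for Certificate machine authentication")
    if eap and not (ikev2.get("PayloadCertificateUUID") or ikev2.get("AuthName")):
        problems.append("ExtendedAuthEnabled=1 but neither PayloadCertificateUUID (EAP-TLS) "
                        "nor AuthName is set")
    if "CertificateType" in ikev2 and eap and not ikev2.get("ServerCertificateIssuerCommonName"):
        problems.append("ServerCertificateIssuerCommonName is required when CertificateType "
                        "is set and ExtendedAuthEnabled is 1")
    return problems


# Constructed sample settings (placeholder names, UUID and secret).
EAP_ONLY = {
    "RemoteAddress": "vpn.example.com",
    "LocalIdentifier": "laptop-42.example.com",
    "RemoteIdentifier": "vpn.example.com",
    "AuthenticationMethod": "None",
    "ExtendedAuthEnabled": 1,
    "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
}
# Same intent, but the ExtendedAuthEnabled key was forgotten.
FORGOT_EAP_FLAG = {k: v for k, v in EAP_ONLY.items() if k != "ExtendedAuthEnabled"}

if __name__ == "__main__":
    for label, cfg in (("EAP_ONLY", EAP_ONLY), ("FORGOT_EAP_FLAG", FORGOT_EAP_FLAG)):
        print(label, effective_auth_method(cfg), check_auth(cfg))
```

The second sample is the case the page's note warns about: the device does not reject the profile, it negotiates SharedSecret authentication instead, which the lint surfaces before the profile is pushed.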
### TLSMinimumVersion
The minimum TLS version to be used with EAP-TLS authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default minimum is 1.0.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | 1.0 | N/A | N/A | 11.0 | 10.13 | N/A |
#### Valid Choices
- 1.0
- 1.1
- 1.2
### TLSMaximumVersion
The maximum TLS version to be used with EAP-TLS authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default maximum is 1.2.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | 1.2 | N/A | N/A | 11.0 | 10.13 | N/A |
#### Valid Choices
- 1.0
- 1.1
- 1.2
### NATKeepAliveOffloadEnable
NAT Keepalive offload for Always On VPN IKEv2 connections
Set to 1 to enable or 0 to disable NAT Keepalive offload for Always On VPN IKEv2 connections
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | 1 | N/A | N/A | N/A | N/A | N/A |
Keepalive packets are sent by the device to maintain NAT mappings for IKEv2 connections that have a NAT on the path. Keepalive packets are sent at regular intervals while the device is awake. If NATKeepAliveOffloadEnable is set to 1, Keepalive packets are offloaded to hardware while the device is asleep. NAT Keepalive offload has an impact on battery life, since extra work is done during sleep. The default interval for the Keepalive offload packets is 20 seconds over WiFi and 110 seconds over a Cellular interface. The default NAT Keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network is known to have larger NAT mapping timeouts, larger Keepalive intervals may be safely used to minimize battery impact.
The Keepalive interval can be modified by setting the NATKeepAliveInterval key.
### NATKeepAliveInterval
NAT Keepalive interval for Always On VPN IKEv2 connections
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | N/A | N/A | N/A | N/A | N/A | N/A |
This value controls the interval over which Keepalive offload packets are sent by the device. The minimum value is 20 seconds.
If no key is specified, the default is 20 seconds over WiFi and 110 seconds over a Cellular interface.
### IKESecurityAssociationParameters
Applies to child Security Association
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
dictionary | {'EncryptionAlgorithm': '3DES', 'LifeTimeInMinutes': 1440, 'DiffieHellmanGroup': 14, 'IntegrityAlgorithm': 'SHA1-96'} | N/A | N/A | N/A | N/A | N/A |
Name | Type | Title | Description | Required |
---|---|---|---|---|
EncryptionAlgorithm | string | EncryptionAlgorithm | EncryptionAlgorithm | n/a |
IntegrityAlgorithm | string | IntegrityAlgorithm | IntegrityAlgorithm | n/a |
DiffieHellmanGroup | integer | DiffieHellmanGroup | DiffieHellmanGroup | n/a |
LifeTimeInMinutes | integer | LifeTimeInMinutes | LifeTimeInMinutes | n/a |
### ChildSecurityAssociationParameters
Applies to child Security Association
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
dictionary | {'EncryptionAlgorithm': '3DES', 'LifeTimeInMinutes': 1440, 'DiffieHellmanGroup': 14, 'IntegrityAlgorithm': 'SHA1-96'} | N/A | N/A | N/A | N/A | N/A |
Name | Type | Title | Description | Required |
---|---|---|---|---|
EncryptionAlgorithm | string | EncryptionAlgorithm | EncryptionAlgorithm | n/a |
IntegrityAlgorithm | string | IntegrityAlgorithm | IntegrityAlgorithm | n/a |
DiffieHellmanGroup | integer | DiffieHellmanGroup | DiffieHellmanGroup | n/a |
LifeTimeInMinutes | integer | LifeTimeInMinutes | LifeTimeInMinutes | n/a |
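Both SA parameter dictionaries default to 3DES with SHA1-96 integrity, and the summary table leaves EnablePFS and EnableCertificateRevocationCheck at 0, so a profile that omits these keys is negotiated with the weakest settings the page documents. The Python below is an added example for this page, not project or Apple code: it fills in the defaults the page lists, lints the result (legacy cipher, SHA-1 integrity, PFS off, revocation check off, NATKeepAliveInterval under the 20 second minimum), and serializes the settings as an XML plist with `plistlib` so the defaults become explicit in what is pushed. The values `DES`, `SHA1-160`, `AES-256` and `SHA2-256` come from Apple's VPN payload reference and are not listed on this page; the sample host names and UUID are placeholders.

```python
import copy
import plistlib
from typing import Any, Dict, List

# Defaults listed on this page for both SA parameter dictionaries.
SA_DEFAULTS: Dict[str, Any] = {
    "EncryptionAlgorithm": "3DES",
    "IntegrityAlgorithm": "SHA1-96",
    "DiffieHellmanGroup": 14,
    "LifeTimeInMinutes": 1440,
}
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")

# Top-level defaults taken from the summary table on this page.
TOP_DEFAULTS: Dict[str, Any] = {
    "EnablePFS": 0,
    "DisableRedirect": 0,
    "DisableMOBIKE": 0,
    "EnableCertificateRevocationCheck": 0,
    "UseConfigurationAttributeInternalIPSubnet": 0,
    "DeadPeerDetectionRate": "Medium",
    "NATKeepAliveOffloadEnable": 1,
}

# Lint classification (assumption: the page lists defaults, not the accepted
# value set; DES and SHA1-160 are from Apple's reference, not this page).
LEGACY_ENCRYPTION = {"DES", "3DES"}
LEGACY_INTEGRITY = {"SHA1-96", "SHA1-160"}
NAT_KEEPALIVE_MIN_SECONDS = 20


def with_defaults(ikev2: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the settings with every key the page gives a default for filled in."""
    cfg = copy.deepcopy(ikev2)
    for key, value in TOP_DEFAULTS.items():
        cfg.setdefault(key, value)
    for key in SA_KEYS:
        merged = dict(SA_DEFAULTS)
        merged.update(cfg.get(key) or {})
        cfg[key] = merged
    return cfg


def findings(ikev2: Dict[str, Any]) -> List[str]:
    """Lint the settings as the device will see them, i.e. with defaults applied."""
    cfg = with_defaults(ikev2)
    out: List[str] = []
    for key in SA_KEYS:
        sa = cfg[key]
        if sa["EncryptionAlgorithm"] in LEGACY_ENCRYPTION:
            out.append(f"{key}: EncryptionAlgorithm {sa['EncryptionAlgorithm']} is a legacy cipher")
        if sa["IntegrityAlgorithm"] in LEGACY_INTEGRITY:
            out.append(f"{key}: IntegrityAlgorithm {sa['IntegrityAlgorithm']} is SHA-1 based")
    if cfg["EnablePFS"] != 1:
        out.append("EnablePFS is 0: no perfect forward secrecy for the connection")
    if cfg["EnableCertificateRevocationCheck"] != 1:
        out.append("EnableCertificateRevocationCheck is 0: revoked server certificates are not checked")
    interval = cfg.get("NATKeepAliveInterval")
    if interval is not None and interval < NAT_KEEPALIVE_MIN_SECONDS:
        out.append(f"NATKeepAliveInterval {interval} is below the "
                   f"{NAT_KEEPALIVE_MIN_SECONDS} second minimum")
    return out


def to_plist(ikev2: Dict[str, Any]) -> bytes:
    """XML plist of the settings with the page's defaults made explicit."""
    return plistlib.dumps(with_defaults(ikev2))


# Constructed sample that sets the SA parameters explicitly instead of relying
# on the defaults (AES-256 / SHA2-256 are Apple reference values, not on this page).
STRONG_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
             "DiffieHellmanGroup": 14}
EXPLICIT = {
    "RemoteAddress": "vpn.example.com",
    "LocalIdentifier": "laptop-42.example.com",
    "RemoteIdentifier": "vpn.example.com",
    "AuthenticationMethod": "Certificate",
    "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
    "EnablePFS": 1,
    "EnableCertificateRevocationCheck": 1,
    "IKESecurityAssociationParameters": dict(STRONG_SA),
    "ChildSecurityAssociationParameters": dict(STRONG_SA),
}

if __name__ == "__main__":
    print("empty profile:", findings({}))
    print("explicit profile:", findings(EXPLICIT))
    print(to_plist(EXPLICIT).decode())
```

An empty settings dictionary produces six findings (two per SA dictionary plus PFS and revocation), which is the point of running the lint over `with_defaults()` rather than over the raw profile: what was omitted is what gets negotiated.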