    IOS On Demand VPN

    Category: IPsec
    6 Posts 3 Posters 878 Views
    Deadringers

      Hey,

      So I used the config exporter within pfSense, and I have an IPsec VPN up and running without any issues.

      It's cert based, uses reasonable security settings and works great.

      The only problem I have is I cannot figure out where to put the "on demand" config within the XML that's generated.

      I'd like to have the VPN Always on, but only when I'm away from my home.

      So I was hoping to put this into my config somewhere to say connect if not on XYZ SSID...

      I found two sites which might have the answer... but after trying to implement their suggestions I just get a generic error from apple configurator:

      This profile is invalid or missing required values. [ConfigurationUtilityKit.error – 0x6 (6)]

      https://github.com/nerd-one/VPN-OnDemand/blob/master/VPN%20OnDemand.mobileconfig

      My current working config is below; I've removed sensitive information or replaced it with a placeholder.

      Can anyone help me with the above?

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
      	<key>PayloadContent</key>
      	<array>
      		<dict>
      			<key>AlwaysOn</key>
      			<dict>
      				<key>AllowedCaptiveNetworkPlugins</key>
      				<array/>
      				<key>ServiceExceptions</key>
      				<array/>
      				<key>TunnelConfigurations</key>
      				<array>
      					<dict>
      						<key>AuthenticationMethod</key>
      						<string>SharedSecret</string>
      						<key>ChildSecurityAssociationParameters</key>
      						<dict>
      							<key>DiffieHellmanGroup</key>
      							<integer>14</integer>
      							<key>EncryptionAlgorithm</key>
      							<string>AES-256</string>
      							<key>IntegrityAlgorithm</key>
      							<string>SHA2-256</string>
      							<key>LifeTimeInMinutes</key>
      							<integer>1440</integer>
      						</dict>
      						<key>DeadPeerDetectionRate</key>
      						<string>Medium</string>
      						<key>DisableMOBIKE</key>
      						<integer>0</integer>
      						<key>DisableRedirect</key>
      						<integer>0</integer>
      						<key>EnableCertificateRevocationCheck</key>
      						<integer>0</integer>
      						<key>EnableFallback</key>
      						<integer>0</integer>
      						<key>EnablePFS</key>
      						<integer>0</integer>
      						<key>IKESecurityAssociationParameters</key>
      						<dict>
      							<key>DiffieHellmanGroup</key>
      							<integer>14</integer>
      							<key>EncryptionAlgorithm</key>
      							<string>AES-256</string>
      							<key>IntegrityAlgorithm</key>
      							<string>SHA2-256</string>
      							<key>LifeTimeInMinutes</key>
      							<integer>1440</integer>
      						</dict>
      						<key>Interfaces</key>
      						<array>
      							<string>Cellular</string>
      							<string>WiFi</string>
      						</array>
      						<key>NATKeepAliveInterval</key>
      						<integer>110</integer>
      						<key>NATKeepAliveOffloadEnable</key>
      						<integer>1</integer>
      						<key>ProtocolType</key>
      						<string>IKEv2</string>
      						<key>UseConfigurationAttributeInternalIPSubnet</key>
      						<integer>0</integer>
      					</dict>
      				</array>
      			</dict>
      			<key>IPv4</key>
      			<dict>
      				<key>OverridePrimary</key>
      				<integer>1</integer>
      			</dict>
      			<key>PayloadDescription</key>
      			<string>Configures VPN settings, including authentication</string>
      			<key>PayloadDisplayName</key>
      			<string>My VPN Name Here</string>
      			<key>PayloadIdentifier</key>
      			<string>com.apple.vpn.managed.xxx-xxx-xxx</string>
      			<key>PayloadOrganization</key>
      			<string>pfSense</string>
      			<key>PayloadType</key>
      			<string>com.apple.vpn.managed</string>
      			<key>PayloadUUID</key>
      			<string>xxx-xxx-xxx</string>
      			<key>PayloadVersion</key>
      			<integer>1</integer>
      			<key>UserDefinedName</key>
      			<string>VPN NAME HERE</string>
      			<key>VPNType</key>
      			<string>AlwaysOn</string>
      		</dict>
      		<dict>
      			<key>Password</key>
      			<string>STRING HERE </string>
      			<key>PayloadCertificateFileName</key>
      			<string>IPsec-VPN-Cert.p12</string>
      			<key>PayloadContent</key>
      			<data>
      			KEY/CRT DATA IN HERE
      			</data>
      			<key>PayloadDescription</key>
      			<string>Provides device authentication (certificate or identity).</string>
      			<key>PayloadDisplayName</key>
      			<string>IPsec-VPN-Cert.p12</string>
      			<key>PayloadIdentifier</key>
      			<string>com.apple.security.pkcs12.xxx-xxx-xxx</string>
      			<key>PayloadOrganization</key>
      			<string>pfSense</string>
      			<key>PayloadType</key>
      			<string>com.apple.security.pkcs12</string>
      			<key>PayloadUUID</key>
      			<string>xxx-xxx-xxx</string>
      			<key>PayloadVersion</key>
      			<integer>1</integer>
      		</dict>
      		<dict>
      			<key>PayloadCertificateFileName</key>
      			<string>IPsec-VPN-CA.crt</string>
      			<key>PayloadContent</key>
      			<data>
      			KEY/CRT DATA IN HERE
      			</data>
      			<key>PayloadDescription</key>
      			<string>Provides device authentication (certificate or identity).</string>
      			<key>PayloadDisplayName</key>
      			<string>IPsec-VPN-CA</string>
      			<key>PayloadIdentifier</key>
      			<string>com.apple.security.root.xxx-xxx-xxx</string>
      			<key>PayloadOrganization</key>
      			<string>pfSense</string>
      			<key>PayloadType</key>
      			<string>com.apple.security.root</string>
      			<key>PayloadUUID</key>
      			<string>xxx-xxx-xxx</string>
      			<key>PayloadVersion</key>
      			<integer>1</integer>
      		</dict>
      	</array>
      	<key>PayloadDescription</key>
      	<string>Contains configuration settings for connecting to VPN on pfSense firewall and VPN appliance</string>
      	<key>PayloadDisplayName</key>
      	<string>name of vpn</string>
      	<key>PayloadIdentifier</key>
      	<string>com.vpnname here</string>
      	<key>PayloadOrganization</key>
      	<string>pfSense</string>
      	<key>PayloadRemovalDisallowed</key>
      	<false/>
      	<key>PayloadType</key>
      	<string>Configuration</string>
      	<key>PayloadUUID</key>
      	<string>xxx-xxx-xxx</string>
      	<key>PayloadVersion</key>
      	<integer>1</integer>
      </dict>
      </plist>
      Deadringers @Deadringers

        After some trial and error I figured it out.

        				<key>AuthenticationMethod</key>
        				<string>Certificate</string>
        				<key>RemoteAddress</key>
        				<string>vpn.domain.com</string>
        				<key>PayloadCertificateUUID</key>
        				<string>xxx-xxx-xxx</string>
        				<key>OnDemandEnabled</key>
        				<integer>1</integer>
        				<key>OnDemandRules</key>
        				<array>
        					<dict>
        						<key>Action</key>
        						<string>Disconnect</string>
        						<key>InterfaceTypeMatch</key>
        						<string>WiFi</string>
        						<key>SSIDMatch</key>
        						<array>
        							<string>SSID HERE</string>
        							<string>SSID HERE</string>
        						</array>
        					</dict>
        					<dict>
        						<key>Action</key>
        						<string>Connect</string>
        						<key>InterfaceTypeMatch</key>
        						<string>Cellular</string>
        					</dict>
        					<dict>
        						<key>Action</key>
        						<string>Connect</string>
        						<key>InterfaceTypeMatch</key>
        						<string>WiFi</string>
        					</dict>
        					<dict>
        						<key>Action</key>
        						<string>Connect</string>
        					</dict>
        				</array>
        			</dict>
        			<key>IPv4</key>
        TheWaterbug @Deadringers

          @Deadringers

          Looks interesting! I will try this next time I get a chance.

          How does one actually load this onto an iOS device?

          Deadringers @TheWaterbug

            @TheWaterbug

            You'll need a few things; it might seem like a lot, but it's actually quite easy with the pfSense IPsec wizard!

            • Set up your VPN settings in pfSense for the IPsec tunnel to use EAP-TLS
            • I.e. this is using a CA that you set up, a cert for the IPsec server, and a cert for each client.
            • Download the config with the pfSense package "ipsec-profile-wizard"
            • Test that this config works by loading that .mobileconfig onto your phone.

            https://www.derman.com/blogs/iOS-IPSec-VPN-OnDemand-Setup

            Section 3 there, "3. Import the IPSec VPN configuration profile onto the iPhone", provides instructions for Apple Configurator, or just emailing it to yourself.

            Once you've got the above working nicely, you know you have a secure VPN with cert-based auth, and you can add the few lines I posted above to the .mobileconfig file and then upload that to the phone in question.

            N.B.

            You MIGHT have to "Supervise" your iPhone for this to work...
            For "Always On VPN" you 100% need it supervised, but I THINK that with "On Demand VPN" you don't have to.

            https://www.miradore.com/knowledge/ios/enable-supervised-mode-on-ios-device-using-apple-configurator/

            That should get you started.

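            Editor's added example (not code from this thread, from pfSense or from the ipsec-profile-wizard package): a small Python linter for the merged .mobileconfig, covering the On Demand rules fragment posted above and the "test the profile before loading it onto the phone" step. Apple Configurator's "invalid or missing required values" error says nothing about which key is wrong, so checking the profile offline first gives a usable message. The example assumes the layout the fragment implies: `OnDemandRules`, `RemoteAddress` and `PayloadCertificateUUID` sit inside an `IKEv2` dictionary of a `com.apple.vpn.managed` payload whose `VPNType` is `IKEv2` (not the `AlwaysOn` type of the first config), and the referenced certificate UUID must match a `com.apple.security.pkcs12` payload in the same profile. All identifiers, the remote host and the PKCS#12 bytes are constructed placeholders; the allowed `Action` and `InterfaceTypeMatch` values are those in Apple's configuration profile reference.

```python
import plistlib
import uuid

# Allowed values per Apple's configuration-profile reference.
VALID_ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
VALID_INTERFACES = {"Ethernet", "WiFi", "Cellular"}
MATCH_KEYS = {"InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch", "DNSServerAddressMatch"}

def build_profile(home_ssids, remote_address, cert_uuid):
    """Constructed sample: cert-based IKEv2 payload plus its PKCS#12 payload."""
    # Rules are evaluated top-down and the first match wins, so the
    # 'disconnect on home SSIDs' rule must precede the generic Connects.
    rules = [
        {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": list(home_ssids)},
        {"Action": "Connect", "InterfaceTypeMatch": "Cellular"},
        {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
        {"Action": "Connect"},  # catch-all; must be last
    ]
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": "com.example.vpn.ondemand",  # placeholder identifier
        "PayloadVersion": 1,
        "VPNType": "IKEv2",
        "IKEv2": {
            "AuthenticationMethod": "Certificate",
            "RemoteAddress": remote_address,
            "PayloadCertificateUUID": cert_uuid,
            "OnDemandEnabled": 1,
            "OnDemandRules": rules,
        },
        "IPv4": {"OverridePrimary": 1},
    }
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadUUID": cert_uuid,
        "PayloadIdentifier": "com.example.vpn.cert",  # placeholder identifier
        "PayloadContent": b"PKCS12-BYTES-GO-HERE",  # placeholder, not a real .p12
    }
    return {
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": "com.example.vpn.profile",  # placeholder identifier
        "PayloadVersion": 1,
        "PayloadContent": [vpn_payload, cert_payload],
    }

def lint_rules(rules):
    """Check an OnDemandRules array; returns a list of problems (empty = fine)."""
    if not isinstance(rules, list) or not rules:
        return ["OnDemandRules must be a non-empty array"]
    errors = []
    for i, rule in enumerate(rules):
        if rule.get("Action") not in VALID_ACTIONS:
            errors.append(f"rule {i}: Action {rule.get('Action')!r} is not valid")
        iface = rule.get("InterfaceTypeMatch")
        if iface is not None and iface not in VALID_INTERFACES:
            errors.append(f"rule {i}: InterfaceTypeMatch {iface!r} is not valid")
        ssids = rule.get("SSIDMatch")
        if ssids is not None and not (isinstance(ssids, list)
                                      and all(isinstance(s, str) for s in ssids)):
            errors.append(f"rule {i}: SSIDMatch must be an array of strings")
    if any(k in MATCH_KEYS for k in rules[-1]):
        errors.append("last rule should be a catch-all with no match criteria")
    return errors

def lint_profile(profile):
    """Return a list of problems with the whole profile; empty means it passed."""
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    vpns = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpns:
        return ["no com.apple.vpn.managed payload found"]
    errors = []
    for vpn in vpns:
        if vpn.get("VPNType") != "IKEv2":
            errors.append(f"VPNType {vpn.get('VPNType')!r}: On Demand rules belong in an IKEv2 payload")
        ike = vpn.get("IKEv2")
        if not isinstance(ike, dict):
            errors.append("missing IKEv2 dictionary")
            continue
        for key in ("RemoteAddress", "AuthenticationMethod"):
            if key not in ike:
                errors.append(f"IKEv2 dictionary lacks required key {key}")
        if (ike.get("AuthenticationMethod") == "Certificate"
                and ike.get("PayloadCertificateUUID") not in cert_uuids):
            errors.append("PayloadCertificateUUID does not match any pkcs12 payload")
        if ike.get("OnDemandEnabled") == 1:
            errors.extend(lint_rules(ike.get("OnDemandRules")))
    return errors

def roundtrip(profile):
    """Serialise to .mobileconfig XML and parse it back, as the device would."""
    return plistlib.loads(plistlib.dumps(profile, fmt=plistlib.FMT_XML))

if __name__ == "__main__":
    good = roundtrip(build_profile(["HomeWiFi"], "vpn.example.invalid", str(uuid.uuid4()).upper()))
    print(lint_profile(good) or "profile OK")
```

To lint a real exported profile instead of the constructed one, load it with `plistlib.load(open(path, "rb"))` and pass the result to `lint_profile`. The ordering check matters for the use case in this thread: the `Disconnect` rule for the home SSIDs has to come before the unconditional `Connect` rules, otherwise the VPN would be brought up on the home network as well.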
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.