IKEv2 Mobile-Config Script


Task:  

Manually create and edit a mobile-config script for iPhone IKEv2 VPNs.  

Requirements:  

  • Script with a common XML editor; no need for Apple Configurator.
  • Use secure cryptography algorithms.
  • Include all certificates for mutual authentication:  User certificate and private key, VPN server certificate, and trusted root certificate.

Solution:  

  1. Preparation:  Encode certificates (e.g., PFX and CER) with Base64:
    http://www.stevenjordan.net/2016/11/add-certs-to-mobile-config-xml.html
  2. Copy the mobile-config script (below) to an XML editor; I personally recommend Notepad++.
  3. Edit the mobile-config script.  Remove certificate payloads and replace them with output generated from Step 1.
    (a) User certificate and private key:  Lines 24 - 64.
    (b) VPN server certificate:  Lines 165 - 205.
    (c) Private root certificate:  Lines 225 - 245. 
  4. Change the additional text fields to match your organization:
    (a) Consent:  Lines 9 - 10.
    (b) PFX Password:  Line 19.
    (c) PFX file name:  Line 21.
    (d) PFX Payload Display Name:  Line 69.
    (e) IKEv2 Local Identifier String:  Line 117.  N.B., this string must be the same as the DNS name listed in the user certificate's subject alternative name.
    (f) Remote address (i.e., VPN FQDN):  Line 123.
    (g) Remote identifier (i.e., VPN FQDN):  Line 125.
    (h) Server certificate issuer (i.e., CA):  Line 127.
    (i) User Defined VPN Name (optional):  Line 156.
    (j) Server payload display name (e.g., VPN FQDN):  Line 210.
    (k) Root certificate file name (i.e., CER):  Line 222.
    (l) Root CA payload display name:  Line 250.
    (m) iPhone profile description:  Line 262.
    (n) iPhone profile payload display name:  Line 264.
    (o) iPhone profile payload identifier (change prefix):  Line 266.
    (p) iPhone profile organization name:  Line 268.
  5. Save file as:  File_Name.mobileconfig
  6. Distribute.
Please note, this mobile-config contains the user certificate and private key.  Ensure the document is deleted from all sources after device configuration is complete.  
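As an added example (not the script from this post), the same profile can be generated with Python's standard plistlib instead of hand-editing the XML: bytes placed in a payload are emitted as base64 <data> elements, which is exactly the encoding Step 1 produces, and the user-certificate payload UUID is wired into the IKEv2 payload automatically. The certificate bytes below are constructed placeholders, and the PREFIX, hostnames, issuer name and organization are assumptions to be replaced with your own values.

```python
import plistlib
import uuid

PREFIX = "com.example.vpn"  # assumed reverse-DNS prefix; change to your organization's


def cert_payload(ptype, name, data, prefix=PREFIX, **extra):
    """One certificate payload; bytes in PayloadContent become a base64 <data> element."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
            "PayloadIdentifier": f"{prefix}.{name.lower().replace(' ', '-')}",
            "PayloadDisplayName": name, "PayloadContent": data, **extra}


def build_ikev2_profile(pfx, pfx_password, server_cer, root_cer,
                        vpn_fqdn, local_id, issuer_cn, org):
    """Return an unsigned .mobileconfig (XML plist) as bytes."""
    user = cert_payload("com.apple.security.pkcs12", "User Certificate", pfx,
                        Password=pfx_password)  # the PFX password is stored in plaintext
    server = cert_payload("com.apple.security.pkcs1", vpn_fqdn, server_cer)
    root = cert_payload("com.apple.security.root", "Root CA", root_cer)
    # IKE and ESP parameters set explicitly rather than relying on OS defaults
    sa = {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
          "DiffieHellmanGroup": 19, "LifeTimeInMinutes": 1440}
    vpn = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
           "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": f"{PREFIX}.ikev2",
           "PayloadDisplayName": f"{org} VPN", "UserDefinedName": f"{org} VPN",
           "VPNType": "IKEv2",
           "IKEv2": {"RemoteAddress": vpn_fqdn, "RemoteIdentifier": vpn_fqdn,
                     "LocalIdentifier": local_id,  # must equal the user cert's SAN DNS name
                     "AuthenticationMethod": "Certificate",
                     "PayloadCertificateUUID": user["PayloadUUID"],
                     "ServerCertificateIssuerCommonName": issuer_cn,
                     "ServerCertificateCommonName": vpn_fqdn,
                     "IKESecurityAssociationParameters": dict(sa),
                     "ChildSecurityAssociationParameters": dict(sa)}}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": f"{PREFIX}.profile",
               "PayloadDisplayName": f"{org} IKEv2 VPN", "PayloadOrganization": org,
               "PayloadDescription": "IKEv2 VPN with certificate authentication",
               "PayloadContent": [user, server, root, vpn]}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Constructed placeholder bytes, NOT real certificates; read your PFX and CER files instead.
SAMPLE_PFX, SAMPLE_SERVER, SAMPLE_ROOT = b"\x30\x82PFX", b"\x30\x82SRV", b"\x30\x82ROOT"
SAMPLE = build_ikev2_profile(SAMPLE_PFX, "pfx-pass", SAMPLE_SERVER, SAMPLE_ROOT,
                             "vpn.example.com", "user1.example.com", "Example Root CA", "Example")
SAMPLE_PARSED = plistlib.loads(SAMPLE)  # round trip: each <data> decodes back to the input bytes

if __name__ == "__main__":
    with open("Example.mobileconfig", "wb") as f:
        f.write(SAMPLE)
```

The output is an unsigned profile; iOS will show it as "Not Verified" until it is signed, and it still carries the PFX and its password, so the same deletion advice applies to the generated file.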


