Task:  

Manually create and edit a mobile-config script for iPhone IKEv2 VPNs.  

Requirements:  

  • Script with a common XML editor; no need for Apple Configurator.
  • Use secure cryptography algorithms.
  • Include all certificates for mutual authentication:  User certificate and private key, VPN server certificate, and trusted root certificate.

Solution:  

  1. Preparation:  Encode certificates (e.g., PFX and CER) with Base64:
    http://www.stevenjordan.net/2016/11/add-certs-to-mobile-config-xml.html
  2. Copy the mobile-config script (below) to an XML editor; I personally recommend Notepad++.
  3. Edit the mobile-config script.  Remove certificate payloads and replace them with output generated from Step 1.
    (a) User certificate and private key:  Lines 24 - 64.
    (b) VPN server certificate:  Lines 165 - 205.
    (c) Private root certificate:  Lines 225 - 245. 
  4. Change additional text fields to match your organization:
    (a) Consent:  Lines 9 - 10.
    (b) PFX Password:  Line 19.
    (c) PFX file name:  Line 21.
    (d) PFX Payload Display Name:  Line 69.
    (e) IKEv2 Local Identifier String:  Line 117.  N.B., this string must be the same as the DNS name listed in the user certificate's subject alternative name.
    (f) Remote address (i.e., VPN FQDN):  Line 123.
    (g) Remote identifier (i.e., VPN FQDN):  Line 125.
    (h) Server certificate issuer (i.e., CA):  Line 127.
    (i) User Defined VPN Name (optional):  Line 156.
    (j) Server payload display name (e.g., VPN FQDN):  Line 210.
    (k) Root certificate file name (i.e., CER):  Line 222.
    (l) Root CA payload display name:  Line 250.
    (m) iPhone profile description:  Line 262.
    (n) iPhone profile payload display name:  Line 264.
    (o) iPhone profile payload identifier (change prefix):  Line 266.
    (p) iPhone profile organization name:  Line 268.
  5. Save file as:  File_Name.mobileconfig
  6. Distribute.
Please note that this mobile-config contains the user certificate and private key.  Ensure the document is deleted from all sources after device configuration is complete.  
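The steps above can also be scripted, which avoids hand-pasting Base64 into the XML and lets you check the result before distributing it. The following is an added example, not the blog's mobile-config script: it builds the same four payloads (PKCS#12 user certificate, server certificate, private root certificate, IKEv2 VPN) with Python's standard plistlib, which writes bytes values as Base64 `<data>` elements, and then inspects the finished profile for the two things a reviewer cares about here: that it embeds a private key and its PFX password in clear text, and that the IKE/ESP proposals are the strong ones rather than the iOS defaults. Payload keys follow Apple's Configuration Profile Reference; the `com.example` prefix, `vpn.example.com`, the organization name, and the three byte strings standing in for the PFX and CER files are constructed placeholders, not real certificates or keys.

```python
import plistlib
import uuid

# Constructed stand-ins for the certificate files. A real deployment would use
# open("user.pfx", "rb").read() etc.; nothing here is a real key or certificate.
SAMPLE_PFX = b"constructed PKCS#12 blob (user cert + private key)"
SAMPLE_SERVER_CER = b"constructed DER server certificate"
SAMPLE_ROOT_CER = b"constructed DER private root certificate"

# Proposal the profile pins. Leaving IKESecurityAssociationParameters /
# ChildSecurityAssociationParameters out falls back to the iOS defaults, which
# Apple's profile reference lists as 3DES / SHA1-96 / DH group 2.
STRONG_IKE_PARAMS = {
    "EncryptionAlgorithm": "AES-256",
    "IntegrityAlgorithm": "SHA2-256",
    "DiffieHellmanGroup": 14,
    "LifeTimeInMinutes": 1440,
}


def _payload(payload_type, display_name, identifier, extra):
    """Wrapper keys that every payload dictionary in a profile carries."""
    d = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    d.update(extra)
    return d


def build_profile(pfx_bytes, pfx_password, server_cert_der, root_cert_der,
                  vpn_fqdn, local_id, issuer_cn, org, prefix="com.example",
                  ike_params=None):
    """Return the XML .mobileconfig as bytes (plistlib Base64-encodes the bytes values)."""
    params = dict(ike_params or STRONG_IKE_PARAMS)
    user_cert = _payload("com.apple.security.pkcs12", "User certificate and key",
                         f"{prefix}.cert.user",
                         {"PayloadContent": pfx_bytes, "Password": pfx_password})
    server_cert = _payload("com.apple.security.pkcs1", vpn_fqdn,
                           f"{prefix}.cert.server", {"PayloadContent": server_cert_der})
    root_cert = _payload("com.apple.security.root", "Private root CA",
                         f"{prefix}.cert.root", {"PayloadContent": root_cert_der})
    vpn = _payload("com.apple.vpn.managed", f"{org} IKEv2 VPN", f"{prefix}.vpn", {
        "UserDefinedName": f"{org} VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": vpn_fqdn,
            "RemoteIdentifier": vpn_fqdn,
            # Must equal the DNS name in the user certificate's subjectAltName.
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": user_cert["PayloadUUID"],
            "ServerCertificateIssuerCommonName": issuer_cn,
            "ExtendedAuthEnabled": False,
            "IKESecurityAssociationParameters": params,
            "ChildSecurityAssociationParameters": dict(params),
        },
    })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.ikev2.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} IKEv2 VPN",
        "PayloadDescription": f"Installs the {org} IKEv2 VPN and its certificates.",
        "PayloadOrganization": org,
        "ConsentText": {"default": f"This profile configures the {org} VPN."},
        "PayloadContent": [user_cert, server_cert, root_cert, vpn],
    }
    return plistlib.dumps(profile)


def payload_content(profile_bytes, payload_type):
    """Decode the <data> of the first payload of the given type (Base64 round-trip check)."""
    for p in plistlib.loads(profile_bytes)["PayloadContent"]:
        if p["PayloadType"] == payload_type:
            return p["PayloadContent"]
    return None


def inspect_profile(profile_bytes):
    """Report what a reviewer should know before the file leaves the admin's hands."""
    report = {"embeds_private_key": False, "pfx_password_in_clear": False, "weak": []}
    for p in plistlib.loads(profile_bytes)["PayloadContent"]:
        if p["PayloadType"] == "com.apple.security.pkcs12":
            report["embeds_private_key"] = True
            report["pfx_password_in_clear"] = bool(p.get("Password"))
        if p["PayloadType"] == "com.apple.vpn.managed" and p.get("VPNType") == "IKEv2":
            ike = p["IKEv2"]
            if ike.get("AuthenticationMethod") != "Certificate":
                report["weak"].append("AuthenticationMethod is not Certificate")
            for section in ("IKESecurityAssociationParameters",
                            "ChildSecurityAssociationParameters"):
                sa = ike.get(section)
                if not sa:
                    report["weak"].append(f"{section} missing (iOS defaults apply)")
                    continue
                if sa.get("EncryptionAlgorithm") in ("DES", "3DES"):
                    report["weak"].append(f"{section}: {sa['EncryptionAlgorithm']}")
                if str(sa.get("IntegrityAlgorithm", "")).startswith("SHA1"):
                    report["weak"].append(f"{section}: {sa['IntegrityAlgorithm']}")
                if sa.get("DiffieHellmanGroup", 0) < 14:
                    report["weak"].append(f"{section}: DH group {sa.get('DiffieHellmanGroup')}")
    return report


def demo():
    """Build a profile from the constructed inputs and inspect it."""
    data = build_profile(SAMPLE_PFX, "changeme-pfx-password", SAMPLE_SERVER_CER,
                         SAMPLE_ROOT_CER, "vpn.example.com", "user1.example.com",
                         "Example Corp Root CA", "Example Corp")
    return data, inspect_profile(data)


if __name__ == "__main__":
    xml, report = demo()
    print(xml.decode())
    print(report)
```

Writing the bytes returned by `build_profile` to `File_Name.mobileconfig` gives the same kind of file the manual procedure produces. `inspect_profile` reporting `embeds_private_key` and `pfx_password_in_clear` as true is the expected state of this profile, which is exactly why the file has to be removed from every distribution channel once the phone is configured; a non-empty `weak` list means the proposal should be corrected before the profile is installed.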



About Steven M. Jordan

Steven Jordan is an infrastructure and process management specialist. Steven holds a Master of Science degree in ICT from the University of Wisconsin Stout. Steven is also a Cisco Certified Network Professional (CCNP) and Master Gardener.