ads

Style3[OneLeft]

Style3[OneRight]

Style5[ImagesOnly]

Style2

Task:  

These steps are necessary to connect an iPhone to a Windows VPN server.  It explains how to
generate Apple iOS mobile-config scripts with Apple Configurator 2.  These mobile configuration scripts configure settings unavailable through the iPhone GUI (e.g., IKEv2 cryptography algorithms),

Requirements:

  •  Apple OSX running Apple Configurator 2
  • Server certificates:  Root_CA.cer and VPN_Server.cer(s).
    N.B., this process does not require the private keys for the Root CA or VPN server.
  • Client Certificate
       (a) Subject CN in username format (e.g., smj@stevenjordan.net).
       (b) Enhanced Key Usage (EKU) uses client authentication (1.3.6.1.5.5.7.3.2).
       (c) Subject Alternative Name with DNS attribute that matches the subject CN
             (e.g., DNS Name=smj@stevenjordan.net)
       (d) IKEv2 requires RSA (2048) SHA256 certificate.  

Administrative Process:

Process consists of three steps: (a) Create, (b) distribute, and (c) import the mobile-config.

Mobile Config

Create the mobile-config using Apple Configurator 2.  N.B., this process requires the Root CA and VPN server certificates (e.g., CER files).  The device certificate and private key is optional (i.e., device.PFX).  Additional PFX considerations:

  • IKEv2 VPN authentication requires PFX installation.  
  • Merging the PFX and the mobile-config provides the best user experience.
  • All PFX installations require special security precautions -regardless of mobile-config.
  • Self-service MDM makes administration easier..

Apple Configurator 2:  

  1. Start the Configurator and create a new profile:  File → New Profile.  Alternetly, edit an existing profile:  File → Open → Shoreland_Mobile_Config.
  2. General Tab:  Name, identifier (default), Organization, etc.
  3. Certificates Tab:  Import root.crt, VPN_server.crt.  Import device.pfx (i.e., client cert and private key (optional).
  4. VPN Tab:

    Table 1.  Apple Configurator 2 IKEv2 VPN Example.

Connection Name
 *
Connection Type
IKEv2
Server
VPN FQDN (public facing)
(e.g., vpn.stevenjordan.net)
Remote Identifier
VPN FQDN (public facing)
Local Identifier
Subject CN from client certificate.
(e.g., smj@stevenjordan.net)
Machine Authentication
Certificate
Identify Certificate (Optional)
Choose User_Device.PFX from pull-down menu.
Certificate Type
RSA
Server Certificate Issuer Common Name
Root CA Issuer (CN). 
(e.g., Jordan_Root_CA)
Server Certificate Common Name
VPN FQDN (e.g., vpn.stevenjordan.net)
IKE SA Params
Encryption Algorithm:  AES-256
Integrity Algorithm:  SHA2-256
Diffie-Hellman Group:  14
Child SA Params
Encryption Algorithm:  AES-256
Integrity Algorithm:  SHA1-96
Diffie-Hellman Group:  14

    5.  Save mobile-config:  
           File → New Profile.  Optionally Sign the profile.  Signing the code is optional and requires a certificate from Apple.  Save to an accessible location (e.g., Documents).

Distribute Mobile-Config

The safest method to distribute these mobile configuration scripts, especially those with private keys, is from a mobile device management (MDM) server.  Apple Configurator works as a secure MDM solution.  The process configures each device via USB. The process is not 100% automated -but it is secure.  http://simplemdm.com/2016/03/14/how-to-enroll-in-mdm-with-apple-configurator-2/

Alternately, organizations can distribute mobile-config scripts via email or web.   For example, use Outlook OWA, upload to a website, or use a corporate OneDrive.  Include the device.pfx if not incorporated in the mobile-config.  

Please consider the security risks associated with these alternative distribution methods. Certificates and private keys are used to validate identity.  We DO NOT want the wrong person to intercept this data.  It will allow them to authenticate to network servers, send email, etc...  Please use common sense.  Always delete private keys after installation is complete.     

Import Mobile-Config

Send the end-user an email with the mobile-config.  The email can include the mobile-config file as an attachment.  The end-user simply needs to open the attachment to start the installation process.  
  • Installation requires the end-user's device PIN.  
  • The end user will receive an alert that the mobile-config file is not signed
  • The end user must install user certificates and private keys (e.g. device.pfx) as required.  PKIs can be incorporated into the mobile-config script.
  • User may receive a warning that the PFX is not signed or trusted.

Additional Information:  

Alternatives to Apple Configurator:  Edit mobile-config XML scripts with Notepad++:  http://www.stevenjordan.net/2016/11/ikev2-mobile-config-script.html

How to add certificates and private keys within mobile-config XML scripts using Notepad++:
http://www.stevenjordan.net/2016/11/add-certs-to-mobile-config-xml.html

http://www.stevenjordan.net/2016/09/harden-rras-ikev2.html

Configure Windows Server IKEv2 VPNS:
http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html

About Steven M. Jordan

Steven Jordan is an infrastructure and process management specialist. Steven holds a Master of Science degree in ICT from the University of Wisconsin Stout. Steven is also a Cisco Certified Network Professional (CCNP) and Master Gardener.
«
Next
Newer Post
»
Previous
Older Post

No comments:

Post a Comment