Per App VPN: IKEv2

The IKEv2 Per App VPN feature allows you to select which apps must communicate over a VPN connection. You can specify whether the per-app VPN automatically starts when the app initiates network communications. You do this when:

General

VPN Name: Enter the name of the VPN connection.
Auto Start VPN: Select this option to automatically start the VPN.

Configurations

General

VPN Server Hostname / IP Address: Enter the IP address or hostname of the VPN server.
Remote Identifier: Enter the remote identifier.
Local Identifier: Enter the identifier of the IKEv2 client.

Machine Authentication

Authentication Type: Select the type of authentication method for the VPN: Certificate or Shared Secret.
Shared Secret: Enter the shared secret used for IKE authentication.
Enable EAP: Select this option to enable EAP-only authentication.
EAP Authentication: Select the EAP authentication type.
Identity Certificate: Select the certificate within the same profile to use as the account credential.
Certificate Type: Select the type of certificate used for IKEv2 machine authentication. Provide the Server Certificate Issuer Common Name when you specify this field and enable EAP.
Server Certificate Issuer Common Name: Enter the common name of the server certificate issuer. This field enables IKE to send a certificate request for this issuer to the server. It is required when you specify Certificate Type and enable EAP.
Server Certificate Common Name: Enter the common name of the server certificate. This name is used to validate the certificate sent by the IKE server. If this field is not set, the Remote Identifier is used to validate the certificate.
TLS Minimum Version: Select the minimum TLS version to use with EAP-TLS authentication.
TLS Maximum Version: Select the maximum TLS version to use with EAP-TLS authentication.
Domain: Enter the domain for authenticating the connection. Supports macros.
Account: Enter the user name used for EAP authentication. Supports macros.
Password: Enter the password used for EAP authentication.

Miscellaneous

Enable NAT Keepalive While Device Is Asleep: Select this option to enable NAT Keepalive offload. NAT Keepalive affects battery life, because Keepalive packets are offloaded to hardware while the device is asleep.
NAT Keepalive Interval: Enter the NAT Keepalive interval. This value controls how often the device sends Keepalive offload packets.
Dead Peer Detection Rate: Select the rate for dead peer detection.
Disable Redirects: Select this option to disable IKEv2 redirects. If this option is not selected, the IKEv2 connection is redirected when the server receives a redirect request.
Disable Mobility and Multi-homing: Select this option to disable mobility and multi-homing (MOBIKE).
Use IPv4/IPv6 Internal Subnet Attributes: Select this option to have negotiations use the IKEv2 configuration attributes INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET.
Enable Perfect Forward Secrecy: Select this option to enable perfect forward secrecy.
Enable Certificate Revocation Check: Select this option to perform a certificate revocation check for IKEv2 connections. This is a best-effort check: a server response timeout does not cause the connection to fail.
Enable Cellular Fallback: Select this option to enable a tunnel over cellular data to carry traffic that is eligible for WiFi Assist and also requires VPN. Enabling fallback requires that the server support multiple tunnels for a single user.

VPN On Demand

Enable VPN On Demand: Select this option to enable VPN On Demand.
VPN On Demand Actions: Select to add a VPN On Demand action.
Disconnect On Idle: Select After Interval to disconnect an on-demand connection after it has been idle for the specified time.
After Interval: Select how long an on-demand connection may remain idle before it is disconnected.

IKE Security Association Parameters

Encryption Algorithm: Select the encryption algorithm.
Integrity Algorithm: Select the integrity algorithm.
Diffie-Hellman Group: Select the Diffie-Hellman group.
Lifetime In Minutes: Enter the IKE security association lifetime in minutes. The value must be between 10 and 1440 minutes.

Child Security Association Parameters

Encryption Algorithm: Select the encryption algorithm.
Integrity Algorithm: Select the integrity algorithm.
Diffie-Hellman Group: Select the Diffie-Hellman group.
Lifetime In Minutes: Enter the child security association lifetime in minutes. The value must be between 10 and 1440 minutes.

Proxy

Proxy: Select how you want to configure proxies with this configuration.
URL: Enter the URL needed to receive proxy settings.
Proxy Server: Enter the hostname or IP address of the proxy server.
Username: Enter the username for authenticating the connection. Supports macros.
Password: Enter the password for authenticating the connection.

Domains

Add Safari Domains: Select to add Safari domains. Each entry must specify a domain that triggers the VPN connection in Safari. (Requires iOS 7.0 or later.)
Add Calendar Domains: Select to add Calendar domains. Each entry must specify a domain that triggers the VPN connection in Calendar. (Requires iOS 13.0 or later.)
Add Contacts Domains: Select to add Contacts domains. Each entry must specify a domain that triggers the VPN connection in Contacts. (Requires iOS 13.0 or later.)
Add Mail Domains: Select to add Mail domains. Each entry must specify a domain that triggers the VPN connection in Mail. (Requires iOS 13.0 or later.)
Add SMB Domains: Select to add SMB domains. Each entry must specify an SMB domain accessible through this VPN connection. (Requires iOS 7.0 or later.)
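The fields above map onto the keys of Apple's managed VPN payload. The script below is an added example, not code from this page, the MDM product or Apple: it assembles an IKEv2 Per-App VPN payload from those fields, enforces the constraints the page states (the 10 to 1440 minute SA lifetime, the Remote Identifier fallback for server certificate validation, the issuer common name required when Certificate Type is set with EAP) and serialises it as a plist. The key names and 0/1 integer flags follow Apple's com.apple.vpn.managed documentation as best I know it and should be checked against that reference; the server name, identifiers, UUIDs and domain are constructed sample values.

```python
"""Build and sanity-check an IKEv2 Per-App VPN payload from the documented fields.

Added example; not the MDM product's own code or Apple's. Key names and types
follow Apple's com.apple.vpn.managed payload reference as I recall them (treat
them as an assumption to verify). All values below are constructed samples.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.vpn.managed"
LIFETIME_MIN, LIFETIME_MAX = 10, 1440  # page: SA lifetime must be 10..1440 minutes


def sa_params(encryption, integrity, dh_group, lifetime_minutes):
    """One IKE or Child SA parameter set, enforcing the documented lifetime range."""
    if not LIFETIME_MIN <= lifetime_minutes <= LIFETIME_MAX:
        raise ValueError(f"lifetime {lifetime_minutes} min outside "
                         f"{LIFETIME_MIN}-{LIFETIME_MAX}")
    return {"EncryptionAlgorithm": encryption, "IntegrityAlgorithm": integrity,
            "DiffieHellmanGroup": dh_group, "LifeTimeInMinutes": lifetime_minutes}


def build_ikev2_payload(vpn_name, server, remote_id, local_id, *, cert_uuid,
                        eap=False, cert_type=None, issuer_cn=None,
                        server_cn=None, safari_domains=()):
    """Assemble the payload dict; rejects field combinations the page calls out."""
    if eap and cert_type and not issuer_cn:
        # Page: Server Certificate Issuer Common Name is required when
        # Certificate Type is set and EAP is enabled.
        raise ValueError("ServerCertificateIssuerCommonName is required "
                         "when CertificateType is set and EAP is enabled")
    ikev2 = {
        "RemoteAddress": server,               # VPN Server Hostname / IP Address
        "RemoteIdentifier": remote_id,
        "LocalIdentifier": local_id,
        "AuthenticationMethod": "Certificate",
        "PayloadCertificateUUID": cert_uuid,   # Identity Certificate in the same profile
        "ExtendedAuthEnabled": 1 if eap else 0,
        # Page: with no explicit server CN, the Remote Identifier is what the
        # client validates the server certificate against.
        "ServerCertificateCommonName": server_cn or remote_id,
        "DeadPeerDetectionRate": "Medium",
        "DisableRedirect": 1,                  # do not follow IKEv2 redirects
        "DisableMOBIKE": 0,
        "EnablePFS": 1,
        "EnableCertificateRevocationCheck": 1,  # best-effort check, per the page
        "IKESecurityAssociationParameters": sa_params("AES-256-GCM", "SHA2-256", 19, 1440),
        "ChildSecurityAssociationParameters": sa_params("AES-256-GCM", "SHA2-256", 19, 60),
    }
    if cert_type:
        ikev2["CertificateType"] = cert_type
    if issuer_cn:
        ikev2["ServerCertificateIssuerCommonName"] = issuer_cn
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": vpn_name,           # VPN Name
        "VPNType": "IKEv2",
        "VPNUUID": str(uuid.uuid4()).upper(),  # the ID managed apps are mapped to
        "OnDemandMatchAppEnabled": True,       # Per-App VPN: app traffic brings the tunnel up
        "OnDemandEnabled": 1,
        "IKEv2": ikev2,
    }
    if safari_domains:
        payload["SafariDomains"] = list(safari_domains)  # Add Safari Domains
    return payload


def to_plist(payload):
    """Serialise to XML plist bytes and confirm it round-trips through plistlib."""
    data = plistlib.dumps(payload)
    assert plistlib.loads(data) == payload
    return data


def raises_value_error(fn, *args, **kwargs):
    """True if fn(...) raises ValueError; keeps the checks below to one line each."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cfg = build_ikev2_payload("Corp Per-App VPN", "vpn.example.com",
                              "vpn.example.com", "device-0001",
                              cert_uuid="00000000-0000-0000-0000-000000000000",
                              safari_domains=["intranet.example.com"])
    print(to_plist(cfg).decode())
```

Running the script prints the plist; the value worth noticing is ServerCertificateCommonName, which silently becomes the Remote Identifier when you leave the field empty, so a Remote Identifier that is not the server's real certificate name breaks server validation rather than loosening it.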

Managed Applications

Select Add to enter an app name and search the App Store for the applications you want this VPN to apply to. To add several apps at once, upload a .csv or .txt file by clicking the Import button. Each row in the .csv or .txt file must contain the following information: app ID, app name.
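A small validator for the import file described above, added here as an example and not the MDM product's own importer. The two-field row layout comes from the page; the reverse-DNS check on the app ID, the duplicate check and the sample rows are my own assumptions and constructed data, intended to catch a malformed file before it maps the wrong app to the tunnel.

```python
"""Parse and validate a Managed Applications import file (app ID, app name per row).

Added example, not the MDM product's importer. Row layout follows the page;
the bundle-ID pattern, duplicate rule and SAMPLE rows are assumptions.
"""
import csv
import io
import re

# Assumption: app IDs are reverse-DNS bundle identifiers such as com.example.mail.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_app_import(text):
    """Return (apps, errors): apps is a list of (app_id, app_name) in file order,
    errors lists every rejected row with its line number instead of aborting."""
    apps, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 2:
            errors.append(f"line {lineno}: expected 2 fields (app ID, app name), got {len(row)}")
            continue
        app_id, name = (cell.strip() for cell in row)
        if not BUNDLE_ID_RE.match(app_id):
            errors.append(f"line {lineno}: {app_id!r} is not a reverse-DNS bundle ID")
            continue
        if app_id in seen:
            errors.append(f"line {lineno}: duplicate app ID {app_id}")
            continue
        if not name:
            errors.append(f"line {lineno}: empty app name for {app_id}")
            continue
        seen.add(app_id)
        apps.append((app_id, name))
    return apps, errors


# Constructed sample file: two good rows, a blank line, a bad ID and a duplicate.
SAMPLE = """com.example.mail, Example Mail
com.example.crm, Example CRM

not a bundle id, Broken Row
com.example.mail, Duplicate Mail
"""

if __name__ == "__main__":
    apps, errors = parse_app_import(SAMPLE)
    for app_id, name in apps:
        print(f"OK   {app_id:<24} {name}")
    for err in errors:
        print(f"SKIP {err}")
```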