VPN: IKEv2

The IKEv2 VPN profile configuration enables you to configure IKEv2 VPN settings for devices when:

Note: Requires Device Enrollment.
Note: The fields and controls that appear in this dialog box change according to the selections you make.

General

VPN Name Enter the VPN name used to identify this account.
Always-On VPN Select this option to enable Always-On VPN, which enables tunnel configuration options, service exception options, captive web-sheet options, and captive network plugin options. (Requires supervision and iOS 8.0 or later.)
Allow User to Disable Auto Connection Select this option to allow the user to disable auto connection.
Use Same Tunnel Configuration for Cellular and WiFi Select this option if you want to use the same tunnel configuration for cellular and WiFi.

Configurations

General

VPN Server Hostname / IP Address Enter the IP address or hostname of the VPN server.
Remote Identifier Enter the remote identifier.
Local Identifier Enter the identifier of the IKEv2 client.

Machine Authentication

Authentication Type Select the type of authentication method for the VPN: Certificate or Shared Secret.
Shared Secret Enter the shared secret used for IKE authentication.
Enable EAP Select this option to enable EAP-only authentication.
EAP Authentication Select the EAP authentication type.
Identity Certificate Select the certificate within the same profile to use as the account credential.
Certificate Type Select the type of certificate used for IKEv2 machine authentication. Provide the Server Certificate Issuer Common Name when specifying this field and enabling EAP.
Server Certificate Issuer Common Name Enter the common name of the server certificate issuer. This field enables IKE to send a certificate request based on this certificate issuer to the server. This field is required when you specify Certificate Type and enable EAP.
Server Certificate Common Name Enter the common name of the server certificate. This name is used to validate the certificate sent by the IKE server. If this field is not set, the Remote Identifier is used to validate the certificate.
TLS Minimum Version Select the minimum TLS version to use with EAP-TLS authentication.
TLS Maximum Version Select the maximum TLS version to use with EAP-TLS authentication.
Domain Enter the domain for authenticating the connection. Supports macros.
Account Enter the user name used for EAP authentication. Supports macros.
Password Enter the password used for EAP authentication.

Miscellaneous

Enable NAT Keepalive While Device Is Asleep Select this option to enable NAT Keepalive offload. NAT Keepalive affects battery life, because Keepalive packets are offloaded to hardware and continue to be sent while the device is asleep.
NAT Keepalive Interval Enter the NAT Keepalive interval. This value controls the interval over which the device sends Keepalive offload packets.
Dead Peer Detection Rate Select the rate for dead peer detection.
Disable Redirects Select this option to disable IKEv2 redirects. If this option is not selected, the IKEv2 connection is redirected when a redirect request is received from the server.
Disable Mobility and Multi-homing Select this option to disable mobility and multi-homing.
Use IPv4/IPv6 Internal Subnet Attributes Select this option to have negotiations use IKEv2 configuration attributes INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET.
Enable Perfect Forward Secrecy Select this option to enable perfect forward secrecy.
Enable Certificate Revocation Check Select this option to perform a certificate revocation check for IKEv2 connections. This is a best-effort revocation check: a server response timeout does not cause the connection to fail.
Enable Cellular Fallback When selected, this option enables a tunnel over cellular data to carry traffic that is eligible for WiFi Assist and also requires VPN. Enabling fallback requires that the server support many tunnels for a single user.

VPN On Demand

Enable VPN On Demand Select this option to enable VPN On Demand.
VPN On Demand Actions Select to add a VPN On Demand action.
Disconnect On Idle Select After Interval to disconnect after an on-demand connection idles.
After Interval Select the length of time to wait before disconnecting an on-demand connection.

IKE Security Association Parameters

Encryption Algorithm Select the encryption algorithm.
Integrity Algorithm Select the integrity algorithm.
Diffie-Hellman Group Select the Diffie-Hellman group.
Lifetime In Minutes Enter the IKE security association lifetime in minutes. The value must be between 10 and 1440 minutes.

Child Security Association Parameters

Encryption Algorithm Select the encryption algorithm.
Integrity Algorithm Select the integrity algorithm.
Diffie-Hellman Group Select the Diffie-Hellman group.
Lifetime In Minutes Enter the child security association lifetime in minutes. The value must be between 10 and 1440 minutes.
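As an added example (not part of this reference page and not vendor code), the following Python script wraps the IKEv2 settings described under Machine Authentication, Miscellaneous, and the two Security Association Parameters sections above into a .mobileconfig plist and audits them. The dictionary key names follow Apple's VPN payload format (RemoteAddress, AuthenticationMethod, EnablePFS, IKESecurityAssociationParameters, and so on); the hostname, identifiers, UUIDs and the "weak" and "hardened" values are constructed placeholders, and which algorithms and Diffie-Hellman groups the audit treats as weak, as well as the TLS 1.2 minimum it expects when EAP is enabled, are my own thresholds rather than anything the page states. The 10 to 1440 minute lifetime range is the one given on the page.

```python
import plistlib

# Thresholds for the audit (assumptions of this example, not values from the page).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH_GROUPS = {1, 2, 5}
MIN_LIFETIME, MAX_LIFETIME = 10, 1440  # range stated on the page

# Constructed "weak" IKEv2 dictionary: shared-secret machine auth, no PFS,
# no revocation check, legacy algorithms and an out-of-range lifetime.
WEAK_IKEV2 = {
    "RemoteAddress": "vpn.example.com",        # placeholder
    "RemoteIdentifier": "vpn.example.com",
    "LocalIdentifier": "device-0001",
    "AuthenticationMethod": "SharedSecret",
    "SharedSecret": "constructed-placeholder-secret",
    "EnablePFS": 0,
    "EnableCertificateRevocationCheck": 0,
    "IKESecurityAssociationParameters": {
        "EncryptionAlgorithm": "3DES", "IntegrityAlgorithm": "SHA1-96",
        "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 2880,
    },
    "ChildSecurityAssociationParameters": {
        "EncryptionAlgorithm": "AES-128", "IntegrityAlgorithm": "SHA1-160",
        "DiffieHellmanGroup": 5, "LifeTimeInMinutes": 5,
    },
}

# Constructed "hardened" counterpart: certificate machine auth plus EAP-TLS,
# server name pinned, PFS and revocation checking on, modern algorithms.
HARDENED_IKEV2 = {
    "RemoteAddress": "vpn.example.com",
    "RemoteIdentifier": "vpn.example.com",
    "LocalIdentifier": "device-0001",
    "AuthenticationMethod": "Certificate",
    "PayloadCertificateUUID": "00000000-0000-0000-0000-0000000000AA",  # placeholder
    "ExtendedAuthEnabled": 1,
    "ServerCertificateIssuerCommonName": "Example Corp Issuing CA",
    "ServerCertificateCommonName": "vpn.example.com",
    "TLSMinimumVersion": "1.2",
    "TLSMaximumVersion": "1.2",
    "EnablePFS": 1,
    "EnableCertificateRevocationCheck": 1,
    "IKESecurityAssociationParameters": {
        "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 1440,
    },
    "ChildSecurityAssociationParameters": {
        "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 60,
    },
}


def check_sa(params, label):
    """Return findings for one IKE or Child security-association parameter block."""
    findings = []
    if params.get("EncryptionAlgorithm") in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak encryption algorithm {params['EncryptionAlgorithm']}")
    if params.get("IntegrityAlgorithm") in WEAK_INTEGRITY:
        findings.append(f"{label}: weak integrity algorithm {params['IntegrityAlgorithm']}")
    if params.get("DiffieHellmanGroup") in WEAK_DH_GROUPS:
        findings.append(f"{label}: weak Diffie-Hellman group {params['DiffieHellmanGroup']}")
    lifetime = params.get("LifeTimeInMinutes")
    if lifetime is not None and not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
        findings.append(f"{label}: lifetime {lifetime} outside {MIN_LIFETIME}-{MAX_LIFETIME} minutes")
    return findings


def audit_ikev2(cfg):
    """Audit one IKEv2 dictionary against the settings discussed on the page."""
    findings = []
    if cfg.get("AuthenticationMethod") == "SharedSecret":
        findings.append("machine authentication uses a shared secret instead of a certificate")
    if cfg.get("ExtendedAuthEnabled") == 1:
        if "ServerCertificateIssuerCommonName" not in cfg:
            findings.append("EAP enabled without Server Certificate Issuer Common Name")
        if cfg.get("TLSMinimumVersion") != "1.2":
            findings.append("EAP-TLS minimum version below 1.2")
    if "ServerCertificateCommonName" not in cfg:
        findings.append("no Server Certificate Common Name; validation falls back to Remote Identifier")
    if cfg.get("EnablePFS") != 1:
        findings.append("perfect forward secrecy disabled")
    if cfg.get("EnableCertificateRevocationCheck") != 1:
        findings.append("certificate revocation check disabled")
    findings += check_sa(cfg.get("IKESecurityAssociationParameters", {}), "IKE SA")
    findings += check_sa(cfg.get("ChildSecurityAssociationParameters", {}), "Child SA")
    return findings


def build_profile(ikev2, name="Example IKEv2 VPN"):
    """Wrap an IKEv2 dictionary in a minimal VPN payload and serialize it as a plist."""
    payload = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2.payload",        # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",        # placeholder
        "UserDefinedName": name, "VPNType": "IKEv2", "IKEv2": ikev2,
    }
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",                 # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",        # placeholder
        "PayloadDisplayName": name, "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """Parse a serialized profile and audit every IKEv2 VPN payload it contains."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed" and payload.get("VPNType") == "IKEv2":
            findings += audit_ikev2(payload.get("IKEv2", {}))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_IKEV2), ("hardened", HARDENED_IKEV2)):
        print(label, audit_profile(build_profile(cfg)) or ["no findings"])
```

Run the script directly to see the findings for both constructed profiles; audit_profile is the entry point to reuse on an exported .mobileconfig, since it parses the plist and walks every IKEv2 VPN payload rather than relying on the in-memory dictionaries.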

Proxy

Proxy Select how you want to configure proxies with this configuration.
URL Enter the URL needed to receive proxy settings.
Proxy Server Enter the hostname or IP address of the proxy server.
Username Enter the username for authenticating the connection. Supports macros.
Password Enter the password for authenticating the connection.

Service Exceptions

Voice Mail Select an option for the voice mail service.
AirPrint Select an option for the AirPrint service.
Cellular Services Select an option for the cellular services.
Allow Traffic from All Captive Web Sheets Outside the VPN Tunnel Select this option to allow traffic from all captive web sheets outside the VPN tunnel.
Allow Traffic from All Captive Networking Apps Outside the VPN Tunnel Select this option to allow traffic from all captive networking apps outside the VPN tunnel to perform captive network handling.
Captive Networking Applications Select + to add applications you want to allow on the captive network.