Saturday, October 5, 2019

Apple iOS IKEv2 VPN to Microsoft RRAS

We have a fully functioning AlwaysOn VPN setup for our Windows 10 devices using IKEv2 to two load-balanced Windows RRAS servers. We are using certificate authentication, and have separate servers for RADIUS AAA, two Microsoft NPS servers.

We would like to utilize this same infrastructure for VPN for our iPhones. I have tried numerous permutations of settings on the iOS client and I cannot find a variant that works. I have also looked for anyone else doing iOS with IKEv2 and PKI authentication and cannot find someone with a working config to go off of.

The permutations result in one of two error messages on the iPhone:

"User authentication failed"
"An unexpected error occurred"

With either of these errors, I did not see any hits on the NPS servers. So it looks like it is failing before trying to authenticate. I am trying to figure out how to read the logs under %windir%\tracing on the RRAS servers however I am not finding anything useful thus far.

Using MDM to configure iPhones, VPN settings are as follows (anonymized):

Connection name: Test VPN Profile
Server IP: server.domain.com
Split tunnel: disabled
Remote identifier: server.domain.com (Note: this matches the IKEv2 server certificate)
Local identifier: null
Client auth type: User Authentication
Auth method: Certificates
Certificate: For testing, I specified the one we are currently using for WiFi auth.
Certificate type: RSA
Dead peer detection rate: medium
Perfect forward secrecy: enabled
Certificate revocation check: disabled
Use IPv4/IPv6 internal subnet attributes: disabled
Mobility and multihoming (MOBIKE): disabled
Redirect: disabled

Security Association Parameters

Encryption algorithm: AES-128
Integrity algorithm: SHA2-256
Diffie-Hellman group: 14
Lifetime (minutes): 1440

Child Security Association Parameters

Encryption algorithm: AES-128
Integrity algorithm: SHA2-256
Diffie-Hellman group: 14
Lifetime (minutes): 1440

The settings above give me the "An unexpected error occurred" error.

Does anyone have a known working iOS VPN settings for Microsoft IKEv2 with PKI they are willing to share?

Does anyone have any advice on how to read/parse the RRAS %windir%\tracing logs or other RRAS logs to help troubleshoot this?

Are there VPN logs on the iOS iPhone that I am unaware of that can help with this?

I welcome any other thoughts, experiences, resources, or suggestions.

Thank you!
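On the log-reading questions, the following is an added example and not part of the original post. It is a PowerShell script for the RRAS server that turns on RRAS component tracing (the files under %windir%\tracing), turns on IPsec/IKE auditing so that failed IKEv2 negotiations are written to the Security log, waits while the iPhone attempt is reproduced, and then pulls the matching events and trace lines for one client address. Certificate-based IKEv2 authentication is handled by the Windows IKE service rather than by RADIUS, so when NPS never sees a request the Security-log IKE audit events are the first place to look for the actual failure reason. The client IP value and the capture window are placeholders I chose; run it elevated and replace them.

```powershell
# Added example (not from the original post): collect IKEv2 negotiation
# evidence on a Windows RRAS server while an iOS client attempts to connect.
# Assumptions: run in an elevated PowerShell on the RRAS server; $ClientIp is
# the iPhone's public address as RRAS sees it (placeholder value below).
param(
    [string]$ClientIp = '203.0.113.10',   # placeholder, replace with the real client IP
    [int]$CaptureSeconds = 120            # how long to wait for the reproduction
)

# 1. Turn on RRAS component tracing; log files land in %windir%\tracing\*.LOG
netsh ras set tracing * enabled

# 2. Turn on IPsec/IKE auditing so failed IKEv2 negotiations are recorded in
#    the Security log (4652/4653 = main mode failed, 4654 = quick mode failed).
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable

$start = Get-Date
Write-Host "Reproduce the iPhone connection attempt now; capturing for $CaptureSeconds seconds..."
Start-Sleep -Seconds $CaptureSeconds

# 3. Stop tracing so the log files are closed and stop growing (trace files
#    contain client identifiers, so do not leave this enabled in production).
netsh ras set tracing * disabled

# 4. Pull IKE failure events raised since the capture started.
$ikeEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4652, 4653, 4654
    StartTime = $start
} -ErrorAction SilentlyContinue

foreach ($e in $ikeEvents) {
    # The message text carries the remote address and the failure reason
    # (authentication/certificate details); keep only events for our client.
    if ($e.Message -match [regex]::Escape($ClientIp)) {
        "{0} Event {1}" -f $e.TimeCreated, $e.Id
        $e.Message
    }
}

# 5. Grep the RRAS trace files written during the capture for the client
#    address so the negotiation can be followed in order.
$tracing = Join-Path $env:windir 'tracing'
Get-ChildItem -Path $tracing -Filter '*.LOG' |
    Where-Object { $_.LastWriteTime -ge $start } |
    Select-String -Pattern $ClientIp -SimpleMatch |
    ForEach-Object { "{0}: {1}" -f $_.Filename, $_.Line }
```

If the Security log shows no IKE events at all for the client address during the window, the IKE_SA_INIT/IKE_AUTH traffic is not reaching the RRAS server (for example the load balancer is not forwarding UDP 500/4500 to it), which is a different problem from a failed authentication. On the iPhone side, the device's own unified log can be read by connecting it to a Mac and opening Console.app, then filtering on the VPN processes (NEIKEv2Provider and nesessionmanager); the IKEv2 client logs the phase in which the negotiation fails there.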
