Apple iOS IKEv2 VPN to Microsoft RRAS

We have a fully functioning AlwaysOn VPN setup for our Windows 10 devices using IKEv2 to two load balanced Windows RRAS servers. We are using certificate authentication, and have separate servers for Radius AAA, two Microsoft NPS servers.

We would like to utilize this same infrastructure for VPN for our iPhones. I have tried numerous permutations of settings on the iOS client and I cannot find a variant that works. I have also looked for anyone else doing iOS with IKEv2 and PKI authentication and cannot find someone with a working config to go off of.

The permutations result in one of two error messages on the iPhone:

User authentication failed
An unexpected error occurred

With either of these errors, I did not see any hits on the NPS servers. So it looks like it is failing before trying to authenticate. I am trying to figure out how to read the logs under %windir%\tracing on the RRAS servers however I am not finding anything useful thus far.

Using MDM to configure iPhones, VPN settings are as follows (anonymized):

Connection name: Test VPN Profile
Server IP: server.domain.com
Split tunnel: disable
Remote identifier: server.domain.com (Note: this matches the IKEv2 server certificate)
Local identifier: null
Client auth type: User Authentication
Auth method: Certificates
Certificate: For testing, I specified the one we are currently using for WiFi auth.
Certificate type: RSA
Dead peer detection rate: medium
Perfect forward secrecy: Enabled
Certificate revocation check: disabled
Use IPv4/IPv6 internal subnet attributes: disabled
Mobility and multihoming (MOBIKE): disabled
Redirect: disabled

Security Association Parameters

Encryption algorithm: AES-128
Integrity algorithm: SHA2-256
Diffie-Hellman group: 14
Lifetime (minutes): 1440

Child Security Association Parameters

Encryption algorithm: AES-128
Integrity algorithm: SHA2-256
Diffie-Hellman group: 14
Lifetime (minutes): 1440

The settings above give me the “An unexpected error occurred” error.

Does anyone have known working iOS VPN settings for Microsoft IKEv2 with PKI that they are willing to share?

Does anyone have any advice on how to read/parse the RRAS %windir%\tracing logs or other RRAS logs to help troubleshoot this?

Are there VPN logs on the iOS iPhone that I am unaware of that can help with this?

I welcome any other thoughts, experiences, resources, or suggestions.

Thank you!

I came across your question while trying to connect iOS devices to RRAS servers with IKEv2.

Microsoft apparently uses the following parameters for IPsec:

  • Encryption: 3DES
  • Authentication/Integrity: SHA-1
  • Key Size: DH Group 2 (1024 bit)

iOS, however, does not. Using PowerShell, you can adjust these (weak) defaults:

Set-VpnServerConfiguration -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SADataSizeForRenegotiationKilobytes 102400

In my case, I just configured a VPN profile using Microsoft Intune and distributed the parameters. Great success! It seems iOS does not allow adjusting these parameters in the GUI, so you might have to create a profile using a Mac (or an MDM solution).

I found all the required commands and information here: https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/

Hope this helps!
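As an added example (not from the thread or from the linked article), here is a PowerShell script that audits each RRAS server's IKEv2 policy against the proposal the iOS profile above sends (AES-128 / SHA2-256 / DH group 14 with PFS) and applies the custom policy only where it differs. It assumes the RemoteAccess module is installed and that it is run elevated on every server behind the load balancer.

```powershell
#Requires -RunAsAdministrator
# Added example: align RRAS IKEv2 transforms with the iOS client proposal.
Import-Module RemoteAccess

# Desired values mirror the iOS/Intune profile in the thread.
# PFS2048 corresponds to DH group 14, which iOS proposes for PFS.
$desired = @{
    AuthenticationTransformConstants    = 'SHA256128'
    CipherTransformConstants            = 'AES128'
    DHGroup                             = 'Group14'
    EncryptionMethod                    = 'AES128'
    IntegrityCheckMethod                = 'SHA256'
    PfsGroup                            = 'PFS2048'
    SADataSizeForRenegotiationKilobytes = 102400
}

$current = Get-VpnServerConfiguration

# Compare as strings so enum values and integers print the same way.
$mismatches = foreach ($key in $desired.Keys) {
    $have = $current.$key
    if ("$have" -ne "$($desired[$key])") {
        [pscustomobject]@{ Setting = $key; Current = $have; Desired = $desired[$key] }
    }
}

if (-not $current.CustomPolicy -or $mismatches) {
    Write-Host "RRAS is on defaults (3DES/SHA-1/DH2) or a non-matching policy; applying custom IKEv2 policy."
    $mismatches | Format-Table -AutoSize
    # Splatting $desired supplies the same parameters as the one-liner in the reply above.
    Set-VpnServerConfiguration -CustomPolicy @desired
    # The policy is only read at service start; restarting drops active tunnels,
    # so drain this node from the load balancer first.
    Restart-Service RemoteAccess -Force
} else {
    Write-Host "RRAS custom IKEv2 policy already matches the iOS proposal."
}

# Final state for the change record.
Get-VpnServerConfiguration |
    Select-Object CustomPolicy, EncryptionMethod, IntegrityCheckMethod, DHGroup, PfsGroup
```

Because the IKE_SA_INIT exchange fails before any EAP or certificate exchange when no proposal matches, a transform mismatch never produces a hit on NPS, which is consistent with the empty NPS logs described in the original post.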

Did anyone get this working yet? We have had an open call to MS for about 4 weeks and we still can’t get it working using certs. The VPN works using a username and password on the iPad but just not a user cert.

Thank you for the response. This is great information.

I am a little confused as to what settings you used in Intune, was it the first set of parameters or the second? I am using Intune as well and trying both did not yield different results. If it would not be too much trouble, could you screenshot or type out what settings you used to get it to work in case it is something as simple as a toggle switch, etc. that I am missing? Also are you using certificates or username/password for authentication?

Thank you in advance

So my configuration in Intune looks like this:

  • Encryption algorithm AES-128
  • Integrity algorithm SHA-256
  • Diffie-Hellman group 14
  • Lifetime (minutes) 480

I am using these parameters for Security Association Parameters as well as Child Security Association Parameters. Also I’ve enabled Perfect forward secrecy.

I’m using RSA certificates for user authentication.

Edit: The first set of parameters (3DES, …) are the RRAS default values. I’ve changed them using the PowerShell command.

Hey mate did you get this working?

We are trying to get the exact same thing working at my work and same issue our iPad comes back with user authentication error as soon as we try to connect!

Cheers

I have not gotten it working yet, I have tried a few things, with no success. However I have not had a lot of time to spend on it. I am hoping to prioritize looking into it in November. I will post if I find a solution or make progress.

Best of luck!

Hi Mate, How about now? Any joy?

Unfortunately I have not. I ended up purchasing a Cisco Anyconnect solution in the end. Wish I had better news for you.