Looking for an example .mobileconfig macOS profile for IKEv2 VPN XAuth

[gctwnl]

I have a setup where I have a working IKEv2 using a certificate for the server and username/password (FreeRADIUS on the OPNsense side). This works for macOS and not for iOS. And it only works if I tell Phase 2 on the OPNsense side to tell the client to tunnel only to my OPNsense LAN network (Local Subnet)

I would like to be able to send all traffic through that IPsec link, for that I can enter Network 0.0.0.0/0 in Phase 2. But when I do that, the client cannot send or receive traffic from the internet at large. It only works with a partial VPN.

I have seen some information that I need to set that "send all traffic over VPN" at the macOS side as well, but the only way to do that is to create a .mobileconfig in Apple Configurator and edit that to include that setting (by hand) in the XML:

Code: [Select]

<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
But maybe that no longer works.

So, as a first step, I tried recreating the manually created IKEv2 VPN on the macOS client (the one that works). But if I try that, macOS (Monterey) complains that there is a 'configuration error' and it immediately fails without trying to set up the VPN.

So, exactly the same VPN connection, one entered by hand and one entered via a profile, one works, one not. I tried a lot of other things based on internet articles, but I haven't been able to create a .mobileconfig that works and that combines a certificate for IKEv2 in combination with Xauth (username password) so that I can use FreeRADIUS on the opnsense router.

Is there anyone who has a working .mobileconfig (even without 'all traffic over VPN') so that I can use that as a basis to solve the 'all traffic' issue?

[gctwnl]

I have a setup where I have a working IKEv2 using a certificate for the server and username/password (FreeRADIUS on the OPNsense side). This works for macOS and not for iOS. And it only works if I tell Phase 2 on the OPNsense side to tell the client to tunnel only to my OPNsense LAN network (Local Subnet)
...

I was able to get IKEv2 EAP-RADIUS to work with iOS with all traffic over the VPN without a .mobileconfig file and macOS/iOS devices where each device gets its own IP based o the RADIUS User info. The key elements were:

• In FreeRADIUS Users:
  
  • Provide the IP Address and the Subnet Mask
  • In Routes, add the IP-range of your LAN
• In Mobile Clients:
  
  • Do not provide a range in Virtual IPv4 Address Pool (if you do, it overrides the RADIUS settings)
  • Provide a domain name and a list of split domain names (probably not important)
• In Phase 1:
  
  • Connection method: default, Key Exchange V2
  • Method EAP-RADIUS, My Identifier: Distinguished Name and name is the reverse resolvable FQDN
  • encryption algorithms: AES256, hash algorithms: SHA1 & SHA256, DH: 14
• In Phase 2:
  
  • set Local Network to "Network, 0.0.0.0/0" (all traffic over the tunnel)
  • encryption algorithms: AES256, hash algorithms: SHA1 & SHA256
• In Firewall settings:
  
  • Disable force gateway turned on

On the device (macOS, iOS) make sure the certificate and the 'certificate authority' certificate are installed.  Make sure in macOS that they are trusted.