Configure iOS and macOS Devices for Mobile VPN with IKEv2

You can configure the native IKEv2 VPN client on iOS and macOS devices for a VPN connection to your Firebox. Fireboxes with Fireware v12.1 or higher support Mobile VPN with IKEv2.

To add the VPN connection, you can:

  • Automatically Configure VPN Settings
  • Manually Configure VPN Settings

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Automatically Configure VPN Settings

To automatically configure a VPN connection with a profile provided by WatchGuard, you must download a .TGZ file from your Firebox and extract the contents. This compressed file contains a README.txt instruction file and a .MOBILECONFIG profile. For information about how to download this file, see Configure Client Devices for Mobile VPN with IKEv2.

The profile creates a new IKEv2 VPN connection. It also installs the required CA certificate for the VPN connection.
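Before you install the profile, you can check what it will add to the device. The following Python sketch is an added example, not WatchGuard code: it reads an unsigned .mobileconfig file, lists the certificate and VPN payloads, and flags a server address or Remote ID that differs from the Firebox address you expect. The sample profile, the host name vpn.example.com, and the function name summarize_profile are constructed for illustration; the payload keys are Apple configuration profile keys, and the profile your Firebox generates may contain different values.

```python
import hashlib
import plistlib

# Constructed sample profile (not a real WatchGuard profile). The host name,
# display name and certificate bytes are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.root",
            "PayloadDisplayName": "Example Root CA",
            "PayloadContent": b"constructed-placeholder-DER-bytes",
        },
        {
            "PayloadType": "com.apple.vpn.managed",
            "VPNType": "IKEv2",
            "IKEv2": {
                "RemoteAddress": "vpn.example.com",
                "RemoteIdentifier": "vpn.example.com",
                "AuthenticationMethod": "None",
            },
        },
    ],
})


def summarize_profile(raw: bytes, expected_server: str) -> dict:
    """Return what the profile would install and any reasons to stop."""
    try:
        profile = plistlib.loads(raw)
    except Exception as exc:  # signed (CMS-wrapped) or damaged profiles land here
        raise ValueError("not a plain plist; unwrap a signed profile first") from exc
    summary = {"certificates": [], "vpn": [], "other": [], "warnings": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in ("com.apple.security.root", "com.apple.security.pkcs1"):
            # SHA-256 of the embedded bytes; this is the certificate
            # fingerprint when the payload is DER-encoded.
            digest = hashlib.sha256(payload["PayloadContent"]).hexdigest()
            summary["certificates"].append((payload.get("PayloadDisplayName"), digest))
        elif ptype == "com.apple.vpn.managed":
            ike = payload.get("IKEv2", {})
            server, remote_id = ike.get("RemoteAddress"), ike.get("RemoteIdentifier")
            summary["vpn"].append((payload.get("VPNType"), server, remote_id))
            if server != expected_server or remote_id != expected_server:
                summary["warnings"].append(f"unexpected server {server!r} / remote ID {remote_id!r}")
        else:
            summary["other"].append(ptype)
            summary["warnings"].append(f"unexpected payload type {ptype!r}")
    return summary
```

Compare the reported certificate digest with the fingerprint of the CA certificate on the Firebox, and install the profile only when the warnings list is empty.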

To automatically add a new IKEv2 VPN profile in macOS:

  1. Send the .mobileconfig file to your macOS computer.
  2. To import the file, double-click it. A Profile Installation message appears.
  3. Select System Preferences > Profiles.
  4. In the Profiles window, select the client profile.
  5. Click Install.
  6. When prompted to confirm the installation, click Install.
  7. From the Apple menu, select System Preferences > Network.
  8. To connect to the VPN, click the VPN connection that you added and click Connect.

To automatically add a new IKEv2 VPN profile in iOS:

  1. Send the .mobileconfig file to your iOS device.
  2. Open the message in the native iOS mail app and tap the .mobileconfig file.
    A Profile Downloaded message appears.
  3. Open the profile:
    (iOS 16) Tap Settings > General > VPN & Device Management.
    (iOS 15) Tap Settings > General > VPN & Device Management.
    (iOS 14) Tap Settings > General > Profile. In the Downloaded Profile section, tap the profile.
  4. Tap Install > Next > Install > Install.
  5. (Required) Specify the username and password.
    On iOS devices, you must type the user name and password when prompted. If you do not specify a user name and password, the VPN profile is created but does not work.
  6. Tap Done.
  7. On the Settings screen, tap VPN.
  8. To connect to the VPN, tap the VPN connection that you added.
  9. Slide the Status toggle to Connecting.

Manually Configure VPN Settings

You can manually add a new VPN connection rather than use the profile provided by WatchGuard.

To manually add a new IKEv2 VPN connection in macOS:

  1. Send the rootca.crt or rootca.pem file to your macOS computer.
  2. To install the certificate, click it.
    The Keychain Access application opens.
  3. Add the certificate to the existing list.
  4. Find the certificate in the list and double-click it.
  5. Expand the Trust menu. Change When using this certificate to Always Trust.
  6. From the Apple menu, select System Preferences > Network.
  7. To add a new service, click the + symbol.
  8. To configure the VPN, specify these settings:
    • Interface: VPN
    • VPN Type: IKEv2
    • Service Name: [Descriptive name such as MyCompany IKEv2 VPN]
  9. Click Create.
  10. On the next screen, specify these settings:
    • Server Address: [Firebox domain name or IP address configured for IKEv2 client connections]
    • Remote ID: [Firebox domain name or IP address configured for IKEv2 client connections]
  11. Click Authentication Settings and specify the user information:
    • Authentication Settings: Username
    • Username: [Your mobile VPN username]
    • Password: (Optional) To save your password for later use, specify it now.
  12. Click OK and then click Apply.
  13. To connect to the VPN, from the Apple menu, select System Preferences > Network.
  14. Click the VPN connection you added and click Connect.

To manually add a new IKEv2 VPN connection in iOS:

  1. Send the rootca.crt or rootca.pem file to your iOS device.
  2. To install the certificate, tap it. A Profile Downloaded message appears.
  3. (iOS 15) Tap Settings > General > VPN & Device Management > Install > Install > Done.
  4. Add a VPN Configuration:
    (iOS 16) Tap Settings > General > VPN & Device Management > VPN.
    (iOS 15) Tap Settings > General > VPN & Device Management > VPN.
    (iOS 14) Tap Settings > VPN.
  5. Click Add VPN Configuration.
  6. To configure the VPN, specify these settings:
    • Type: IKEv2
    • Description: [Descriptive name such as MyCompany IKEv2 VPN]
    • Server: [Host name or IP address of the Firebox]
    • Remote ID: [Host name or IP address of the Firebox]
    • User Authentication: Username
    • Username: [Firebox domain name or IP address configured for IKEv2 client connections]
    • Password: [Firebox domain name or IP address configured for IKEv2 client connections]
    On iOS devices, you must type the user name and password when prompted. If you do not specify a user name and password, the VPN profile is created but does not work.
  7. Tap Done.
  8. To connect to the VPN, on the VPN screen, slide the Status toggle to Connecting.

Related Topics

About Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Troubleshoot Mobile VPN with IKEv2