Configure iOS and macOS Devices for Mobile VPN with IKEv2

You can configure the native IKEv2 VPN client on iOS and macOS devices for a VPN connection to your Firebox. Fireboxes with Fireware v12.1 or higher support Mobile VPN with IKEv2.

To add the VPN connection, you can:

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Automatically Configure VPN Settings

To automatically configure a VPN connection with a profile provided by WatchGuard, you must download a .TGZ file from your Firebox and extract the contents. This compressed file contains a README.txt instruction file and a .MOBILECONFIG profile. For information about how to download this file, see Configure Client Devices for Mobile VPN with IKEv2.

The profile creates a new IKEv2 VPN connection. It also installs the required CA certificate for the VPN connection.

In Fireware v12.9 or higher, the Mobile VPN with IKEv2 configuration on the Firebox includes settings for split tunneling. If you configure split tunneling, the .MOBILECONFIG profile that you download from the Firebox and run on macOS and iOS devices includes a key that indicates clients should use the routes sent by the Firebox.

After you install the client configuration files:

  • The internal resources that you added to the Allowed Network Addresses list in the Mobile VPN with IKEv2 configuration are added to the routing table on the client. These routes are added on the client only when the connection is established.
  • These routes are bound to the specified VPN connection on the client. If the user computer has multiple VPN connections configured, these routes are not bound to the other VPN connections.
  • When the connection disconnects, these routes are deleted from the routing table on the client.

If you edit the Allowed Network Addresses list on the Firebox after you download and install the client configuration files on user computers:

  • Download updated client configuration files from the Firebox and reinstall those on user computers.
  • If you remove a host or network from the Allowed Network Addresses list, but you do not install updated client configuration files on user computers, VPN clients can initiate traffic to that host or network, but the Firebox denies the traffic.

You can also configure a full tunnel (default route) VPN. For information about split tunnel and full tunnel settings on the Firebox, see Edit the Mobile VPN with IKEv2 Configuration.

For information about split tunnel and full tunnel settings on clients, see Internet Access Through a Mobile VPN with IKEv2 Tunnel.

In Fireware v12.8.x or lower, you cannot configure split tunneling in the Mobile VPN with IKEv2 configuration on the Firebox. Fireware v12.8.x or lower supports connections from Mobile VPN with IKEv2 clients configured for split tunneling. However, you must manually configure IKEv2 clients for split tunneling. For example, you must manually add routes on the client computer for each remote network that you require access to. For Fireboxes with Fireware v12.8.x or lower, we do not provide customer support for split tunnel configurations on IKEv2 clients. See the documentation provided by your VPN client vendor. If you require split tunneling in Fireware v12.8.x or lower, we recommend that you use Mobile VPN with SSL. For information about Mobile VPN with SSL and split tunneling, see Options for Internet Access Through a Mobile VPN with SSL Tunnel.

In Fireware v12.9 or higher, the WatchGuard .MOBILECONFIG profile includes a domain name suffix if you specify one in the network (global) DNS settings on the Firebox. In the Mobile VPN with IKEv2 configuration on the Firebox, you must select Assign the Network DNS/WINS settings to mobile clients. Mobile VPN clients inherit the domain name suffix.

For information about how to configure the network (global) DNS settings on the Firebox, see Configure Network DNS and WINS Servers.

For information about DNS settings in the Mobile VPN with IKEv2 configuration on the Firebox, see Edit the Mobile VPN with IKEv2 Configuration.

In the WatchGuard .MOBILECONFIG profile, the DomainName key in the IKEv2 dictionary value sets domain name suffix. The DomainName key is available in iOS 10.0 or later and macOS 10.12 or later.

In Fireware v12.8.x or lower, Mobile IKEv2 clients do not inherit a domain name suffix from the Firebox.

To automatically add a new IKEv2 VPN profile in macOS:

  1. Send the .mobileconfig file to your macOS computer.
  2. To import the file, double-click it. A Profile Installation message appears.
  3. Select System Preferences > Profiles.
  4. In the Profiles window, select the client profile.
  5. Click Install.
  6. When prompted to confirm the installation, click Install.
  7. From the Apple menu, select System Preferences > Network.
  8. To connect to the VPN, click the VPN connection that you added and click Connect.

To automatically add a new IKEv2 VPN profile in iOS:

  1. Send the .mobileconfig file to your iOS device.
  2. Open the message in the native iOS mail app and tap the .mobileconfig file.
    A Profile Downloaded message appears.
  3. Open the profile:
    (iOS 15) Tap Settings > Profile Downloaded.
    (iOS 14) Tap Settings > General > Profile. In the Downloaded Profile section, tap the profile.
  4. Tap Install > Next > Install > Install.
  5. (Required) Specify the username and password.

    6. On iOS devices, you must type the user name and password when prompted. If you do not specify a user name and password, the VPN profile is created but does not work.

  6. Tap Done.
  7. On the Settings screen, tap VPN.
  8. To connect to the VPN, tap the VPN connection that you added.
  9. Slide the Status toggle to Connecting.

Manually Configure VPN Settings

You can manually add a new VPN connection rather than use the profile provided by WatchGuard.

To manually add a new IKEv2 VPN connection in macOS:

  1. Send the rootca.crt or rootca.pem file to your macOS computer.
  2. To install the certificate, click it.
    The Keychain Access application opens.
  3. Add the certificate to the existing list.
  4. Find the certificate in the list and double-click it.
  5. Expand the Trust menu. Change When using this certificate to Always Trust.
  6. From the Apple menu, select System Preferences > Network.
  7. To add a new service, click the + symbol.
  8. To configure the VPN, specify these settings:
  • Interface: VPN
  • VPN Type: IKEv2
  • Service Name: [Descriptive name such as MyCompany IKEv2 VPN]
  1. Click Create.
  2. On the next screen, specify these settings:
  • Server Address: [Firebox domain name or IP address configured for IKEv2 client connections]
  • Remote ID: [Firebox domain name or IP address configured for IKEv2 client connections]
  1. Click Authentication Settings and specify the user information:
  • Authentication Settings: Username
  • Username: [Your mobile VPN username]
  • Password: (Optional) To save your password for later use, specify it now.
  1. Click OK and then click Apply.
  2. To connect to the VPN, from the Apple menu, select System Preferences > Network.
  3. Click the VPN connection you added and click Connect.

To manually add a new IKEv2 VPN connection in iOS:

  1. Send the rootca.crt or rootca.pem file to your iOS device.
  2. To install the certificate, tap it. A Profile Downloaded message appears.
  3. (iOS 15) Tap Settings > Profile Downloaded > Install > Install > Done.
  4. Add a VPN Configuration:
    (iOS 15) Tap Settings > General > VPN & Device Management > VPN.
    (iOS 14) Tap Settings > VPN.
  5. Click Add VPN Configuration.
  6. To configure the VPN, specify these settings:
  • Type: IKEv2
  • Description: [Descriptive name such as MyCompany IKEv2 VPN]
  • Server: [Host name or IP address of the Firebox]
  • Remote ID: [Host name or IP address of the Firebox]
  • User Authentication: Username
  • Username: [Firebox domain name or IP address configured for IKEv2 client connections]
  • Password: [Firebox domain name or IP address configured for IKEv2 client connections]

    • On iOS devices, you must type the user name and password when prompted. If you do not specify a user name and password, the VPN profile is created but does not work.

  1. Tap Done.
  2. To connect to the VPN, on the VPN screen, slide the Status toggle to Connecting.

See Also

About Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Troubleshoot Mobile VPN with IKEv2