Tutorial: Make your own .mobileconfig for OSX IKEv2 Certificate VPNs

StefanZ (Master Member, 190 posts)
edited March 2023 in Security

OK, since I am a friend of having computers do my work for me, I started looking into those configuration profiles for OSX/iOS. Who wants to manually set up three dozen VPN-profiles by hand for various users? I sure don't!

Basically a profile lets you administer certain parts of OSX and iOS – from very basic things like forbidding background images on the users' desktop to corporate stuff like "this Mac may only use eth0 via this proxy, LDAP and this certificate – anything else will be logged and blocked". The same goes for pre-configured VPN profiles, which allow simple, reproducible deployment, revocation and replacement.

You send a user the profile, the user opens it and it becomes available in System Preferences > Profiles. From there it can be installed or rejected.

My FLEX series (and other Zyxel devices) can generate profiles – but ONLY in the context of using the wizard. Since the wizard messes around with existing settings and doesn't even offer all options you might need – let alone allowing you to change details of the config afterwards – I decided to do it manually.

This tutorial is about that…

WARNINGS

  • Anyone in possession of your profile can connect to your VPN gateway. Let that sink in and act accordingly!
  • When you embed the user-pass in the file, it will be clear text. It's more secure to type in the password after installation of the profile. You can do that in System Preferences > Network > Authentication Settings.
  • After installation, OSX copies the profile to a very secure place. The profile you sent the user is possibly still in their mail account, on their desktop or wherever they put it. Make sure to delete these non-secured copies, or use a deployment tool for OSX admins to remote-install profiles so they never get exposed in the first place.

What you need:

1 - A Mac OSX or iOS device that will be our VPN client (the wizard also generates Android/Windows profiles, I haven't looked into those)

2 - A new Certificate on your Zyxel FLEX. Default values work for me, tick all usage options at the bottom. The Subject Information you enter here will later have to match the VPN gateway Local-ID. I use Host Domain Name with the DDNS hostname of the corresponding WAN interface.
Generate the cert, then open it and copy the "Certificate in PEM (Base-64) Encoded Format" part at the bottom – that is the certificate (i.e. the gateway's public key plus subject, no private key) we will embed into the .mobileconfig.

3 - A new VPN Gateway preset. Make sure to click Show Advanced Options! Use IKEv2 and set the hostname/subject information you used for the certificate, so you can choose that cert for auth. The server's local ID Type & Content will also be defined by this. The phase-1 proposal seen here works for me on OSX/iOS, not sure if it is "optimal". Enable Extended Authentication Protocol and pick the users you want to allow on this gateway.

4 - A new VPN Connection preset. Set Remote Access (Server Role), the gateway we just added, choose a Local Policy and a suitable Configuration Payload > IP Address Pool to drop your clients into once they are connected.

This concludes the preparations, now we will edit the .mobileconfig…

I based my file on one I downloaded from the wizard. I added some options and put in comments for most things. Find a template .mobileconfig attached at the bottom of this post.
I marked all the options you must / can edit with #EDIT# – so search for those.

You will need a couple of UUIDs, so use Terminal.app and uuidgen to generate those conveniently. UUIDs distinguish profiles/payloads from each other. If you don't make those unique, a new profile will replace an existing one, or a cert will be wrongly registered/used, resulting in a failed connection.

Fill in the PEM key, UUIDs, your texts and names.

Then save and double-click the profile – it should now be available for install in System Preferences > Profiles.

In case you have a bad typo in your profile (remember: XML!), you might get a constant warning when trying to access Profiles – the only way to get rid of this is to reboot the Mac, so OSX clears the profiles cache. There is an OSX command-line tool named profiles that can show / manipulate profiles, but it seems that even sudo ain't cuttin' it anymore these days (OSX 12/13). It's one of those folders only the kernel has access to. You can list profiles, but not remove/edit anything.

Here is the template .mobileconfig file:
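The attached template itself is not reproduced on this page. As an added example (my own code, not the author's attached file and not the FLEX wizard's output), the Python script below assembles the same kind of profile from the pieces gathered in steps 2 to 4: the gateway's PEM certificate, the gateway hostname that doubles as its Local ID, the client's ID and the EAP user name. It generates a fresh UUID per payload and, by default, leaves the password out of the file, matching the warnings above. Payload key names follow Apple's Configuration Profile Reference for the com.apple.vpn.managed and com.apple.security.root payloads; everything else is an assumption that must be changed to fit your gateway: the placeholder hostnames, identifiers and organisation, the AES-256 / SHA2-256 / DH group 14 proposal, and the combination AuthenticationMethod "None" plus ExtendedAuthEnabled 1 for EAP username/password with the server authenticated by its certificate. The PEM block in the script is a constructed stand-in, not a real certificate.

```python
"""Assemble an IKEv2 .mobileconfig from a gateway PEM certificate, its hostname,
a client ID and an EAP user name.  Added example, not the author's template or
the FLEX wizard's output.  Key names follow Apple's Configuration Profile
Reference; hostnames, identifiers, organisation and proposal values are
placeholders / assumptions that must match your gateway."""
import base64
import plistlib
import re
import uuid

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the Base-64 body to DER, which is what a
    com.apple.security.root payload carries in its <data> element."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def new_uuid() -> str:
    """Fresh upper-case UUID. The profile and every payload need a distinct one,
    otherwise a later install replaces the earlier payload (uuidgen equivalent)."""
    return str(uuid.uuid4()).upper()


def build_profile(gateway, client_id, username, pem, org="Example Org", password=None):
    """Return the .mobileconfig as XML plist bytes.  AuthPassword is only written
    when explicitly passed; omitted, the user types it after installing the profile
    and the file carries no clear-text credential."""
    cert_uuid, vpn_uuid, profile_uuid = new_uuid(), new_uuid(), new_uuid()
    # Assumed proposal; must match the gateway's phase-1 / phase-2 proposal.
    proposal = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
                "DiffieHellmanGroup": 14, "LifeTimeInMinutes": 1440}
    ikev2 = {
        "RemoteAddress": gateway,
        "RemoteIdentifier": gateway,            # must equal the gateway's Local ID
        "LocalIdentifier": client_id,           # must equal the gateway's Peer ID
        "AuthenticationMethod": "None",         # no client certificate; the client
        "ExtendedAuthEnabled": 1,               # authenticates via EAP (Apple: 0 / 1)
        "AuthName": username,
        "ServerCertificateIssuerCommonName": gateway,   # self-signed: issuer == subject
        "ServerCertificateCommonName": gateway,
        "IKESecurityAssociationParameters": proposal,
        "ChildSecurityAssociationParameters": dict(proposal),
        "DeadPeerDetectionRate": "Medium",
        "DisableMOBIKE": 0,
        "EnablePFS": 1,
    }
    if password is not None:
        ikev2["AuthPassword"] = password        # stored in clear text in the file!
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.vpn.{vpn_uuid}",   # placeholder reverse-DNS
        "PayloadUUID": vpn_uuid,
        "PayloadDisplayName": f"VPN {gateway}",
        "UserDefinedName": f"VPN {gateway}",
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
        "IPv4": {"OverridePrimary": 0},
    }
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.cert.{cert_uuid}",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": f"{gateway} certificate",
        "PayloadCertificateFileName": f"{gateway}.cer",
        "PayloadContent": pem_to_der(pem),     # serialised as <data> (Base-64 of the DER)
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.{profile_uuid}",
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": f"IKEv2 VPN to {gateway}",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [cert_payload, vpn_payload],
    }
    return plistlib.dumps(profile)


def parse_profile(data: bytes) -> dict:
    """Read a generated profile back (used to check the result before shipping it)."""
    return plistlib.loads(data)


# Constructed stand-in for the PEM block copied from the FLEX GUI: NOT a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    data = build_profile("vpn.example.com", "alice@example.com", "alice", SAMPLE_PEM)
    with open("vpn.example.com.mobileconfig", "wb") as fh:
        fh.write(data)
```

Run it once per user (or loop over a user list), then double-click the resulting file as described above. Because the plist is produced by a serialiser rather than edited by hand, the "bad typo, reboot to clear the cache" failure mode cannot occur; on the Mac, `plutil -lint file.mobileconfig` is still a cheap check before the file reaches the Profiles pane.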

Side notes on OSX and VPN connection settings:

  • When you use "email" as an ID – be it local or remote – OSX expects this mail to be correctly formatted as in xxx.yyy.com. Zyxel documentation states "any string" and while that might be correct in terms of "adhering to the RFC", on OSX you need to make it a well-formed string!
  • Authentication Settings has three options – and even though those are made to look mutually exclusive by using a select menu, they are not! You can set a user/pass and still enter a PSK in the other section (if you use PSK plus user/pass). The cert used by this profile is automatically chosen; it will not show up when you press "Certificate…" here.

Some side notes towards Zyxel devs:

  • Please add an option to generate profiles from the GUI – without going through the wizard!
  • I am no XML expert, but the Apple documentation states to use values 0 | 1 for boolean values, while the FLEX wizard generates <true /> / <false /> for some keys. XML is pretty flexible though (as in: "offers half a dozen ways to set a bool"), no idea if it matters.

All Replies

  • Zyxel_Jeff (Zyxel Employee, 1,059 posts)

    Hi @StefanZ

    Really appreciate your sharing useful and valuable experience👍! Besides, regarding this requirement

    "Please add an option to generate profiles from the GUI – without going through the wizard!", it has already been transferred to our new feature development queue. Thanks.

  • StefanZ (Master Member, 190 posts)

    "It has already been transferred to our new feature development queue."

    Oh, that's great news!
