(1) a SCEP request to obtain a key/cert pair signed by the SCEP server
(2) an OVPN profile that uses the cert that was signed/sent in step-1 above
I want this VPN to be used/initiated by the user when s/he wants it, instead of being tied to a connection rule, i.e., not based on domain names, but based on the user swiping the connect button from 0 to 1.
So far, I am able to get the configuration profile accepted by the phone, and show the VPN profile under VPN settings, as well as showing it in the OpenVPN connection list.
However, this profile ends up being recognized as a "VPN-On-Demand profile". The net effect is twofold:
(1) iOS VPN settings screen tells me to use the OpenVPN app to start the connection
(2) OpenVPN does not allow me to start the connection; Connection button is greyed out / in OFF position.
QUESTIONS / REQUIREMENTS:
How can I allow my users:
(1) to start OpenVPN connection when they want,
(2) using a cert that was created as part of the SCEP process,
(3) where the cert is used in OpenVPN authentication process (no username/password)
Final configuration profile that gets sent to the iPhone (in EncryptedPayloadContent format):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>PayloadContent</key>
        <dict>
            <key>Challenge</key>
            <string>foo</string>
            <key>Key Type</key>
            <string>RSA</string>
            <key>Key Usage</key>
            <integer>5</integer>
            <key>Keysize</key>
            <integer>1024</integer>
            <key>Name</key>
            <string>VPNCertificate</string>
            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>O</string>
                        <string>bin919.tk</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>CN</string>
                        <string>VPNCertificate (ebbda99c-3b52-4602-9f44-1a0531dde2f7)</string>
                    </array>
                </array>
            </array>
            <key>URL</key>
            <string>https://x-wing-air13.local:5000/scep</string>
        </dict>
        <key>PayloadDescription</key>
        <string>Provides device encryption identity</string>
        <key>PayloadDisplayName</key>
        <string>VPNCertificate</string>
        <key>PayloadIdentifier</key>
        <string>tk.bin919.encryption-cert-request</string>
        <key>PayloadOrganization</key>
        <string>bin919.tk</string>
        <key>PayloadType</key>
        <string>com.apple.security.scep</string>
        <key>PayloadUUID</key>
        <string>321387af-7a23-409f-8efa-1cafa2473dcc</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    <dict>
        <key>PayloadDescription</key>
        <string>Install this profile to access the VPN service</string>
        <key>PayloadDisplayName</key>
        <string>bin919.tk VPN Service Configuration</string>
        <key>PayloadIdentifier</key>
        <string>tk.bin919.vpn.VPNService</string>
        <key>PayloadOrganization</key>
        <string>bin919.tk</string>
        <key>PayloadType</key>
        <string>com.apple.vpn.managed</string>
        <key>PayloadUUID</key>
        <string>a3ca392b-2b8d-4b9d-8f97-bc0557c6316b</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>VPN</key>
        <dict>
            <key>AuthenticationMethod</key>
            <string>Certificate</string>
            <key>PayloadCertificateUUID</key>
            <string>321387af-7a23-409f-8efa-1cafa2473dcc</string>
            <key>RemoteAddress</key>
            <string>vpn.bin919.tk</string>
        </dict>
        <key>VPNSubType</key>
        <string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
        <key>VPNType</key>
        <string>VPN</string>
        <key>VendorConfig</key>
        <dict>
            <key>client</key>
            <string>NOARGS</string>
            <key>comp-lzo</key>
            <string>NOARGS</string>
            <key>dev</key>
            <string>tun</string>
            <key>nobind</key>
            <string>NOARGS</string>
            <key>redirect-gateway</key>
            <string>NOARGS</string>
            <key>remote</key>
            <string>vpn.bin919.tk</string>
        </dict>
    </dict>
</array>
</plist>
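An added example, not code from the post or from OpenVPN: a small linter for the decrypted EncryptedPayloadContent array that checks the things a reviewer would look at in the profile above and emits a corrected copy. It assumes (from the iOS configuration profile reference, not stated in the post) that a certificate-authenticated `com.apple.vpn.managed` payload without an explicit `OnDemandEnabled` = 0 is treated as an On Demand configuration, which would explain the greyed-out connect switch; it also flags the 1024-bit RSA key request, a SCEP URL that is not HTTPS, a `PayloadCertificateUUID` that does not point at a SCEP payload in the same profile, and a `VendorConfig` `remote` that disagrees with `VPN.RemoteAddress`. The embedded sample is a constructed, shortened copy of the two payloads from the post (Subject and display names omitted); the 2048-bit minimum is the example's own policy choice.

```python
#!/usr/bin/env python3
"""Lint the decrypted EncryptedPayloadContent array of an iOS profile for the
settings that keep a certificate-authenticated OpenVPN Connect payload from
being user-started, then emit a corrected copy (added example, not the post's code)."""
import copy
import plistlib
import sys

# Constructed sample: the two payloads from the post, shortened.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
 <dict>
  <key>PayloadType</key><string>com.apple.security.scep</string>
  <key>PayloadUUID</key><string>321387af-7a23-409f-8efa-1cafa2473dcc</string>
  <key>PayloadContent</key>
  <dict>
   <key>URL</key><string>https://x-wing-air13.local:5000/scep</string>
   <key>Key Type</key><string>RSA</string>
   <key>Keysize</key><integer>1024</integer>
  </dict>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>PayloadUUID</key><string>a3ca392b-2b8d-4b9d-8f97-bc0557c6316b</string>
  <key>VPNType</key><string>VPN</string>
  <key>VPNSubType</key><string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
  <key>VPN</key>
  <dict>
   <key>AuthenticationMethod</key><string>Certificate</string>
   <key>PayloadCertificateUUID</key><string>321387af-7a23-409f-8efa-1cafa2473dcc</string>
   <key>RemoteAddress</key><string>vpn.bin919.tk</string>
  </dict>
  <key>VendorConfig</key>
  <dict>
   <key>client</key><string>NOARGS</string>
   <key>dev</key><string>tun</string>
   <key>remote</key><string>vpn.bin919.tk</string>
  </dict>
 </dict>
</array>
</plist>
"""

MIN_RSA_BITS = 2048  # policy choice for this example, not an Apple or OpenVPN requirement


def load_payloads(data):
    """Parse the plist; decrypted EncryptedPayloadContent is an array of payload dicts."""
    payloads = plistlib.loads(data)
    if not isinstance(payloads, list):
        raise ValueError("expected a top-level <array> of payloads")
    return payloads


def lint_profile(payloads):
    """Return 'code: message' findings; an empty list means nothing to report."""
    findings = []
    scep = {p["PayloadUUID"]: p for p in payloads
            if p.get("PayloadType") == "com.apple.security.scep"}
    for uid, p in scep.items():
        content = p.get("PayloadContent", {})
        url = content.get("URL", "")
        if not url.startswith("https://"):
            findings.append(f"scep-url: {uid} enrolls over {url!r}, not https")
        if content.get("Key Type") == "RSA" and content.get("Keysize", 0) < MIN_RSA_BITS:
            findings.append(f"keysize: {uid} requests {content.get('Keysize')}-bit RSA; "
                            f"use >= {MIN_RSA_BITS}")
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        vpn = p.get("VPN", {})
        if p.get("VPNType") != "VPN" or not p.get("VPNSubType"):
            findings.append("vpntype: a third-party plugin needs VPNType=VPN plus a VPNSubType")
        if vpn.get("AuthenticationMethod") == "Certificate":
            if vpn.get("PayloadCertificateUUID") not in scep:
                findings.append("cert-ref: PayloadCertificateUUID names no SCEP payload in this profile")
            # Assumption: without an explicit OnDemandEnabled=0, iOS treats a
            # certificate-authenticated VPN as On Demand and owns the connect switch.
            if vpn.get("OnDemandEnabled") != 0 or "OnDemandRules" in vpn:
                findings.append("ondemand: set VPN.OnDemandEnabled=0 and drop OnDemandRules "
                                "for a user-started tunnel")
        remote = p.get("VendorConfig", {}).get("remote")
        if remote and remote.split()[0] != vpn.get("RemoteAddress"):
            findings.append(f"remote: VendorConfig remote {remote!r} != "
                            f"VPN.RemoteAddress {vpn.get('RemoteAddress')!r}")
    return findings


def fix_profile(payloads):
    """Return a deep copy with the key size raised and On Demand explicitly disabled."""
    fixed = copy.deepcopy(payloads)
    for p in fixed:
        if p.get("PayloadType") == "com.apple.security.scep":
            content = p.setdefault("PayloadContent", {})
            if content.get("Key Type") == "RSA" and content.get("Keysize", 0) < MIN_RSA_BITS:
                content["Keysize"] = MIN_RSA_BITS
        elif p.get("PayloadType") == "com.apple.vpn.managed":
            vpn = p.setdefault("VPN", {})
            if vpn.get("AuthenticationMethod") == "Certificate":
                vpn["OnDemandEnabled"] = 0
                vpn.pop("OnDemandRules", None)
    return fixed


def fixed_profile_bytes(data):
    """Lint-then-fix round trip: parse, correct, and serialise back to XML plist bytes."""
    return plistlib.dumps(fix_profile(load_payloads(data)))


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for finding in lint_profile(load_payloads(raw)):
        print("finding:", finding, file=sys.stderr)
    sys.stdout.write(fixed_profile_bytes(raw).decode())
```

Run it with the decrypted profile as the first argument (or without arguments to use the embedded sample): findings go to stderr, the corrected plist to stdout, so it can be fed straight back into whatever signs and encrypts the profile for the device.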