I had a configuration profile that I had set up on iOS 6, so that when a certain URL is hit, the VPN kicks in.

I was doing this using the following configuration profile keys:

<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandMatchDomainsAlways</key>
<array>
    <string>my_homepage.com</string>
</array>

On iOS 6, this appears to work fine. However, in iOS 7, it looks like OnDemandMatchDomainsAlways has been deprecated in favor of the OnDemandRules key, and the default behavior of "OnDemandMatchDomainsAlways" is now to behave like "OnDemandMatchDomainsOnRetry". So now, I am trying to get my previous setup to work on iOS 7 by using the OnDemandRules key, as follows:

<key>OnDemandRules</key>
<array>
    <dict>
        <key>Action</key>
        <string>Connect</string>
        <key>DNSDomainMatch</key>
        <array>
            <string>my_homepage.com</string>
        </array>
    </dict>
</array>

I also tried setting it up using this method:

<key>OnDemandRules</key>
<array>
    <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
            <dict>
                <key>Domains</key>
                <array>
                    <string>url-that-redirects-if-vpn-off.com</string>
                </array>
                <key>DomainAction</key>
                <string>ConnectIfNeeded</string>
            </dict>
        </array>
    </dict>
</array>

However, none of these methods seems to work. Does anyone know how to set up an iOS VPN profile so that the VPN On Demand feature works on iOS 7 the same way it did on iOS 6?

Thanks in advance,

Hawkeye001

3 Answers

I ran into the same problem and was able to get on-demand functionality again by placing the OnDemandRules key as part of the IPSec block, i.e.,

<key>IPSec</key>
<dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>

    <!-- Other IPSEC VPN properties here. -->

    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <key>OnDemandRules</key>
    <array>
        <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>DNSDomainMatch</key>
            <array>
                <string>my_homepage.com</string>
            </array>
        </dict>
    </array>
</dict>

Note that this contradicts the published Configuration Profile Reference document. But, in my case, it made things work.

ricardog
  • Hi @ricardog: Thanks very much for your blog, it is really helpful, but I think you should give a sample configuration profile on your blog. – M.Shuaib Imran May 12 '14 at 14:35

This snippet worked for me. I've tried to emulate "always connect" behaviour.

<key>IPSec</key>
<dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <!-- on demand rules -->
    <key>OnDemandRules</key>
    <array>
        <dict>
            <key>Action</key>
            <string>EvaluateConnection</string>
            <key>ActionParameters</key>
            <array>
                <dict>
                    <key>Domains</key>
                    <array>
                        <string>domain.com</string>
                    </array>
                    <key>RequiredURLStringProbe</key>
                    <string>https://host.domain.com/nonexistent_url</string>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                </dict>
            </array>
        </dict>
    </array>
    <!-- end of on demand rules -->
    <key>PayloadCertificateUUID</key>
    <string>...</string>
    <key>PromptForVPNPIN</key>
    <false/>
    <key>RemoteAddress</key>
    <string>...</string>
</dict>

mgorb

Here is an extract from my profile I use for VPN on Demand with iOS 7 and 7.1.

<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <dict>
        <key>Action</key>
        <string>Connect</string>
        <key>URLStringProbe</key>
        <string>http://internet-accessible-url.example.com</string>
    </dict>
</array>
<key>PayloadCertificateUUID</key>

With this, whenever the iOS device tries to access the Internet via mobile data or via WiFi, it triggers an automatic VPN on Demand connection with no user interaction required.

I am using a StrongSwan 5.1.2 server acting as a Cisco IPSec-compatible VPN server, with certificate authentication obviously, but I have used Xauth-noauth to prevent the iOS device from constantly asking for the username/password for the secondary (i.e. XAuth) authentication.

Profile Manager does not allow the iOS client device to save the password for the secondary xauth credentials.

See my blog post about this: http://jelockwood.blogspot.co.uk/2014/03/how-to-do-vpn-on-demand-for-ios-at-zero.html

  • I had managed to get it working with private domains before, but funnily enough I was starting to look into getting it working with any entered domain, so this was great timing. Unfortunately, it looks like URLStringProbe was causing it to get activated on any URL (it essentially enabled VPN as soon as I launched Firefox, regardless of what was in my profile), so I might have to try getting it working in conjunction with other dictionary entries. – Hawkeye001 Mar 20 '14 at 04:17
  • Hi @john lockwood: Thanks very much for your blog, it is really helpful, but I think you should give a sample configuration profile on your blog. – M.Shuaib Imran May 13 '14 at 13:39
  • @john lockwood - `Action` = `Connect` is working fine in iOS 7, but when the VPN server is down the device has to use the public internet, so I changed it to `Action` = `Connect` with `URLStringProbe` = `https://www.google.com`. But it doesn't even establish a VPN connection. Any help is appreciated! – Rakesh patanga Aug 18 '14 at 14:34
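The three answers above all end up with OnDemandRules inside the IPSec dictionary but use different match keys, and the comments describe two surprises: a Connect rule keyed only on URLStringProbe that fires on any URL, and a rule that never triggers. The following Python script is an added example, not code from the question, from any answer or from Apple. It parses a .mobileconfig with plistlib, finds the com.apple.vpn.managed payload, reports which dictionary holds OnDemandRules (the payload itself or the IPSec, IKEv2 or VPN dictionary), and checks every rule against the Action, match-key and ActionParameters names from the Configuration Profile Reference. It flags a Connect rule keyed only on URLStringProbe (it matches whenever the probe URL answers, regardless of what host the app was opening) and a rule with no match keys that precedes other rules (rules are evaluated in order and the first match wins, so such a rule shadows everything after it). SAMPLE_PROFILE and every name in it (domains, probe URL, identifiers, UUIDs) are constructed placeholders.

```python
"""Lint the VPN On Demand rules in an iOS configuration profile.

Added example, not code from the question or any answer on this page. It parses
a .mobileconfig with plistlib, locates OnDemandRules in the VPN payload and
checks each rule against Apple's documented keys. SAMPLE_PROFILE is constructed;
its domains, probe URL and UUIDs are placeholders.
"""
import plistlib

VALID_ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
MATCH_KEYS = {"DNSDomainMatch", "DNSServerAddressMatch", "InterfaceTypeMatch",
              "SSIDMatch", "URLStringProbe"}
VALID_DOMAIN_ACTIONS = {"ConnectIfNeeded", "NeverConnect"}
# Dictionaries that may hold OnDemandRules besides the payload itself (the
# answers above found that iOS 7 honoured rules placed inside IPSec).
RULE_CONTAINERS = ("IPSec", "IKEv2", "VPN")


def locate_rules(payload):
    """Return (container_name, rules), or (None, None) if the payload has none."""
    if "OnDemandRules" in payload:
        return "payload", payload["OnDemandRules"]
    for name in RULE_CONTAINERS:
        section = payload.get(name)
        if isinstance(section, dict) and "OnDemandRules" in section:
            return name, section["OnDemandRules"]
    return None, None


def lint_rule(index, rule, is_last):
    """Check one OnDemandRules entry; return a list of (severity, message)."""
    action = rule.get("Action")
    if action not in VALID_ACTIONS:
        return [("error", f"rule {index}: unknown Action {action!r}")]
    findings = [("warn", f"rule {index}: unrecognised key {k!r}")
                for k in rule if k not in MATCH_KEYS | {"Action", "ActionParameters"}]
    matches = MATCH_KEYS & rule.keys()
    if action == "EvaluateConnection":
        params = rule.get("ActionParameters")
        if not isinstance(params, list) or not params:
            return findings + [("error", f"rule {index}: EvaluateConnection needs ActionParameters")]
        for j, p in enumerate(params):
            domains = p.get("Domains")
            if not isinstance(domains, list) or not domains:
                findings.append(("error", f"rule {index} param {j}: Domains must be a non-empty array"))
            if p.get("DomainAction") not in VALID_DOMAIN_ACTIONS:
                findings.append(("error", f"rule {index} param {j}: bad DomainAction {p.get('DomainAction')!r}"))
        return findings
    if not matches:
        # Rules are evaluated in order and the first match wins, so a rule with
        # no match keys is a catch-all: fine as the last rule, a bug anywhere else.
        findings.append(("info" if is_last else "warn",
                         f"rule {index}: no match keys, so {action} matches everything"
                         + ("" if is_last else " and shadows every later rule")))
    elif action == "Connect" and matches == {"URLStringProbe"}:
        # The behaviour Hawkeye001 reports in the comments: the rule matches
        # whenever the probe URL answers, whatever host the app was opening.
        findings.append(("warn", f"rule {index}: Connect keyed only on URLStringProbe fires "
                                 "whenever the probe is reachable, not per destination"))
    return findings


def lint_profile(data):
    """Parse raw plist bytes; return [(container_name, findings)], one per VPN payload."""
    report = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        container, rules = locate_rules(payload)
        findings = []
        if container is None:
            findings.append(("error", "no OnDemandRules in payload or protocol dictionary"))
        else:
            holder = payload if container == "payload" else payload[container]
            if holder.get("OnDemandEnabled") != 1:
                findings.append(("error", f"OnDemandEnabled is not 1 in {container}"))
            for i, rule in enumerate(rules):
                findings.extend(lint_rule(i, rule, i == len(rules) - 1))
        report.append((container, findings))
    return report


# Constructed sample modelled on the answers above: the rules live inside IPSec.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1, "VPNType": "IPSec",
        "PayloadIdentifier": "example.vpn",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "IPSec": {
            "AuthenticationMethod": "Certificate", "OnDemandEnabled": 1,
            "OnDemandRules": [
                {"Action": "Connect", "URLStringProbe": "http://probe.example.com/"},
                {"Action": "EvaluateConnection", "ActionParameters": [
                    {"Domains": ["intranet.example.com"], "DomainAction": "ConnectIfNeeded"}]},
                {"Action": "Connect", "DNSDomainMatch": ["my_homepage.com"]},
                {"Action": "Ignore"}]}}]})

if __name__ == "__main__":
    for container, findings in lint_profile(SAMPLE_PROFILE):
        print(container, *findings, sep="\n  ")
```

Run it against a real profile with `lint_profile(open("vpn.mobileconfig", "rb").read())`. A signed profile is a CMS envelope that plistlib cannot read, so unwrap it first (on macOS, `security cms -D -i signed.mobileconfig -o plain.mobileconfig`). On the sample, the first rule gets the URLStringProbe warning that matches Hawkeye001's observation, the two domain-based rules pass, and the trailing Ignore is reported as an intentional catch-all; move that Ignore to the top and it is reported as shadowing every rule below it, which is the silent failure mode when "none of these methods seems to work".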