{"id":4899,"date":"2015-01-06T21:38:17","date_gmt":"2015-01-06T20:38:17","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=4899"},"modified":"2021-11-22T17:15:07","modified_gmt":"2021-11-22T16:15:07","slug":"iphone-6-plus-vpn-on-demand-mit-ipsec-unter-ios-8-mit-shared-secret-moeglich","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=4899","title":{"rendered":"iPhone 6 plus: VPN on Demand mit IPSec unter iOS 8 mit \u201cshared secret\u201d m\u00f6glich"},"content":{"rendered":"

Wie kann mit einem iPhone automatisch eine VPN Verbindung hergestellt werden, ohne das man es immer manuell vorher anschalten muss? Also VPN on Demand<\/strong> mit IPSec und „schared secret“. Das ist hilfreich, wenn man in \u00f6ffentlichen WLANs unterwegs ist, so wird dann immer autom. eine VPN Verbindung aufgebaut, wenn sie ben\u00f6tigt wird. Es wird also nicht einmal vergessen. Und schon cool, wenn Anrufe auf dem Handy per VPN gef\u00fchrt werden k\u00f6nnen und Push-Benachrichtigungen autom. per VPN kommen.
\nUnd wie kann automatisch das VPN im eigenen bekannten WLAN und Hotspots deaktivert werden? Das alles mit einem orginal iPhone, es ist kein<\/strong> Jailbreak<\/a> n\u00f6tig.<\/p>\n

Hatte vor einiger Zeit schon mal versucht<\/a>, mit einem iPhone eine automatische VPN<\/strong> Verbindung (VPN on Demand) aufzubauen. Das hatte nicht geklappt, wie hier<\/a> beschrieben, weil diese M\u00f6glichkeit im Apple Konfigurationsprogramm nicht angeboten wird. <\/p>\n

Habe jetzt aber einen Hinweis auf diese Quelle<\/a> von Thomas Witt erhalten (Danke). Damit klappt es super. Wie muss man vorgehen?<\/p>\n

1. Die VPN_FritzBox_OnDemand.mobileconfig<\/a> laden.
\n2. Alle stellen die mit REPLACE<\/strong> gekennzeichnet sind, mit eigenen Werten ersetzen.
\n3. Die Profile Datei per E-Mail an das iPhone senden und das Profile installieren.
\n4. Manuell testen ob Verbindung l\u00e4uft.<\/p>\n

Habe es mit iPhone 6 Plus und iPadMini unter iOS 8.1.2 mit einer FritzBox 7490 (Version 06.23) getestet.<\/p>\n

Hier die n\u00f6tige Profile Datei von oben, mit Kommentaren von mir aus der Apple Referenz<\/a>, so kann man auf einem Blick sehen, was man anpassen kann bzw. muss:<\/p>\n

<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!DOCTYPE plist PUBLIC \"-\/\/Apple\/\/DTD PLIST 1.0\/\/EN\" \"http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd\">\r\n<!-- https:\/\/developer.apple.com\/library\/ios\/featuredarticles\/iPhoneConfigurationProfileRef\/Introduction\/Introduction.html#\/\/apple_ref\/doc\/uid\/TP40010206-CH1-SW7 -->\r\n<plist version=\"1.0\">\r\n        <dict>\r\n        <!-- VPN Payload\r\n         The VPN payload is used for traditional systemwide VPNs based on L2TP, PPTP, and IPSec.\r\n         This payload should not be confused with the Per-App VPN, described in Per-App VPN Payload.\r\n         The VPN payload is designated by specifying com.apple.vpn.managed as the PayloadType value.\r\n         In addition to the settings common to all payload types, the VPN payload defines the following keys\r\n     -->\r\n                <key>PayloadContent<\/key>\r\n                <array>\r\n                        <dict>\r\n                        <!-- Determines the settings available in the payload for this type of VPN connection.  IPSec (Cisco) -->\r\n                                <key>IPSec<\/key>\r\n                                <dict>\r\n                                     <!-- Either SharedSecret or Certificate. Used for L2TP and Cisco IPSec. -->\r\n                                        <key>AuthenticationMethod<\/key>\r\n                                        <!-- The shared secret for this VPN account. Only present if AuthenticationMethod is SharedSecret. Used for L2TP and Cisco IPSec. -->\r\n                                        <string>SharedSecret<\/string>\r\n                                        <!-- 1 if the VPN connection should be brought up on demand, else 0. -->\r\n                                        <key>OnDemandEnabled<\/key>\r\n                                        <integer>1<\/integer>\r\n                                        <!-- Determines when and how an on-demand VPN should be used. -->\r\n                                        <key>OnDemandRules<\/key>\r\n                                        <array>\r\n                                                <dict>\r\n                                                    <!-- The action to take if this dictionary matches the current network. -->\r\n                                                        <key>Action<\/key>\r\n                                                        <!-- Disconnect\u2014Tear down the VPN connection and do not reconnect on demand as long as this dictionary matches. -->\r\n                                                        <string>Disconnect<\/string>\r\n                                                        <!-- An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type.\r\n                                                             Supported values are Ethernet, WiFi, and Cellular.\r\n                                                          -->\r\n                                                        <key>InterfaceTypeMatch<\/key>\r\n                                                        <string>WiFi<\/string>\r\n                                                        <!-- An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails.\r\n                                                             Omit this key and the corresponding array to match against any SSID.\r\n                                                          -->\r\n                                                        <key>SSIDMatch<\/key>\r\n                                                        <array>\r\n                                                        <!-- TODO: eine oder mehree Netzwerk SSID einf\u00fcgen -->\r\n                                                                <string>REPLACE_secure_wpa2_network_ssid<\/string>\r\n                                                                <string>REPLACE_my_private_wpa_network_ssid<\/string>\r\n                                                        <\/array>\r\n                                                <\/dict>\r\n                                                <dict>\r\n                                                <!-- The action to take if this dictionary matches the current network. -->  \r\n                                                        <key>Action<\/key>\r\n                                                        <!-- Connect \u2014 Unconditionally initiate a VPN connection on the next network attempt. -->\r\n                                                        <string>Connect<\/string>\r\n                                                        <!-- An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type.\r\n                                 Supported values are Ethernet, WiFi, and Cellular.\r\n                              -->                                                        \r\n                                                        <key>InterfaceTypeMatch<\/key>\r\n                                                        <string>WiFi<\/string>\r\n                                                        <!-- An array of SSIDs to match against the current network.\r\n                                                             If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails.\r\n                                 Omit this key and the corresponding array to match against any SSID.\r\n                             -->                                                        \r\n                                                        <key>SSIDMatch<\/key>\r\n                                                        <array>\r\n                                                            <!-- TODO: evl. SSID f\u00fcr Hotspots oder Firma ergaenzen -->\r\n                                                                <string>REPLACE_UNSECURE_PUBLIC_SSID<\/string>\r\n                                                                <string>REPLACE_Public<\/string>\r\n                                                                <string>REPLACE_Telekom<\/string>\r\n                                                        <\/array>\r\n                                                <\/dict>\r\n                                                <dict>\r\n                                                        <key>Action<\/key>\r\n                                                        <string>Connect<\/string>\r\n                                                        <key>InterfaceTypeMatch<\/key>\r\n                                                        <string>WiFi<\/string>\r\n                                                <\/dict>\r\n                                                <dict>\r\n                                                        <key>Action<\/key>\r\n                                                        <!-- Ignore \u2014 Leave any existing VPN connection up, \r\n                                                              but do not reconnect on demand as long as this dictionary matches. \r\n                                                          -->\r\n                                                        <string>Connect<\/string>\r\n                                                        <key>InterfaceTypeMatch<\/key>\r\n                                                        <string>Cellular<\/string>\r\n                                                <\/dict>\r\n                                                <dict>\r\n                                                        <key>Action<\/key>\r\n                                                        <string>Ignore<\/string>\r\n                                                <\/dict>\r\n                                        <\/array>\r\n                                        <!-- Present only if AuthenticationMethod is SharedSecret.\r\n                                             The name of the group to use. If Hybrid Authentication is used,\r\n                                             the string must end with [hybrid]. Used for Cisco IPSec.\r\n                                             -->\r\n                                        <key>LocalIdentifier<\/key>\r\n                                        <!-- TODO: VPN Login eingeben -->\r\n                                        <string>REPLACE_VPN_LOGIN<\/string>\r\n                                        <!-- Present only if AuthenticationMethod is SharedSecret. The value is KeyID. Used for L2TP and Cisco IPSec. -->\r\n                                        <key>LocalIdentifierType<\/key>\r\n                                        <string>KeyID<\/string>\r\n                                       \r\n                                        <!-- IP address or host name of the VPN server. Used for Cisco IPSec. -->\r\n                                        <key>RemoteAddress<\/key>                                        \r\n                                        <!-- TODO: VPN Server eintragen z.B. xxxxxxxxxxxxxxxxx.myfritz.net oder DynDNS der Fritzbox -->\r\n                                        <string>REPLACE_VPN_SERVER<\/string>\r\n                                        <!-- The shared secret for this VPN account. Only present if AuthenticationMethod is SharedSecret. Used for L2TP and Cisco IPSec. -->\r\n                                        <key>SharedSecret<\/key>\r\n                                        <!-- TODO: shared secret f\u00fcr den VPN Account eingeben. z.B. Shared-Secret-Fritzbox-VPN-User-Config -->\r\n                                        <string>REPLACE_SHARED_SECRET<\/string>\r\n                                       \r\n                                        <!-- 1 if Xauth is on, 0 if it is off. Used for Cisco IPSec. -->\r\n                                        <key>XAuthEnabled<\/key>\r\n                                        <integer>1<\/integer>\r\n                                        <!-- User name for VPN account. Used for Cisco IPSec. -->\r\n                                        <key>XAuthName<\/key>\r\n                                        <!-- TODO VPN Login Name (Gruppenname) eingeben -->\r\n                                        <string>REPLACE_VPN_LOGIN<\/string>\r\n                                        <!-- Keine Doku zu den Parameter, evl. Xauth auf 0 setzen -->\r\n                                        <key>XAuthPassword<\/key>\r\n                                        <!-- TODO: VPN Passwort eingeben -->\r\n                                        <string>REPLACE_VPN_PASSWORD<\/string>\r\n                                <\/dict>\r\n                                <key>IPv4<\/key>\r\n                                <dict>\r\n                                    <!-- Specifies whether to send all traffic through the VPN interface. If true, all network traffic is sent over VPN. -->\r\n                                        <key>OverridePrimary<\/key>\r\n                                        <integer>1<\/integer>\r\n                                <\/dict>\r\n                                <!-- Optional. A description of the profile, shown on the Detail screen for the profile.\r\n                                     This should be descriptive enough to help the user decide whether to install the profile.\r\n                                  -->\r\n                                <key>PayloadDescription<\/key>\r\n                                <!-- TODO: Beschreibung eingeben -->\r\n                                <string>Configures VPN settings<\/string>\r\n                                <!-- Optional. A human-readable name for the profile. This value is displayed on the Detail screen. It does not have to be unique. -->\r\n                                <key>PayloadDisplayName<\/key>\r\n                                <!-- TODO: Beschreibung eingeben -->\r\n                                <string>VPN<\/string>\r\n                                <!-- A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile.\r\n                                     This string is used to determine whether a new profile should replace an existing one or should be added.\r\n                                 -->\r\n                                <key>PayloadIdentifier<\/key>\r\n                                <!-- TODO: Eingeben -->\r\n                                <string>REPLACE_UUID1.com.apple.vpn.managed.REPLACE_UUID2<\/string>\r\n                                <!-- The VPN payload is designated by specifying com.apple.vpn.managed as the PayloadType value. -->\r\n                                <key>PayloadType<\/key>                                \r\n                                <string>com.apple.vpn.managed<\/string>\r\n                                <!-- A globally unique identifier for the payload.\r\n                                     The actual content is unimportant, but it must be globally unique.\r\n                                     In OS X, you can use uuidgen to generate reasonable UUIDs.\r\n                                  -->\r\n                                <key>PayloadUUID<\/key>\r\n                                <!-- TODO: UUID eingeben -->\r\n                                <string>REPLACE_UUID2<\/string>\r\n                                <!-- The version number of the individual payload. A profile can consist of payloads with different version numbers.\r\n                                     For example, changes to the VPN software in iOS might introduce a new payload version to support additional features,\r\n                                     but Mail payload versions would not necessarily change in the same release.\r\n                                  -->\r\n                                <key>PayloadVersion<\/key>\r\n                                <real>1<\/real>\r\n                                <key>Proxies<\/key>\r\n                                <dict \/>\r\n                                <!-- Description of the VPN connection displayed on the device. -->\r\n                                <key>UserDefinedName<\/key>\r\n                                <!-- TODO: Anpassen -->\r\n                                <string>VPN OnDemand<\/string>\r\n                                <!-- Determines the settings available in the payload for this type of VPN connection. IPSec (Cisco)... -->\r\n                                <key>VPNType<\/key>\r\n                                <string>IPSec<\/string>\r\n                        <\/dict>\r\n                <\/array>\r\n               \r\n                <!-- Payload Dictionary Keys Common to All Payloads\r\n             If a PayloadContent value is provided in a payload, each entry in the array is a dictionary representing a configuration payload.\r\n             The following keys are common to all payloads:\r\n          -->\r\n                <!-- Optional. A human-readable name for the profile payload. This name is displayed on the Detail screen. It does not have to be unique. -->\r\n                <key>PayloadDisplayName<\/key>\r\n                <!-- TODO: Anpassen -->\r\n                <string>VPN OnDemand<\/string>\r\n                <!-- A reverse-DNS-style identifier for the specific payload.\r\n                     It is usually the same identifier as the root-level PayloadIdentifier value with an additional component appended.\r\n                  -->\r\n                <key>PayloadIdentifier<\/key>\r\n                <!-- TODO: UUID eingeben -->\r\n                <string>REPLACE_UUID1<\/string>\r\n                <!-- Optional. If present and set to true, the user cannot delete the profile (unless the profile has a removal password and the user provides it). -->\r\n                <key>PayloadRemovalDisallowed<\/key>\r\n                <false \/>\r\n                <!-- The only supported value is Configuration. -->\r\n                <key>PayloadType<\/key>\r\n                <string>Configuration<\/string>\r\n                <!-- A globally unique identifier for the payload.\r\n                     The actual content is unimportant, but it must be globally unique.\r\n                     In OS X, you can use uuidgen to generate reasonable UUIDs.  \r\n                  -->\r\n                <key>PayloadUUID<\/key>\r\n                <!-- TODO: UUID einf\u00fcgen -->\r\n                <string>REPLACE_UUID3<\/string>\r\n                <!-- The version number of the individual payload.\r\n             A profile can consist of payloads with different version numbers.\r\n             For example, changes to the VPN software in iOS might introduce a new payload version to support additional features,\r\n             but Mail payload versions would not necessarily change in the same release.\r\n          -->\r\n                <key>PayloadVersion<\/key>\r\n                <integer>1<\/integer>\r\n        <\/dict>\r\n<\/plist> <\/pre>\n
In welcher Umbebung l\u00e4uft es bei Euch? Oder einfach nur einen like hinterlassen.<\/p>\n","protected":false},"excerpt":{"rendered":"
Wie kann mit einem iPhone automatisch eine VPN Verbindung hergestellt werden, ohne das man es immer manuell vorher anschalten muss? Also VPN on Demand mit IPSec und „schared secret“. Das ist hilfreich, wenn man in \u00f6ffentlichen WLANs unterwegs ist, so wird dann immer autom. eine VPN Verbindung aufgebaut, wenn sie ben\u00f6tigt wird. Es wird also … <\/p>\n
\u201eiPhone 6 plus: VPN on Demand mit IPSec unter iOS 8 mit \u201cshared secret\u201d m\u00f6glich\u201c <\/span>weiterlesen<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","footnotes":""},"categories":[220,229,214,254,1101,1319],"tags":[1896,1894,1046,1895,1892,1890,1891,1893,989,1187],"class_list":["post-4899","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-imac-2","category-ipad","category-os-x-2","category-reisen","category-sicherheit-2","tag-1896","tag-fb","tag-fritzbox","tag-fritzbox-7940","tag-ios-8","tag-iphone-6-plus","tag-ipsec","tag-shared-secret","tag-vpn","tag-vpn-on-demand"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/4899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4899"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/4899\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4899"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}