Overview

Internet Key Exchange version 2 (IKEv2) is a tunneling protocol based on IPsec. It is responsible for setting up a Security Association (SA) for secure communication between VPN clients and VPN servers within IPsec. IKEv2 is supported on all major platforms, including Windows, macOS, Android, iOS, Linux, and routers. The protocol is also compatible with smart devices like Smart TVs and some streaming devices.

The protocol is widely used on mobile devices, mainly because of its speed, stability, and reliability when switching between networks. In this guide, we will cover how you can connect your iOS or Android device to the GFI KerioControl firewall over an IKEv2 VPN connection.
 

iOS devices: Using a certificate

In this section, we will cover how you can connect your iOS device to the GFI KerioControl firewall over an IKEv2 connection using a certificate. 

Server-side configuration

Configure the VPN interface as below:
[Screenshot: ikev2-vpn-settings.png]

iOS device configuration

  • Description: <choose any>
  • Server: Domain name of the GFI KerioControl certificate
  • Remote ID: Domain name of the GFI KerioControl certificate
  • Local ID: Leave blank
  • User Authentication: Set to “username” 
  • Username: KerioControl user having permission to use VPN connections
  • Password: KerioControl user's password

Android devices: Using a certificate

In this section, we will cover how you can connect your Android device to the KerioControl firewall over an IKEv2 connection using a certificate. 

Server-side configuration

Configure the VPN interface as below:
[Screenshot: ikev2-vpn-settings.png]

Client-side configuration

  • Name: <choose any>
  • Type: IKEv2/IPSEC MSCHAPv2
  • Server address: Domain name of the KerioControl certificate
  • IPSec identifier: KerioControl user having permission to use VPN connections
  • IPSec CA certificate: For self-signed certificates issued by KerioControl, set this to the imported KerioControl 'Local Authority' certificate
  • IPSec server certificate: received from the server
  • Username: KerioControl user having permission to use VPN connections
  • Password: KerioControl user's password

Note: If you are using a certificate issued by Let's Encrypt and face any issues, add the certificate https://letsencrypt.org/certs/lets-encrypt-r3.pem to the trusted CA roots on the Android device.
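
The Server, Remote ID, and Server address fields above all have to carry a name that the firewall's certificate covers. As an added example (not part of the GFI documentation), the following script checks an exported certificate for that name, its remaining validity, and its issuer. It assumes the certificate has been saved as a PEM file; vpn.example.com and the helper function names are placeholders.

```shell
#!/bin/sh
# Added example (not vendor code). Requires the openssl CLI, version 1.1.1+.

# 0 if the certificate in file $1 covers hostname $2 (SAN, with CN fallback).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# 0 if the certificate in file $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the issuer DN: the CA the mobile device has to trust.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Report on certificate file $1 for VPN hostname $2; non-zero on any failure.
check_vpn_cert() {
    cert=$1; host=$2; rc=0
    if cert_matches_host "$cert" "$host"; then
        echo "OK   $host is covered by the certificate"
    else
        echo "FAIL $host is not covered; use a name the certificate lists"
        rc=1
    fi
    if cert_valid_for "$cert" 604800; then
        echo "OK   certificate is valid for at least 7 more days"
    else
        echo "FAIL certificate is expired or expires within 7 days"
        rc=1
    fi
    echo "INFO issuer to trust on the device: $(cert_issuer "$cert")"
    return $rc
}

# Constructed demo input: a throwaway self-signed certificate.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT=$DEMO_DIR/cert.pem
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=vpn.example.com" \
    -addext "subjectAltName=DNS:vpn.example.com" \
    -keyout "$DEMO_DIR/key.pem" -out "$DEMO_CERT" 2>/dev/null
check_vpn_cert "$DEMO_CERT" vpn.example.com
check_vpn_cert "$DEMO_CERT" firewall.example.com || true
```

For a real deployment, call check_vpn_cert with the exported certificate file and the name entered on the device; the INFO line shows which CA certificate the device needs in its trust store.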

Device Compatibility and Known Issues

Our IKEv2 VPN connection has been thoroughly tested across a range of mobile devices to ensure compatibility and performance. Below is a summary of our findings.


Compatible Devices

  • StrongSwan Application: Successfully tested with Samsung S22/S23, Poco GT, and Xiaomi Redmi Note 12.
  • Native VPN Clients: Smooth operation observed on iPhone (models 7, 12 Pro Max, 13 Pro), Samsung S23, Poco GT, and Xiaomi Redmi Note 12.

Known Issues

  • Samsung S22 Ultra & Samsung S22 with StrongSwan: Encountered connectivity issues when using Let's Encrypt certificates, indicating a potential compatibility issue with Let's Encrypt on certain Samsung models.

While it's not feasible to test every possible phone model, our efforts have covered the primary devices on the market to ensure a broad compatibility range.