Deploying a VPN configuration and certificates on iOS with a mobileconfig profile
By 阿新 • Published: 2019-02-06
test.mobileconfig:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Set the name to whatever you like, it is used in the profile list on the device -->
  <key>PayloadDisplayName</key>
  <string>hk ikev2 config</string>
  <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
  <key>PayloadIdentifier</key>
  <string>192.168.5.105</string>
  <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
  <key>PayloadUUID</key>
  <string>9f93912b-5fd2-4455-99fd-13b9a47b4581</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
    <dict>
      <!-- This is an extension of the identifier given above -->
      <key>PayloadIdentifier</key>
      <string>192.168.5.105</string>
      <!-- A globally unique identifier for this payload -->
      <key>PayloadUUID</key>
      <string>29e4456d-3f03-4f15-b46f-4225d89465b7</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- This is the name of the VPN connection as seen in the VPN application later -->
      <key>UserDefinedName</key>
      <string>hk ikev2 config</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- Hostname or IP address of the VPN server -->
        <key>RemoteAddress</key>
        <string>192.168.5.105</string>
        <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
             IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
        <key>RemoteIdentifier</key>
        <string>192.168.5.105</string>
        <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
        <key>LocalIdentifier</key>
        <string></string>
        <!-- The server is authenticated using a certificate -->
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <!-- The client uses EAP to authenticate -->
        <key>ExtendedAuthEnabled</key>
        <integer>1</integer>
        <!-- User name for EAP authentication. Since iOS 9 this is optional, the user is prompted when the profile is installed -->
        <key>AuthName</key>
        <string>test</string>
        <!--<key>AuthPassword</key> <string></string>-->
      </dict>
    </dict>
    <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
    <dict>
      <key>PayloadIdentifier</key>
      <string>caCert.ca</string>
      <key>PayloadUUID</key>
      <string>64988b2c-33e0-4adf-a432-6fbcae543408</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- This is the Base64 (PEM) encoded CA certificate -->
      <key>PayloadContent</key>
      <data>
      MIIDVzCCAj+gAwIBAgIIUF9vCfksOkswDQYJKoZIhvcNAQEFBQAwOTELMAkGA1UE
      ................................................................
      m5YbMsFYzWq4YEIOxAk09/6VUdLAskOKW73PWmZdu/IWyivKuNy1wh+UYw==
      </data>
    </dict>
  </array>
</dict>
</plist>
```
Whether you use certificate authentication or user-name authentication, AuthenticationMethod is set to Certificate in both cases.

For certificate authentication, set ExtendedAuthEnabled to 0 and set PayloadCertificateUUID to the UUID of the client certificate payload appended later in the profile, for example:

```xml
<key>PayloadCertificateUUID</key>
<string>d60488c6-328e-4944-9c8d-61db8095c864</string>
```

For user-name authentication, set ExtendedAuthEnabled to 1 and add the user name and password below it; if they are not included, the iPhone prompts for them when the profile is installed:

```xml
<!-- User name for EAP authentication. Since iOS 9 this is optional, the user is prompted when the profile is installed -->
<key>AuthName</key>
<string>test</string>
<!--<key>AuthPassword</key> <string></string>-->
```

The certificate appended at the end is in PEM format with the BEGIN and END lines removed; if they are left in, the certificate is not recognised. To convert a DER certificate to PEM:

```sh
openssl x509 -in caCert.der -inform DER -out caCert.pem -outform PEM
```

Finally, send the profile by e-mail or put it on an HTTP server. When serving it over HTTP, the MIME type has to be added: in /etc/apache2/mods-enabled/mime.conf add

```apache
AddType application/x-apple-aspen-config .mobileconfig
```

and then restart Apache:

```sh
service apache2 restart
```
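The steps above (strip the PEM header and footer, base64 the certificate into a `<data>` element, pick `ExtendedAuthEnabled` and the matching keys for the chosen authentication mode, omit `AuthPassword` so the device prompts) are easy to get wrong by hand. The following is an added example, not code from the original post: it builds the same two-payload profile with Python's standard `plistlib`, which writes `<data>` elements in exactly the base64 form the post requires, and re-parses the result to check the mode-specific keys. The server name `vpn.example.com`, the reverse-DNS prefix `com.example.vpn`, and the placeholder "certificate" (base64 of a plain string, not a real DER certificate) are all constructed assumptions; feed it the PEM produced by the `openssl x509` command from the post instead.

```python
"""Build and lint an iOS .mobileconfig for an IKEv2 VPN plus its CA root.

Added example; assumes a hypothetical server vpn.example.com and a
constructed placeholder certificate so that it runs offline.
"""
import base64
import plistlib
import re
import uuid

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Drop the BEGIN/END lines (iOS rejects them inside <data>) and decode
    the base64 body back to the raw DER bytes of the certificate."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    body = "".join(match.group(1).split())  # remove line breaks and spaces
    return base64.b64decode(body, validate=True)


def build_profile(server, display_name, ca_der, *, eap_user=None,
                  client_cert_uuid=None, org_id="com.example.vpn"):
    """Return the profile as a dict laid out like the post's plist.

    Exactly one of eap_user (user-name mode, ExtendedAuthEnabled=1) or
    client_cert_uuid (certificate mode, ExtendedAuthEnabled=0) must be given.
    org_id is an assumed reverse-DNS prefix for the PayloadIdentifier values.
    """
    if (eap_user is None) == (client_cert_uuid is None):
        raise ValueError("give exactly one of eap_user or client_cert_uuid")

    ikev2 = {
        "RemoteAddress": server,
        "RemoteIdentifier": server,
        "LocalIdentifier": "",                 # empty: client IP is used
        "AuthenticationMethod": "Certificate",  # same value in both modes
    }
    if eap_user is not None:
        ikev2["ExtendedAuthEnabled"] = 1
        ikev2["AuthName"] = eap_user
        # AuthPassword is left out on purpose: the device prompts for it at
        # install time instead of the secret travelling inside the profile.
    else:
        ikev2["ExtendedAuthEnabled"] = 0
        ikev2["PayloadCertificateUUID"] = client_cert_uuid

    vpn_payload = {
        "PayloadIdentifier": f"{org_id}.ikev2",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "UserDefinedName": display_name,
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    ca_payload = {
        "PayloadIdentifier": f"{org_id}.ca",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadContent": ca_der,  # bytes -> plistlib emits a base64 <data>
    }
    return {
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadContent": [vpn_payload, ca_payload],
    }


def to_xml(profile: dict) -> bytes:
    """Serialise to the XML plist form a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(xml_bytes: bytes) -> list:
    """Re-parse a serialised profile and return findings (empty list = ok)."""
    findings = []
    for payload in plistlib.loads(xml_bytes)["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.vpn.managed":
            ike = payload["IKEv2"]
            if "AuthPassword" in ike:
                findings.append("AuthPassword embedded in profile")
            cert_mode = ike.get("ExtendedAuthEnabled") == 0
            if cert_mode != ("PayloadCertificateUUID" in ike):
                findings.append("auth mode does not match PayloadCertificateUUID")
        elif payload["PayloadType"] == "com.apple.security.root":
            data = payload["PayloadContent"]
            if not isinstance(data, bytes) or not data:
                findings.append("CA payload carries no DER data")
    return findings


# Constructed sample input: base64 of a placeholder string, NOT a certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder, not a real DER certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_CA_PEM)
    prof = build_profile("vpn.example.com", "hk ikev2 config", der, eap_user="test")
    xml = to_xml(prof)
    print(xml.decode())
    print("findings:", check_profile(xml))
```

Stable reverse-DNS `PayloadIdentifier` values (rather than the server's IP address) matter because, as the profile's own comment notes, iOS uses them to detect duplicates: re-issuing the profile with the same identifiers replaces the earlier install instead of leaving a second copy of the CA root in the device's trust store.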