NEVPNProtocolIKEv2 identity on MacOS

Hi All:

I have implemented a personal VPN on macOS. I use NEVPNProtocolIKEv2 to configure the IKEv2 protocol. When I set the parameters, I am a bit confused by the Apple developer documentation.

As shown below, I set the authentication method to certificate, and passed the p12 certificate data and password.

#import <NetworkExtension/NetworkExtension.h>

NEVPNProtocolIKEv2 *ikev2 = [[NEVPNProtocolIKEv2 alloc] init];
ikev2.authenticationMethod = NEVPNIKEAuthenticationMethodCertificate;
ikev2.identityData = [NSData dataWithContentsOfFile:certificatePath]; // p12 (PKCS#12) blob
ikev2.identityDataPassword = password;

However, the Apple documentation says:

In macOS, this property is ignored for NEVPNProtocolIKEv2 and NETunnelProviderProtocol objects. On iOS, this property is ignored for NETunnelProviderProtocol objects. In cases where this property is ignored, the identity should be set using the identityReference property.


Even though I do not set identityReference, I found I can still connect successfully to the remote VPN server on macOS 10.14.6 and macOS 10.15.3.

I have also tried setting all three values (identityData, identityDataPassword, identityReference); it still can connect to the server.

So what does the documentation mean here? Is it correct or not?

Even though the current code works, I think using identityReference is still the suggested way. Please give your suggestions. Thanks.

It looks like you are setting a certificate to the identityData, when what you will want to set there is the digital identity containing both the certificate and key, in a PKCS12 (p12) format. For macOS the identityReference is a reference to the identity contained within the keychain. For iOS the identityData can be set, but because a password is typically used to open this archive (p12), the identityDataPassword is also provided.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Actually, I have set identityData with p12 format certificate data.


After doing some more testing on macOS, here are some strange test results:

#1. When I only set identityData (passing p12 format certificate data) and identityDataPassword, the client can connect to the server.

#2. If I do not set identityData and identityDataPassword, and instead just use SecPKCS12Import to import the p12 certificate data and pass the returned reference to identityReference, the client can also connect to the server.

According to the documentation, the identityData property will be ignored for NEVPNProtocolIKEv2 and we should use identityReference, but my testing result is the opposite. Please kindly check this. Thanks.
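The macOS path Matt describes above (identity imported into the keychain, then handed to NEVPNProtocolIKEv2 as a persistent reference rather than as raw p12 data), as an added Objective-C example; this is not code from the thread or from Apple. The function names, server host and paths are placeholders, and it assumes ARC and that SecPKCS12Import has stored the identity in the default keychain so it can be looked up by its SecIdentityRef.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <NetworkExtension/NetworkExtension.h>

// Import a PKCS#12 blob and return a keychain persistent reference to the
// identity it contains, suitable for NEVPNProtocolIKEv2.identityReference.
// On macOS SecPKCS12Import stores the identity in the default keychain, so the
// persistent reference is obtained by querying for the imported SecIdentityRef.
static NSData *PersistentIdentityRefFromP12(NSData *p12Data, NSString *password, NSError **error) {
    CFArrayRef items = NULL;
    NSDictionary *importOptions = @{ (__bridge id)kSecImportExportPassphrase : password };
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)importOptions, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (error) *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        if (items) CFRelease(items);
        return nil;
    }
    NSDictionary *firstItem = (__bridge NSDictionary *)CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (__bridge SecIdentityRef)firstItem[(__bridge id)kSecImportItemIdentity];
    // Assumption: the identity is already a keychain item, so a lookup by reference works.
    NSDictionary *query = @{ (__bridge id)kSecValueRef : (__bridge id)identity,
                             (__bridge id)kSecReturnPersistentRef : @YES };
    CFTypeRef persistentRef = NULL;
    status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &persistentRef);
    CFRelease(items);
    if (status != errSecSuccess) {
        if (error) *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        return nil;
    }
    return CFBridgingRelease(persistentRef);  // NSData persistent reference
}

// Build the IKEv2 configuration the way the documentation describes for macOS:
// certificate authentication with the identity supplied by reference only.
static NEVPNProtocolIKEv2 *IKEv2ProtocolWithIdentityRef(NSData *identityRef, NSString *serverHost) {
    NEVPNProtocolIKEv2 *ikev2 = [[NEVPNProtocolIKEv2 alloc] init];
    ikev2.serverAddress = serverHost;
    ikev2.remoteIdentifier = serverHost;
    ikev2.authenticationMethod = NEVPNIKEAuthenticationMethodCertificate;
    ikev2.identityReference = identityRef;   // not identityData / identityDataPassword
    ikev2.useExtendedAuthentication = NO;
    return ikev2;
}

// Usage (certificatePath, password and the host are placeholders):
// NSError *err = nil;
// NSData *ref = PersistentIdentityRefFromP12([NSData dataWithContentsOfFile:certificatePath], password, &err);
// NEVPNManager.sharedManager.protocolConfiguration = IKEv2ProtocolWithIdentityRef(ref, @"vpn.example.com");
```

Set protocolConfiguration only inside the completion handler of loadFromPreferencesWithCompletionHandler:, then call saveToPreferencesWithCompletionHandler:, so the reference persists with the rest of the configuration.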
