NEVPNProtocolIKEv2 certificate auth without certificate file.

I'm developing an app which can connect to a VPN using NEVPNProtocolIKEv2. I have a case where I can have several VPN servers, and each of them has its own certificate.

I've set up the VPN server to return a .mobileconfig file, which I can install manually, and the VPN will work.

I'm trying to parse the .mobileconfig and create an NEVPNProtocolIKEv2 object to run the VPN from the app.

I'm trying to get the string value of the private key and create the identityData, but the VPN is immediately disconnecting.

Is it possible to use NEVPNProtocolIKEv2 with certificate authorisation, and initialize the authentication/identity fields from the string value of PayloadContent of the mobileconfig file?

When you create a configuration profile for an IKEv2 VPN that uses certificate authentication, the profile includes two payloads:

  • com.apple.vpn.managed — This holds the VPN configuration itself.

  • com.apple.security.pkcs12 — This holds the digital identity used to authenticate.

IMPORTANT A digital identity is the combination of a certificate and a private key that matches the public key in that certificate.

The former references the latter via its UUID. Specifically, its PayloadCertificateUUID property will match the PayloadUUID property of the digital identity payload.

The digital identity payload has two properties:

  • PayloadContent

  • Password

The first is a PKCS#12 blob you can import using SecPKCS12Import. The second is an optional password for the import. If the property is missing, you’ll have to prompt the user for it.

In the Personal VPN API, you save your configuration with a protocol of type NEVPNProtocolIKEv2. Its superclass, NEVPNProtocol, has identityReference and identityData properties. What you put here depends on your platform:

  • On iOS, put the PKCS#12 data directly into identityData. And if you have a password, put that in identityDataPassword.

  • On macOS, import the PKCS#12 data into the keychain and then put a persistent reference into identityReference.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
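A worked version of the steps described in the answer above, added here as an example and not code from the thread or from Apple: it parses an unsigned .mobileconfig, resolves PayloadCertificateUUID to the matching com.apple.security.pkcs12 payload, verifies the blob with SecPKCS12Import before the VPN stack ever sees it, and then fills identityData (iOS) or a persistent keychain reference in identityReference (macOS). The IKEv2 sub-dictionary key names (RemoteAddress, RemoteIdentifier, LocalIdentifier) and the SecItemCopyMatching lookup for the persistent reference are assumptions taken from Apple's documentation, not from this thread.

```swift
import Foundation
import NetworkExtension
import Security

enum ProfileError: Error { case noVPNPayload, noIdentityPayload, pkcs12Import(OSStatus), noPersistentRef }
/// Resolves the two payloads described above and returns an IKEv2 protocol object
/// carrying the identity in the form the current platform expects.
func makeIKEv2Protocol(mobileconfig: Data, promptPassword: () -> String?) throws -> NEVPNProtocolIKEv2 {
    // An unsigned .mobileconfig is a plist whose top-level PayloadContent is an array of payload dictionaries.
    let profile = try PropertyListSerialization.propertyList(from: mobileconfig, format: nil) as? [String: Any]
    let payloads = profile?["PayloadContent"] as? [[String: Any]] ?? []
    // com.apple.vpn.managed: the VPN settings. IKEv2-specific keys live in its IKEv2 sub-dictionary
    // (key names as in Apple's Configuration Profile Reference, an assumption beyond the post above).
    guard let vpn = payloads.first(where: { $0["PayloadType"] as? String == "com.apple.vpn.managed" }),
          let ikev2 = vpn["IKEv2"] as? [String: Any],
          let certUUID = ikev2["PayloadCertificateUUID"] as? String
    else { throw ProfileError.noVPNPayload }
    // com.apple.security.pkcs12: the digital identity. Its PayloadUUID must equal the reference above.
    guard let identityPayload = payloads.first(where: {
              $0["PayloadType"] as? String == "com.apple.security.pkcs12" && $0["PayloadUUID"] as? String == certUUID
          }),
          let p12 = identityPayload["PayloadContent"] as? Data   // a plist <data> element decodes to Data
    else { throw ProfileError.noIdentityPayload }
    // Password is optional in the profile; fall back to asking the user.
    let password = (identityPayload["Password"] as? String) ?? promptPassword() ?? ""
    // Import first on both platforms: a wrong password or a damaged blob fails here with a status code
    // instead of surfacing later as an immediate tunnel disconnect.
    var items: CFArray?
    let options = [kSecImportExportPassphrase as String: password] as CFDictionary
    let status = SecPKCS12Import(p12 as CFData, options, &items)
    guard status == errSecSuccess else { throw ProfileError.pkcs12Import(status) }
    let proto = NEVPNProtocolIKEv2()
    proto.serverAddress = ikev2["RemoteAddress"] as? String
    proto.remoteIdentifier = ikev2["RemoteIdentifier"] as? String
    proto.localIdentifier = ikev2["LocalIdentifier"] as? String
    proto.authenticationMethod = .certificate
    #if os(iOS)
    proto.identityData = p12                   // iOS: the raw PKCS#12 blob plus its password
    proto.identityDataPassword = password
    #else
    // macOS: SecPKCS12Import has put the identity in the keychain; store a persistent reference to it.
    guard let identity = ((items as? [[String: Any]])?.first)?[kSecImportItemIdentity as String]
    else { throw ProfileError.noPersistentRef }
    var persistentRef: CFTypeRef?
    let query: [String: Any] = [kSecValueRef as String: identity, kSecReturnPersistentRef as String: true]
    guard SecItemCopyMatching(query as CFDictionary, &persistentRef) == errSecSuccess,
          let ref = persistentRef as? Data else { throw ProfileError.noPersistentRef }
    proto.identityReference = ref
    #endif
    return proto
}
```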

Thanks for your answer, it really helps to understand some things.

By the way, currently I'm getting connecting... and disconnecting

on iOS


```swift
return IKEv2Model(serverAddress: ip,
                  remoteIdentifier: ip,
                  localIdentifier: ip,
                  serverCertificateIssuerCommonName: ip,
                  useExtendedAuthentication: false,

                  ikeSecurityAssociationParametersEncryptionAlgorithm: .algorithmAES256,
                  ikeSecurityAssociationParametersDiffieHellmanGroup: .group14,
                  ikeSecurityAssociationParametersIntegrityAlgorithm: .SHA256,
                  ikeSecurityAssociationParametersLifetimeMinutes: 1410,

                  childSecurityAssociationParametersEncryptionAlgorithm: .algorithmAES128GCM,
                  childSecurityAssociationParametersDiffieHellmanGroup: .group14,
                  childSecurityAssociationParametersIntegrityAlgorithm: nil,
                  childSecurityAssociationParametersLifetimeMinutes: 1410,

                  deadPeerDetectionRate: .medium,
                  disableRedirect: true,
                  disableMOBIKE: false,
                  enableRevocationCheck: false,
                  enablePFS: false,
                  useConfigurationAttributeInternalIPSubnet: false,
                  disconnectOnSleep: false,
                  certificateType: .ECDSA256,
                  identityData: identityData!,
                  password: pass)
```

where

```swift
let identityData = Data(base64Encoded: cert, options: .ignoreUnknownCharacters)
let options = [kSecImportExportPassphrase as String: pass] as CFDictionary
var items: CFArray?
let status: OSStatus = SecPKCS12Import(identityData! as CFData, options, &items)
if status != errSecSuccess {
    // e.g. errSecAuthFailed (wrong password) or errSecDecode (damaged blob):
    // the identity is unusable, so do not build the protocol from it
    print("SecPKCS12Import failed: \(status)")
}
```

and

```swift
let cert = """
MIIQ9AIBAzCCELoGCSqGSIb3DQEHAaCCEKsEghCnMIIQozCCCPcG
CSqGSIb3DQEHBqCCCOgwggjkAgEAMIII3QYJKoZIhvcNAQcBMBwG
CiqGSIb3DQEMAQMwDgQIU9lsYPYNUzUCAggAgIIIsJz58NghTdos
...........
"""
```

from the PayloadContent of com.apple.security.pkcs12

and

this model is used to create

```swift
#if os(iOS)
IKEv2Protocol.identityData = config.identityData
#else
// Note: on macOS identityReference expects a persistent keychain reference,
// not the raw PKCS#12 data (see the answer above).
IKEv2Protocol.identityReference = config.identityData
#endif

IKEv2Protocol.identityDataPassword = config.password
```

Currently I think that possibly the certificate type is wrong; I've also tried RSA, but nothing.

The logs on the server side are the biggest help for RCA but haven't helped me understand what's wrong; maybe you can give some advice please?

@eskimo

```text
2023-04-25T21:00:07.473671+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #34: deleting incomplete state after 200 seconds
2023-04-25T21:00:07.473753+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #34: deleting state (STATE_V2_PARENT_R1) aged 200.016332s and NOT sending notification
2023-04-25T21:00:07.594665+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #35: deleting incomplete state after 200 seconds
2023-04-25T21:00:07.594710+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #35: deleting state (STATE_V2_PARENT_R1) aged 200.004168s and NOT sending notification
2023-04-25T21:01:29.347037+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #27: STATE_V2_ESTABLISHED_IKE_SA: 300 second timeout exceeded after 10 retransmits. No response (or no acceptable response) to our IKEv2 message
2023-04-25T21:01:29.347698+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #27: liveness action - clearing connection kind CK_INSTANCE
2023-04-25T21:01:29.348127+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #28: ESP traffic information: in=0B out=0B
2023-04-25T21:01:29.388964+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #27: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 543.259052s and NOT sending notification
2023-04-25T21:01:29.389123+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr: deleting connection instance with peer MyIp adddr {isakmp=#0/ipsec=#0}
2023-04-25T21:06:48.525678+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #36: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2023-04-25T21:06:48.530929+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #36: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2023-04-25T21:06:48.644748+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #37: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2023-04-25T21:06:48.648190+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #37: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
```
