VPN Certificate

I think I've got to the last point of the issue of why IKEv2 and the deployed server can't establish a connection.

eskimo did a big job answering for everybody.

But I haven't found the answer.

I've got iOS/Mac clients, and I understand that it's possible to set up NEVPNProtocolIKEv2 for NEVPNManager.

But the main issue is that the digital identity of the certificate is not trusted.

For example, when I install the mobileconfig, it works, but there is a warning at every step of installing the mobileconfig.

NEVPNManager doesn't provide the possibility to run a VPN based on the information contained in a mobileconfig.

And if I remove the full com.apple.security.root section, it doesn't work (the same behavior as the app).

And the question is, how and where do I get a trusted certificate, a trusted identity, to run an IKEv2 VPN from the app?

Answered by DTS Engineer in 752208022

And if remove full section of com.apple.security.root, it wouldn't be work …

where get trusted certificate, trusted identity, to run ikeV2 vpn from the app?

You don’t. There are two options here, but neither solves this problem:

  • You might imagine a world where the Personal VPN API allowed you to customise the server trust evaluation done by IKEv2. However, the current Personal VPN API has no such facility [1]. The VPN server’s certificate must be trusted by the system.

  • There is no API to add new trusted anchors to the system’s trust store [2].

The only solution is to reconfigure your VPN server with a certificate that was issued by a CA that’s trusted by iOS. This shouldn’t be too much of an ‘ask’. I’ve talked with other folks about this and they tell me that Let’s Encrypt certs work for this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] You could certainly file an enhancement request for such an API, but that doesn’t help you today.

[2] And it’s very unlikely that there ever will be one. On macOS, which does have this API, it’s been increasingly restricted on recent OS releases.

Terrible, I thought that it could be solved.

Ok

About Let's Encrypt, as far as I know it only works with DNS, but if I have a dynamic IP address on the VPN server, or I have a bulk of servers, as a result I need to have a domain name for each of them.

If Let's Encrypt solves it only with DNS, that's a difficult way for me. But without it, I'll try.

And thank you for your answer.

Accepted Answer

i need to have for each of them Domain name.

Yes. You should be doing this anyway, to ensure compatibility with IPv6-only networks.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
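The two constraints in the replies above (the server certificate must chain to a CA the OS already trusts, and each server needs a DNS name the certificate can carry) as an added Go example that is not part of this thread or of Apple's code: a constructed demo CA issues a server certificate, and a client-side check modelled on the OS trust evaluation accepts or rejects it in three cases. The names vpn.example.com and 203.0.113.10 are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn/dnsNames signed by parent (self-signed if parent is nil). Constructed demo PKI.
func mkCert(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames, // the SAN a client matches against the host it dials
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenarios models the client check from the thread: the server cert must chain to a store root and name the dialled host.
func Scenarios() (trustedCA, untrustedCA, ipOnly bool) {
	ca, caKey := mkCert("Demo Root CA", nil, true, nil, nil)
	server, _ := mkCert("vpn.example.com", []string{"vpn.example.com"}, false, ca, caKey)
	roots := x509.NewCertPool() // stands in for the OS trust store
	roots.AddCert(ca)
	ok := func(pool *x509.CertPool, host string) bool {
		_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
		return err == nil
	}
	return ok(roots, "vpn.example.com"), // issuer trusted, name matches: accepted
		ok(x509.NewCertPool(), "vpn.example.com"), // issuer not in the store: rejected
		ok(roots, "203.0.113.10") // dialled by IP with no DNS name: rejected
}
```

The second case is the situation in the question: a correctly configured server whose issuer is simply not in the client's trust store, which no client-side configuration can fix.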
