NEVPNProtocolIKEv2: How to Handle Identity Data from .mobileconfig?

I am trying to establish a connection using NetworkExtension and NEVPNProtocolIKEv2. It needs to work on an iOS device. I have a test.mobileconfig file and I have set up all configurations based on its content. However, I am unsure how to assign the value for identityData. I have tried multiple methods, but each time, I receive the following errors on my server:

"ikev2-cp"[200] "my_ip_address" #1387: Peer attempted EAP authentication, but IKE_AUTH is required
"ikev2-cp"[200] "my_ip_address" #1387: responding to IKE_AUTH message (ID 1) from "my_ip_address" with encrypted notification AUTHENTICATION_FAILED
"ikev2-cp"[200] "my_ip_address" #1387: encountered fatal error in state STATE_V2_PARENT_R1

First of all, I used the first PayloadContent value inside the .mobileconfig file that I tested. I should mention that there is a certificate inside the file. However, the certificate is not password-protected.

func getIKEv2Protocol(address: NSString, username: NSString, password: NSString) -> NEVPNProtocolIKEv2 {
    let p = NEVPNProtocolIKEv2()
    let kcs = KeychainService()   // my own keychain helper (not shown)

    p.certificateType = .RSA
    p.authenticationMethod = .certificate

    // the password goes into the keychain; passwordReference takes the persistent reference
    kcs.save(key: "ikev2_password", value: password as String)
    p.passwordReference = kcs.load(key: "ikev2_password")
    p.identityDataPassword = "cHH....B3"

    p.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
    p.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA256
    p.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
    p.ikeSecurityAssociationParameters.lifetimeMinutes = 1410

    p.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
    p.childSecurityAssociationParameters.integrityAlgorithm = .SHA256
    p.childSecurityAssociationParameters.diffieHellmanGroup = .group19
    p.childSecurityAssociationParameters.lifetimeMinutes = 1410

    // base64String holds the base64 text of the certificate payload copied from the .mobileconfig
    let base64String = "<base64 PayloadContent from the .mobileconfig>"   // placeholder
    if let certData = Data(base64Encoded: base64String) {
        p.identityData = certData
    }

    p.serverCertificateIssuerCommonName = "***"
    p.serverCertificateCommonName = "***-2"
    p.deadPeerDetectionRate = .medium
    p.disableRedirect = true
    p.enableRevocationCheck = false
    p.useExtendedAuthentication = true   // negotiates extended (EAP) authentication in addition to IKE authentication
    p.remoteIdentifier = address as String
    p.localIdentifier = username as String
    p.serverAddress = address as String
    p.enablePFS = false
    return p
}


and

let vpnManager = NEVPNManager.shared()
vpnManager.loadFromPreferences { error in
    // ...
    let p = self.getIKEv2Protocol(address: address, username: username, password: password)
    vpnManager.protocolConfiguration = p
    vpnManager.localizedDescription = "IKEv2 VPN"
    vpnManager.isEnabled = true

    vpnManager.saveToPreferences { error in
        // ...
        vpnManager.loadFromPreferences { error in
            // ...
            do {
                try vpnManager.connection.startVPNTunnel()
                // And this section starts without any errors.
            } catch {
                print("startVPNTunnel failed: \(error)")
            }
        }
    }
}

How can I properly provide the value for p.identityData and .mobileconfig password?

Please explain in detail if there is an answer, as I am inexperienced with Swift and VPNs.

So, lemme see if I understand this correctly:

  • You have a configuration profile (.mobileconfig) file that includes a VPN payload (com.apple.vpn.managed).

  • If you install that profile on your device, you’re able to successfully connect to the VPN server.

  • You’re trying to replicate that setup with the Personal VPN API.

Is that right?

If so, what other payloads are within your configuration profile? Specifically, if you open the profile in a text editor and search for PayloadType properties within the PayloadContent array, what values do you see?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The file (actually it is a string) contains CA and PKCS12. Yes, I am trying to connect with personal VPN.
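Quinn's reply above asks which PayloadType values sit in the profile's PayloadContent array, and the follow-up says the profile carries a CA and a PKCS12. The script below is an added example, not code from this thread, from Apple or from the poster: it builds a constructed profile with exactly those payloads, lists the PayloadType values, and resolves the VPN payload's PayloadCertificateUUID to the PKCS#12 payload, returning the bytes and password that correspond to identityData and identityDataPassword. The payload keys follow Apple's configuration-profile reference; the mapping to NEVPNProtocolIKEv2 property names is my assumption based on the property names used in the question, and every sample value (UUIDs, hostnames, the fake DER blobs, the password) is constructed for the example.

```python
import plistlib
from typing import Any, Dict, List

# Constructed placeholder blobs, not real certificates. Both start with the DER
# SEQUENCE tag 0x30 so that the sanity check below accepts them.
FAKE_PKCS12 = bytes([0x30, 0x82, 0x00, 0x10]) + b"not-a-real-pkcs12"
FAKE_CA_CERT = bytes([0x30, 0x82, 0x00, 0x0C]) + b"not-a-real-ca"


def build_sample_profile() -> bytes:
    """Return the XML bytes of a constructed .mobileconfig with CA, PKCS#12 and IKEv2 payloads."""
    ca_uuid = "00000000-0000-4000-8000-0000000000aa"
    p12_uuid = "00000000-0000-4000-8000-0000000000bb"
    vpn_uuid = "00000000-0000-4000-8000-0000000000cc"
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ikev2-profile",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadDisplayName": "Example IKEv2 (constructed)",
        "PayloadContent": [
            {
                "PayloadType": "com.apple.security.root",
                "PayloadVersion": 1,
                "PayloadIdentifier": "com.example.ikev2-profile.ca",
                "PayloadUUID": ca_uuid,
                "PayloadContent": FAKE_CA_CERT,
            },
            {
                "PayloadType": "com.apple.security.pkcs12",
                "PayloadVersion": 1,
                "PayloadIdentifier": "com.example.ikev2-profile.identity",
                "PayloadUUID": p12_uuid,
                "PayloadContent": FAKE_PKCS12,          # dumped as a <data> element
                "Password": "example-p12-password",     # constructed sample value
            },
            {
                "PayloadType": "com.apple.vpn.managed",
                "PayloadVersion": 1,
                "PayloadIdentifier": "com.example.ikev2-profile.vpn",
                "PayloadUUID": vpn_uuid,
                "UserDefinedName": "IKEv2 VPN",
                "VPNType": "IKEv2",
                "IKEv2": {
                    "RemoteAddress": "vpn.example.com",
                    "RemoteIdentifier": "vpn.example.com",
                    "LocalIdentifier": "client@example.com",
                    "AuthenticationMethod": "Certificate",
                    "ExtendedAuthEnabled": 0,
                    "PayloadCertificateUUID": p12_uuid,   # points at the PKCS#12 payload above
                    "ServerCertificateIssuerCommonName": "Example CA",
                    "ServerCertificateCommonName": "vpn.example.com",
                },
            },
        ],
    }
    return plistlib.dumps(profile)


def list_payload_types(profile_bytes: bytes) -> List[str]:
    """The PayloadType of every entry in the top-level PayloadContent array."""
    root = plistlib.loads(profile_bytes)
    return [payload.get("PayloadType", "?") for payload in root.get("PayloadContent", [])]


def extract_ikev2_settings(profile_bytes: bytes) -> Dict[str, Any]:
    """Pull the IKEv2 dictionary and the PKCS#12 identity it references, keyed by
    the NEVPNProtocolIKEv2 property names (assumed mapping, see lead-in)."""
    root = plistlib.loads(profile_bytes)
    payloads = root.get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads if "PayloadUUID" in p}

    vpn = next((p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"), None)
    if vpn is None or vpn.get("VPNType") != "IKEv2":
        raise ValueError("no com.apple.vpn.managed payload with VPNType IKEv2 in this profile")
    ikev2 = vpn["IKEv2"]

    identity_bytes = None
    identity_password = None
    cert_uuid = ikev2.get("PayloadCertificateUUID")
    if cert_uuid is not None:
        identity = by_uuid.get(cert_uuid)
        if identity is None or identity.get("PayloadType") != "com.apple.security.pkcs12":
            raise ValueError(f"PayloadCertificateUUID {cert_uuid} does not name a pkcs12 payload")
        identity_bytes = identity["PayloadContent"]    # plistlib already decoded the <data> element
        identity_password = identity.get("Password")   # absent when the PKCS#12 has no password
        # PKCS#12 is DER, so byte 0 is the SEQUENCE tag 0x30; base64 text passed through
        # as UTF-8 by mistake starts with an ASCII letter or digit instead.
        if not identity_bytes or identity_bytes[0] != 0x30:
            raise ValueError("identity PayloadContent is not DER; was the base64 decoded?")

    return {
        "serverAddress": ikev2["RemoteAddress"],
        "remoteIdentifier": ikev2.get("RemoteIdentifier", ikev2["RemoteAddress"]),
        "localIdentifier": ikev2.get("LocalIdentifier"),
        "authenticationMethod": ikev2.get("AuthenticationMethod", "None"),
        "useExtendedAuthentication": bool(ikev2.get("ExtendedAuthEnabled", 0)),
        "identityData": identity_bytes,
        "identityDataPassword": identity_password,
        "serverCertificateIssuerCommonName": ikev2.get("ServerCertificateIssuerCommonName"),
        "serverCertificateCommonName": ikev2.get("ServerCertificateCommonName"),
    }


if __name__ == "__main__":
    sample = build_sample_profile()
    print("PayloadType values:", list_payload_types(sample))
    settings = extract_ikev2_settings(sample)
    # keep the identity bytes and password out of logs; print only the non-secret settings
    print({k: v for k, v in settings.items() if k not in ("identityData", "identityDataPassword")})
```

Two things to watch when pointing this at a real profile: plistlib hands back each `<data>` element already decoded, so the bytes go straight into identityData without a second base64 decode, and a PKCS#12 payload with no Password key leaves identityDataPassword nil. The DER check exists because copying the base64 text out of the XML and assigning it as a UTF-8 string is the easiest way to end up with an identity the client cannot use.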
