3 Replies
      Latest reply: Oct 3, 2016 1:25 AM by eskimo RSS
      singy Level 1 Level 1 (0 points)

        Hey there,

         

        I have set up an IKEv2 server (strongSwan, for those interested), that I've been able to successfully connect my iOS client to using the NEVPNManager framework.


        The issue is, I'd like to define a set of domains (or a set of IP subnets) for which my device does not route to the VPN and instead just routes through the iPhone's default networking interface. This, from what I understand, is called a split-exclude tunnel.

         

        strongSwan does implement a plugin that supposedly enables this functionality, but iOS does not respect these blacklists. What I've read in the documentation is the only way to express a blacklist is to create a list of subnets that are the inverse of the blacklist, which is a bit onerous.

         

        Ideally, I'd like a way to just route all traffic to the VPN, with the exception of a small handful of domains. Is there a way to do this using iOS' built-in IPSec or IKEv2 clients, or will I need to implement an NEPacketTunnelProvider in order to do this?

         

        If the latter, would I lterally need to implement the entire IKEv2 protocol in order to do this?

        • Re: IKEv2 server, but iOS doesn't seem to respect any form of blacklisting (split-exclude). Is NEPacketTunnelProvider the answer?
          jianpx Level 1 Level 1 (0 points)

          I have the same issue. I want to connect vpn using IKEV2 protocol, but I only want some IP flows go through the VPN tunnel, the other go through the default network interface. To implement this , I know I should use NEPacketTunnelProvider and use setNetworkSettings & NEIpv4Route to make the route, but using built-in vpn type IKEV2 will not start the tunnel in NEPacketTunnelProvider . How should I do ? Implement the whole IKEV2 protocol in NEPacketTunnelProvider.m ? I think that is not a good idea. Please Help.

            • Re: IKEv2 server, but iOS doesn't seem to respect any form of blacklisting (split-exclude). Is NEPacketTunnelProvider the answer?
              simmanni Level 1 Level 1 (0 points)

              Hi there,

               

              I have the same issue. I am trying to implement IPSec VPN using IKEV2 that is provided by the Personal VPN (NEVPNManager) on iOS. I am able to Connect and Disconnect, but I would like to implement split tunneling i.e., route certain traffic through the tunnel and other through the device default networking interface. Also would like to use certain DNS server settings for the tunnel. Is it possible to configure the Tunnel Settings while using the NEVPNManager? Or should I use the NEPacketTunnelProvider and implement the whole IKEV2 protocol from scratch? Please help and advise.

                • Re: IKEv2 server, but iOS doesn't seem to respect any form of blacklisting (split-exclude). Is NEPacketTunnelProvider the answer?
                  eskimo Apple Staff Apple Staff (6,470 points)

                  Is it possible to configure the Tunnel Settings while using the NEVPNManager?

                  No.

                  Or should I use the NEPacketTunnelProvider and implement the whole IKEV2 protocol from scratch?

                  Well, you could, but it’s a horrendous amount of work.

                  The built-in IKEv2 transport supports both split and full tunnels [1], based on the configuration returned to it by the VPN server.  I don’t have a lot of experience setting this this up myself, but perhaps someone else will chime it.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                  [1] This is different from the ‘split exclude’ mechanism that started this thread; I don’t know if the built-in IKEv2 transport supports that.