How to set ISAKMP version using NEPacketTunnelProvider with IKEv2 protocol

Hello,


I am using NEPacketTunnelProvider in my application to create a VPN configuration. I am using inbuilt IPSec/IKEv2 only as the VPN protocol. Now I am facing issues with the ISAKMP version of the protocol.


There are two scenarios where I am getting two different versions of ISAKMP-

Scenario 1 (Successful case): I have created a VPN Profile manually in my iPhone with server details and it's connecting properly. I am getting this log in my VPN server where ISAKMP version is 2.0-


Internet Security Association and Key Management Protocol
Initiator SPI: 5da12cee4eac9d03
Responder SPI: 526105b4b9cc92c0
Next payload: Encrypted and Authenticated (46)
Version: 2.0
0010 .... = MjVer: 0x2
.... 0000 = MnVer: 0x0

Scenario 2 (Failure case): I am creating a VPN profile through NEPacketTunnelProvider and trying to connect to the server, where I am getting this log of ISAKMP version (0.8)-


Internet Security Association and Key Management Protocol
Initiator SPI: 4500004541930000
Responder SPI: ff115ffa0a0a0001
Next payload: Hash (8)
Version: 0.8
0000 .... = MjVer: 0x0
.... 1000 = MnVer: 0x8

Now I want to change this version to 0.8 from my application, but I can't see any keywords which are available to NEPacketTunnelProvider.
Please let me know if I need to share more details on that.
TIA.

Replies

I am using NEPacketTunnelProvider in my application to create a VPN configuration. I am using inbuilt IPSec/IKEv2 only as the VPN protocol.

I’m confused. The NEPacketTunnelProvider class forms a basis for a NetworkExtension packet tunnel provider, which is only necessary if you’re implementing a custom VPN protocol. But you’re also saying that you want to use the built-in VPN clients. Are you implementing your own version of IPsec / IKEv2? Or something else?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We are using our application for Enterprise organisations. So, we need our application in ‘VPN CONFIGURATIONS’ instead of in ‘PERSONAL VPN’. Earlier we used NEVPNManager and it landed up in ‘PERSONAL VPN’ and it worked properly with our VPN Server which is using IPSec/IKEv2 Protocol.
Now, we want the same profile to be in ‘VPN CONFIGURATIONS’ for which we need to use NETunnelProvider. As our backend VPN Server is using IPSec/IKEv2 Protocol so, we want to use inbuilt IPSec/IKEv2 Protocol of iOS as the VPN Protocol.

How I tried to use inbuilt IKEv2 protocol is followed this-


self.vpnManager.protocolConfiguration = self.ikev2Type()


where the body of self.ikev2Type() is something like this-


func ikev2Type() -> NEVPNProtocolIKEv2 {
    let vpnProtocolIKEv2 = NEVPNProtocolIKEv2()

    vpnProtocolIKEv2.serverAddress = Constant.serverAddress
    vpnProtocolIKEv2.remoteIdentifier = Constant.remoteIdentifier
    // Other setup related to IKEv2 Protocol
    ……………
    ……………
    return vpnProtocolIKEv2
}


What I have tried is to use the inbuilt IKEv2 protocol as a helper and set the same object as protocolConfiguration. That's how I am trying to use the inbuilt IKEv2 protocol of iOS. Please let me know if I am going in the right direction or not. Otherwise, what can I do further to make it work?
TIA.

Earlier we used NEVPNManager and it landed up in ‘PERSONAL VPN’ and it worked properly with our VPN Server which is using IPSec/IKEv2 Protocol.

OK, that’s cool. That means that your server is fundamentally compatible with the built-in IKEv2 client.

Now, we want the same profile to be in ‘VPN CONFIGURATIONS’ for which we need to use NETunnelProvider.

Whoah there! How do you come to that conclusion?

Most folks in a managed environment set up VPN by pushing a configuration profile using MDM. Such configurations are not Personal VPN and will show up in the VPN Configurations section of Settings. That’s what you should be doing here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Here we don’t want to push our configuration profile via MDM. We want to create our VPN configuration profile programmatically, so that we can have all the controls over the VPN Profile (like switching on/off the VPN or other telemetry data).
That’s why I tried to use the inbuilt IPSec/IKEv2 Protocol of iOS as the VPN Protocol and used NETunnelProvider framework to create the profile in ‘VPN CONFIGURATIONS’ programmatically via our iOS App.

That’s why I tried to use the inbuilt IPSec/IKEv2 Protocol of iOS as the VPN Protocol and used NETunnelProvider framework to create the profile in ‘VPN CONFIGURATIONS’ programmatically via our iOS App.

OK, just to be clear, this won’t work. The NE provider API is intended to be used by folks who are implementing their own custom VPN transport. It does not let you configure the built-in VPN transports. The only way to get this to work would be to create your own IKEv2 transport from scratch, which is a ridiculous amount of extra work.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
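For readers landing on this thread, the following is an added example, not code from either participant, showing the path the thread confirms does work with the built-in IKEv2 client: NEVPNManager with an NEVPNProtocolIKEv2 configuration, filled in with the settings a defender would want pinned explicitly (certificate authentication from the Keychain, the server certificate it must present, AEAD cipher and DH group for both the IKE and child SA, PFS). The server name, identifiers, CA name, and the Keychain identity reference are placeholders; all API names are from the NetworkExtension framework.

```swift
import NetworkExtension
import Security

/// Builds an IKEv2 configuration for the built-in iOS client.
/// Every string value below is an assumed placeholder for this example.
func makeIKEv2Protocol(identity: Data) -> NEVPNProtocolIKEv2 {
    let p = NEVPNProtocolIKEv2()
    p.serverAddress = "vpn.example.com"            // assumed
    p.remoteIdentifier = "vpn.example.com"         // assumed: the server's IKE identity
    p.localIdentifier = "device-01.example.com"    // assumed: this client's IKE identity

    // Certificate authentication with an identity already stored in the Keychain
    // (the persistent reference is assumed to have been obtained elsewhere).
    p.authenticationMethod = .certificate
    p.identityReference = identity
    p.certificateType = .ECDSA256
    p.useExtendedAuthentication = false

    // Pin what the server must present rather than accepting any trusted certificate.
    p.serverCertificateIssuerCommonName = "Example Corp VPN CA"  // assumed
    p.serverCertificateCommonName = "vpn.example.com"           // assumed

    // IKE SA and child SA proposals: AES-256-GCM, SHA-256 PRF, ECP-256 (group 19).
    for params in [p.ikeSecurityAssociationParameters, p.childSecurityAssociationParameters] {
        params.encryptionAlgorithm = .algorithmAES256GCM
        params.integrityAlgorithm = .SHA256
        params.diffieHellmanGroup = .group19
        params.lifetimeMinutes = 60
    }
    p.enablePFS = true
    p.disableMOBIKE = false
    p.deadPeerDetectionRate = .medium
    p.disconnectOnSleep = false
    return p
}

/// Installs (or updates) the configuration through NEVPNManager and starts the tunnel.
/// Errors from each step are passed back to the caller instead of being ignored.
func installAndConnect(identity: Data, completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { return completion(loadError) }

        manager.protocolConfiguration = makeIKEv2Protocol(identity: identity)
        manager.localizedDescription = "Example Corp VPN"   // assumed display name
        manager.isEnabled = true
        manager.isOnDemandEnabled = false   // leave on-demand off unless policy requires it

        manager.saveToPreferences { saveError in
            if let saveError = saveError { return completion(saveError) }
            // Reload after saving so the connection object reflects the stored configuration.
            manager.loadFromPreferences { reloadError in
                if let reloadError = reloadError { return completion(reloadError) }
                do {
                    try manager.connection.startVPNTunnel()
                    completion(nil)
                } catch {
                    completion(error)
                }
            }
        }
    }
}
```

Because NEVPNManager writes a single Personal VPN configuration for the app, this will still appear under Personal VPN; moving the same settings into the VPN Configurations section means delivering them as an MDM configuration profile, as the replies above describe, not switching to a tunnel provider.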