Error when connecting with NetworkExtension VPN using IKEv2 and PSK

The advice I give to all NEVPNManager developers is that they first try to configure the VPN using a configuration profile (typically created with Apple Configurator, possibly with custom modifications based on the info in the Configuration Profile Reference). That lets you determine whether the problem you’re seeing relates to your code or to your VPN configuration: if you can’t get things working with a configuration profile, there’s no point investigating your code.

Share and Enjoy
—
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Have you succeeded in connecting your VPN? Looks like I'm currently facing similar issues with the same setup (IKEv2, PSK):

https://forums.developer.apple.com/message/63695#63695

Have you managed to provide a correct sharedSecredReference to NEVPNManager?

Thanks a lot.

Have you succeeded in connecting your VPN?

I’ve worked with developers who have managed to get NEVPNManager working on OS X, although I don’t know if they were using shared secret authentication so I’m not sure why that’s failing in your specific case.

Just as a test, have you tried configuring it using a configuration profile profile? Did it work?

If you get completely stuck you should open a DTS tech support incident and I’ll take an in-depth look.

Share and Enjoy
—
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I could establish a connection over the Network Preferences (I created it there manually), so I believe it will also work over the configuration profile. My specific problem is described here:

https://forums.developer.apple.com/message/63695#63695

In short, somehow the persistent reference to the keychain item which is given to the NEVPNManager fails to provide the correct item. I observe the same issue also with certificates and passwords that I store in the keychain. I.e. in case of the certificate, the VPN manager reports to the log that it could not retrieve the certificate from the keychain, in case of EAP-MSCHAP2 auth I see the Password dialog popping up (so I presume it could not retrieve the password from the keychain). The code I use to work with keychain is based on the SecItemAdd / SecItemCopyMatching functions from the tutorials here:

https://developer.apple.com/library/mac/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html

The code also works very well for IOS 8/9, so I am really don't understand why it fails on OS X.

Hello,

I am facing the same exact problem with El Capitan in latest version and cannot solve it, I see that there are many people with the same issue. Is there anything apple can do to help?

Feb 7 11:38:33 Mac-TG nesessionmanager[13319]: NESMIKEv2VPNSession[VPN (IKEv2):F3749068-E922-4DB5-B59D-1299A1C23D81]: status changed to connecting

Feb 7 11:38:33 Mac-TG nesessionmanager[13319]: Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2

Feb 7 11:38:33 Mac-TG neagent[14614]: IKEv2 Plugin: ikev2_dns_callback: Error -65554

Feb 7 11:38:33 Mac-TG kernel[0]: ipsec_ctl_connect: creating interface ipsec0

Feb 7 11:38:33 Mac-TG configd[54]: network changed

Feb 7 11:38:33 Mac-TG vmnet-bridge[1539]: Dynamic store changed

Feb 7 11:38:33 Mac-TG neagent[14614]: Certificate authentication data could not be verified

We also encountered the problem with "Certificate authentication data could not be verified" message for some of our Mac OS El Capitan clients, but all our iOS and Android (strongSwan) clients connected fine. After troubleshooting, we discovered that Mac OS didn't validate the full certificate chain (intermediate certificates).

We're running the IPsec strongSwan server on pfSense configured with IKEv2 EAP-MSChapv2 (user+password authentication). The server is configured with a Comodo PositiveSSL certificate, with two intermediate certificates between our certificate and the root certificate http://i.imgur.com/rdGzIFW.png One thing we missed during configuration, was that the strongSwan needs the intermediate certificates as well. This was solved by exporting the two certificates (see screenshot above) and placing in /etc/ipsec.d/cacerts/ (or in the case of pfSense, importing both certificates as CA Certificates in the Certificate Manager and simply restarting the IPsec service, since this automatically copies the certs to the proper ipsec.d/cacerts directory).

The problem could also be solved by manually importing the two intermediate certificates to the client Mac OS Login Keychain (no custom trust settings).