[iOS] Personal VPN app vs VPN configuration?

Hi!

I'm trying to establish an IKEv2 connection to a strongSwan endpoint, but it keeps failing for some reason. I have tried every possible solution from the web and it did not help. Is there any under-the-hood difference between a manually added VPN config and the config generated by an application? I thought there was none, but everything works with the manual config and does not with the Personal VPN one (I assume there's no difference between calling startVPNTunnel() on NEVPNConnection from code and using the corresponding config's switch in Settings -> VPN).

The app's entitlements are fine, as I am able to connect via IKEv1.
We use username/password authentication and the endpoint's certificate is signed by a trusted authority (we tried Let's Encrypt first - no go). Could it be that upon connecting via the app's config the system handles the certificates differently? Or uses different default values for ike/childSecurityAssociationParameters or any other IKEv2-specific settings? I'm totally stuck, please help.
P.S.: Sometimes the VPN manager just crashes with [] ne_session_get_info_with_param:898 Failed to fetch info with type 2: Connection invalid and no notifications are fired or exceptions thrown, so it's kinda impossible to catch.

Replies

If you have a working configuration profile then you should be able to create a working configuration via NEVPNManager. The two most common gotchas are:
  • Server certificate — NEVPNManager provides no way to override server trust evaluation, so the server’s certificate must be trusted by the system. It sounds like you have this covered already.
  • Keychain — Many folks run into problems setting up keychain items correctly. If you take a look at this thread you’ll find the VPNKeychain code that I use for this.
  • Security association parameters — If you set up a VPN configuration via the UI and don’t specify these parameters, it uses some meta parameters that cause the VPN subsystem to negotiate parameters on the wire. NEVPNManager doesn’t support this; you have to give it concrete parameters. I’m not 100% sure how this affects profiles, but my recommendation is that you set your profile up to use concrete parameters, get that working, and then copy those parameters to your NEVPNManager code.

If the above doesn’t help then you should open a DTS tech support incident and I can look at the specifics of your issue in depth.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi, thank you for the response!
I think it's not about the keychain, as the IKEv1 implementation uses the same code for accessing the password/shared secret and works fine.
Let me get this straight: when I add a VPN configuration manually in iOS Settings it has no advanced connection parameters, so it gets them from the endpoint, and there's no way I can check them in logs or something?

What exactly is this configuration profile you are suggesting to play with, and how can I set one up?

What exactly is this configuration profile you are suggesting to play with, and how can I set one up?

Ah, I misread your earlier email. When you wrote “manually added VPN config” I automatically added “profile” to the end )-:

Anyway, a configuration profile is a property list that you can install on the device to configure various things, including VPN. It is typically used in managed environments (an MDM server can push configuration profiles to enrolled devices) but it’s also a good debugging tool for NEVPNManager, because it’s a lot easier to tweak a profile than to write code.

You can find details on the format in the Configuration Profile Reference. My recommendation, however, is that you create your profile using Apple Configurator. That tool also lets you install the profile (to do that, save the profile to disk and then drag it to the device icon in Configurator’s main window).

Once you have a working profile I don’t expect you to have any problems writing the equivalent NEVPNManager code, but post back if you do.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


WWDC runs Mon, 4 Jun through to Fri, 8 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face.

Thanks for the suggestion. I've tried Apple Configurator and I couldn't connect with a config generated by it.
I assume this proves that something is wrong with the settings, but I failed to find a working combination. I believe I used the correct settings, as there isn't that much to tweak.
Regarding security association parameters, there are basically four values of interest: encryption algorithm, integrity algorithm, Diffie-Hellman group and lifetime. According to the server-side config:

conn ikev2
  auto=add
  ikelifetime=1440m
  keylife=60m
  rekeymargin=3m
  keyingtries=1
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
  esp=aes256-sha256,aes256-sha1,3des-sha1! # apparently Win7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
  rekey=no
  left=10.20.30.40 # some IP
  leftid=@*.myvpn.com # some host
  leftcert=server.crt
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=10.0.0.250
  rightsourceip=%radius
  rightsendcert=never
  dpdaction=clear
  dpdtimeout=5s
  dpddelay=50s

I set encryption to AES-256, integrity to SHA-256, group to 2 and lifetime to 1440 for both the IKE SA and Child SA params. I've tried different combinations with no result. (Should IKE and Child be the same, btw?)
What am I missing? Is there a way to somehow find out (sniff?) the exact settings used by the iOS-added config?

Should IKE and Child be the same, btw?

There’s no requirement that they match, but a lot of folks do set things up that way.

Is there a way to somehow find out (sniff?) the exact settings used by the iOS-added config?

The problem is that the configuration created via Settings uses special ‘negotiate’ values for SA parameters, and you can’t access these values via NEVPNManager. One option is to look at an RVI packet trace (per QA1176) to see what values actually got negotiated, but that requires you to understand the details of IKEv2. Similarly, you can install the VPN profile (from our Bug Reporting > Profiles and Logs page) and look at the detailed logging it generates, but that’s also not easy.

Perhaps the server side logs the negotiated parameters? Or you can escalate this via the server-side support channel? The issue of how to configure your server to support iOS clients via a configuration profile must have come up before.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

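As an added illustration of the advice in this thread (not code from the thread or from Apple), the following Swift builds an NEVPNProtocolIKEv2 with the concrete SA parameters taken from the first proposal on the server's ike= and esp= lines, authenticates with a keychain password reference rather than a plaintext password, and reports the NEVPNError if startVPNTunnel() refuses the configuration. The host name, username and the keychain persistent reference are assumed placeholders.

```swift
import NetworkExtension

// Added example, not the original poster's code. Mirrors the strongSwan config above:
// ike=aes256-sha256-modp1024 (ikelifetime=1440m), esp=aes256-sha256 (keylife=60m, no PFS group).
func makeIKEv2Protocol(server: String, username: String, passwordRef: Data) -> NEVPNProtocolIKEv2 {
    let p = NEVPNProtocolIKEv2()
    p.serverAddress = server                  // assumed host name, e.g. the leftid on the server
    p.remoteIdentifier = server               // must match the identity in the server certificate
    p.serverCertificateCommonName = server    // system trust evaluation cannot be overridden
    p.username = username
    p.passwordReference = passwordRef         // keychain persistent ref; never the plaintext password
    p.authenticationMethod = .none            // server authenticates by certificate only ...
    p.useExtendedAuthentication = true        // ... client authenticates via EAP (rightauth=eap-radius)
    p.deadPeerDetectionRate = .medium

    // IKE SA: concrete values instead of the Settings app's "negotiate" placeholders.
    let ike = p.ikeSecurityAssociationParameters
    ike.encryptionAlgorithm = .algorithmAES256
    ike.integrityAlgorithm = .SHA256
    ike.diffieHellmanGroup = .group2          // modp1024, chosen only because the server offers it
    ike.lifetimeMinutes = 1440                // ikelifetime=1440m

    // Child SA: esp= carries no DH group, so leave PFS off and match keylife=60m.
    let child = p.childSecurityAssociationParameters
    child.encryptionAlgorithm = .algorithmAES256
    child.integrityAlgorithm = .SHA256
    child.diffieHellmanGroup = .group2
    child.lifetimeMinutes = 60
    p.enablePFS = false
    return p
}

// Saves the configuration as the app's Personal VPN entry and starts the tunnel,
// surfacing the errors that the original poster reports never seeing.
func installAndConnect(_ proto: NEVPNProtocolIKEv2) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let e = loadError { return print("load failed: \(e)") }
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example IKEv2"
        manager.isEnabled = true
        manager.saveToPreferences { saveError in
            if let e = saveError { return print("save failed: \(e)") }
            do { try manager.connection.startVPNTunnel() }
            catch { print("start failed: \(error)") }   // e.g. NEVPNError.configurationInvalid
        }
    }
}
```

Observe the result with NEVPNStatusDidChange notifications and compare the values here against the server's own negotiation log before changing anything else.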