1 Reply
      Latest reply on Mar 14, 2019 2:58 AM by eskimo
      yashipallav Level 1 (0 points)

        I am working on the implementation of a VPN app on iOS that uses the NEVPNManager API to set up an IPsec IKEv2 VPN.

        The VPN server is strongSwan and the client is an iOS device.

        The authentication method is certificate-based, so during authentication the client sends its certificate to the server, and the VPN server sends its certificate to the client.

        The VPN server certificate was signed by a custom root CA (i.e. one which is not in the default cert store), and in order to close the “chain of trust”, the client must install the root CA that signed the VPN server certificate.

        If I install the VPN root CA via a profile, everything works as expected. I don’t even need to enable trust for the certificate manually via the Settings app; installing the certificate is probably enough.

        My goal is to install the VPN root CA NOT via a profile, and as “silently” as I can.

        What I have is the DER-format string for the root CA certificate, and I added the certificate to the keychain using SecCertificateCreateWithData. First I converted the DER-format string to Data. Then I converted this into a certificate using SecCertificateCreateWithData. Then I added it to the keychain. It has been added successfully too. But at the time of VPN configuration setup it is not working and not accepting it as the certificate for authentication.

        Any idea how to use that certificate for the IPsec IKEv2 authentication?

        • Re: NEVPNManager | ipsec ikev2 certificate authentication | installing ‘vpn root ca’ without profile
          eskimo Apple Staff (11,275 points)

          NEVPNManager does not allow you to override the server trust evaluation done by the IKEv2 client. If you want to set up a VPN configuration using NEVPNManager, you must configure your server with a certificate that’s issued by a CA that’s trusted by the system [1].

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          [1] You can, of course, require that the user install your custom CA’s root certificate, but that’s not appropriate for a consumer app.
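As an added example (not code from either poster), here are the steps the question describes in Swift, followed by the one thing an app-keychain certificate can do: act as an explicit anchor for trust evaluations the app itself performs, which is the in-process counterpart of the system-wide trust the reply says NEVPNManager's IKEv2 client requires. The function names, the label string and the Base64 placeholder are assumptions; the Security framework calls are the real ones.

```swift
import Foundation
import Security

// Added example, not the poster's code. It performs the steps from the question
// (DER bytes -> SecCertificate -> app keychain) and then shows the only trust
// that buys you: the cert can anchor evaluations this process runs itself.
// The system IKEv2 client used by NEVPNManager runs out of process and never
// sees these anchors, so a server issued by this root still fails there.

/// Parses a DER-encoded certificate; nil if the bytes are not valid DER.
func certificate(fromDER der: Data) -> SecCertificate? {
    return SecCertificateCreateWithData(nil, der as CFData)
}

/// Stores the certificate in the app's keychain (the question's approach).
/// Treats an already-present item as success.
func addToKeychain(_ cert: SecCertificate, label: String) -> OSStatus {
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: cert,
        kSecAttrLabel as String: label,
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    return status == errSecDuplicateItem ? errSecSuccess : status
}

/// Evaluates a server certificate chain with `anchors` as the only trusted
/// roots. This is how an in-app client (e.g. a URLSession delegate) would
/// accept a server issued by the custom CA; it has no effect system-wide.
func serverChainIsTrusted(chain: [SecCertificate], anchors: [SecCertificate]) -> Bool {
    var trustRef: SecTrust?
    let policy = SecPolicyCreateBasicX509()
    guard SecTrustCreateWithCertificates(chain as CFArray, policy, &trustRef) == errSecSuccess,
          let trust = trustRef else { return false }
    // Pin evaluation to the supplied anchors and ignore the system store.
    guard SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
          SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else { return false }
    var error: CFError?
    return SecTrustEvaluateWithError(trust, &error)  // requires iOS 12 or later
}

// Constructed placeholder: replace with the Base64 of your root CA's DER bytes.
let rootDERBase64 = "<BASE64_DER_OF_YOUR_ROOT_CA>"
if let der = Data(base64Encoded: rootDERBase64), let root = certificate(fromDER: der) {
    _ = addToKeychain(root, label: "VPN root CA (this app's keychain only)")
    // `serverChain` would be the leaf and intermediates received from the server;
    // serverChainIsTrusted(chain: serverChain, anchors: [root]) is true only here,
    // in-process. NEVPNManager's IKEv2 negotiation is unaffected by it.
}
```

The contrast is the point: an app can anchor its own evaluations this way, but nothing an app does to its keychain changes what the system IKEv2 client trusts, so the fix stays on the server side (a system-trusted CA) or in a configuration profile.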