I cant create my IKEv2 ConnectionApp

Hey to all

it's my first question here and I wish it helps me.

I want to create an IKEv2 VPN connection with swift, I tried to find a sample or a place for learning how to do it , but I can't find anything (I watched WWDC15 , but it doesn't work on swift 4.2 or more)

However I tried to create it with StackOverFlow's issues. but there is a bunch of question

- How can I prepare my cert Key for put it on NEVPNProtocolIKEv2() variable??? ( is .data(using: String.Encoding.utf8) enough???)

- Does cert's string need -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- ???

- How can I prepare my password like first question???

and finally here is my code, But it doesn't work 😟 :



import NetworkExtension
import UIKit
public final class IKEV2Connection {

    public func initProfile() {
        let vpnManager = NEVPNManager.shared()
        let server = "My server IP"
        let userName = "VPNUserName"
        let remoteIdentifier = server
        let cert = """
-----BEGIN CERTIFICATE-----
MIIFQjCCAyqgAwIBAgIIeB6GOr0OS80wDQYJKoZIhvcNAQEMBQAwPzELMAkGA1UE
......
U4Yqeart5YXLigwZ2cPOATEmv6SNIlp68eUVsPg4gvdYbe6Or0kBiScCKcH3
shfuLOjSTEIcedpQEy7b
-----END CERTIFICATE-----
""".data(using: .utf8)
        
        vpnManager.loadFromPreferences { (error) in
            
            if error != nil {
                print("Load config faild : \(error!.localizedDescription)")
                return
            }
            let weakP = vpnManager.protocolConfiguration as? NEVPNProtocolIKEv2
            var p: NEVPNProtocolIKEv2!
            if weakP != nil {
                p = weakP!
            } else {
                p = NEVPNProtocolIKEv2()
            }
            p.username = userName
            p.serverAddress = server
            p.certificateType = .RSA
            p.passwordReference = "VPNPassword".data(using: .utf8)
            p.sharedSecretReference = cert
            p.authenticationMethod = NEVPNIKEAuthenticationMethod.sharedSecret
            p.remoteIdentifier = remoteIdentifier
            p.useExtendedAuthentication = true
            p.disconnectOnSleep = true
            
            vpnManager.protocolConfiguration = p
            vpnManager.localizedDescription = "IPSec IKEv2 Demo3"
            vpnManager.isEnabled = true
            
            vpnManager.saveToPreferences(completionHandler: { (error) in
                if error != nil {
                    print("Save config failed : \(error!.localizedDescription)")
                }
            })
            do {
            try vpnManager.connection.startVPNTunnel()
            } catch let ex {
                print("error is \(ex)")
            }
        } 
    }   
}
Up vote post of mohsen_Kh Down vote post of mohsen_Kh
1.8k views
Posted by
mohsen_Kh
Reply
Add a Comment

Replies

Before starting with 

NEVPNManager
, it’s important to first confirm that your VPN is working as expected. My recommendation is that you:

  1. Use Apple Configurator to create a configuration profile with your VPN settings.

    IMPORTANT You configuration profile must not include a custom root certificate (

    com.apple.security.root
    ). If you’re VPN server uses a custom root, there’s no way to set up the configuration with 
    NEVPNManager
    .

  2. Install that on your device.

  3. Test that it works.

Once that’s working, getting the equivalent effect with 

NEVPNManager
should be relatively straightforward. If you get stuck, post the contents of your VPN payload ( 
com.apple.vpn.managed
) here and I can take a look. Feel free to redact any security-sensitive stuff, like passwords.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi Eskimo or others,


In response to:

Use Apple Configurator to create a configuration profile with your VPN settings.
IMPORTANT You configuration profile must not include a custom root certificate (com.apple.security.root). 
If you’re VPN server uses a custom root, there’s no way to set up the configuration with NEVPNManager.


My VPN is working very good when I configure it manually in Settings (install the cert from Mail). My questions are these:


1) What do you mean custom root cert? Is that the same as a self-signed cert?

2) I know that Apple trusts Let's Encypt root cert (ISRG Root X1) would that be an acceptable cert for building a VPN app.

3) Can you help me understand how to include the certificate authority in the IKEv2 submission to the server? Like the code below? I see no option in NEVPNProtocolIKEv2. Do I reference the cert in Settings some how?


let cert = """  
-----BEGIN CERTIFICATE-----  
MIIFQjCCAyqgAwIBAgIIeB6GOr0OS80wDQYJKoZIhvcNAQEMBQAwPzELMAkGA1UE  
......  
U4Yqeart5YXLigwZ2cPOATEmv6SNIlp68eUVsPg4gvdYbe6Or0kBiScCKcH3  
shfuLOjSTEIcedpQEy7b  
-----END CERTIFICATE---
--  
""".data(using: .utf8)

Thanks so much!

Posted by
devyen936
Up vote reply of devyen936 Down vote reply of devyen936
Add a Comment