5 Replies
      Latest reply on Nov 12, 2019 12:38 AM by eskimo
      sourabDream Level 1 (0 points)

        Hello,

         

        I am using NEPacketTunnelProvider in my application to create a VPN configuration. I am using inbuilt IPSec/IKEv2 only as the VPN protocol. Now I am facing issues with the ISAKMP version of the protocol.

         

        There are two scenarios where I am getting two different versions of ISAKMP-

        Scenario 1 (Successful case): I have created a VPN Profile manually on my iPhone with server details and it's connecting properly. I am getting this log in my VPN server where ISAKMP version is 2.0-

         


        Internet Security Association and Key Management Protocol

            Initiator SPI: 5da12cee4eac9d03

            Responder SPI: 526105b4b9cc92c0

            Next payload: Encrypted and Authenticated (46)

            Version: 2.0

                0010 .... = MjVer: 0x2

                .... 0000 = MnVer: 0x0


        Scenario 2 (Failure case): I am creating a VPN profile through NEPacketTunnelProvider and trying to connect to server where I am getting this log of ISAKMP version (0.8)-

         

        Internet Security Association and Key Management Protocol

            Initiator SPI: 4500004541930000

            Responder SPI: ff115ffa0a0a0001

            Next payload: Hash (8)

            Version: 0.8

                0000 .... = MjVer: 0x0

                .... 1000 = MnVer: 0x8


        Now I want to change this version to 0.8 from my application, but I can't see any keywords which are available to NEPacketTunnelProvider.
        Please let me know if I need to share more details on that.
        TIA.
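Added example (not part of the original post and not Apple's code): a Python sketch that decodes the 18 header bytes shown in the two dissections above as an ISAKMP header, then re-reads the same bytes as the start of an IPv4 header. The function names are hypothetical, and the last two address bytes in the IPv4 reading are not in the post; they are solved from the header checksum on the assumption that the bytes are an IPv4 header.

```python
import ipaddress
import struct

# Header bytes as shown in the two dissections (SPIs, next payload, version).
SCENARIO_1 = bytes.fromhex("5da12cee4eac9d03" "526105b4b9cc92c0" "2e" "20")
SCENARIO_2 = bytes.fromhex("4500004541930000" "ff115ffa0a0a0001" "08" "08")

def parse_isakmp_prefix(raw: bytes) -> dict:
    """Decode the first 18 bytes of an ISAKMP/IKE header."""
    init_spi, resp_spi, next_payload, ver = struct.unpack("!8s8sBB", raw[:18])
    return {
        "initiator_spi": init_spi.hex(),
        "responder_spi": resp_spi.hex(),
        "next_payload": next_payload,
        "version": f"{ver >> 4}.{ver & 0x0F}",
    }

def fold16(data: bytes) -> int:
    """Ones'-complement sum of big-endian 16-bit words (IPv4 checksum arithmetic)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def as_ipv4_header(raw: bytes):
    """Reinterpret the same 18 bytes as the start of a 20-byte IPv4 header.

    Returns None unless byte 0 is 0x45 (IPv4, no options). The two bytes the
    dissection does not show are solved from the header checksum, so they are
    an inference that holds only if the bytes really are an IPv4 header.
    """
    if len(raw) < 18 or raw[0] != 0x45:
        return None
    missing = 0xFFFF - fold16(raw[:18])  # word that makes the header sum to 0xFFFF
    hdr = raw[:18] + struct.pack("!H", missing)
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr)
    return {
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,  # 17 = UDP
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }

if __name__ == "__main__":
    for name, raw in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        print(name, parse_isakmp_prefix(raw), as_ipv4_header(raw))
```

For Scenario 2 the same bytes read as a 69-byte UDP datagram from 10.10.0.1, which is what a capture looks like when a raw IP packet is dissected as ISAKMP. Scenario 1 does not parse that way.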

        • Re: How to set ISAKMP version using NEPacketTunnelProvider with IKEv2 protocol
          eskimo Apple Staff (12,325 points)

          I am using NEPacketTunnelProvider in my application to create a VPN configuration. I am using inbuilt IPSec/IKEv2 only as the VPN protocol.

          I’m confused.  The NEPacketTunnelProvider class forms a basis for a NetworkExtension packet tunnel provider, which is only necessary if you’re implementing a custom VPN protocol.  But you’re also saying that you want to use the built-in VPN clients.  Are you implementing your own version of IPsec / IKEv2?  Or something else?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: How to set ISAKMP version using NEPacketTunnelProvider with IKEv2 protocol
              sourabDream Level 1 (0 points)

              We are using our application for Enterprise organisations. So, we need our application in ‘VPN CONFIGURATIONS’ instead of in ‘PERSONAL VPN’. Earlier we used NEVPNManager and it landed up in ‘PERSONAL VPN’ and it worked properly with our VPN Server which is using IPSec/IKEv2 Protocol.
              Now, we want the same profile to be in ‘VPN CONFIGURATIONS’ for which we need to use NETunnelProvider. As our backend VPN Server is using IPSec/IKEv2 Protocol so, we want to use inbuilt IPSec/IKEv2 Protocol of iOS as the VPN Protocol.


              How I tried to use the inbuilt IKEv2 protocol is as follows-

               

              self.vpnManager.protocolConfiguration = self.ikev2Type()

               

              where the body of self.ikev2Type() is something like this-

               

              func ikev2Type() -> NEVPNProtocolIKEv2 {
                  let vpnProtocolIKEv2 = NEVPNProtocolIKEv2()

                  vpnProtocolIKEv2.serverAddress = Constant.serverAddress
                  vpnProtocolIKEv2.remoteIdentifier = Constant.remoteIdentifier
                  // Other setup related to IKEv2 Protocol
                  // ……………
                  // ……………

                  return vpnProtocolIKEv2
              }

               

              What I have tried is to use the inbuilt IKEv2 protocol as a helper and set the same object as protocolConfiguration. That's how I am trying to use the inbuilt IKEv2 protocol of iOS. Please let me know if I am going in the right direction or not. Otherwise, what can I do further to make it work?
              TIA.

                • Re: How to set ISAKMP version using NEPacketTunnelProvider with IKEv2 protocol
                  eskimo Apple Staff (12,325 points)

                  Earlier we used NEVPNManager and it landed up in ‘PERSONAL VPN’ and it worked properly with our VPN Server which is using IPSec/IKEv2 Protocol.

                  OK, that’s cool.  That means that your server is fundamentally compatible with the built-in IKEv2 client.

                  Now, we want the same profile to be in ‘VPN CONFIGURATIONS’ for which we need to use NETunnelProvider.

                  Whoah there!  How do you come to that conclusion?

                  Most folks in a managed environment set up VPN by pushing a configuration profile using MDM.  Such configurations are not Personal VPN and will show up in the VPN Configurations section of Settings.  That’s what you should be doing here.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: How to set ISAKMP version using NEPacketTunnelProvider with IKEv2 protocol
                      sourabDream Level 1 (0 points)

                      Here we don’t want to push our configuration profile via MDM. We want to create our VPN configuration profile programmatically, so that we can have all the controls over the VPN Profile (like switching on/off the VPN or other telemetry data).
                      That’s why I tried to use the inbuilt IPSec/IKEv2 Protocol of iOS as the VPN Protocol and used NETunnelProvider framework to create the profile in ‘VPN CONFIGURATIONS’ programmatically via our iOS App.

                        • Re: How to set ISAKMP version using NEPacketTunnelProvider with IKEv2 protocol
                          eskimo Apple Staff (12,325 points)

                          That’s why I tried to use the inbuilt IPSec/IKEv2 Protocol of iOS as the VPN Protocol and used NETunnelProvider framework to create the profile in ‘VPN CONFIGURATIONS’ programmatically via our iOS App.

                          OK, just to be clear, this won’t work.  The NE provider API is intended to be used by folks who are implementing their own custom VPN transport.  It does not let you configure the built-in VPN transports.  The only way to get this to work would be to create your own IKEv2 transport from scratch, which is a ridiculous amount of extra work.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"