IKEv2 server, but iOS doesn't seem to respect any form of blacklisting (split-exclude). Is NEPacketTunnelProvider the answer?

Hey there,


I have set up an IKEv2 server (strongSwan, for those interested), that I've been able to successfully connect my iOS client to using the NEVPNManager framework.

The issue is, I'd like to define a set of domains (or a set of IP subnets) for which my device does not route to the VPN and instead just routes through the iPhone's default networking interface. This, from what I understand, is called a split-exclude tunnel.


strongSwan does implement a plugin that supposedly enables this functionality, but iOS does not respect these blacklists. What I've read in the documentation is the only way to express a blacklist is to create a list of subnets that are the inverse of the blacklist, which is a bit onerous.


Ideally, I'd like a way to just route all traffic to the VPN, with the exception of a small handful of domains. Is there a way to do this using iOS' built-in IPSec or IKEv2 clients, or will I need to implement an NEPacketTunnelProvider in order to do this?


If the latter, would I literally need to implement the entire IKEv2 protocol in order to do this?

Replies

I have the same issue. I want to connect a VPN using the IKEv2 protocol, but I only want some IP flows to go through the VPN tunnel; the others should go through the default network interface. To implement this, I know I should use NEPacketTunnelProvider and use setNetworkSettings & NEIPv4Route to make the route, but using the built-in VPN type IKEv2 will not start the tunnel in NEPacketTunnelProvider. How should I do this? Implement the whole IKEv2 protocol in NEPacketTunnelProvider.m? I think that is not a good idea. Please help.

Hi there,


I have the same issue. I am trying to implement IPSec VPN using IKEV2 that is provided by the Personal VPN (NEVPNManager) on iOS. I am able to Connect and Disconnect, but I would like to implement split tunneling i.e., route certain traffic through the tunnel and other through the device default networking interface. Also would like to use certain DNS server settings for the tunnel. Is it possible to configure the Tunnel Settings while using the NEVPNManager? Or should I use the NEPacketTunnelProvider and implement the whole IKEV2 protocol from scratch? Please help and advise.
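The two replies above both describe the same building blocks: NEPacketTunnelProvider, setTunnelNetworkSettings and NEIPv4Route for routing, plus tunnel-scoped DNS. The following Swift sketch is an added example, not code from this thread or from strongSwan, showing how a custom packet tunnel provider would declare a full tunnel with a small split-exclude list and its own DNS servers. The IKEv2/ESP transport itself is deliberately left as a hypothetical hook (`readPackets` simply reads from the packet flow), and all addresses are constructed documentation values. Note that routes are IP-based: a domain on the exclude list has to be expressed as the subnets it resolves to, which is exactly the limitation the original question runs into.

```swift
import NetworkExtension

// Added example (not from the thread): a minimal NEPacketTunnelProvider that
// routes everything through the tunnel except a short exclude list, and pins
// DNS to the tunnel's resolvers. The encrypted transport is NOT implemented;
// the packet-reading loop is a hypothetical stand-in for it.
final class SplitExcludeTunnelProvider: NEPacketTunnelProvider {

    // Constructed values for illustration only (RFC 5737 documentation ranges).
    private let serverAddress = "203.0.113.10"
    private let tunnelClientAddress = "10.8.0.2"
    private let tunnelDNSServers = ["10.8.0.1"]

    // Subnets that must bypass the tunnel (the "blacklist" from the question).
    // NEIPv4Route only understands IP prefixes, so a domain has to be turned
    // into its subnets before it can be listed here.
    private let excludedSubnets: [(address: String, mask: String)] = [
        ("198.51.100.0", "255.255.255.0"),
        ("192.0.2.0", "255.255.255.0"),
    ]

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverAddress)

        let ipv4 = NEIPv4Settings(addresses: [tunnelClientAddress],
                                  subnetMasks: ["255.255.255.0"])
        // Full tunnel: the default route goes through the provider ...
        ipv4.includedRoutes = [NEIPv4Route.default()]
        // ... except these prefixes, which the system keeps on the device's
        // default interface. Traffic to them never enters the packet flow.
        ipv4.excludedRoutes = excludedSubnets.map {
            NEIPv4Route(destinationAddress: $0.address, subnetMask: $0.mask)
        }
        settings.ipv4Settings = ipv4

        // Tunnel DNS. The commonly used [""] match list makes these resolvers
        // the default for all queries rather than only for specific domains.
        let dns = NEDNSSettings(servers: tunnelDNSServers)
        dns.matchDomains = [""]
        settings.dnsSettings = dns

        settings.mtu = 1400

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Hypothetical: start the read loop that feeds the transport.
            self.readPackets()
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    private func readPackets() {
        packetFlow.readPackets { packets, protocols in
            // Hypothetical transport: here `packets` would be encrypted and
            // sent to the server. Packets for excludedSubnets never arrive
            // here because the system routes them around the tunnel.
            _ = (packets, protocols)
            self.readPackets()
        }
    }
}
```

Two points a practitioner should keep in mind when reading this against the thread: first, none of these settings are reachable through the Personal VPN (NEVPNManager) IKEv2 configuration, which is why the built-in client cannot honour a client-side exclude list; second, every excluded prefix is traffic the VPN no longer protects or inspects, so the list should be as short as the requirement allows and reviewed like any other firewall exception.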

Is it possible to configure the Tunnel Settings while using the NEVPNManager?

No.

Or should I use the NEPacketTunnelProvider and implement the whole IKEV2 protocol from scratch?

Well, you could, but it’s a horrendous amount of work.

The built-in IKEv2 transport supports both split and full tunnels [1], based on the configuration returned to it by the VPN server. I don’t have a lot of experience setting this up myself, but perhaps someone else will chime in.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] This is different from the ‘split exclude’ mechanism that started this thread; I don’t know if the built-in IKEv2 transport supports that.