iOS 14 supported ciphers for VPN (IKEv2)

I opened up a report in the Feedback app because our VPNs weren't working in our App (Personal VPN using NEVPNManager, not manually in the Settings app). I got back the following answer:

"Server does not seem to like the cipher proposal negotiated by the client. In iOS 14, we have upgraded the default ciphers proposed to more secure ciphers."

Can anybody find any documentation that shows supported ciphers? For the life of me I can't find them listed anywhere.

Replies

I am not aware of a documented list anywhere either. One thing you could try is digging around in NEVPNProtocolIKEv2, but it sounds like you have already done that. If you turn up nothing there, you could also take a packet trace from the iOS device to your server and watch the SSL handshake attempt to go up. During the client hello exchange there should be an exchange of supported cipher suites between your device and the server. This should prompt a negotiation on what the device and your server will use to perform the handshake. In these packets you should be able to see the supported cipher suites being sent from the device to the server. Check out these cipher suites as it sounds like you need to update your supported cipher suites on your server.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Great, I will take a shot at tracing the packets. Thanks for the help!
From what I can gather this is what macOS 11 & iOS 14 send in the proposal:

ENCR_AES_CBC
PRF_HMAC_SHA2_256
AUTH_HMAC_SHA2_256_128
2048 bit MODP Group / Diffie-Hellman Group (D-H)

Not cool Apple... You've changed the supported ciphers on iOS 14 and didn't even mention it in your release notes or the following documentation which can now be considered outdated: https://developer.apple.com/documentation/devicemanagement/vpn/ikev2/ikesecurityassociationparameters
After manually tracing the packets, I found out that these are the accepted cipher proposals on iOS 14:
Transform Type: Encryption Algorithm (ENCR) Transform ID (ENCR): ENCR_AES_CBC
Transform Type: Pseudo-random Function (PRF) Transform ID (PRF): PRF_HMAC_SHA2_256
Transform Type: Integrity Algorithm (INTEG) Transform ID (INTEG): AUTH_HMAC_SHA2_256_128
Transform Type: Diffie-Hellman Group (D-H) Transform ID (D-H): 2048 bit MODP group

And these are the accepted ciphers, tested on iOS 13.7:
Transform Type: Encryption Algorithm (ENCR) Transform ID (ENCR): ENCR_3DES
Transform Type: Pseudo-random Function (PRF) Transform ID (PRF): PRF_HMAC_SHA1
Transform Type: Integrity Algorithm (INTEG) Transform ID (INTEG): AUTH_HMAC_SHA1_96
Transform Type: Diffie-Hellman Group (D-H) Transform ID (D-H): Alternate 1024-bit MODP group

If this is not meant to be, then it needs to be patched asap. Otherwise, please document the changes properly.
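
An added example, not part of the original thread: a Python decoder for the SA payload body of an IKE_SA_INIT message (RFC 7296 layout), which yields the same transform listing the packet traces above show and flags transforms against a local policy. The sample bytes are constructed, the AES key length of 256 in proposal 1 is an assumption, and the `LEGACY` markers are an assumed policy rather than anything Apple has published.

```python
import struct

# Transform IDs from the IANA IKEv2 registry (RFC 7296), limited to those seen in this thread.
NAMES = {
    1: {2: "ENCR_DES", 3: "ENCR_3DES", 12: "ENCR_AES_CBC"},
    2: {1: "PRF_HMAC_MD5", 2: "PRF_HMAC_SHA1", 5: "PRF_HMAC_SHA2_256", 7: "PRF_HMAC_SHA2_512"},
    3: {1: "AUTH_HMAC_MD5_96", 2: "AUTH_HMAC_SHA1_96",
        12: "AUTH_HMAC_SHA2_256_128", 14: "AUTH_HMAC_SHA2_512_256"},
    4: {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048"},
}
KEY_LENGTH = 0x800E  # attribute type 14 with the AF (fixed-length) bit set
LEGACY = ("DES", "MD5", "SHA1", "MODP_1024")  # assumed local policy, not Apple's list

def parse_sa_payload(body: bytes):
    """Decode an IKEv2 SA payload body into [(proposal number, [transform names])]."""
    proposals, off = [], 0
    while True:
        if off + 8 > len(body):
            raise ValueError("truncated proposal header")
        more, _, plen, num, _proto, spi_len, count = struct.unpack_from("!BBHBBBB", body, off)
        end, pos, names = off + plen, off + 8 + spi_len, []
        if plen < 8 + spi_len or end > len(body):
            raise ValueError("bad proposal length")
        for _ in range(count):
            if pos + 8 > end:
                raise ValueError("truncated transform")
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", body, pos)
            if tlen < 8 or pos + tlen > end:
                raise ValueError("bad transform length")
            name = NAMES.get(ttype, {}).get(tid, f"TYPE{ttype}_ID{tid}")
            if tlen >= 12 and struct.unpack_from("!H", body, pos + 8)[0] == KEY_LENGTH:
                name += "_%d" % struct.unpack_from("!H", body, pos + 10)[0]
            names.append(name)
            pos += tlen
        proposals.append((num, names))
        if more == 0:          # 0 = last proposal, 2 = another follows
            return proposals
        off = end

def legacy_transforms(names):
    """Return the transforms in one proposal that match the LEGACY policy markers."""
    return [n for n in names if any(marker in n for marker in LEGACY)]

# Constructed sample: proposal 1 mirrors the iOS 14 capture above, proposal 2 the iOS 13.7 one.
SAMPLE = bytes.fromhex(
    "0200002c01010004" "0300000c0100000c800e0100" "0300000802000005"
    "030000080300000c" "000000080400000e"
    "0000002802010004" "0300000801000003" "0300000802000002"
    "0300000803000002" "0000000804000002")

if __name__ == "__main__":
    for num, names in parse_sa_payload(SAMPLE):
        print(num, "/".join(names), "legacy:", legacy_transforms(names) or "none")
```
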
Thank you for reporting what you have captured. I think the best thing to do here would be to update your Feedback to request further documentation on what is to be expected. Make sure that you indicate which type of negotiation you are performing also. For example, negotiation for NEVPNManager with IKESecurityAssociationParameters with a provisioning profile, or programmatically.

Please follow up with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Here are all proposals I received from an iPhone with iOS 14.2:

Phase 1:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024


Phase 2:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024

FWIW, proposals on iPhone with iOS 15.2.1:

Phase 1:

ID:ENCR/PRF/D-H

IKE:AES-CBC-256/SHA2-256/MODP-2048
IKE:AES-CBC-256/SHA1/MODP-2048
IKE:AES-CBC-256/MD5/MODP-2048
IKE:AES-CBC-256/SHA2-512/MODP-2048
IKE:AES-CBC-256/SHA1/MODP-1024
IKE:AES-CBC-256/MD5/MODP-1024

IKE:AES-CBC-128/SHA1/MODP-1024
IKE:AES-CBC-128/MD5/MODP-1024

IKE:3DES-CBC/SHA1/MODP-1024
IKE:3DES-CBC/MD5/MODP-1024

IKE:DES-CBC/SHA1/MODP-1024
IKE:DES-CBC/MD5/MODP-1024

Phase 2:

ID:ENCR/PRF

IKE:AES-CBC-256/SHA2-256
IKE:AES-CBC-256/SHA1
IKE:AES-CBC-256/MD5

IKE:AES-CBC-128/SHA2-256
IKE:AES-CBC-128/SHA1
IKE:AES-CBC-128/MD5

IKE:3DES/SHA2-256
IKE:3DES/SHA1
IKE:3DES/MD5