NEVPNManager or NEPacketTunnelProvider for VPN.

Hello.

I am trying to create a VPN using NEVPNManager; I am using certificate authentication and the IKEv2 protocol. When the VPN was installed on the iPhone and I try to connect to the server, I get this error:

    Connection 8: received failure notification
    nw_flow_add_write_request [C8.1 (Ip&Port) failed channel-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns)] cannot accept write requests
    nw_write_request_report [C8] Send failed with error "Socket is not connected"
    Connection 5: received failure notification

but only the FIRST time after installation; after that I get nothing from the VPN.

In this question
https://developer.apple.com/forums/thread/84679

the answer by eskimo says: "If you want to continue down the NEVPNManager path you will have to get a trusted CA to issue you a certificate for your VPN server."

I decided to create the VPN using NEPacketTunnelProvider, but I don't completely understand what I should expect when I try that.

How much more work will there be?

Can I create a VPN with IKEv2 for users without a certificate from a trusted CA?

Or would it be a good idea to change the authentication method from certificate to login and password for IKEv2, or to change the protocol to IPsec and use login, password & secret as the authentication method?

Regards, Ihor.


Answered by Systems Engineer in 637978022

I decided to create the VPN using NEPacketTunnelProvider, but I don't completely understand what I should expect when I try that.

When using NEPacketTunnelProvider, typically you have a need to define the custom transport for your VPN. For example a custom tunneling protocol or a specific technique used for encapsulating IP packets that are pulled out of the TUN interface.

How much more work will there be?

Using NEPacketTunnelProvider is typically done to integrate with a custom tunneling protocol to a VPN server. This can take time to develop and get right. So, this is usually more work than creating a personal VPN with NEVPNManager, because a personal VPN handles the transport for you.

Can I create a VPN with IKEv2 for users without a certificate from a trusted CA?

Like Quinn mentioned, to continue with IKEv2 it is best to get a leaf certificate from a CA that exists in the device trust store already and then use an identity that contains that leaf for authentication with your VPN server.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Thank you, very helpful information.
If I don't get a certificate from a CA, can I create a VPN using NEVPNManager and the IKEv2 protocol (auth only with login and password, without a certificate), or will I get into trouble if I use this approach?

Regards , Ihor.

Can I create a VPN using NEVPNManager and the IKEv2 protocol (auth only with login and password, without a certificate), or will I get into trouble if I use this approach?

Take a look at NEVPNIKEAuthenticationMethod, which details the authenticationMethod options for NEVPNProtocolIKEv2. This does allow for username / password with NEVPNIKEAuthenticationMethodNone. Note that:

    For IKE version 2, when using extended authentication, the authenticationMethod only affects how the client validates the authentication payload presented by the server.
    ...
    If this property is set to NEVPNIKEAuthenticationMethodNone, extended authentication will still be negotiated if useExtendedAuthentication is set to true.



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
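As an added illustration of the configuration Matt describes (example code written for this thread, not from the poster or from Apple): an NEVPNProtocolIKEv2 set up for EAP username/password with authenticationMethod = .none. The point a practitioner should not miss is that .none only removes the client certificate; the server is still authenticated by its certificate, which must chain to a CA already in the device trust store, and the server name fields below pin which certificate is accepted. The server address, CA name, keychain service string and account name are placeholders.

```swift
import NetworkExtension
import Security

/// Stores the password as a keychain item and returns the persistent reference
/// that passwordReference requires (it must be a reference, not the raw password).
func storePassword(_ password: String, account: String) -> Data? {
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.vpn",     // placeholder
        kSecAttrAccount as String: account,
        kSecValueData as String: Data(password.utf8),
        kSecReturnPersistentRef as String: true
    ]
    var result: CFTypeRef?
    guard SecItemAdd(item as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}

func configureIKEv2(username: String, passwordRef: Data) {
    let proto = NEVPNProtocolIKEv2()
    proto.serverAddress = "vpn.example.com"           // placeholder
    proto.remoteIdentifier = "vpn.example.com"        // IKE ID the server presents
    proto.username = username
    proto.passwordReference = passwordRef

    // EAP (username/password) instead of a client certificate. The server side
    // is unchanged: its certificate must chain to a CA in the device trust store.
    proto.authenticationMethod = .none
    proto.useExtendedAuthentication = true

    // Pin the expected server certificate; any other certificate is rejected
    // even if it chains to a trusted CA.
    proto.serverCertificateCommonName = "vpn.example.com"         // placeholder
    proto.serverCertificateIssuerCommonName = "Example Public CA" // placeholder

    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        guard loadError == nil else { return }
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example IKEv2"
        manager.isEnabled = true
        manager.saveToPreferences { saveError in
            guard saveError == nil else { return }
            // Reload before starting so the connection sees the saved configuration.
            manager.loadFromPreferences { _ in
                try? manager.connection.startVPNTunnel()
            }
        }
    }
}
```

If the server certificate does not chain to a trusted CA, or its common names do not match the pinned values, the connection fails at IKE authentication, which is the same trust problem the original question ran into with a self-issued server certificate.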