IKEv2 Connection without Shared secret key neither a certificate

App & System Services Networking
zloy_molo4nik OP
Created May ’17
Replies 7
Boosts 0
Views 1.8k
Participants 2

Hello

I'm trying to make a IKEv2 connection from objective-c code.

Here is server details:

address: 176.9.2.35

remote identifier: cvpn.magora.team

password: 3f393b

username: zaher.zohbi@gmail.com

I don't have Shared Secret key. I should connect with username and password only.

So, i'm tried to connect with a differet authentification methods.

NEVPNIKEAuthenticationMethodSharedSecret - i had some hope with that

NEVPNIKEAuthenticationMethodNone - not working

But i can't connect. My config was saved but can't connect. Status NEVPNStatusDisconnected. With this credentials i can connect from my OS X and from iPod system setting but from code not. Here is my code

                NEVPNProtocolIKEv2 *protocol = [[NEVPNProtocolIKEv2 alloc] init];
              
                protocol.serverAddress = @"176.9.2.35";
                protocol.remoteIdentifier = @"cvpn.magora.team";
                protocol.username = @"zaher.zohbi@gmail.com";
                NSString *pass = @"3f393b";
                [self createKeychainValue:pass forIdentifier:@"VPN_PASSWORD"];
                protocol.passwordReference = [self searchKeychainCopyMatching:@"VPN_PASSWORD"];
                protocol.authenticationMethod = NEVPNIKEAuthenticationMethodNone;
                protocol.useExtendedAuthentication = YES;
                protocol.disconnectOnSleep = NO;
              
                [manager setLocalizedDescription:@"MyVpnConnection"];
                [manager setProtocolConfiguration:protocol];
              
                [manager setEnabled:YES];
              
                [manager saveToPreferencesWithCompletionHandler:^(NSError *error){
                    if (error) {
                        NSLog(@"Save Error: %@",error);
                    }else{
                        NSLog(@"Saved");
                        dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(2 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
                            completeHandle(YES,@"Save config success");
                        });
                    }
                }];


I tried protocol NEVPNProtocolIPSec but it's not working too.

Replies  7
Boosts  0
Views  1.8k
Participants  2
DTS Engineer OP
Apple
May ’17

When debugging NEVPNManager problems I recommend you start by creating a configuration profile for your VPN settings. That helps divide the problem in half: once the profile works you know you’ve fixed all the VPN-level issues and anything remaining is an API-level issue.

So, have you got this configured via a profile? If so, please post the profile. If not, try that, then get back to us once you’ve got that working.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
zloy_molo4nik OP
May ’17

I configured VPN on my device via vpn settings and i can connect.

Also i created profile (Nae VPNTemp) with Apple Configurator 2

Here link for profile

https://drive.google.com/open?id=0B26vRj6T7QQENUFoamhiOW12VzQ

Weird, i can't connect

0
DTS Engineer OP
Apple
May ’17

I configured VPN on my device via vpn settings and i can connect.

OK.

Also i created profile (Nae VPNTemp) with Apple Configurator 2 … Weird, i can't connect

Does that mean:

  • You can connect with the profile but not with your code?

  • You can’t connect with either the profile or your code?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
zloy_molo4nik OP
May ’17

I can't connect from my code and profile but i can connect from iPod system settings when i mannualy created new VPN configuration

0
DTS Engineer OP
Apple
May ’17

I can't connect from my code and profile but i can connect from iPod system settings when i mannualy created new VPN configuration

IMO it’s critical that you get your profile working first because it lets you isolate VPN configuration issues from programming issues.

I’ve recently helped a developer with a problem like this (s. 664720585), where manual configuration works but profile configuration does not, and the critical factor was the parent and child security association (SA) parameters. When you create a manual configuration the system tries all reasonable SA parameter combinations and manages to stumble across one that works. However, when you create a configuration via profile (or NEVPNManager) you have to explicitly configure the correct SA parameters, and if you get it wrong the VPN fails to connect.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
zloy_molo4nik OP
May ’17

Hello, Eskimo.

I solved my problem there was a problem on server side. But now i have another problem. My VPN connection wan't be alive after device sleep. I'm using same code for connection

NEVPNProtocolIKEv2 *protocol = [[NEVPNProtocolIKEv2 alloc] init];
              
                protocol.serverAddress = @"176.9.2.35";
                protocol.remoteIdentifier = @"cvpn.magora.team";
                protocol.username = @"zaher.zohbi@gmail.com";
                NSString *pass = @"3f393b";
                [self createKeychainValue:pass forIdentifier:@"VPN_PASSWORD"];
                protocol.passwordReference = [self searchKeychainCopyMatching:@"VPN_PASSWORD"];
                protocol.authenticationMethod = NEVPNIKEAuthenticationMethodNone;
                protocol.useExtendedAuthentication = YES;
                protocol.disconnectOnSleep = NO;
              
                [manager setLocalizedDescription:@"MyVpnConnection"];
                [manager setProtocolConfiguration:protocol];
              
                [manager setEnabled:YES];
              
                [manager saveToPreferencesWithCompletionHandler:^(NSError *error){
                    if (error) {
                        NSLog(@"Save Error: %@",error);
                    }else{
                        NSLog(@"Saved");
                        dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(2 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
                            completeHandle(YES,@"Save config success");
                        });
                    }
                }];

And here i took code for ViewConttroller. https://github.com/MoPellet/IOS-VPNTest/blob/master/VpnTest/VpnTest/ViewController.m Maybe i should use OnDemandRules?

0
DTS Engineer OP
Apple
May ’17

I’m not sure what’s going on here. Hey, I’m not even sure what “sleep” means in the context of the 

disconnectOnSleep
(-: However, I don’t think you’ll find any other direct controls over the VPN’s behaviour on sleep other than that property. If that’s not doing what you want, you’re in enhancement request territory.

In my experience most VPNs do disconnect on sleep, and the standard approach is to set up VPN On Demand so that it reconnects nicely when you wake the device and start using it to access the network.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

0
IKEv2 Connection without Shared secret key neither a certificate
First post date Last post date
 
 
Q