I'm trying to set up a Personal VPN in my application.
The Apple docs state that a personal VPN configuration uses one of the built-in VPN protocols (IKEv2 in my case).
The basic configuration is fairly straightforward, however, when specifying the settings for the IKEv2 configuration, the official documentation seems to lack some information/some parts are not fully documented.
The NEVPNProtocolIKEv2 class has two getters, ikeSecurityAssociationParameters and childSecurityAssociationParameters. Good to know that I can get that data, but is there a way to set it? Seems like by default, iOS proposes the following algorithms to establish an IKE SA: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024.
Since 3DES is considered a weak encryption algorithm, SHA1 is an outdated hash function and the 1024-bit DH group is considered deprecated as well, I'd like to change certain parameters accordingly.
My question: is that possible with a personal VPN or do I have to move to a Packet Tunnel Provider and use my "custom" VPN protocol implementation? Also, why does Apple set such weak parameters by default?
The ikeSecurityAssociationParameters and childSecurityAssociationParameters properties are get-only, but you can modify the properties of the objects referred to by these properties before you establish your connection:
import NetworkExtension
// `protocol` is a reserved word in Swift, so the configuration object needs another name
let ikev2 = NEVPNProtocolIKEv2()
ikev2.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
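As an added example (not code from the question or the answer), the same mutable-object approach applied to both the IKE SA and the child SA in a complete personal-VPN configuration, replacing every part of the weak default proposal; the server address, remote identifier, username and keychain password reference are placeholder parameters supplied by the caller, and EAP (username/password) authentication is assumed.

```swift
import NetworkExtension

// Builds an NEVPNProtocolIKEv2 whose proposals no longer contain
// 3DES_CBC / HMAC_SHA1_96 / PRF_HMAC_SHA1 / MODP_1024.
// server, remoteID, username and passwordRef are caller-supplied placeholders.
func makeHardenedIKEv2Protocol(server: String,
                               remoteID: String,
                               username: String,
                               passwordRef: Data) -> NEVPNProtocolIKEv2 {
    // `protocol` is a Swift keyword, so the configuration object gets another name.
    let ikev2 = NEVPNProtocolIKEv2()
    ikev2.serverAddress = server
    ikev2.remoteIdentifier = remoteID
    ikev2.authenticationMethod = .none      // client authentication is carried by EAP
    ikev2.useExtendedAuthentication = true
    ikev2.username = username
    ikev2.passwordReference = passwordRef   // keychain persistent reference (assumed)

    // IKE SA: AES-256-GCM, SHA-256 integrity/PRF, DH group 20 (ECP-384)
    // in place of 3DES / HMAC-SHA1-96 / MODP-1024.
    let ike = ikev2.ikeSecurityAssociationParameters   // get-only property, mutable object
    ike.encryptionAlgorithm = .algorithmAES256GCM
    ike.integrityAlgorithm = .SHA256
    ike.diffieHellmanGroup = .group20
    ike.lifetimeMinutes = 1440

    // Child (ESP) SA: same cipher suite; PFS forces a fresh DH exchange on every rekey.
    let child = ikev2.childSecurityAssociationParameters
    child.encryptionAlgorithm = .algorithmAES256GCM
    child.integrityAlgorithm = .SHA256
    child.diffieHellmanGroup = .group20
    child.lifetimeMinutes = 60
    ikev2.enablePFS = true

    ikev2.deadPeerDetectionRate = .medium
    ikev2.disableMOBIKE = false
    return ikev2
}

// Installs the configuration as the app's personal VPN. The server must offer a
// matching proposal, otherwise IKE_SA_INIT fails and the tunnel never comes up.
func installPersonalVPN(_ config: NEVPNProtocolIKEv2, completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { return completion(loadError) }
        manager.protocolConfiguration = config
        manager.localizedDescription = "Example IKEv2 VPN"   // name shown in Settings
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

After saveToPreferences succeeds, manager.connection.startVPNTunnel() brings the tunnel up with the hardened proposal; the Personal VPN entitlement is still required, but no Packet Tunnel Provider is needed for this.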