Apple IPSec Profile exporter tool exporting some invalid configs

beatvjiking

I was tinkering with the tool to build stronger IPSec remote access configs and I noticed something strange - the exporter doesn't export the proper keys for some encryption algorithms. For example, newer versions of iOS can use the AES-GCM algorithms for IKEv2 when the settings are applied via a .mobileconfig file. The tool can export corresponding keys. However, the keys aren't the correct ones:

The tool will export:

<string>AES256GCM-128</string>

When what is required is:

<string>AES-256-GCM</string>
```(iOS uses a 16-octet ICV so the -128 portion is redundant in this context.)

The failure to export correctly causes the iOS device to fall back to 3DES(!) and the connection to fail. Manual editing of the .mobileconfig XML can fix the issue but sort of defeats the purpose of the tool.

Here's the source for the correct keys and strings for iOS:

https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW612

This seems like a bug report-worthy item but I figured I'd check here first to make sure I wasn't off. Anyone have thoughts?

beatvjiking

Another issue is that the tool doesn't export the EnablePFS key when applicable. Again, can be added manually, but kinda defeats the purpose.

jimp

I opened up an internal ticket to look into those issues, thanks for letting us know!

beatvjiking

Awesome, thanks so much!