Apple IPSec Profile exporter tool exporting some invalid configs



  • I was tinkering with the tool to build stronger IPSec remote access configs and I noticed something strange - the exporter doesn't export the proper keys for some encryption algorithms. For example, newer versions of iOS can use the AES-GCM algorithms for IKEv2 when the settings are applied via a .mobileconfig file. The tool can export corresponding keys. However, the keys aren't the correct ones:

    The tool will export:

    ```
    <string>AES256GCM-128</string>
    ```

    When what is required is:

    ```
    <string>AES-256-GCM</string>
    ```

    (iOS uses a 16-octet ICV so the -128 portion is redundant in this context.)
    
    The failure to export correctly causes the iOS device to fall back to 3DES(!) and the connection to fail. Manual editing of the .mobileconfig XML can fix the issue but sort of defeats the purpose of the tool.
    
    Here's the source for the correct keys and strings for iOS:
    
    https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW612
    
    This seems like a bug report-worthy item but I figured I'd check here first to make sure I wasn't off. Anyone have thoughts?


  • Another issue is that the tool doesn't export the EnablePFS key when applicable. Again, can be added manually, but kinda defeats the purpose.
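
A check for the two problems reported above, as an added example that is not part of the original posts or of the exporter tool. The accepted-value set is taken from Apple's profile reference as an assumption, the `AES128GCM-128` mapping is assumed by analogy with the string quoted in the post, and `audit_profile` and the sample profile are constructed for illustration.

```python
import plistlib
import re

# Assumption: EncryptionAlgorithm strings iOS accepts, per Apple's profile reference.
VALID_ENC = {"DES", "3DES", "AES-128", "AES-256", "AES-128-GCM", "AES-256-GCM"}
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")
GCM_EXPORTED = re.compile(r"^AES(128|256)GCM-128$")  # form quoted in the post

# Constructed sample profile: IKE SA carries the string the exporter emits.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>IKEv2</key><dict>
    <key>IKESecurityAssociationParameters</key><dict>
      <key>EncryptionAlgorithm</key><string>AES256GCM-128</string></dict>
    <key>ChildSecurityAssociationParameters</key><dict>
      <key>EncryptionAlgorithm</key><string>AES-256</string></dict>
  </dict>
</dict></array></dict></plist>"""


def audit_profile(data: bytes, fix: bool = False):
    """Return (findings, profile_bytes) for a .mobileconfig given as bytes."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ikev2 = payload.get("IKEv2")
        if payload.get("PayloadType") != "com.apple.vpn.managed" or not ikev2:
            continue
        for sa in SA_KEYS:
            params = ikev2.get(sa, {})
            enc = params.get("EncryptionAlgorithm")
            if enc is None or enc in VALID_ENC:
                continue
            # Unknown string: the device would not honour it (3DES fallback).
            m = GCM_EXPORTED.match(enc)
            fixed = f"AES-{m.group(1)}-GCM" if m else None
            findings.append((sa, enc, fixed))
            if fix and fixed:
                params["EncryptionAlgorithm"] = fixed
        # Informational only: PFS is not required in every configuration.
        if "EnablePFS" not in ikev2:
            findings.append(("IKEv2", "EnablePFS missing", None))
    return findings, plistlib.dumps(profile)
```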


  • Rebel Alliance Developer Netgate

    I opened up an internal ticket to look into those issues, thanks for letting us know!



  • Awesome, thanks so much!