IKEv2 engine does not recognize remote identifiers of type ASN1DN

Number: rdar://18179190 Date Originated: 29-Aug-2014 11:57 AM
Status: Open Resolved:
Product: iOS Product Version: iOS 8.0 (12A4345d)
Classification: Other Bug Reproducible: Always
When configuring IKEv2 on iOS 8, the RemoteIdentifier key is documented (vaguely) as accepting FQDN, UserFQDN, Address, and ASN1DN formats. If you use an ASN1DN value in this field, iOS will mistakenly identify it as FQDN and report it as such to the server. If the server is expecting an ASN1DN value, it will reject the connection.

Steps to Reproduce:
1. Add an IKEv2 VPN configuration with a RemoteIdentifier of, say, "C=US, ST=California, C=Apple". Point it to a server that it can at least try to connect to.
2. Turn on the VPN and capture the device logs.

Expected Results:
As part of the negotiation, the device should send a payload of type ASN1DN with the given DN.

Actual Results:
The device sends the given DN with a payload type of FQDN. This is clearly visible in the client logs. You can also verify it on the server side if you like.
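To make the mismatch concrete, here is an added Python example (not code from this report or from Apple) that encodes and parses an IKEv2 Identification payload and diagnoses a remote ID whose type does not match what the gateway expects. The ID type numbers are those of RFC 7296 section 3.5; the minimal DER encoder, the OID constants and the sample DN are constructed for illustration.

```python
import struct

# IKEv2 Identification payload ID types (RFC 7296, section 3.5)
ID_FQDN, ID_DER_ASN1_DN = 2, 9
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
                 5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
# X.501 attribute type OIDs, DER-encoded (C = 2.5.4.6, ST = 2.5.4.8)
OID_C, OID_ST = b"\x55\x04\x06", b"\x55\x04\x08"

def der_name(rdns):
    """Minimal DER encoder for a Name of single-value PrintableString RDNs (short lengths only)."""
    def tlv(tag, body):
        assert len(body) < 128, "short-form DER lengths only"
        return bytes([tag, len(body)]) + body
    sets = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, val.encode("ascii"))))
                    for oid, val in rdns)
    return tlv(0x30, sets)

def build_id_payload(id_type, id_data, next_payload=0):
    """IDi/IDr payload: generic header (next, flags, length) + ID type + 3 reserved + data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(id_data), id_type) + id_data

def parse_id_payload(buf):
    """Return (id_type, id_data) from a raw ID payload; reject truncated input."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _flags, length, id_type = struct.unpack("!BBHB", buf[:5])
    if length < 8 or length > len(buf):
        raise ValueError("ID payload length field out of range")
    return id_type, buf[8:length]

def check_remote_id(buf, expected_type):
    """Diagnose a peer's ID payload against the type the gateway is configured to expect."""
    id_type, data = parse_id_payload(buf)
    if id_type == expected_type:
        if id_type == ID_DER_ASN1_DN and not data.startswith(b"\x30"):
            return "ID_DER_ASN1_DN carries data that is not a DER SEQUENCE"
        return "OK"
    got = ID_TYPE_NAMES.get(id_type, str(id_type))
    if expected_type == ID_DER_ASN1_DN and id_type == ID_FQDN and b"=" in data:
        # the symptom in this report: the DN string was labelled as a host name
        return f"MISMATCH: DN text {data.decode('ascii', 'replace')!r} sent as ID_FQDN"
    return f"MISMATCH: got {got}, expected {ID_TYPE_NAMES.get(expected_type, str(expected_type))}"

# Constructed samples: what the report says iOS 8 sent, and what the server expected.
DN_TEXT = b"C=US, ST=California, C=Apple"
BUGGY_PAYLOAD = build_id_payload(ID_FQDN, DN_TEXT)
CORRECT_PAYLOAD = build_id_payload(ID_DER_ASN1_DN,
    der_name([(OID_C, "US"), (OID_ST, "California"), (OID_C, "Apple")]))
```

Running `check_remote_id(BUGGY_PAYLOAD, ID_DER_ASN1_DN)` reports the mismatch described above, while the same check on `CORRECT_PAYLOAD` returns "OK".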

iOS 8.0 (12A4345d)

iPod Touch (MD723LL/A)