Ability to send IKEv2 Local ID as ASN.1 Distinguished Name

Originator: michalm.mac
Number: rdar://FB9096647
Date Originated: 2021-05-04
Status: Open
Resolved:
Product: macOS
Product Version: 11.3
Classification: Suggestion
Reproducible: Always

Please consider adding support for the ID_DER_ASN1_DN type of Local ID (LocalIdentifier), which is defined in RFC 5996 https://tools.ietf.org/html/rfc5996

# Background

The current implementation of IKEv2 VPN in both iOS 14 and macOS 11 autodetects the type of Local ID in the following manner (AFAIK):

- No Local ID specified -> use the IP address as the local ID, with type ID_IPV4_ADDR or presumably ID_IPV6_ADDR
- Local ID is set to an email address -> use type ID_RFC822_ADDR
- Local ID is set to anything else -> use type ID_FQDN

When using IKEv2 with certificate authentication it would be super handy to be able to send the Local ID with ID_DER_ASN1_DN type.

For example, the Strongswan VPN server can compare DN fields with the certificate DN and select the proper configuration based on the values contained in these DNs. Imagine this situation: there are two machines, each with one certificate. Certificate A's subject contains OU=devops; certificate B's subject contains OU=sales. Strongswan can dynamically assign the VPN configuration based on this fact, so the DevOps machine would gain a much higher level of network access than the sales machine. Even better, there is no need to use another system like RADIUS to achieve this.

Unfortunately, there seems to be no way for the Apple IKEv2 VPN client to send the Local ID as ID_DER_ASN1_DN. This is a known issue:
- https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
- https://developer.apple.com/forums/thread/61122

Proposed solution:

1. Manual configuration. When the Local ID starts with the character /, it is of type ID_DER_ASN1_DN. Example: /O=Company, i.n.c./OU=Management/CN=John Appleseed
2. Configuration profile. Same as manual configuration, plus the possibility of adding an option to the VPN.IKEv2 payload which would set the type manually.
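As an added illustration (not Apple's code, not Strongswan's, and not part of the original report): a small Python encoder that applies the auto-detection rules listed under Background, adds the proposed "/"-prefixed DN syntax from the solution above, builds the resulting IKEv2 Identification payload (RFC 7296 section 3.5, which obsoletes RFC 5996 without changing the ID type values), and decodes the DN back so an attribute such as OU can be read out the way a server-side policy would match on it. The "/" rule, the sample DN and the addresses 192.0.2.10 and 2001:db8::1 are assumptions for the example; only the common X.520 attribute types are handled, and only with the short DER length form.

```python
"""IKEv2 Identification payload builder for this report's Local ID rules.

Illustrative code written for this page: it is neither Apple's client
implementation nor Strongswan's. The "/"-prefixed DN syntax is the report's
proposal, not a shipping feature (assumption)."""
import ipaddress
import re
import struct

# ID type values from RFC 7296 section 3.5
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9

# X.520 attribute types handled in this example
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11",
             "CN": "2.5.4.3", "L": "2.5.4.7", "ST": "2.5.4.8"}
OID_ATTRS = {v: k for k, v in ATTR_OIDS.items()}


def der_tlv(tag, content):
    """DER tag-length-value; long-form length for content >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = continue
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def parse_slash_dn(text):
    """'/O=Company, i.n.c./OU=Management/CN=John Appleseed' -> [(attr, value)].
    Each '/' separates one RDN, so values may contain ',' and '.' freely."""
    if not text.startswith("/"):
        raise ValueError("DN form must start with '/'")
    rdns = []
    for part in text[1:].split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        rdns.append((key.strip().upper(), value.strip()))
    return rdns


def encode_dn(rdns):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }.
    C is encoded as PrintableString, everything else as UTF8String."""
    seq = b""
    for key, value in rdns:
        if key not in ATTR_OIDS:
            raise ValueError("unsupported attribute type %r" % key)
        str_tag = 0x13 if key == "C" else 0x0C
        atv = der_tlv(0x30, der_oid(ATTR_OIDS[key]) + der_tlv(str_tag, value.encode("utf-8")))
        seq += der_tlv(0x31, atv)
    return der_tlv(0x30, seq)


def build_id_payload(local_id, local_addr=None):
    """Identification payload: generic header (next, flags, length) +
    ID type, 3 reserved bytes, identification data."""
    if not local_id:                               # rule 1: fall back to the address
        ip = ipaddress.ip_address(local_addr)
        id_type, data = (ID_IPV4_ADDR if ip.version == 4 else ID_IPV6_ADDR), ip.packed
    elif local_id.startswith("/"):                 # proposed rule: '/' means DN
        id_type, data = ID_DER_ASN1_DN, encode_dn(parse_slash_dn(local_id))
    elif re.fullmatch(r"[^@\s]+@[^@\s]+", local_id):  # rule 2: email address
        id_type, data = ID_RFC822_ADDR, local_id.encode("ascii")
    else:                                          # rule 3: anything else is FQDN
        id_type, data = ID_FQDN, local_id.encode("ascii")
    return struct.pack("!BBH", 0, 0, 8 + len(data)) + struct.pack("!B3x", id_type) + data


def der_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_dn(der):
    """Inverse of encode_dn, as a server would do before matching on OU etc."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("DN must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = der_read(body, pos)          # SET
        _, atv, _ = der_read(rdn, 0)               # SEQUENCE
        _, oid, p2 = der_read(atv, 0)              # OID
        _, val, _ = der_read(atv, p2)              # string value
        arcs, cur = [oid[0] // 40, oid[0] % 40], 0
        for b in oid[1:]:
            cur = (cur << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(cur)
                cur = 0
        rdns.append((OID_ATTRS[".".join(map(str, arcs))], val.decode("utf-8")))
    return rdns


def rdn_value(rdns, attr):
    """First value of the given attribute, e.g. the OU a policy keys on."""
    return next((v for k, v in rdns if k == attr), None)


if __name__ == "__main__":
    payload = build_id_payload("/O=Company, i.n.c./OU=Management/CN=John Appleseed")
    print(payload.hex())
    print(rdn_value(decode_dn(payload[8:]), "OU"))
```

The payload's first four bytes are the generic payload header with Next Payload left at 0; a real initiator fills that in when chaining payloads. The point of the decode step is that a server keyed on `OU=devops` versus `OU=sales` can only make that distinction if the identity arrives as a DN; an FQDN or e-mail ID carries no RDNs to compare.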
