Search results for includeAllNetworks

150 results found

Post / Replies / Boosts / Views / Activity

Reply to includeAllNetwork Problems.
Hello Kevin,
It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct?
Yes.
Is there any way to set this on-the-fly? In our particular VPN interaction the Gateway tells the VPN client whether it wants the client to use includeAllNetworks, so we can't just hard-code it.
Since includeAllNetworks forces all traffic through the virtual interface, if you need to make a configuration network call that needs to go outside the tunnel then this needs to be done while the tunnel is not configured or active.
default 13:42:57.476293-0700 VPNExtension [C10 Hostname#0a01000a:443 failed path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4)] event: null:null @4.222s
Right, if possible, I would gather the network configuration information before the tunnel is started, otherwise using this flag will not work for this case.
Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Mar ’21
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
Is there any other place in the system where VPN configs can be found?
For macOS, System Preferences - Network is the standard place. You can use % scutil also to take a look at the Network Configurations via % scutil --nc list. If you do not include IncludeAllNetworks are you able to connect your tunnel?
Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Mar ’21
Reply to includeAllNetwork Problems.
Hi, from what I understand it appears this is not possible to set on-the-fly and it can be configured only when installing the profile. In my testing this includeAllNetworks behaves quite similarly to setting includedRoutes on the IPV4Settings to NEIPv4Route.default(). This could possibly be set when starting the tunnel, so you would need to stop and start again to toggle this.
Mar ’21
Reply to NEPacketTunnelProvider does not seem to be capturing all the traffic
Apologies for talking to myself there 🤪 but I made an interesting discovery. If I use the includeAllNetworks configuration - https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks, then this finally seems to rein in Messenger and does not let it around the tunnel. That is great but it has the side-effect of once again breaking Signal, WhatsApp and probably other similar apps. I checked Signal debug logs and found that I cannot find a server by hostname. Which suggested DNS issue. So I re-added DNS configuration, added these IPs to the excludedRoutes and now Signal works but only one way. I can send messages, they are delivered but I cannot receive messages. I still think that the fact that Messenger can just go around the tunnel is the main issue.
Mar ’21
Reply to Traffic originated at the PacketTunnelProvider [lib-curl]
I'm using lib-curl from the provider. The traffic is not going via the tunnel. Is it possible to pass this traffic to the tunnel?
I just want to confirm; are you including libcurl interfaces or a custom version of libcurl in your Packet Tunnel Provider, sending traffic via these APIs, and not seeing this traffic pass through the tunnel? If this is the case, you could look into using an In-Provider networking class like NWTCPConnection - https://developer.apple.com/documentation/networkextension/nwtcpconnection. If you are using libcurl for the HTTP stack you could also take a look at the CFMessage APIs, depending on how complicated your requests are.
What should happen if I set the 'capture all traffic' flag? Will the traffic created from lib-curl at the provider reach the tunnel?
If you mean setting the flag for includeAllNetworks on NEVPNProtocol then, yes, all traffic should go through the provider in this instance.
Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Feb ’21
Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
I am trying to add IncludeAllNetworks to a fully working IKEv2 config but the tunnel fails to start with strange log messages. I've tried removing mentioned enterprise vpn profiles until I reached one I don't want to remove. What is happening?
default 19:05:54.374664+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-XXX:(null)]: got On Demand start message from pid 97846
default 19:05:54.374756+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-XXX:(null)]: Received a start command from com.apple.preference.network.re[97846]
default 19:05:54.374818+0200 nesessionmanager nesessionmanager Registering session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-XXX:(null)]
info 19:05:54.375046+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-XXX:(null)]: enabled = 1
default 19:05:54.375325+0200 nesessionmanager nesessionmanager : Fa
Replies: 7, Boosts: 0, Views: 2.5k
Dec ’20
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
Matt, you mean even if none of the profiles are active (connected)? If I delete all of the vpn profiles in Network preferences, only then I can connect NEVPNProtocolIKEv2 profile with IncludeAllNetworks flag. As soon as I add any other vpn profile I am no longer able to connect my IKEv2 profile.
The rules I had previously researched and posted about were logical rules that exist on the system under the hood. It sounds like your test is confirming that you can have a conflicting VPN profile if you have another VPN profile (Personal or Enterprise) that is installed on the system, but not active, and also contains the includeAllNetworks flag. Is that correct? If so, you should file an enhancement request - https://developer.apple.com/bug-reporting/ to document this behavior.
Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Dec ’20
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
Ok, there's definitely a strange behaviour. If I delete all of the vpn profiles in Network preferences, only then I can connect NEVPNProtocolIKEv2 profile with IncludeAllNetworks flag. As soon as I add any other vpn profile I am no longer able to connect my IKEv2 profile. Even if I manually add some IPSec profile via Network preferences 🤯. This makes IncludeAllNetworks flag impossible to use in my vpn app.
Dec ’20
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
default 19:05:54.375325+0200 nesessionmanager nesessionmanager : Failed to register Personal IncludeAllNetworks VPN Session
Okay, the line above does mean that a Personal and Enterprise VPN on your system cannot both have the flag for IncludeAllNetworks. The Enterprise VPN will take precedence here and the Personal VPN will be stopped with this message that you are seeing.
Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Dec ’20
Unable to start packettunnel on Mac OS
Hi - We have had a packettunnel working well on iOS for a long time and now looking into one for Mac OS. However, we haven't been able to get it to work.
Summary of what we see:
The app can successfully install the VPN profile:
nesessionmanager 11:06:26.027252-0700 NESMVPNSession[Primary Tunnel:XyzCatalyst:E2A089D5-A18B-4543-94F5-827E4DB3357D :(null)]: handling configuration changed: { name = XyzlizeCatalyst identifier = E2A089D5-A18B-4543-94F5-827E4DB3357D applicationName = XyzCatalyst application = com.xyz.mac.vpn grade = 1 VPN = { enabled = YES onDemandEnabled = NO disconnectOnDemandEnabled = NO protocol = { type = plugin identifier = 0A3DA48C-EE69-479C-A2CD-994028B01CC0 serverAddress = 127.0.0.1 identityDataImported = NO disconnectOnSleep = NO disconnectOnIdle = NO disconnectOnIdleTimeout = 0 disconnectOnWake = NO disconnectOnWakeTimeout = 0 disconnectOnUserSwitch = NO disconnectOnLogout = NO includeAllNetworks = NO excludeLocalNetworks = NO pluginType = com.xyz.mac.vpn authenticationMethod = 0 reas
Replies: 7, Boosts: 0, Views: 2.8k
Oct ’20
Managed app is unable to start its network extension in iOS 14
I have an app that contains an NEPacketTunnelProvider network extension. Some users are reporting that after upgrading their devices to iOS 14 they are no longer able to start the VPN. We have managed to reproduce the issue, and it only happens when all the following conditions are true:
- The app is managed by MDM
- The App Store version of the app is installed (not an enterprise signed ipa)
- The device is running iOS 14
If any of the above conditions are not true, the VPN can be started without any issues. Because of the requirement to use the App Store version of the app to reproduce, it's very difficult to debug. What I would like to understand is if something changed in iOS 14 that would make an app with a network extension behave differently when under MDM management. I did try sysdiagnose, and I see this pattern of messages generated by nesessionmanager:
default 2020-09-25 14:42:32.086975 -0700 nesessionmanager : Register Enterprise VPN Session: NESMVPNSession[Primary Tunnel::5FC13677-04FA-46AD-B91B-4BB9E630
Replies: 3, Boosts: 0, Views: 718
Oct ’20
Reply to With VPN switched on no messages can be seen on console and can not connect with Xcode
First, thank you for opening the bug report. I see it internally and have copied myself on it. A few things to note here; You mentioned:
A VPN application coded with NETunnelProvider, set 'includeAllNetworks' to be true (if it's false then cannot reproduce this issue); Install the VPN application on the iPhone and switch it on; Connect the iPhone to the Mac Book Pro with a USB cable;
If you test with either includeAllNetworks to be false or plugging in the iPhone device before you start the tunnel does it work around this issue?
Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Topic: App & System Services, SubTopic: Core OS
Oct ’20
Reply to With VPN switched on no messages can be seen on console and can not connect with Xcode
Thanks Matt. Just raised a bug report: FB8815876 (With VPN switched on no messages can be seen on console and can not connect with Xcode) Also add more details here for others to see if they can reproduce the same issue step by step.
Description of the issue: When I tested with my iPhone SE (1st generation, iOS 14.0.1) on Mac OS Catalina 10.15.7 / Xcode 12.0.1 I found that with the VPN (NETunnelProvider, 'includeAllNetworks' set to be true) switched on there are no messages being shown on the console, and also on Xcode it shows 'iPhone(unavailable)'. After I switched off the VPN it came back to normal. I was using a USB cable to connect the iOS device with the MBP's left side USB port.
Steps to reproduce: An iPhone SE (1st generation, iOS 14.0.1) / Mac OS Catalina 10.15.7 / Xcode 12.0.1; A VPN application coded with NETunnelProvider, set 'includeAllNetworks' to be true (if it's false then cannot reproduce this issue); Install the VPN application on the iPhone and switch it on; Connect the iPhon
Topic: App & System Services, SubTopic: Core OS
Oct ’20