Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession

I am trying to add IncludeAllNetworks to a fully working IKEv2 config but the tunnel fails to start with strange log messages.

I've tried removing the mentioned enterprise VPN profiles until I reached one I don't want to remove.

What is happening?

default 19:05:54.374664+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: got On Demand start message from pid 97846
default 19:05:54.374756+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: Received a start command from com.apple.preference.network.re[97846]
default 19:05:54.374818+0200 nesessionmanager nesessionmanager Registering session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]
info 19:05:54.375046+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: enabled = 1
default 19:05:54.375325+0200 nesessionmanager nesessionmanager <NESMServer: 0x7f883ff05e80>: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)] due to Enterprise VPN session NESMLegacySession[SomeVPN:XXXX-***-XXXX-XXXX-XXXXX]
default 19:05:54.375399+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: Rejected start command from com.apple.preference.network.re[97846]
default 19:05:54.375456+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: Removing all clients

also
default 08:51:29.062799+0200 nesessionmanager nesessionmanager <NESMServer: 0x7f883ff05e80>: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)] due to Enterprise VPN session NESMVPNSession[Primary Tunnel:SomeVPN_2:XXXX-XXXXX-XXXX-***:(null)]


Replies

What type of VPN is this you are trying to install? Does it use NETunnelProviderManager? If so, it looks like you are hitting the Enterprise VPN conflict that is described here.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

From log: NESMIKEv2VPNSession...
I am creating NEVPNProtocolIKEv2 profile (Native IKEv2 Personal VPN).
I also have no other vpn profile connected at the same time.
I've tried clearing all previous profiles with no success.

default 19:05:54.375325+0200 nesessionmanager nesessionmanager <NESMServer: 0x7f883ff05e80>: Failed to register Personal IncludeAllNetworks VPN Session

Okay, the line above does mean that a Personal and Enterprise VPN on your system cannot both have the flag for IncludeAllNetworks. The Enterprise VPN will take precedence here and the Personal VPN will be stopped with this message that you are seeing.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Matt, you mean even if none of the profiles are active (connected)?
Ok, there's definitely a strange behaviour.
If I delete all of the vpn profiles in Network preferences, only then I can connect NEVPNProtocolIKEv2 profile with IncludeAllNetworks flag.
As soon as I add any other vpn profile I am no longer able to connect my IKEv2 profile. Even if I manually add some IPSec profile via Network preferences 🤯.
This makes IncludeAllNetworks flag impossible to use in my vpn app.

Matt, you mean even if none of the profiles are active (connected)?
If I delete all of the vpn profiles in Network preferences, only then I can connect
NEVPNProtocolIKEv2 profile with IncludeAllNetworks flag.
As soon as I add any other vpn profile I am no longer able to connect my IKEv2 profile.

The rules I had previously researched and posted about were logical rules that exist on the system under the hood. It sounds like your test is confirming that you can have a conflicting VPN profile if you have another VPN profile (Personal or Enterprise) that is installed on the system, but not active, and also contains the includeAllNetworks flag. Is that correct? If so, you should file an enhancement request to document this behavior.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

No, I don't think this is the case.
The conflicting VPN profile is NESMLegacySession (IPSec) added manually to the Network preferences panel by the user and NOT the app. I don't think this profile has includeAllNetworks flag set or if it even can have one.
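
Added example, not part of the thread and not Apple's code: a small Python triage script that pulls the "Failed to register ... IncludeAllNetworks" lines out of nesessionmanager logs and reports which installed session blocked which profile, and whose start command was rejected. The descriptor layout used by `profile_name` is an assumption inferred from the two log shapes quoted above; the sample lines are constructed from those logs.

```python
import re

# Shape of the "Failed to register" message as it appears in the thread's logs.
CONFLICT = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+[+-]\d{4}) .*?Failed to register (?P<kind>\w+) "
    r"IncludeAllNetworks VPN Session (?P<cls>\w+)\[(?P<desc>[^\]]*)\] "
    r"due to (?P<bkind>\w+) VPN session (?P<bcls>\w+)\[(?P<bdesc>[^\]]*)\]")
REJECTED = re.compile(
    r"(?P<cls>\w+)\[(?P<desc>[^\]]*)\]: Rejected start command from (?P<client>\S+)")


def profile_name(desc):
    """Assumption: descriptor is 'Primary Tunnel:<name>:<id>:...' or '<name>:<id>'."""
    parts = desc.split(":")
    return parts[1] if parts[0] == "Primary Tunnel" and len(parts) > 1 else parts[0]


def find_conflicts(lines):
    """One record per registration failure, plus the client whose start was rejected."""
    conflicts = []
    for line in lines:
        m = CONFLICT.search(line)
        if m:
            conflicts.append({
                "time": m["time"],
                "session": (m["kind"], m["cls"], profile_name(m["desc"])),
                "blocked_by": (m["bkind"], m["bcls"], profile_name(m["bdesc"])),
                "rejected_client": None,
            })
            continue
        r = REJECTED.search(line)
        # Attach a rejection to the most recent failure for the same session.
        if r and conflicts and conflicts[-1]["session"][1:] == (r["cls"], profile_name(r["desc"])):
            conflicts[-1]["rejected_client"] = r["client"]
    return conflicts


# Constructed sample: modelled on the thread's log lines, identifiers masked as on the page.
SAMPLE = [
    "default 19:05:54.374818+0200 nesessionmanager nesessionmanager Registering session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]",
    "default 19:05:54.375325+0200 nesessionmanager nesessionmanager <NESMServer: 0x7f883ff05e80>: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)] due to Enterprise VPN session NESMLegacySession[SomeVPN:XXXX-***-XXXX-XXXX-XXXXX]",
    "default 19:05:54.375399+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: Rejected start command from com.apple.preference.network.re[97846]",
    "default 08:51:29.062799+0200 nesessionmanager nesessionmanager <NESMServer: 0x7f883ff05e80>: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)] due to Enterprise VPN session NESMVPNSession[Primary Tunnel:SomeVPN_2:XXXX-XXXXX-XXXX-***:(null)]",
]

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE):
        print(c["time"], c["session"], "blocked by", c["blocked_by"], "client:", c["rejected_client"])
```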