We do some authentication in the app and then start the VPN. All connections in the VPN extension are done by IP address, so there is no name resolution required.
The connection setup in the VPN extension involves some HTTP GETs and responses. I'm seeing a couple of problems.
It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct? When I try setting it at other points, either in the NEPacketTunnelProvider protocolConfiguration or in the NEVPNManager protocol configuration, it has no effect. The protocol itself appears to be inaccessible.
When I set it in the NEVPNManager's protocolConfiguration before I start the connection, it shows includeAllNetworks as set, but when I start the connection the nesessionmanager debug output shows that it's not set in the protocol and it's not in effect.
Is there any way to set this on-the-fly? In our particular VPN interaction the Gateway tells the VPN client whether it wants the client to use includeAllNetworks, so we can't just hard-code it.
When I do set this in the VPN configuration I can't reach the Gateway. I see that the nesessionmanager shows it as set, but the initial URLSession call gets a .cfurlErrorNotConnectedToInternet result in didCompleteWithError. I've verified that the URI specifies an IP address, not a hostname, for example:
    https://10.0.1.10/someapi
There is no network traffic after I start the connection until the connection fails and transitions from Connecting to Disconnecting (well, except for things like mDNS and a couple of others that aren't blocked by the setting).
Since I'm connecting by IP address I'd expect that this would work.
In the console I see:
default 13:42:57.476293-0700 VPNExtension [C10 Hostname#0a01000a:443 failed path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4)] event: null:null @4.222s
I haven't seen any good examples of VPN setup with the new flags, and the documentation is frustratingly vague. Are there any good resources for this?
Kevin
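For reference, the placement the post describes, with includeAllNetworks decided at the time the configuration is saved rather than changed after the fact, is shown below. This is an added example written for this page, not the poster's code; the provider bundle identifier and gateway address are placeholders, and the gateway's "enforce" decision is assumed to come from the app's own authentication step.

```swift
import NetworkExtension

// Placeholders for this illustration; substitute the real values.
let providerBundleID = "com.example.app.VPNExtension"
let gatewayAddress = "10.0.1.10"   // IP literal, as in the post, so no DNS is needed

/// Persists a tunnel configuration. includeAllNetworks is a property of the
/// NEVPNProtocol that gets saved with the manager, so the value the app learned
/// from the gateway has to be known here, before saveToPreferences.
func saveTunnelConfiguration(enforceAllNetworks: Bool,
                             completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { completion(loadError); return }

        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = providerBundleID
        proto.serverAddress = gatewayAddress
        // Decided per save, not per connection attempt (iOS 14+ / macOS 11+).
        proto.includeAllNetworks = enforceAllNetworks

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN"
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}

/// Reloads the saved preferences before starting, so the tunnel runs with what
/// was persisted rather than with an in-memory edit that was never saved.
func startTunnel(completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { completion(loadError); return }
        do {
            try manager.connection.startVPNTunnel()
            completion(nil)
        } catch {
            completion(error)
        }
    }
}

// Inside the extension, protocolConfiguration is read-only: the provider can
// log the value that was saved, but cannot turn the setting on or off itself.
final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        NSLog("includeAllNetworks as saved: \(protocolConfiguration.includeAllNetworks)")
        completionHandler(nil)   // real tunnel setup (setTunnelNetworkSettings etc.) goes here
    }
}
```

If the gateway's answer changes between sessions, the app has to save a fresh configuration with the new value and reload it before the next startVPNTunnel.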