I am trying to add IncludeAllNetworks to a fully working IKEv2 config but the tunnel fails to start with strange log messages.
I've tried removing mentioned enterprise vpn profiles until I reached one I don't want to remove.
What is happening?
default 19:05:54.374664+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: got On Demand start message from pid 97846
default 19:05:54.374756+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: Received a start command from com.apple.preference.network.re[97846]
default 19:05:54.374818+0200 nesessionmanager nesessionmanager Registering session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]
info 19:05:54.375046+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: enabled = 1
default 19:05:54.375325+0200 nesessionmanager nesessionmanager <NESMServer: 0x7f883ff05e80>: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)] due to Enterprise VPN session NESMLegacySession[SomeVPN:XXXX-***-XXXX-XXXX-XXXXX]
default 19:05:54.375399+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: Rejected start command from com.apple.preference.network.re[97846]
default 19:05:54.375456+0200 nesessionmanager nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)]: Removing all clients
also
default 08:51:29.062799+0200 nesessionmanager nesessionmanager <NESMServer: 0x7f883ff05e80>: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[Primary Tunnel:SomeVPN_IKEv2:XXXX-XXXXX-XXXX-***:(null)] due to Enterprise VPN session NESMVPNSession[Primary Tunnel:SomeVPN_2:XXXX-XXXXX-XXXX-***:(null)]
Post
Replies
Boosts
Views
Activity
I am trying to run a Network System Extension (Packet Tunnel) that is successfully running as MAS Network Extension, but I'm facing a problem that neither app nor sysex gets app-group entitlement. Probably because of that my sysex can't find keychain items saved by the app.taskgated-helper ConfigurationProfiles Unsatisfied entitlements: com.apple.security.application-groupsI have app-groups configured in xcode for both targets, but provisioning profiles doesn't include them even though I have them selected on app ID's.I'm also getting a bunch of Security errors and NetworkExtension for some reason reports "Signature check failed: invalid signature (code or signature have been modified)"default 17:34:48.935971+0300 sysextd sysextd Extension point confirmed that extension com.company.appAbc.PacketTunnel-OpenVPN is runnable.
default 17:34:58.929349+0300 AppAbc Security Adding securityd connection to pool, total now 3
default 17:35:06.957159+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature (null)
default 17:35:07.168468+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.192204+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.308162+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0xa032bdd71140be2af6788e2dc77930a115c17b25}
default 17:35:07.329977+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.330511+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.336086+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0x45e64b4ed5b0a1ad6061e3ba5cc05dddd003cd52}
default 17:35:07.382735+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.383265+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.518667+0300 taskgated-helper ConfigurationProfiles allowing entitlement(s) for com.company.appAbc.PacketTunnel-OpenVPN due to provisioning profile (isUPP: 1)
error 17:35:07.526352+0300 taskgated-helper ConfigurationProfiles com.company.appAbc.PacketTunnel-OpenVPN: Unsatisfied entitlements: com.apple.security.application-groups
error 17:35:07.526380+0300 taskgated-helper ConfigurationProfiles Disallowing: com.company.appAbc.PacketTunnel-OpenVPN
default 17:35:08.781878+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: root path for bundle "" of main executable ""
default 17:35:09.165083+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: AppSandbox request successful
default 17:35:09.240267+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.251136+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.253611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.255763+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.259015+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.263010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.267611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.270637+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.273530+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.277920+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.283042+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.291778+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.296948+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Adding securityd connection to pool, total now 1
default 17:35:09.296956+0300 com.company.appAbc.PacketTunnel-OpenVPN Security got event: Connection invalid
default 17:35:09.297116+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts.
default 17:35:09.297573+0300 com.company.appAbc.PacketTunnel-OpenVPN Security using system preferences
default 17:35:09.299722+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.303518+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.305860+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.308235+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.310523+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.314336+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.318363+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.320930+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.323378+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.325901+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.328656+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.332580+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.346565+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.352010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.354244+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.356355+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts.
default 17:35:09.356903+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.360582+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.364850+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.368221+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
default 17:35:09.368253+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -67061
default 17:35:09.369765+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension Signature check failed: invalid signature (code or signature have been modified)
default 17:35:09.533751+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: Calling startTunnelWithOptions with options 0x7fb447a0c640
default 17:35:09.636368+0300 kernel Sandbox Sandbox: 7 duplicate reports for com.company.appA deny(1) file-write-data /private/var/db/mds/system/mds.lock
default 17:35:13.275423+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null)
default 17:35:13.298472+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to
{ ... }
default 17:35:13.760461+0300 com.company.appAbc.PacketTunnel-OpenVPN CoreFoundation Attempting to add source to main runloop, but the main thread has exited. This message will only log once. Break on _CFRunLoopError_MainThreadHasExited to debug.
default 17:35:14.230487+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:14.236639+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:14.244544+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:14.249541+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:14.300451+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null)
error 17:35:14.315789+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAOpenVPNPacketTunnelProvider.swift:304] openVPNAdapter(_:handleError:) > [OVPN] Did recieve fatal error:
Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.}
error 17:35:14.326776+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAPacketTunnelProvider.swift:68] cancelTunnelWithError(_:) > Canceling tunnel due to the error:
Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.}
default 17:35:14.351120+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: IPC detached
default 17:35:14.357134+0300 AppAbc NetworkExtension Last disconnect error for AppAbc changed from "none" to "Failed to establish connection with OpenVPN server"
I am trying to activate a Network System Extension (Packet Tunnel), but all I get is OSSystemExtensionErrorDomain Code=4 "Extension not found in App bundle". Tried passing in different extension identifiers (prefixed with team ID, no team ID, prefixed with app-group, etc) with no luck.I can confirm that the sysex is in app bundle at /Applications/app_name.app/Contents/Library/SystemExtensions/sysex name.systemextensionApp and sysex are signed with Developer ID certificate and Notarized.What am I missing?App entitlements:<key>Entitlements</key>
<dict>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
<string>...redacted...</string>
<string>...redacted...</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
</array>
<key>com.apple.application-identifier</key>
<string>TEAM_ID.com.company.appabc</string>
<key>keychain-access-groups</key>
<array>
<string>TEAM_ID.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAM_ID</string>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>TEAM_ID.*</string>
<key>com.apple.developer.icloud-services</key>
<string>*</string>
<key>com.apple.developer.icloud-container-environment</key>
<string>Production</string>
<key>com.apple.developer.aps-environment</key>
<string>production</string>
<key>com.apple.developer.icloud-container-identifiers</key>
<array>
<string>iCloud.com.company.appabc</string>
<string>iCloud.com.company.appabc</string>
</array>
<key>com.apple.developer.networking.vpn.api</key>
<array>
<string>allow-vpn</string>
</array>
</dict>SysEx entitlements:<key>Entitlements</key>
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
</array>
<key>com.apple.application-identifier</key>
<string>TEAM_ID.com.company.appabc.PacketTunnelName</string>
<key>keychain-access-groups</key>
<array>
<string>TEAM_ID.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAM_ID</string>
</dict>App Info.plist<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>19E287</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>AppAbc</string>
<key>CFBundleExecutable</key>
<string>AppAbc</string>
<key>CFBundleIconFile</key>
<string>macOS_AppIcon</string>
<key>CFBundleIconName</key>
<string>macOS_AppIcon</string>
<key>CFBundleIdentifier</key>
<string>com.company.appabc</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>AppAbc</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.2.3</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>123</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>11E146</string>
<key>DTPlatformVersion</key>
<string>GM</string>
<key>DTSDKBuild</key>
<string>19E258</string>
<key>DTSDKName</key>
<string>macosx10.15</string>
<key>DTXcode</key>
<string>1140</string>
<key>DTXcodeBuild</key>
<string>11E146</string>
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
<key>LSApplicationCategoryType</key>
<string>public.app-category.productivity</string>
<key>LSBackgroundOnly</key>
<false/>
<key>LSMinimumSystemVersion</key>
<string>10.12</string>
<key>LSUIElement</key>
<false/>
<key>NSHumanReadableCopyright</key>
<string>Copyright...</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
<key>UIDeviceFamily</key>
<array>
<integer>1</integer>
<integer>2</integer>
</array>
</dict>
</plist>SysEx Info.plist<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>19E287</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>AppAbc. Tunnel</string>
<key>CFBundleExecutable</key>
<string>AppAbc. Tunnel sysex</string>
<key>CFBundleIdentifier</key>
<string>com.company.appabc.PacketTunnel-Tunnel</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>AppAbc. Tunnel sysex</string>
<key>CFBundlePackageType</key>
<string>SYSX</string>
<key>CFBundleShortVersionString</key>
<string>1.2.3</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>123</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>11E146</string>
<key>DTPlatformVersion</key>
<string>GM</string>
<key>DTSDKBuild</key>
<string>19E258</string>
<key>DTSDKName</key>
<string>macosx10.15</string>
<key>DTXcode</key>
<string>1140</string>
<key>DTXcodeBuild</key>
<string>11E146</string>
<key>LSMinimumSystemVersion</key>
<string>10.12</string>
<key>LSUIElement</key>
<true/>
<key>NSHumanReadableCopyright</key>
<string>Copyright ...</string>
<key>NSSystemExtensionUsageDescription</key>
<string>System Extension enables AppAbc app to connect using Tunnel protocol.</string>
<key>NetworkExtension</key>
<dict>
<key>NEMachServiceName</key>
<string>TEAM_ID.app_group.PacketTunnel-Tunnel</string>
<key>NEProviderClasses</key>
<dict>
<key>com.apple.networkextension.packet-tunnel</key>
<string>AppAbc__Tunnel_sysex.AATunnelPacketTunnelProvider</string>
</dict>
</dict>
<key>UIDeviceFamily</key>
<array>
<integer>1</integer>
<integer>2</integer>
</array>
</dict>
</plist>