I am not sure I understand why I would get an OSStatus error before calling startVpnTunnel since the authentication is done by the server?
An OSStatus error can be thrown for a query to SecItemCopyMatching, which would query a credential that is used for authentication. For example, an identityReference or a passwordReference. Getting one of these errors before startVPNTunnelAndReturnWithErrors is called would give you an indication of a preemptive authentication failure for an invalid credential.
As for the errors you have listed, yes, keying on an NEVPNErrorConnectionFailed and notifying the user to check their credentials on a NEVPNStatus disconnected state would be one option here. In this sequence you may see the NEVPNStatus go from NEVPNStatusConnecting -> NEVPNStatusDisconnecting -> NEVPNStatusDisconnected.
You could also try examining the localizedDescription of NSError that you are receiving from startVPNTunnelAndReturnWithErrors for more information. Digging into this a bit more, VPN disconnect errors are attempting to be reasoned about and set here, so you may be able to see some useful information here on why the VPN transport went down in this property.
When debugging this on your own you will also see useful information with your device tethered to your macOS machine in the Console.app, that you did not see in the Xcode console. For example:
"Last disconnect error for 'name here' changed from 'none' to 'The VPN session failed because an internal error occurred.'"
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
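The sequence described in the reply above, as an added Swift example that is not part of the original post or Apple's sample code: resolve the stored passwordReference with SecItemCopyMatching before starting the tunnel, then treat a Connecting -> Disconnecting -> Disconnected sequence as a failed connection. The names credentialStatus and TunnelStarter are hypothetical, and the query assumes the password is stored as a generic-password keychain item.

```swift
import NetworkExtension
import Security

// Resolve a keychain persistent reference (e.g. passwordReference) without
// returning the secret itself. Assumption: the item is a generic password.
func credentialStatus(_ persistentRef: Data) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecValuePersistentRef as String: persistentRef,
        kSecReturnAttributes as String: true
    ]
    var item: CFTypeRef?
    return SecItemCopyMatching(query as CFDictionary, &item)
}

// Hypothetical wrapper: preflight the credential, start the tunnel, and
// report a Connecting -> ... -> Disconnected sequence as a failed connection.
final class TunnelStarter: NSObject {
    private let manager: NEVPNManager
    private var sawConnecting = false
    var onFailure: (String) -> Void = { print($0) }
    init(manager: NEVPNManager) {
        self.manager = manager
        super.init()
        NotificationCenter.default.addObserver(self, selector: #selector(statusChanged(_:)),
            name: .NEVPNStatusDidChange, object: manager.connection)
    }
    @objc private func statusChanged(_ note: Notification) {
        switch manager.connection.status {
        case .connecting: sawConnecting = true
        case .connected: sawConnecting = false   // session came up; not a failure
        case .disconnected where sawConnecting:
            sawConnecting = false
            onFailure("VPN connection failed. Check your credentials.")
        default: break
        }
    }
    func start() {
        // An OSStatus error here means the stored credential is the problem,
        // before the server has been contacted at all.
        if let ref = manager.protocolConfiguration?.passwordReference {
            let status = credentialStatus(ref)
            guard status == errSecSuccess else {
                let text = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
                onFailure("Stored credential unreadable (OSStatus \(status)): \(text)")
                return
            }
        }
        do { try manager.connection.startVPNTunnel() }
        catch { onFailure("Start failed: \(error.localizedDescription)") }
    }
}
```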