iOS14 personal vpn bug

I use the ipsec protocol to connect to the VPN successfully in iOS14, and no network can be accessed. There is no such problem in iOS13. If you turn on the VPN in the system settings, it can be used normally, but when connected through NEVPNManager in my app, 90% of the cases are Not available

but when connected through NEVPNManager in my app, 90% of the cases are Not available

The 90% unavailable part is what has me concerned. Usually if you were running into a bug this would fail 100% of the time. Is there any more information or logs that you can share when you run into a connection issue with NEVPNManager?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

The 90% unavailable part is what has me concerned. Usually if you were running into a bug this would fail 100% of the time. Is there any more information or logs that you can share when you run into a connection issue with NEVPNManager?

  • After many tests, it was found that 90% of the expressions were not accurate. It should be 100% unable to access the Internet.

  • The newly discovered situation is that when I use NEVPNManager to connect to the VPN on a 4G network, I cannot access the Internet. I turn on the WiFi at this time, and then turn off the WiFi, after which the VPN can access the Internet.

  • After turning WiFi on and then turning off WiFi, the following log will be triggered. The previous NEVPNManager logs are the same, no matter if I turn on vpn in my app or turn on vpn in system settings.




We experience the same problem in a slightly different constellation (IKEv2 profile for iOS configured by XenMobile MDM).
Our IKEv2 profile is configured as "always on" for 4G and WiFi. It cannot be switched on or off by the user. After the iOS 14 upgrade it is not possible to use the 4G network (VPN: Connecting...). As Qixin mentioned the workaround that actually works is to use the WiFi connection (VPN: Connected), switch off WiFi and from that point on VPN on 4G is working as it is supposed to. The same procedure has to be repeated after rebooting.
Would be great to get some information on that issue.

11:19:57.283185+0800 nesessionmanager Changing primary physical interface: pdp_ip0 => en0
11:19:57.422416+0800 nesessionmanager Will update session NESMPathControllerSession[com.apple.commcenter.ne.cellularusage:624C6B62-7FF5-415A-82EA-150865FEA7B8] status to connected (fallback 0 non-default 1)
11:19:57.422532+0800 nesessionmanager Changing primary wifi interface: (null) => en0
11:19:57.422768+0800 nesessionmanager Session NESMPathControllerSession[com.apple.commcenter.ne.cellularusage:624C6B62-7FF5-415A-82EA-150865FEA7B8] status changing to connected after update
11:19:57.576920+0800 nesessionmanager Changing primary physical interface: en0 => pdp_ip0
11:19:57.595541+0800 nesessionmanager Will update session NESMPathControllerSession[com.apple.commcenter.ne.cellularusage:624C6B62-7FF5-415A-82EA-150865FEA7B8] status to connected (fallback 0 non-default 1)
11:19:57.597100+0800 nesessionmanager Changing primary wifi interface: en0 => (null)

In the logs it looks like your device starts off connected over the cellular interface, whether this is routing your VPN or not is another question. Then there is an interface change to Wi-Fi and then from Wi-Fi back to cellular again. If you are seeing your VPN become reachable on the switch back from Wi-Fi to cellular then you need to look at the routing table to see what is configured for pdp_ip0 and tun{n} before and after the primary physical interface change. This will tell you what is happening and why the VPNs are in an unreachable state before the Wi-Fi flip. As to how to fix it may be another question. Does the cell carrier provide v4 and v6?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Sorry, I just realized I forgot to mention how to check the routing table for your VPN on iOS. Install the following iOS debug profiles:
  • CFNetwork

  • Baseband

  • mDNSResponder (May not be needed)

  • Network Diagnostics

  • VPN (Network Extension)

Reproduce the issue. Note the timestamp. Trigger an iOS sysdiagnose.

Once you have the sysdiagnose there is a file in this archive called system_logs.logarchive. Using your timestamp check out the logs in this file. The routing table should be visible here when a network interface change is made.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
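Added example, not part of any post in this thread and not Apple's tooling: a small Python parser that pulls the primary-interface changes out of nesessionmanager log text and reports each cellular, Wi-Fi, cellular flip, giving the two timestamps around which to compare routes for pdp_ip0 and tun{n}. It assumes the line format quoted earlier in the thread; the sample lines are constructed from that excerpt and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: four lines in the format of the nesessionmanager
# excerpt quoted in this thread (text export, time of day only).
SAMPLE = """\
11:19:57.283185+0800 nesessionmanager Changing primary physical interface: pdp_ip0 => en0
11:19:57.422532+0800 nesessionmanager Changing primary wifi interface: (null) => en0
11:19:57.576920+0800 nesessionmanager Changing primary physical interface: en0 => pdp_ip0
11:19:57.597100+0800 nesessionmanager Changing primary wifi interface: en0 => (null)
"""

CHANGE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})[+-]\d{4}\s+nesessionmanager\s+"
    r"Changing primary (?P<kind>physical|wifi) interface:\s+"
    r"(?P<old>\S+) => (?P<new>\S+)$"
)

def interface_changes(text):
    """Return (time, kind, old, new) for each primary-interface change line."""
    changes = []
    for line in text.splitlines():
        m = CHANGE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            changes.append((ts, m["kind"], m["old"], m["new"]))
    return changes

def find_flips(changes, window=timedelta(seconds=60)):
    """Pair each physical change A => B with a following B => A inside window."""
    phys = [c for c in changes if c[1] == "physical"]
    flips = []
    for (t1, _, a, b), (t2, _, c, d) in zip(phys, phys[1:]):
        if (a, b) == (d, c) and t2 - t1 <= window:
            flips.append({"start": t1.time(), "end": t2.time(),
                          "primary": a, "via": b})
    return flips

def report(text):
    """One line per flip: where to compare routes before and after."""
    return [
        f"{f['primary']} -> {f['via']} -> {f['primary']}: compare routes for "
        f"{f['primary']} and the tunnel interface before {f['start']} and after {f['end']}"
        for f in find_flips(interface_changes(text))
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
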
similar problem

created a vpn application. implemented a connection with parameters:
  • iPhone 7

  • iOS 14.0

  • NEVPNManager

  • ikev2 protocol

  • shared secret

  • wi-fi or lte

  • server ipv4

In ios 14.0, from the application, the configuration is added successfully, but when trying to connect from the disconnected state, the transition to the connecting state and again to the disconnected state occurs.

Moreover, if you create a configuration not through the application, but manually (with the same parameters), the connection is successful.

Reproduced 100 out of 100 cases.

I also tested it on a device with ios 13.7 - connecting to a similar server and with the same code is successful both from the application and when added manually.
We have encountered exactly the same problem as you. Have you found a repair plan so far? Can we share it? (We found that the VPN link is available on iOS14.2 Beta, which may be a system Bug).
Apple Team,
still need your help!

console log

CALL LOAD TO PREFERENCES AGAIN...

NEVPNConnection: Disconnected

Starting VPN...

2020-09-24 22:38:37.049787+0300 VPN [22884:2923865] [connection] nw_read_request_report [C1] Receive failed with error "Software caused connection abort"

NEVPNConnection: Connecting

2020-09-24 22:38:37.200825+0300 VPN [22884:2923865] Connection 2: received failure notification

2020-09-24 22:38:37.201898+0300 VPN [22884:2923865] [connection] nw_flow_add_write_request [C2.1 23.21.126.66:443 failed channel-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns)] cannot accept write requests

2020-09-24 22:38:37.201999+0300 VPN [22884:2923865] [connection] nw_write_request_report [C2] Send failed with error "Socket is not connected"

2020-09-24 22:38:37.216222+0300 VPN [22884:2923865] [connection] nw_read_request_report [C2] Receive failed with error "Socket is not connected"

2020-09-24 22:38:37.216349+0300 VPN [22884:2923865] Connection 2: write error 1:57

2020-09-24 22:38:37.218597+0300 VPN [22884:2923865] [connection] nw_flow_add_write_request [C2.1 23.21.126.66:443 failed channel-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns)] cannot accept write requests

2020-09-24 22:38:37.220645+0300 VPN [22884:2923865] [connection] nw_write_request_report [C2] Send failed with error "Socket is not connected"

NEVPNConnection: Disconnecting

NEVPNConnection: Disconnected
@egorfrommoscow the logs you added match the description of Qixin's error. If you are experiencing this issue the only way to debug it is to take a look at the routing table using a sysdiagnose and the profiles I have mentioned here. If you feel this is a bug, please open a bug report, but be prepared to add a sysdiagnose while including the logging profiles to that bug report as well.

If you open a bug report please follow up with the Feedback ID.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Accepted Answer
@meaton
  • I recently updated the iOS system to 14.0.1. After connecting to vpn, the network is available.

  • Apple fixed this issue?

@meaton

Reproduce the issue. Note the timestamp. Trigger an iOS sysdiagnose. 
Once you have the sysdiagnose there is a file in this archive called system_logs.logarchive. Using your timestamp check out the logs in this file. The routing table should be visible here when a network interface change is made.

  • Unfortunately, this issue still exists in iOS 14.0.1 system

  • I followed the documentation and failed to trigger Sysdiagnose



@meaton
The problem persists in 14.0.1 and 14.2 Beta.
Do you have a hint for what to look in the system_logs.logarchive?
I think that when the VPN is connected, the iPhone’s network is interrupted and then reconnected when the VPN tunnel is successfully established, and iOS14 may not interrupt the network connection.
After testing, I found that if after the first VPN connection, if the network is found to be interrupted, then turn on the airplane mode, and then immediately turn off the airplane mode, which is equivalent to the user manually disconnecting and reconnecting, then the VPN network is immediately available.
In the personal VPN of iOS14.2Beta, I will be prompted to enter the vpn password every time I log in. I have always saved the vpn password in the keychain. I have not had this issue in iOS14.0.1 and previous versions.
- iPhoneX
- IPsec personal vpn
- iOS 14.0/14.0.1
- Network Extension
- NEVPNManager+NEVPNProtocolIPSec

  • In iOS14.0.1, occasionally personal VPN is unavailable, but it is available in most cases.

  • In iOS14.0, VPN is unavailable in most cases
