We have a VPN app in the app store which has worked great until our users updated to iOS 10.3. As an aside, macOS also broke with the latest update, 10.12.4, but I'll focus on iOS in this post unless directed otherwise.
From the device's system logs on an iPhone 6 running iOS 10.3:
nesessionmanager(NetworkExtension)[398] <Notice>: NESMIKEv2VPNSession[APPNAME:6736EF81-160B-40BD-BA71-B65C486EEB2D]: status changed to connecting
nesessionmanager(NetworkExtension)[398] <Error>: Plugin com.apple.neplugin.IKEv2 does not have a bundle URL
APPNAME(CFNetwork)[393] <Notice>: TIC TCP Conn Event [4:0x17019a820]: 3 Err(50)
APPNAME(CFNetwork)[393] <Notice>: TIC TCP Conn Event [3:0x17419aea0]: 3 Err(50)
APPNAME(CFNetwork)[393] <Notice>: TIC TCP Conn Cancel [3:0x17419aea0]
APPNAME(libsystem_network.dylib)[393] <Error>: nw_endpoint_handler_add_write_request [3.1 <IP>:443 failed socket-flow (satisfiable)] cannot accept write requests
APPNAME(CFNetwork)[393] <Notice>: TIC TCP Conn Cancel [4:0x17019a820]
APPNAME(CFNetwork)[393] <Notice>: TIC TCP Conn Destroyed [4:0x17019a820]
APPNAME(libsystem_network.dylib)[393] <Error>: nw_endpoint_handler_add_write_request [4.1 <IP>:443 failed socket-flow (satisfiable)] cannot accept write requests
APPNAME(libsystem_network.dylib)[393] <Error>: tcp_connection_write_eof_block_invoke Write close callback received error: [22] Invalid argument
APPNAME(CFNetwork)[393] <Notice>: TIC TCP Conn Destroyed [3:0x17419aea0]
kernel(Sandbox)[0] <Notice>: SandboxViolation: nesessionmanager(398) deny(1) file-issue-extension target: /System/Library/Frameworks/NetworkExtension.framework/PluginIKEv2.vpnplugin class: com.apple.vpn-plugin
nesessionmanager(NetworkExtension)[398] <Error>: sendInitCommand: failed to create a com.apple.vpn-plugin sandbox extension for /System/Library/Frameworks/NetworkExtension.framework/PluginIKEv2.vpnplugin
nesessionmanager(NetworkExtension)[398] <Notice>: NESMIKEv2VPNSession[APPNAME:6736EF81-160B-40BD-BA71-B65C486EEB2D]: Skip a start command from APPNAME[393]: session in state connecting
kernel(Sandbox)[0] <Notice>: SandboxViolation: neagent(400) deny(1) process-exec* /Developer/usr/libexec/neagent
nehelper(libsystem_network.dylib)[96] <Notice>: checkInterfaceSettings checking interface settings for (
ipsec3
)
configd[32] <Notice>: network changed
kernel[0] <Notice>: SIOCPROTODETACH_IN6: pdp_ip0 error=6
kernel[0] <Notice>: SIOCPROTODETACH_IN6: pdp_ip1 error=6
securityd[97] <Notice>: cert[1]: AnchorTrusted =(leaf)[force]> 0
neagent(Security)[400] <Notice>: [root AnchorTrusted]
securityd[97] <Notice>: cert[0]: AnchorTrusted =(leaf)[force]> 0
neagent(Security)[400] <Notice>: [leaf AnchorTrusted]
neagent(EAP8021X)[400] <Notice>: server certificate not trusted status 1001 -9807
neagent(NetworkExtension)[400] <Error>: Failed to process IKE Auth (EAP) packet
nesessionmanager(NetworkExtension)[398] <Notice>: NESMIKEv2VPNSession[APPNAME:6736EF81-160B-40BD-BA71-B65C486EEB2D]: status changed to disconnecting
kernel[0] <Notice>: SIOCPROTODETACH_IN6: ipsec3 error=6
configd[32] <Notice>: network changed
nesessionmanager(NetworkExtension)[398] <Notice>: NESMIKEv2VPNSession[APPNAME:6736EF81-160B-40BD-BA71-B65C486EEB2D]: status changed to disconnected, last stop reason Plugin initiated
nesessionmanager(NetworkExtension)[398] <Notice>: NESMIKEv2VPNSession[APPNAME:6736EF81-160B-40BD-BA71-B65C486EEB2D]: Received a stop command from APPNAME[393] with reason 1
The same logs are produced whether I run the app store version or build from Xcode. Several errors are listed but I'm leaning towards an entitlements problem given line 3 regarding the SandboxViolation. Alternatively, have the requirements for VPN server certs been tightened?
From this guide I was able to extract the .app file's entitlements:
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.developer.networking.vpn.api</key>
<array>
<string>allow-vpn</string>
</array>
In Xcode I also see both Personal VPN and Network Extensions enabled with all the lines 'checked' and, similarly, our App ID in the developer portal shows both as enabled for both development and production.
I also get this back from the Network Extension API on startVPNTunnel():
Error Domain=VPN Code=1 "(null)"
What other information can I provide? I'm still digging through other related posts to find something to latch onto. Thanks for looking!
Edit 2: Would the combination of (1) an on-demand profile and (2) the requirement for clients to authenticate via client certificates lead to the need for the com.apple.managed.vpn.shared requirement? We clearly do not have that (seen in the entitlement list above) and I can see how a request would fail via SandboxException in that case even if it wasn't in previous iOS/macOS versions. I see eskimo's note on this here in note #9: https://forums.developer.apple.com/thread/67613. I just don't want to consume a TSI if that's not the issue.