NEIKEv2Provider connection disconnects and includeAllNetworks

Hi all,

I'm working on deploying a VPN for users of our enterprise app, using the built-in IKEv2 provider (configured either by a configuration profile or an app). I'm struggling to get the user experience right and was curious to hear if the behaviors I'm observing have been seen by other developers.

The main behavior I am observing is that the client tends to randomly disconnect, and it does not attempt to reconnect. This is particularly problematic when paired with the includeAllNetworks option.

Paired with includeAllNetworks:

  • The device does not attempt to reconnect the tunnel
  • Once the tunnel disconnects, onDemandRules don't seem to evaluate. Even if a NEOnDemandRuleConnect rule matches the current network, the connection does not reestablish.
  • All network traffic remains blocked on both WiFi and Cellular (rendering any network-dependent app unusable) until the user intervenes and toggles the connection in the Settings app

This seems like a problematic user experience and I would be surprised if this is by design.

As for the disconnects themselves, I have had a hard time correlating them to any particular network condition or protocol behavior. I've seen a connection drop after as little as 10 minutes and stay up for over 16 hours (including while the device roamed from WiFi to Cellular networks and in and out of connectivity).

We confirmed with server logs that the clients were able to successfully re-key both the IKE SA and CHILD SAs. I had difficulty retrieving system logs from iOS, but on macOS I was able to observe this error from NEIKEv2Provider that lined up with one of the disconnect events: "Internal: Initiate MOBIKE failed to migrate child SAs" (server logs showed a successful rekey exchange at the same time).

Thanks,

Lucas
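An added example, not part of the original post and not Apple's sample code: a minimal app-side setup of the configuration described above (built-in IKEv2, includeAllNetworks, one NEOnDemandRuleConnect rule), plus a status logger whose timestamps can be lined up with server logs. The server name, identifiers, description string and the certificate identity passed in are assumptions.

```swift
import Foundation
import NetworkExtension

// Hypothetical values for illustration; not taken from the thread.
let exampleServer = "vpn.example.com"
let exampleLocalID = "client.example.com"

// Builds the IKEv2 protocol object. `identityReference` is assumed to be a
// persistent keychain reference to a client identity the app already holds.
func makeIKEv2Protocol(identityReference: Data) -> NEVPNProtocolIKEv2 {
    let proto = NEVPNProtocolIKEv2()
    proto.serverAddress = exampleServer
    proto.remoteIdentifier = exampleServer
    proto.localIdentifier = exampleLocalID
    proto.authenticationMethod = .certificate
    proto.identityReference = identityReference
    proto.includeAllNetworks = true   // iOS 14+ / macOS 10.15+: traffic is blocked while the tunnel is down
    proto.disableMOBIKE = false       // toggling this is one variable to test against the MOBIKE error
    return proto
}

// Saves the configuration with a single "always connect" on-demand rule.
func installConfiguration(identityReference: Data,
                          completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { error in
        if let error = error { completion(error); return }
        let connectRule = NEOnDemandRuleConnect()
        connectRule.interfaceTypeMatch = .any   // match Wi-Fi and cellular alike
        manager.protocolConfiguration = makeIKEv2Protocol(identityReference: identityReference)
        manager.localizedDescription = "Example IKEv2"
        manager.onDemandRules = [connectRule]
        manager.isOnDemandEnabled = true
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}

// Logs every status transition with a timestamp. Call after loadFromPreferences
// has completed at least once, and keep the returned token alive.
func startStatusLog() -> NSObjectProtocol {
    let connection = NEVPNManager.shared().connection
    let formatter = ISO8601DateFormatter()
    return NotificationCenter.default.addObserver(
        forName: .NEVPNStatusDidChange, object: connection, queue: .main) { _ in
        // rawValue: 1 = disconnected, 2 = connecting, 3 = connected,
        // 4 = reasserting, 5 = disconnecting
        print("\(formatter.string(from: Date())) status=\(connection.status.rawValue)")
    }
}
```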

When setting things up with the Personal VPN API, my general advice is that you try to reproduce any problems with a configuration profile. If you can, that confirms that your code isn’t a factor, and whatever issue you’re seeing is either in your VPN server or in iOS itself.

A good place to get started with a VPN configuration profile is Apple Configurator. You might then need to tweak things by hand, per the info in Device Management.

So, if you set up your VPN in this way, do you still see the problem?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your engagement on this.

I did switch to configuration profiles as it is much faster to iterate on the settings. However, I continue to see the same behavior no matter what combinations I try.
