mobileconfig not working on macOS 10.12.4

[thegranddesign]

OS / Environment

macOS 10.12.4
iOS 10.2

Ansible version

2.2.2.0

Summary of the problem

• I installed the Algo server both as a standalone and also running on an existing server.
• I retrieved the mobileconfig file and send it to my phone. VPN connects and works great.
• I opened it on my Mac and approved it. VPN will not connect.

Troubleshooting steps:

1. I enabled verbose logging for the network extension:

sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist LogToFile 1
sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist LogLevel 6

2. I attempted to connect to the VPN
3. Console app shows the following output:

Not hashing value with class __NSDate
NESMIKEv2VPNSession[Algo VPN <myip> IKEv2:<a UUID>]: Received a start command from SystemUIServer[266]
NESMIKEv2VPNSession[Algo VPN <myip> IKEv2:<a UUID>]: status changed to connecting
Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2
pfkey received SA is NULL
Failed to receive IKE SA Init packet
NESMIKEv2VPNSession[Algo VPN <myip> IKEv2:<a UUID>]: status changed to disconnecting
NESMIKEv2VPNSession[Algo VPN <myip> IKEv2:<a UUID>]: status changed to disconnected, last stop reason Plugin initiated

The way of deployment (cloud or local)

Both

Full log

https://gist.github.com/thegranddesign/b8e8f213fcf974d5ec1f1ad28f98e287

[dguido]

10.12.4 is not the issue. It works fine on that OS (using it right now). It's more likely your local install (option 5) didn't go right. Try redeploying to a new cloud server and try it again.

[boriskroeger]

Same effect here on macOS and iOS with local install.
Any hints on where to start debugging the issue as I need a setup on my machine?

[dguido]

You should make sure that strongswan and iptables are set up correctly on your local install.

[thegranddesign]

@dguido did you not read the issue? This happens on both local install and full install. Please reopen the issue.

[dguido]

Sorry, I can't reproduce this issue. It's not a problem with 10.12.4. Maybe a conflict with other software on your machine or a broken macOS setting. Try with a friend's computer.

[DazChong]

my experience deploying at DO (Ubuntu 16 x64 fresh droplet):

1st time setup:

• mobileconfig work on iOS, work on macos too.
• Connect on Demand option visible.

After adding more users and ran ./algo update-users

• old mobileconfig work.
• updated mobileconfig (timestamp updated) not working on both iOS & macos.
• all new users mobileconfig not working.
• Connect on Demand option not visible.

[dguido]

That's a separate issue. Please file a bug for update-users not producing working mobileconfig files.

[thegranddesign]

I figured out the issue (for me at least) for those coming after me. My router had IPSec NAT Passthrough disabled. This is required to be enabled when you have NAT enabled. Once I allowed that, the connection worked immediately.