How can I track down the process that started a VPN interface on Catalina?
https://apple.stackexchange.com/questions/384800
-
26-05-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
This seems to happen each time I connect to a WiFi, the ipsec interface goes up with a PTP VPN config with description, VPN: ProtonVPN.
I've deleted every ProtonVPN artifact I can find and still the problem persists.
I have no VPN profiles configured, and scutil --nc yields an empty response.
Same with lsof, no mention of ipsec0
ProtonVPN support has not helped resolve the issue.
How can I determine which process / service is doing this?
ifconfig -a -vv ipsec0 -- Note the agent domain desc:"VPN: ProtonVPN" [App Cleaner used to remove ProtonVPN several times]
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400 index 17
eflags=5002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE,CHANNEL_DRV>
xflags=4<NOAUTONX>
options=6403<RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
inet 10.6.5.206 --> 10.6.5.206 netmask 0xff000000
netif: E22A3DA9-EA52-41DE-9C1F-5F4598DEF26F
flowswitch: E79F3C2B-56E4-4816-B390-7DB240E9664E
type: 0x1 family: 18 subfamily: 0
functional type: wifi
agent domain:Skywalk type:NetIf flags:0x8443 desc:"Userspace Networking"
agent domain:Skywalk type:FlowSwitch flags:0x4403 desc:"Userspace Networking"
agent domain:NetworkExtension type:VPN flags:0xf desc:"VPN: ProtonVPN"
link quality: -1 (unknown)
state availability: 0 (true)
scheduler: FQ_CODEL
effective interface: en0
qosmarking enabled: no mode: none
low power mode: disabled
multi layer packet logging (mpklog): disabled
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default link#17 UCS ipsec0
default 192.168.16.1 UGScI en0
1.2.3.4 link#17 UHW3I ipsec0 29
3.82.239.106 link#17 UHWIi ipsec0
3.228.164.50 link#17 UHWIi ipsec0
10.6.5.206 10.6.5.206 UH ipsec0
10.6.9.1 link#17 UHWIi ipsec0
13.107.136.9 link#17 UHWIi ipsec0
17.57.144.20 link#17 UHWIi ipsec0
17.248.129.42 link#17 UHWIi ipsec0
17.248.129.106 link#17 UHWIi ipsec0
17.248.188.11 link#17 UHWIi ipsec0
18.204.158.139 link#17 UHWIi ipsec0
23.36.192.188 link#17 UHWIi ipsec0
23.36.193.63 link#17 UHWIi ipsec0
34.192.122.34 link#17 UHWIi ipsec0
34.202.13.87 link#17 UHWIi ipsec0
34.204.122.179 link#17 UHWIi ipsec0
34.214.40.205 link#17 UHWIi ipsec0
34.224.73.75 link#17 UHWIi ipsec0
34.228.110.91 link#17 UHWIi ipsec0
34.235.232.2 link#17 UHWIi ipsec0
50.19.197.254 link#17 UHWIi ipsec0
52.2.223.38 link#17 UHWIi ipsec0
52.2.231.4 link#17 UHWIi ipsec0
52.38.182.237 link#17 UHWIi ipsec0
52.96.36.82 link#17 UHW3I ipsec0 29
52.96.39.162 link#17 UHWIi ipsec0
52.113.194.132 link#17 UHWIi ipsec0
52.114.88.28 link#17 UHW3I ipsec0 35
52.114.132.22 link#17 UHWIi ipsec0
52.114.132.38 link#17 UHWIi ipsec0
52.114.133.12 link#17 UHWIi ipsec0
52.114.142.157 link#17 UHWIi ipsec0
52.204.83.172 link#17 UHWIi ipsec0
54.84.147.205 link#17 UHW3I ipsec0 33
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#6 UCS en0 !
172.16.215/24 link#19 UC vmnet8 !
172.16.215.255 ff:ff:ff:ff:ff:ff UHLWbI vmnet8 !
172.83.43.134 192.168.16.1 UGHS en0
192.168.16/22 link#6 UCS en0 !
192.168.16.1/32 link#6 UCS en0 !
192.168.16.1 f0:9f:c2:1a:63:cf UHLWIir en0 1187
192.168.16.66 9c:30:5b:d3:77:2f UHLWI en0 1138
192.168.16.69 0:b3:62:34:7b:de UHLWI en0 877
192.168.16.124 c4:61:8b:4c:ec:5f UHLWI en0 1057
192.168.16.133 c8:3c:85:a0:2f:b7 UHLWI en0 814
192.168.16.155 2c:be:8:bb:5e:c3 UHLWI en0 825
192.168.16.201 80:82:23:66:84:4 UHLWI en0 877
192.168.16.219 0:15:99:d7:f6:5a UHLWI en0 1185
192.168.16.225 c:51:1:c7:a4:1e UHLWI en0 856
192.168.16.234/32 link#6 UCS en0 !
192.168.16.236 0:80:92:cb:ab:bf UHLWI en0 1180
192.168.17.8 6c:8d:c1:3f:b5:2d UHLWI en0 1079
192.168.17.16 d8:1c:79:ea:8e:2b UHLWI en0 911
192.168.17.65 90:e1:7b:d7:75:23 UHLWI en0 1007
192.168.17.67 34:2:86:87:d1:b UHLWI en0 1069
192.168.17.85 d8:1c:79:ca:6b:bd UHLWI en0 1176
192.168.17.173 14:20:5e:85:36:2 UHLWI en0 1031
192.168.17.221 38:b1:db:e3:40:3b UHLWIi en0 1165
192.168.17.222 30:d1:6b:10:93:c0 UHLWI en0 1079
192.168.18.6 c0:a6:0:7:ee:c9 UHLWI en0 857
192.168.18.69 8c:85:90:11:5c:90 UHLWI en0 1094
192.168.18.79 40:bc:60:1e:2:d5 UHLWI en0 967
192.168.18.124 7c:a1:ae:8:29:8f UHLWI en0 1066
192.168.18.161 34:42:62:7d:a7:d0 UHLWI en0 1124
192.168.18.189 14:10:9f:e9:31:a2 UHLWIi en0 1163
192.168.18.239 3c:2e:ff:1f:94:ca UHLWI en0 1138
192.168.19.2 58:6b:14:6:b5:9e UHLWI en0 931
192.168.19.22 54:33:cb:51:60:53 UHLWIi en0 813
192.168.19.76 80:c:67:3f:2c:e1 UHLWI en0 988
192.168.19.83 b0:ca:68:9c:83:3c UHLWI en0 924
192.168.19.143 b8:41:a4:54:c0:8a UHLWIi en0 874
192.168.19.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
192.168.74 link#18 UC vmnet1 !
192.168.74.255 ff:ff:ff:ff:ff:ff UHLWbI vmnet1 !
224.0.0/4 link#17 UmCS ipsec0
224.0.0/4 link#6 UmCSI en0 !
224.0.0.251 link#17 UHmW3I ipsec0 33
255.255.255.255/32 link#17 UCS ipsec0
255.255.255.255/32 link#6 UCSI en0 !
Internet6:
Destination Gateway Flags Netif Expire
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1
default fe80::%utun2 UGcI utun2
default fe80::%utun3 UGcI utun3
::1 ::1 UHL lo0
fe80::%lo0/64 fe80::1%lo0 UcI lo0
fe80::1%lo0 link#1 UHLI lo0
fe80::%en10/64 link#4 UCI en10
fe80::aede:48ff:fe00:1122%en10 ac:de:48:0:11:22 UHLI lo0
fe80::aede:48ff:fe33:4455%en10 ac:de:48:33:44:55 UHLWIi en10
fe80::%en0/64 link#6 UCI en0
fe80::3:aea3:bd6f:3c20%en0 78:31:c1:c7:8a:ac UHLWI en0
fe80::45:ff77:829e:1285%en0 8c:85:90:98:cd:34 UHLWI en0
fe80::6d:c188:a11c:8f03%en0 9c:20:7b:de:7:a7 UHLWI en0
fe80::4cb:eb4c:daae:2b54%en0 b8:17:c2:c1:77:3a UHLWI en0
fe80::4d1:99e4:6833:564%en0 a4:83:e7:5e:75:e1 UHLWI en0
fe80::8e0:d15f:bde0:dc04%en0 98:1:a7:a4:a6:1b UHLWI en0
fe80::8f6:451f:1b75:721e%en0 f8:ff:c2:2e:ca:73 UHLWI en0
fe80::ca8:73fd:44fe:228a%en0 f8:ff:c2:44:e9:44 UHLI lo0
fe80::cf5:61:515f:c450%en0 10:94:bb:ed:2c:18 UHLWI en0
fe80::108b:8810:1b67:3c89%en0 8c:85:90:11:5c:90 UHLWI en0
fe80::10b4:36dc:d9c9:990f%en0 88:e9:fe:5c:21:19 UHLWI en0
fe80::1438:8686:40a6:4389%en0 b0:34:95:3d:7a:59 UHLWI en0
fe80::1493:6a8f:4a22:4454%en0 68:db:ca:9e:83:95 UHLWI en0
fe80::14a6:911:68f6:a4b8%en0 38:f9:d3:5a:8d:5b UHLWI en0
fe80::180f:3b62:489b:7928%en0 38:f9:d3:b6:32:59 UHLWI en0
fe80::18bc:cdbc:550:64e0%en0 6c:8d:c1:3f:b5:2d UHLWI en0
fe80::18ee:81f3:88fd:51d9%en0 a4:83:e7:83:f4:69 UHLWI en0
fe80::1cdb:e916:7bf8:8d4f%en0 38:f9:d3:cd:a0:28 UHLWI en0
fe80::%awdl0/64 link#8 UCI awdl0
fe80::6c52:f6ff:fe27:30de%awdl0 6e:52:f6:27:30:de UHLI lo0
fe80::%llw0/64 link#9 UCI llw0
fe80::6c52:f6ff:fe27:30de%llw0 6e:52:f6:27:30:de UHLI lo0
fe80::%utun0/64 fe80::ef8d:39b7:d0a7:bcff%utun0 UcI utun0
fe80::ef8d:39b7:d0a7:bcff%utun0 link#15 UHLI lo0
fe80::%utun1/64 fe80::f855:da2f:9165:598b%utun1 UcI utun1
fe80::f855:da2f:9165:598b%utun1 link#16 UHLI lo0
fe80::%utun2/64 fe80::c8b3:a4f3:ff43:d729%utun2 UcI utun2
fe80::c8b3:a4f3:ff43:d729%utun2 link#20 UHLI lo0
fe80::%utun3/64 fe80::8a6d:ce1a:3267:fdcb%utun3 UcI utun3
fe80::8a6d:ce1a:3267:fdcb%utun3 link#21 UHLI lo0
ff01::%lo0/32 ::1 UmCI lo0
ff01::%en10/32 link#4 UmCI en10
ff01::%en0/32 link#6 UmCI en0
ff01::%awdl0/32 link#8 UmCI awdl0
ff01::%llw0/32 link#9 UmCI llw0
ff01::%utun0/32 fe80::ef8d:39b7:d0a7:bcff%utun0 UmCI utun0
ff01::%utun1/32 fe80::f855:da2f:9165:598b%utun1 UmCI utun1
ff01::%utun2/32 fe80::c8b3:a4f3:ff43:d729%utun2 UmCI utun2
ff01::%utun3/32 fe80::8a6d:ce1a:3267:fdcb%utun3 UmCI utun3
ff02::%lo0/32 ::1 UmCI lo0
ff02::%en10/32 link#4 UmCI en10
ff02::%en0/32 link#6 UmCI en0
ff02::%awdl0/32 link#8 UmCI awdl0
ff02::%llw0/32 link#9 UmCI llw0
ff02::%utun0/32 fe80::ef8d:39b7:d0a7:bcff%utun0 UmCI utun0
ff02::%utun1/32 fe80::f855:da2f:9165:598b%utun1 UmCI utun1
ff02::%utun2/32 fe80::c8b3:a4f3:ff43:d729%utun2 UmCI utun2
ff02::%utun3/32 fe80::8a6d:ce1a:3267:fdcb%utun3 UmCI
Soluzione
The direct answer to my question:
Track down the process by gathering more information
scutil --nwi
Network information
IPv4 network interface information
ipsec0 : flags : 0x5 (IPv4,DNS)
address : 10.6.4.48
VPN server : X.X.X.X
reach : 0x00000003 (Reachable,Transient Connection)
Check PIDs of network connections to VPN server and find parent PID
lsof -i | grep -E "X.X.X.X"
NEIKEv2Pr **942** todd 7u IPv4 0x6816df6181c68875 0t0 UDP 192.168.0.32:ipsec-msft->X.X.X.X:ipsec-msft
ps -l 942 | grep -v grep
UID PID PPID F CPU PRI NI SZ RSS WCHAN S ADDR TTY TIME CMD
502 942 **1** 4004 0 31 0 5007340 8496 - Ss 0 ?? 0:00.46 /System/Library/Frameworks/NetworkExtension.framework/PlugIns/NEIKEv2Provider.appex/Contents/MacOS/NEIKEv2Provider
PID 1 belongs to launchd in this case...now on to my next problem of finding the service responsible for launching this NEIKEv2 process..any help is welcome although I'll most likely have to start a new thread.
Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a apple.stackexchange
