VPN On Demand action parameters
Matching rules describe the types of networks associated with VPN On Demand; action parameters define what happens when those matching rules evaluate as true.
Specify one or more of the following matching rules for all SSL, IKEv2, and Cisco IPSec clients:
InterfaceTypeMatch: Optional. A string value of “Cellular” (for iOS and iPadOS), “Ethernet” (for macOS), or “WiFi.” If specified, this rule matches when the primary interface hardware is of the type specified.
SSIDMatch: Optional. An array of SSIDs to match against the current network. If the network isn’t a Wi-Fi network or if its SSID doesn’t appear in the list, the match fails. Omit this key and its array to ignore SSID.
DNSDomainMatch: Optional. An array of search domains as strings. If the configured DNS search domain of the current primary network is included in the array, this property matches. The wildcard prefix (*) is supported; for example, *.example.com would match anything.example.com.
DNSServerAddressMatch: Optional. An array of DNS server addresses as strings. If all of the DNS server addresses currently configured for the primary interface are in the array, this property matches. The wildcard character (*) is supported; for example, 1.2.3.* would match any DNS server with a 1.2.3. prefix.
URLStringProbe: Optional. A server to probe for reachability. Redirection isn’t supported. The URL should be to a trusted HTTPS server. The device sends a GET request to verify that the server is reachable.
Action: Required. Defines VPN behavior when all of the specified matching rules evaluate as true. Values for the Action key are:
Connect: Unconditionally initiate the VPN connection on the next network connection attempt.
Disconnect: Tear down the VPN connection and don’t trigger any new connections on demand.
Ignore: Leave any existing VPN connection up, but don’t trigger any new connections on demand.
EvaluateConnection: Evaluate the ActionParameters for each connection attempt. When this is used, the key ActionParameters, described below, is required to specify the evaluation rules.
ActionParameters: An array of dictionaries with the keys described below, evaluated in the order in which they occur. Required when Action is EvaluateConnection.
Domains: Required. An array of strings that define the domains for which this evaluation applies. The wildcard prefix is supported, as in *.example.com.
DomainAction: Required. Defines VPN behavior for the domains. Values for the DomainAction key are:
ConnectIfNeeded: Brings up VPN if DNS resolution for the domains fails. This includes cases where the DNS server indicates it can’t resolve the domain name, the DNS response is redirected, or the connection fails or times out.
NeverConnect: Don’t trigger VPN for the domains.
When DomainAction is ConnectIfNeeded, you can also specify the following keys in the connection evaluation dictionary:
RequiredDNSServers: Optional. An array of IP addresses for DNS servers to be used for resolving the domains. These servers don’t need to be part of the device’s current network configuration. If these DNS servers aren’t reachable, VPN is triggered. For consistent connections, configure an internal DNS server or a trusted external DNS server.
RequiredURLStringProbe: Optional. An HTTP or HTTPS (preferred) URL to probe, using a GET request. If DNS resolution for this server succeeds, the probe must also succeed. If the probe fails, it triggers VPN.
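To show how the matching rules, Action, and ActionParameters described above combine, here is an added Python example (not Apple's code) that parses a constructed OnDemandRules plist and evaluates it against a constructed snapshot of the current network, following the semantics given on this page. The snapshot keys (interface, ssid, search_domain, dns_servers) and the sample rules are assumptions; the third test case illustrates why SSIDMatch is best paired with DNSServerAddressMatch, since a network that merely carries the corporate SSID but not the corporate DNS servers does not satisfy the Disconnect rule.

```python
# Added example, not Apple's code; rules and network snapshots are constructed.
import plistlib
from fnmatch import fnmatchcase

# Constructed OnDemandRules array; rules are evaluated in order, first match wins.
RULES = plistlib.loads(b"""<plist version="1.0"><array>
<dict><key>InterfaceTypeMatch</key><string>WiFi</string>
      <key>SSIDMatch</key><array><string>CorpNet</string></array>
      <key>DNSServerAddressMatch</key><array><string>10.0.0.*</string></array>
      <key>Action</key><string>Disconnect</string></dict>
<dict><key>InterfaceTypeMatch</key><string>Cellular</string>
      <key>Action</key><string>Connect</string></dict>
<dict><key>Action</key><string>EvaluateConnection</string>
      <key>ActionParameters</key><array><dict>
        <key>Domains</key><array><string>*.corp.example.com</string></array>
        <key>DomainAction</key><string>ConnectIfNeeded</string>
        <key>RequiredDNSServers</key><array><string>10.0.0.53</string></array>
      </dict></array></dict>
</array></plist>""")

def _glob_any(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)

def rule_matches(rule, net):
    """Every matching key present in the rule must hold; a rule with only an Action always matches."""
    if "InterfaceTypeMatch" in rule and net["interface"] != rule["InterfaceTypeMatch"]:
        return False
    # SSIDMatch fails outright when the primary interface is not Wi-Fi.
    if "SSIDMatch" in rule and (net["interface"] != "WiFi" or net.get("ssid") not in rule["SSIDMatch"]):
        return False
    if "DNSDomainMatch" in rule and not _glob_any(net.get("search_domain", ""), rule["DNSDomainMatch"]):
        return False
    # DNSServerAddressMatch requires *all* configured servers to match some entry.
    if "DNSServerAddressMatch" in rule and not all(_glob_any(s, rule["DNSServerAddressMatch"]) for s in net["dns_servers"]):
        return False
    return True

def on_demand_action(net, rules=RULES):
    """Return (Action, ActionParameters) of the first matching rule, or (None, []) if none match."""
    for rule in rules:
        if rule_matches(rule, net):
            return rule["Action"], rule.get("ActionParameters", [])
    return None, []

def domain_action(hostname, params):
    """DomainAction of the first ActionParameters entry whose Domains cover the hostname."""
    for entry in params:
        if _glob_any(hostname, entry["Domains"]):
            return entry["DomainAction"]
    return None
```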