Netgate Discussion Forum
    macOS IKEv2 clients disconnecting

      A Former User

      Hi all,

      I've set up VPN access for mobile clients by (mostly) following the guide here:

      https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/

      It is working great, with one small exception - macOS clients seem to randomly drop the connection to the VPN. It seems to potentially be a problem with re-keying, and I've tried various things including disabling re-keying, enabling Dead-Peer-Detection, Make-before-break authentication and MTU clamping (1360). None of these seem to work.

      In the log files under 'System Logs / IPSec' I see this for a successful connection:

      Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
      Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
      Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ

      However when it re-keys, this happens:

      Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
      Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> establishing CHILD_SA con-mobile{257} reqid 140
      Mar 31 14:18:43 charon 08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
      Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
      Mar 31 14:18:43 charon 08[NET] <con-mobile|146> sending packet: from PFSENSE-IP[4500] to CLIENT-IP[4500] (309 bytes)
      Mar 31 14:18:43 charon 08[NET] <con-mobile|146> received packet: from CLIENT-IP[4500] to PFSENSE-IP[4500] (176 bytes)
      Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
      Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> selecting proposal:
      Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
      Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
      Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
      Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> no acceptable proposal found

      It seems like pfSense is not offering the same proposals on the re-key as it is initially? Trying to work out what I've done wrong. Any help would be greatly appreciated! Happy to post any info required.

      Thanks,
      Tristan

        A Former User

        The problem seems to be the macOS and iOS clients. I found the answer in this thread here:

        https://forum.netgate.com/topic/113422/ikev2-child-sa-beware-phase-2-dh-on-macos-ios

        The answer seems to be to enable Perfect Forward Secrecy in the Apple Configurator profile.

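The log pattern above (a CREATE_CHILD_SA rekey answered without a KE payload while pfSense has a DH group configured for the child SA) is easy to spot mechanically. The following is an added example, not code from the thread or from pfSense/strongSwan: it parses charon lines in the format quoted in the posts and flags an IKE_SA whose rekey failed for exactly this PFS mismatch. The sample log is constructed from the lines quoted above; the function and field names are the example's own.

```python
import re

# Constructed sample: the rekey failure quoted in the post (IKE_SA 146) plus
# the successful initial negotiation (IKE_SA 148), which must not be flagged.
SAMPLE_LOG = """\
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> no acceptable proposal found
"""

# charon tags every line with <connection-name|IKE_SA-id> followed by the message.
LINE_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)>\s+(?P<msg>.*)$")
# Diffie-Hellman group tokens as strongSwan prints them inside a proposal string.
DH_RE = re.compile(r"\b(MODP_\d+|ECP_\d+|CURVE_\d+|X25519|X448)\b")


def dh_groups(proposal: str) -> set:
    """DH groups named in a proposal such as ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ."""
    return set(DH_RE.findall(proposal))


def analyze(log_text: str) -> dict:
    """Per IKE_SA: DH groups pfSense configured, DH groups the peer offered, and rekey outcome."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = f"{m['conn']}|{m['ike']}"
        sa = sas.setdefault(key, {"configured": set(), "received": set(),
                                  "rekey_without_ke": False, "rekey_failed": False})
        msg = m["msg"]
        if msg.startswith("configured proposals: "):
            sa["configured"] |= dh_groups(msg)
        elif msg.startswith("received proposals: "):
            sa["received"] |= dh_groups(msg)
        elif "CREATE_CHILD_SA" in msg and " KE " not in msg:
            # A rekey message carrying no KE payload means the peer did no fresh DH exchange (no PFS).
            sa["rekey_without_ke"] = True
        elif msg == "no acceptable proposal found":
            sa["rekey_failed"] = True
    return sas


def pfs_mismatches(sas: dict) -> list:
    """IKE_SAs whose rekey failed because we require a DH group the peer never offered."""
    return [k for k, v in sas.items()
            if v["rekey_failed"] and v["configured"] and not v["received"] and v["rekey_without_ke"]]
```

Running `pfs_mismatches(analyze(SAMPLE_LOG))` on the sample names only `con-mobile|146`, matching the diagnosis in the reply above; an IKE_SA that negotiated successfully is left alone.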
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.