macOS IKEv2 clients disconnecting


  • Hi all,

    I've set up VPN access for mobile clients by (mostly) following the guide here:

    https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/

    It is working great, with one small exception - macOS clients seem to randomly drop the connection to the VPN. It seems to potentially be a problem with re-keying, and I've tried various things including disabling re-keying, enabling Dead-Peer-Detection, Make-before-break authentication and MTU clamping (1360). None of these seem to work.

    In the log files under 'System Logs / IPSec' I see this for a successful connection:

    Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
    Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
    Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ

    However when it re-keys, this happens:

    Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
    Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> establishing CHILD_SA con-mobile{257} reqid 140
    Mar 31 14:18:43 charon 08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
    Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 31 14:18:43 charon 08[NET] <con-mobile|146> sending packet: from PFSENSE-IP[4500] to CLIENT-IP[4500] (309 bytes)
    Mar 31 14:18:43 charon 08[NET] <con-mobile|146> received packet: from CLIENT-IP[4500] to PFSENSE-IP[4500] (176 bytes)
    Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
    Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> selecting proposal:
    Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
    Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
    Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
    Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> no acceptable proposal found

    It seems like pfSense is not offering the same proposals on the re-key as it is initially? Trying to work out what I've done wrong. Any help would be greatly appreciated! Happy to post any info required.

    Thanks,
    Tristan


  • The problem seems to be the macOS and iOS clients. I found the answer in this thread here:

    https://forum.netgate.com/topic/113422/ikev2-child-sa-beware-phase-2-dh-on-macos-ios

    The answer seems to be to enable Perfect Forward Secrecy in the Apple Configurator profile.
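    Added example, not code from the thread, pfSense or strongSwan: a small triage script that reads charon log lines like the ones quoted above and tells apart a peer that simply omits the DH group on a CHILD_SA rekey (PFS disabled on the client, the case diagnosed in this thread) from a genuine DH group mismatch. The sample log is constructed from the quoted lines, and the ECP_384 to IANA group 20 mapping is the one an Apple IKEv2 profile's DiffieHellmanGroup key uses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> no acceptable proposal found
"""

SA_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$")
PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")
DH_RE = re.compile(r"^(MODP_\d+|ECP_\d+|CURVE_25519|CURVE_448)$")  # strongSwan DH group names
# IANA IKEv2 group numbers, as used by the DiffieHellmanGroup key in an Apple IKEv2 profile
IANA_GROUP = {"MODP_2048": 14, "ECP_256": 19, "ECP_384": 20, "ECP_521": 21}

def dh_groups(proposal_str):
    """Return the DH group names in a charon proposal string such as 'ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ'."""
    groups = set()
    for proposal in proposal_str.split(", "):
        for token in proposal.split(":", 1)[-1].split("/"):
            if DH_RE.match(token):
                groups.add(token)
    return groups

def analyse(log_text):
    """Map IKE_SA id -> (cause, advice) for every 'no acceptable proposal found' in the log."""
    state, findings = defaultdict(dict), {}
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sa, msg = m.group("sa"), m.group("msg")
        pm = PROPOSAL_RE.match(msg)
        if pm:
            state[sa][pm.group(1)] = dh_groups(pm.group(2))  # latest received/configured per IKE_SA
        elif "=> REKEYING" in msg:
            state[sa]["rekey"] = True
        elif msg == "no acceptable proposal found":
            recv, conf = state[sa].get("received", set()), state[sa].get("configured", set())
            if conf and not recv and state[sa].get("rekey"):
                # Peer answered the CHILD_SA rekey without any DH group: PFS is off on the client side.
                group = IANA_GROUP.get(min(conf), "?")
                findings[sa] = ("pfs_disabled_on_peer",
                                f"enable PFS and set DiffieHellmanGroup={group} in the client profile")
            elif conf and recv and not (recv & conf):
                findings[sa] = ("dh_group_mismatch", "configure a DH group both peers support")
            else:
                findings[sa] = ("other", "inspect the full proposal lists")
    return findings
```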