    macOS IKEv2 clients disconnecting

    IPsec
    creamelectricart wrote:

      Hi all,

      I've set up VPN access for mobile clients by (mostly) following the guide here:

      https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/

      It is working great, with one small exception - macOS clients seem to randomly drop the connection to the VPN. It seems to potentially be a problem with re-keying, and I've tried various things including disabling re-keying, enabling Dead-Peer-Detection, Make-before-break authentication and MTU clamping (1360). None of these seem to work.

      In the log files under 'System Logs / IPSec' I see this for a successful connection:

      Mar 31 13:59:45 	charon 		11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
      Mar 31 13:59:45 	charon 		11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
      Mar 31 13:59:45 	charon 		11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
      

      However when it re-keys, this happens:

      Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
      Mar 31 14:18:43 	charon 		08[IKE] <con-mobile|146> establishing CHILD_SA con-mobile{257} reqid 140
      Mar 31 14:18:43 	charon 		08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
      Mar 31 14:18:43 	charon 		08[ENC] <con-mobile|146> generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
      Mar 31 14:18:43 	charon 		08[NET] <con-mobile|146> sending packet: from PFSENSE-IP[4500] to CLIENT-IP[4500] (309 bytes)
      Mar 31 14:18:43 	charon 		08[NET] <con-mobile|146> received packet: from CLIENT-IP[4500] to PFSENSE-IP[4500] (176 bytes)
      Mar 31 14:18:43 	charon 		08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
      Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> selecting proposal:
      Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
      Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
      Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
      Mar 31 14:18:43 	charon 		08[IKE] <con-mobile|146> no acceptable proposal found
      

      It seems like pfSense is not offering the same proposals on the re-key as it is initially? Trying to work out what I've done wrong. Any help would be greatly appreciated! Happy to post any info required.

      thanks
      Tristan


    creamelectricart wrote:

        The problem seems to be the macOS and iOS clients. I found the answer in this thread here:

        https://forum.netgate.com/topic/113422/ikev2-child-sa-beware-phase-2-dh-on-macos-ios

        The answer seems to be to enable Perfect Forward Secrecy in the Apple Configurator profile.

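The two posts above show the pattern a defender wants to recognise quickly in `System Logs / IPsec`: the first CHILD_SA is negotiated inside IKE_AUTH, where strongSwan's charon omits the DH group from the ESP proposal (the keys derive from the IKE_SA exchange), so a client profile with PFS disabled connects fine; the first CREATE_CHILD_SA rekey is where the configured ECP_384 group becomes mandatory and the peer's group-less proposal is rejected with `no acceptable DIFFIE_HELLMAN_GROUP found`. The Python script below is an added example, not code from the poster, pfSense or strongSwan. It parses charon lines of the shape quoted in the thread (the sample log is constructed from those lines, with placeholder times and thread ids), groups them by the `<connection|IKE_SA id>` tag, tells a rekey apart from an initial setup by the presence of CREATE_CHILD_SA or a REKEYING state change on the same IKE_SA (a heuristic of this example), and reports whether the failure is the PFS mismatch or some other proposal problem. The list of DH group name prefixes (`MODP_`, `ECP_`, `CURVE_`) is assumed from strongSwan's naming.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the charon lines quoted in the thread.
# Times, thread ids and SA numbers are placeholders, not captured from a real box.
SAMPLE_LOG = """\
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> establishing CHILD_SA con-mobile{257} reqid 140
Mar 31 14:18:43 charon 08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> no acceptable proposal found
"""

# charon tags every line of an IKE_SA with <connection-name|unique id>
LINE_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> (?P<msg>.*)$")
# Assumed strongSwan naming for DH groups (MODP_2048, ECP_384, CURVE_25519, ...)
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")


def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' -> [('ESP', {'A', 'B'}), ('ESP', {'C', 'D'})]"""
    out = []
    for prop in text.split(", "):
        proto, _, transforms = prop.partition(":")
        out.append((proto, set(transforms.split("/"))))
    return out


def dh_groups(proposals):
    """Every DH group named anywhere in a proposal list."""
    return {t for _, ts in proposals for t in ts if t.startswith(DH_PREFIXES)}


def analyse(log_text):
    """One finding per IKE_SA whose proposal selection failed, tagged rekey or initial."""
    per_sa = defaultdict(lambda: {"rekey": False, "received": [],
                                  "configured": [], "dh_error": False})
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = per_sa[(m["conn"], int(m["ike"]))]
        msg = m["msg"]
        if "CREATE_CHILD_SA" in msg or "=> REKEYING" in msg:
            s["rekey"] = True                      # heuristic: this SA is rekeying
        elif msg.startswith("received proposals: "):
            s["received"] = parse_proposals(msg[len("received proposals: "):])
        elif msg.startswith("configured proposals: "):
            s["configured"] = parse_proposals(msg[len("configured proposals: "):])
        elif msg == "no acceptable DIFFIE_HELLMAN_GROUP found":
            s["dh_error"] = True
        elif msg == "no acceptable proposal found":
            # charon logs the proposals just before this line, so state is complete here
            findings.append({
                "conn": m["conn"], "ike_sa": int(m["ike"]),
                "phase": "rekey" if s["rekey"] else "initial",
                "configured_dh": dh_groups(s["configured"]),
                "peer_dh": dh_groups(s["received"]),
                "dh_error": s["dh_error"],
            })
    return findings


def explain(f):
    """Turn a finding into the one-line diagnosis an operator wants to read."""
    where = f"{f['conn']} IKE_SA #{f['ike_sa']} ({f['phase']} CHILD_SA)"
    if f["dh_error"] and f["configured_dh"] and not f["peer_dh"]:
        return (f"{where}: server requires PFS group {sorted(f['configured_dh'])} "
                "but the peer sent no DH group; enable PFS in the client profile")
    if f["dh_error"]:
        return (f"{where}: DH group mismatch, server={sorted(f['configured_dh'])} "
                f"peer={sorted(f['peer_dh'])}")
    return f"{where}: proposal rejected for a reason other than the DH group"


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(explain(finding))
```

Run against a copy of the IPsec log: the successful IKE_SA 148 produces no finding, while IKE_SA 146 is reported as a rekey rejected because the peer offered no DH group against a configured ECP_384, which is exactly the mismatch the PFS setting in the Apple profile fixes.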