macOS IKEv2 clients disconnecting

creamelectricart

Hi all,

I've set up VPN access for mobile clients by (mostly) following the guide here:

https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/

It is working great, with one small exception - macOS clients seem to randomly drop the connection to the VPN. It seems to potentially be a problem with re-keying, and I've tried various things including disabling re-keying, enabling Dead-Peer-Detection, Make-before-break authentication and MTU clamping (1360). None of these seem to work.

In the log files under 'System Logs / IPSec' I see this for a successful connection:

Mar 31 13:59:45 	charon 		11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 13:59:45 	charon 		11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 13:59:45 	charon 		11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ

However when it re-keys, this happens:

Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 	charon 		08[IKE] <con-mobile|146> establishing CHILD_SA con-mobile{257} reqid 140
Mar 31 14:18:43 	charon 		08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
Mar 31 14:18:43 	charon 		08[ENC] <con-mobile|146> generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 31 14:18:43 	charon 		08[NET] <con-mobile|146> sending packet: from PFSENSE-IP[4500] to CLIENT-IP[4500] (309 bytes)
Mar 31 14:18:43 	charon 		08[NET] <con-mobile|146> received packet: from CLIENT-IP[4500] to PFSENSE-IP[4500] (176 bytes)
Mar 31 14:18:43 	charon 		08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> selecting proposal:
Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 	charon 		08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 	charon 		08[IKE] <con-mobile|146> no acceptable proposal found

It seems like pfSense is not offering the same proposals on the re-key as it is initially? Trying to work out what I've done wrong. Any help would be greatly appreciated! Happy to post any info required.

thanks
Tristan

creamelectricart

The problem seems to be the macOS and iOS clients. I found the answer in this thread here;

https://forum.netgate.com/topic/113422/ikev2-child-sa-beware-phase-2-dh-on-macos-ios

The answer seems to be to enable Perfect Forward Secrecy in the Apple Configurator profile.