macOS IKEv2 clients disconnecting
-
Hi all,
I've set up VPN access for mobile clients by (mostly) following the guide here:
https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/
It is working great, with one small exception - macOS clients seem to randomly drop the connection to the VPN. It seems to potentially be a problem with re-keying, and I've tried various things including disabling re-keying, enabling Dead-Peer-Detection, Make-before-break authentication and MTU clamping (1360). None of these seem to work.
In the log files under 'System Logs / IPSec' I see this for a successful connection:
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
However when it re-keys, this happens:
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> establishing CHILD_SA con-mobile{257} reqid 140
Mar 31 14:18:43 charon 08[CHD] <con-mobile|146> CHILD_SA con-mobile{251} state change: INSTALLED => REKEYING
Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 31 14:18:43 charon 08[NET] <con-mobile|146> sending packet: from PFSENSE-IP[4500] to CLIENT-IP[4500] (309 bytes)
Mar 31 14:18:43 charon 08[NET] <con-mobile|146> received packet: from CLIENT-IP[4500] to PFSENSE-IP[4500] (176 bytes)
Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> selecting proposal:
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> no acceptable proposal found
It seems like pfSense is not offering the same proposals on the re-key as it is initially? Trying to work out what I've done wrong. Any help would be greatly appreciated! Happy to post any info required.
thanks
Tristan -
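Added example (mine, not part of Tristan's post and not pfSense or strongSwan code): a small Python script that parses charon log lines like the ones above and reports when a CREATE_CHILD_SA rekey failed because pfSense's configured ESP proposal carries a DH group (PFS) that the client never offered. The sample log is constructed from the excerpts in this thread; the regular expressions and the list of DH group names are my assumptions about charon's log format, not an official parser. It only flags CREATE_CHILD_SA exchanges, because the first CHILD_SA negotiated inside IKE_AUTH has no KE payload and charon ignores the DH group there, which is why the 13:59 negotiation succeeded without ECP_384 and the 14:18 rekey did not.

```python
"""Detect IKEv2 CHILD_SA rekey failures caused by a PFS (DH group) mismatch.

Parses strongSwan charon log lines such as the ones pfSense shows under
System Logs / IPsec. The sample input below is constructed from the
thread's excerpts; the regexes and DH group names are assumptions about
charon's log format, not an official parser.
"""
import re
from collections import defaultdict

# Constructed sample: the successful IKE_AUTH negotiation (|148) and the
# failing CREATE_CHILD_SA rekey (|146) from the post above.
SAMPLE_LOG = """\
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 13:59:45 charon 11[CFG] <con-mobile|148> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 31 14:18:43 charon 08[ENC] <con-mobile|146> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> no acceptable DIFFIE_HELLMAN_GROUP found
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[CFG] <con-mobile|146> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 31 14:18:43 charon 08[IKE] <con-mobile|146> no acceptable proposal found
"""

# "charon 08[CFG] <con-mobile|146> message" -> IKE SA name and the message (assumed format).
LINE_RE = re.compile(r"charon \d+\[\w+\] <(?P<sa>[^>]+)> (?P<msg>.*)$")
PROPOSAL_RE = re.compile(r"^(?P<kind>configured|received|selected) proposals?: (?P<props>.+)$")
EXCHANGE_RE = re.compile(r"^(?:generating|parsed) (?P<exch>[A-Z_]+) (?:request|response)")
# Subset of the DH group names charon prints (assumption); an ESP proposal
# carries one of these only when PFS is enabled on that side.
DH_GROUPS = {"MODP_1024", "MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096",
             "MODP_6144", "MODP_8192", "ECP_256", "ECP_384", "ECP_521",
             "CURVE_25519", "CURVE_448"}


def parse_proposals(text):
    """'ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:...' -> [(proto, [transforms]), ...]."""
    proposals = []
    for item in text.split(", "):
        proto, _, transforms = item.partition(":")
        proposals.append((proto, transforms.split("/")))
    return proposals


def dh_groups(proposals):
    """Set of DH groups named anywhere in a list of parsed proposals."""
    return {t for _, transforms in proposals for t in transforms if t in DH_GROUPS}


def analyze(log_text):
    """One finding per IKE SA: the DH groups pfSense configured for the CHILD_SA
    versus the groups the peer actually offered, and whether that explains a
    failed rekey. Only CREATE_CHILD_SA counts: the first CHILD_SA negotiated
    inside IKE_AUTH has no KE payload, so charon ignores the DH group there."""
    exchange = {}                 # IKE SA -> last exchange type seen
    seen = defaultdict(dict)      # IKE SA -> {"configured"/"received"/"selected": proposals}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa, msg = m.group("sa"), m.group("msg")
        e = EXCHANGE_RE.match(msg)
        if e:
            exchange[sa] = e.group("exch")
            continue
        p = PROPOSAL_RE.match(msg)
        if p:
            seen[sa][p.group("kind")] = parse_proposals(p.group("props"))

    findings = []
    for sa, kinds in seen.items():
        configured = dh_groups(kinds.get("configured", []))
        received = dh_groups(kinds.get("received", []))
        findings.append({
            "ike_sa": sa,
            "exchange": exchange.get(sa),
            "configured_dh": configured,
            "received_dh": received,
            # PFS required by pfSense, no group offered by the client: the rekey fails.
            "pfs_mismatch": exchange.get(sa) == "CREATE_CHILD_SA" and bool(configured) and not received,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        status = "PFS mismatch (client sent no DH group)" if f["pfs_mismatch"] else "ok"
        print(f"{f['ike_sa']}: exchange={f['exchange']} configured={sorted(f['configured_dh'])} "
              f"received={sorted(f['received_dh'])} -> {status}")
```

Run it against a longer export of the IPsec log (the regexes key on the `<connection|id>` tag, so lines from other tunnels are kept apart) and any IKE SA that shows `pfs_mismatch` is a client whose profile has no PFS group while the pfSense Phase 2 has one.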
The problem seems to be the macOS and iOS clients. I found the answer in this thread here:
https://forum.netgate.com/topic/113422/ikev2-child-sa-beware-phase-2-dh-on-macos-ios
The answer seems to be to enable Perfect Forward Secrecy in the Apple Configurator profile.
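Added example (mine, not from the thread, Apple or Netgate) of what "enable Perfect Forward Secrecy" comes down to inside the profile: a Python script that writes an IKEv2 VPN payload whose CHILD_SA parameters match a pfSense Phase 2 using ECP_384 (IANA group 20), plus a check that reads a .mobileconfig back and confirms PFS is on with the same group. The payload key names (EnablePFS, ChildSecurityAssociationParameters, DiffieHellmanGroup, and the rest) follow Apple's configuration profile reference as I know it; verify them against the current reference, and the DH group number against your own Phase 2 setting, before deploying. The server name, identifiers, shared secret and payload identifiers are placeholders.

```python
"""Build and check an Apple IKEv2 VPN profile whose CHILD_SA settings match a
pfSense Phase 2 that uses PFS with ECP_384.

Added example, not from the thread or from Apple Configurator. Key names
follow Apple's configuration-profile reference as I know it (EnablePFS,
ChildSecurityAssociationParameters, DiffieHellmanGroup); verify them against
the current reference. Server name, identifiers and secret are placeholders.
"""
import plistlib
import uuid

# strongSwan/pfSense Phase 2 DH group name -> IANA IKEv2 group number, which is
# what Apple's DiffieHellmanGroup key takes.
DH_GROUP_NUMBER = {"MODP_2048": 14, "ECP_256": 19, "ECP_384": 20, "ECP_521": 21, "CURVE_25519": 31}


def build_mobileconfig(server, pfsense_phase2_dh="ECP_384", enable_pfs=True):
    """Return a .mobileconfig (XML plist bytes) with one IKEv2 VPN payload."""
    ikev2 = {
        "RemoteAddress": server,
        "RemoteIdentifier": server,
        "LocalIdentifier": "macbook.example.invalid",      # placeholder
        "AuthenticationMethod": "SharedSecret",            # placeholder: use what your profile uses
        "SharedSecret": "replace-me",                      # placeholder
        # Without EnablePFS=1 the client answers CREATE_CHILD_SA with no DH
        # group, and a pfSense Phase 2 configured with one rejects the rekey.
        "EnablePFS": 1 if enable_pfs else 0,
        "IKESecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-256-GCM",
            "IntegrityAlgorithm": "SHA2-384",
            "DiffieHellmanGroup": DH_GROUP_NUMBER["ECP_384"],
            "LifeTimeInMinutes": 1440,
        },
        "ChildSecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-256-GCM",
            "IntegrityAlgorithm": "SHA2-384",
            "DiffieHellmanGroup": DH_GROUP_NUMBER[pfsense_phase2_dh],
            "LifeTimeInMinutes": 1440,
        },
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",      # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "VPN",
        "UserDefinedName": "Office VPN",
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn",             # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "IKEv2 VPN",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def child_sa_pfs_ok(mobileconfig, pfsense_phase2_dh):
    """True if the profile's IKEv2 payload enables PFS and its CHILD_SA DH group
    is the one pfSense has configured for Phase 2; False otherwise."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed" or payload.get("VPNType") != "IKEv2":
            continue
        ikev2 = payload.get("IKEv2", {})
        child = ikev2.get("ChildSecurityAssociationParameters", {})
        return bool(ikev2.get("EnablePFS") == 1
                    and child.get("DiffieHellmanGroup") == DH_GROUP_NUMBER[pfsense_phase2_dh])
    return False


if __name__ == "__main__":
    good = build_mobileconfig("vpn.example.invalid")
    print(good.decode())
    print("rekey with ECP_384 PFS will succeed:", child_sa_pfs_ok(good, "ECP_384"))
```

The same check can be pointed at a profile exported from Apple Configurator: if `child_sa_pfs_ok` returns False, either PFS is still off or the client's Phase 2 group does not match the one pfSense offers, and the rekey will fail the way the log above shows.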