IKEv2 profile broken since Sonoma 14

Hello,

Since macOS Sonoma 14.0, the following IKEv2 VPN profile doesn't work anymore. It was fine with Monterey and Ventura, as this VPN configuration was specifically created for Apple devices. The server is iked on OpenBSD 7.3; we have no problems with Ventura.

Here is the profile:

https://paste.chapril.org/?3a0fbc0e776483dc#Dop7CqUjJ21e55kcPfEfyDHyAf78VBz5RQ7Znm1oJLf5

As you can see, the working versions are written in the profile.

Here are the server logs:

ikev2_resp_recv: failed to negotiate IKE SA
ikev2_log_proposal: IKE #1 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #1 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #1 DH=ECP_256
ikev2_log_proposal: IKE #2 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #2 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #2 DH=MODP_2048
ikev2_log_proposal: IKE #3 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #3 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #3 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #3 DH=ECP_256
ikev2_log_proposal: IKE #4 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #4 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #4 DH=MODP_2048
ikev2_add_error: NO_PROPOSAL_CHOSEN


It seems proposal settings are very limited and do not match what is specified in the profile. It's very urgent, as our clients can't update their systems.

Posted on Sep 27, 2023 12:25 AM

Question marked as Top-ranking reply

Posted on Oct 29, 2023 11:57 PM

It seems to be the case only with new IKEv2 VPN profiles created after the Sonoma upgrade. The old profiles installed before continue to work fine.

For new profiles, Sonoma will not consider the SecurityAssociationParameters and forces the use of:


  Opportunistic PFS = YES
  DH = (
    RandomECP256,
  )
  Lifetime = 1800

After 24 minutes:

Client side:

CREATE_CHILD_SA MID=15 Initiator Request
CREATE_CHILD_SA MID=15 Responder Response

Server side:

received proposals: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ


For me the solution was changing the Phase 2 PFS group to 19 (ECP_256) on the server and also in the Windows clients' profile.

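To make the two failures in this thread concrete (the IKE_SA_INIT rejection logged in the first post, and the CREATE_CHILD_SA rekey rejection in the reply above), here is an added example, not code from the thread or from iked, that parses the proposal lines iked logs and runs the responder-side selection rule from RFC 7296 section 3.3.6 against a few server policies. The log text is copied from this page; the server policies (a child-SA policy with PFS group 14/MODP_2048 as the "before", and group 19/ECP_256 as the "after") are constructed assumptions, since the real iked.conf is only on the paste link and the reply does not say which group it replaced.

```python
"""IKEv2 responder proposal selection, modelled after RFC 7296 section 3.3.6.

Added example for this thread (not iked source). It parses the proposal lines
iked logs, then applies the responder's selection rule to constructed server
policies to show when the answer is NO_PROPOSAL_CHOSEN.
"""
import re
from typing import Dict, List, Optional, Set

Proposal = Dict[str, str]      # transform type -> transform name
Policy = Dict[str, Set[str]]   # transform type -> acceptable transform names

IKE_LOG_RE = re.compile(r"ikev2_log_proposal: \w+ #(\d+) (\w+)=(\S+)")

# IKE_SA_INIT proposals from the first post's server log (copied from the page).
IKE_SA_INIT_LOG = """\
ikev2_log_proposal: IKE #1 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #1 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #1 DH=ECP_256
ikev2_log_proposal: IKE #2 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #2 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #2 DH=MODP_2048
ikev2_log_proposal: IKE #3 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #3 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #3 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #3 DH=ECP_256
ikev2_log_proposal: IKE #4 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #4 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #4 DH=MODP_2048
"""

# CREATE_CHILD_SA rekey proposals from the reply's server log (copied from the page).
ESP_REKEY_LOG = ("received proposals: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ, "
                 "ESP:AES_GCM_16_256/NO_EXT_SEQ")

# Constructed server policies (assumptions, not the thread's real iked.conf).
IKE_POLICY: Policy = {"ENCR": {"AES_GCM_16-256"}, "PRF": {"HMAC_SHA2_256"},
                      "DH": {"MODP_2048"}}
CHILD_PFS_MODP2048: Policy = {"ENCR": {"AES_GCM_16_256"}, "DH": {"MODP_2048"},
                              "ESN": {"NO_EXT_SEQ"}}   # assumed "before": PFS group 14
CHILD_PFS_ECP256: Policy = {"ENCR": {"AES_GCM_16_256"}, "DH": {"ECP_256"},
                            "ESN": {"NO_EXT_SEQ"}}     # the reply's fix: PFS group 19


def parse_ike_proposals(log: str) -> List[Proposal]:
    """Group iked 'ikev2_log_proposal' lines by proposal number."""
    grouped: Dict[int, Proposal] = {}
    for m in IKE_LOG_RE.finditer(log):
        num, ttype, name = m.groups()
        grouped.setdefault(int(num), {})[ttype] = name
    return [grouped[n] for n in sorted(grouped)]


def classify(name: str) -> str:
    """Infer the transform type from an ESP transform name as iked prints it."""
    if name.startswith(("ECP_", "MODP_", "CURVE", "BRAINPOOL")):
        return "DH"
    if name.endswith("EXT_SEQ"):
        return "ESN"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGR"
    return "ENCR"


def parse_esp_proposals(line: str) -> List[Proposal]:
    """Parse 'received proposals: ESP:A/B/C, ESP:A/C' into a proposal list."""
    _, _, body = line.partition("received proposals: ")
    proposals = []
    for entry in body.split(", "):
        _proto, _, transforms = entry.partition(":")
        proposals.append({classify(t): t for t in transforms.split("/")})
    return proposals


def select_proposal(offered: List[Proposal], policy: Policy) -> Optional[Proposal]:
    """Return the first offered proposal acceptable under the policy, else None
    (the responder then answers NO_PROPOSAL_CHOSEN).

    A proposal is acceptable when every transform it carries is allowed by the
    policy and it carries every transform type the policy mandates. A mandated
    DH transform in the child-SA policy is what "PFS group N" means: a proposal
    without DH, or with a different group, is rejected.
    """
    for prop in offered:
        carries_allowed = all(name in policy.get(ttype, set())
                              for ttype, name in prop.items())
        has_all_required = all(ttype in prop
                               for ttype, allowed in policy.items() if allowed)
        if carries_allowed and has_all_required:
            return prop
    return None


if __name__ == "__main__":
    esp = parse_esp_proposals(ESP_REKEY_LOG)
    for label, policy in (("child SA, PFS modp2048", CHILD_PFS_MODP2048),
                          ("child SA, PFS ecp256", CHILD_PFS_ECP256)):
        print(f"{label}: {select_proposal(esp, policy) or 'NO_PROPOSAL_CHOSEN'}")
    print("IKE SA:", select_proposal(parse_ike_proposals(IKE_SA_INIT_LOG), IKE_POLICY))
```

Run as is, the modp2048 child-SA policy rejects both rekey proposals (the first carries the wrong group, the second carries no group at all), while the ecp256 policy accepts the first one, which is the behaviour the reply describes. In iked.conf(5) terms, and this is my reading of the manual rather than anything the thread states, the child-SA PFS group is the `group` keyword in the `childsa` clause of the `ikev2` policy, e.g. `childsa enc aes-256-gcm group ecp256`.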

Oct 31, 2023 1:25 AM in response to mvg009

I would like to point out that the problem you were facing may be different from the problem we are talking about here. I presume that you are referring to a rekeying problem which causes the VPN to disconnect after a certain amount of time. But I believe many of us are facing an issue where the IKEv2 VPN simply won't connect from the beginning.

Jan 27, 2024 2:32 AM in response to A_H001

A_H001 wrote:

Hi, I have the same problem with the VPN. Ventura works fine, but after upgrading to Sonoma I can't connect to the VPN.

Any solution?

I am new here. Could you please advise how to create a case with Apple?


What a lazy post. Wow😐 (I wish people had to take a test to check if their intelligence is higher than a carrot before posting here.)


  • What exact error / problem do you get?
  • What have you tried? (There are many suggestions here)

