IKEv2 profile broken since Sonoma 14

Hello,

Since macOS Sonoma 14.0, the following IKEv2 VPN profile doesn't work anymore. It was fine with Monterey and Ventura, as this VPN configuration was specifically created for Apple devices. The server is iked on OpenBSD 7.3; we have no problems with Ventura.


Here is the profile:


https://paste.chapril.org/?3a0fbc0e776483dc#Dop7CqUjJ21e55kcPfEfyDHyAf78VBz5RQ7Znm1oJLf5


As you can see, working versions are written in the profile.


Here are the server logs:


ikev2_resp_recv: failed to negotiate IKE SA
ikev2_log_proposal: IKE #1 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #1 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #1 DH=ECP_256
ikev2_log_proposal: IKE #2 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #2 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #2 DH=MODP_2048
ikev2_log_proposal: IKE #3 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #3 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #3 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #3 DH=ECP_256
ikev2_log_proposal: IKE #4 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #4 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #4 DH=MODP_2048
ikev2_add_error: NO_PROPOSAL_CHOSEN


It seems proposal settings are very limited and do not match what is specified in the profile. It's very urgent, as our clients can't update their systems.

Posted on Sep 27, 2023 12:25 AM
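
Added example, not part of the original post and not code from iked or Apple: a small Python script that groups the ikev2_log_proposal lines above into the four proposals the client offered and reports, per proposal, which transform types have no algorithm in common with a responder policy. The POLICY values are a constructed assumption for illustration, since neither the server's iked.conf nor the profile contents appear on this page.

```python
import re

# Server log lines copied from the post above.
LOG = """\
ikev2_resp_recv: failed to negotiate IKE SA
ikev2_log_proposal: IKE #1 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #1 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #1 DH=ECP_256
ikev2_log_proposal: IKE #2 ENCR=AES_GCM_16-256
ikev2_log_proposal: IKE #2 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #2 DH=MODP_2048
ikev2_log_proposal: IKE #3 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #3 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #3 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #3 DH=ECP_256
ikev2_log_proposal: IKE #4 ENCR=AES_CBC-256
ikev2_log_proposal: IKE #4 PRF=HMAC_SHA2_256
ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA2_256_128
ikev2_log_proposal: IKE #4 DH=MODP_2048
ikev2_add_error: NO_PROPOSAL_CHOSEN
"""

# Hypothetical responder policy, constructed for this example only; the
# real iked.conf and the client profile are not shown on this page.
POLICY = {"ENCR": {"AES_CBC-256"}, "PRF": {"HMAC_SHA2_384"},
          "INTEGR": {"HMAC_SHA2_384_192"}, "DH": {"ECP_384"}}
LINE = re.compile(r"ikev2_log_proposal: IKE #(\d+) (\w+)=(\S+)")

def parse_proposals(log):
    """Group logged transforms as {proposal number: {transform type: {names}}}."""
    proposals = {}
    for num, ttype, name in LINE.findall(log):
        proposals.setdefault(int(num), {}).setdefault(ttype, set()).add(name)
    return proposals

def mismatches(proposal, policy):
    """Transform types in one proposal with no algorithm the policy accepts."""
    # AEAD proposals (AES_GCM) carry no INTEGR, so only offered types are checked.
    return sorted(t for t, names in proposal.items() if not names & policy.get(t, set()))

def report(log, policy):
    """Map each proposal number to its mismatching transform types."""
    return {n: mismatches(p, policy) for n, p in sorted(parse_proposals(log).items())}

if __name__ == "__main__":
    for num, bad in report(LOG, POLICY).items():
        print(f"IKE #{num}:", "acceptable" if not bad else "no match on " + ", ".join(bad))
```

A proposal is acceptable only when every transform type it offers has a match, so NO_PROPOSAL_CHOSEN follows when every proposal has at least one mismatching type.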
