Hello,
Yes, this behavior can occur under certain conditions in macOS. Based on what you described, it’s likely that macOS is clearing the stored password from the IKEv2 VPN entry due to a security policy or keychain access issue during OnDemand reconnection, especially after sleep/wake cycles.
macOS can delete or unreference saved VPN passwords in the following cases:
1. Keychain Permission Issues
If the VPN configuration loses access to the Keychain (due to corruption, user permission change, or keychain timeout), macOS may fail to retrieve the saved password and prompt for it instead.
2. Sleep/Wake Interruption
OnDemand connections triggered immediately after waking can sometimes initiate before the Keychain is fully accessible, causing the password retrieval to fail. This is especially true for IKEv2 profiles using certificate or hybrid auth.
3. System Integrity Protection (SIP) or TCC Restrictions
macOS might restrict background services from accessing stored credentials under certain TCC or SIP security contexts after wake, treating it as an untrusted access attempt.
4. Keychain Item Modified or Removed
If the keychain item was manually altered or another system process updated/invalidated it (like a security agent, sync issue, or user profile tool), the reference might be broken, even though the entry still appears intact in the VPN configuration.
5. VPN Profile Corruption
Sometimes, VPN entries behave inconsistently due to hidden corruption in the configuration profile or plist. This would explain why deleting and recreating the entry resolves it temporarily.
Why it keeps happening:
Since it mostly occurs after waking and during OnDemand connections, the most probable cause is the timing of Keychain access vs. VPN initialization. macOS attempts to start the VPN before the Keychain is fully responsive, resulting in a missing credential. When it fails, it doesn’t retry fetching the stored password.
⸻
Workarounds:
• Delay VPN OnDemand connection slightly after wake (via a helper script or launchd job).
• Store credentials explicitly in the Keychain with Always Allow access for system processes.
• Consider using a configuration profile (.mobileconfig) with embedded credentials or certificate auth if possible.
• Use a script to monitor Keychain and reset the VPN if password access fails.
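As an added example of the last two workarounds (this is not code from the answer above or from Apple), the following POSIX shell script is meant to be run periodically from a launchd agent. It checks the VPN state with `scutil --nc status`, verifies that the stored credential is still readable with `security find-internet-password`, and only reconnects when the keychain lookup succeeds; if the lookup fails it logs the event instead of retrying, which is the condition the answer describes. The VPN entry name, keychain server/account attributes and log path are placeholders, and the script assumes the credential was stored explicitly as an internet-password item with those attributes. The decision logic is kept separate from the macOS-specific commands so it can be exercised with constructed status output on any system.

```shell
#!/bin/sh
# Added example: periodic health check for a macOS IKEv2 VPN entry.
# Not part of the original answer. All names below are hypothetical.

VPN_NAME="${VPN_NAME:-Corp IKEv2}"           # hypothetical VPN entry name
KC_SERVER="${KC_SERVER:-vpn.example.test}"   # hypothetical keychain item server attribute
KC_ACCOUNT="${KC_ACCOUNT:-vpnuser}"          # hypothetical keychain item account attribute
LOG="${LOG:-$HOME/Library/Logs/vpn-monitor.log}"

# Reduce the first line of `scutil --nc status` output to a lowercase state word.
# Real output begins with "Connected", "Connecting" or "Disconnected"; the
# remaining lines (extended status dictionary) are ignored.
parse_vpn_state() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print tolower($1)}'
}

# Live state query (macOS only).
vpn_state() {
    parse_vpn_state "$(scutil --nc status "$VPN_NAME" 2>/dev/null)"
}

# Exit 0 if the saved password can be read from the keychain, non-zero otherwise.
# -w prints only the secret; it is discarded here, only the exit status matters.
keychain_password_readable() {
    security find-internet-password -s "$KC_SERVER" -a "$KC_ACCOUNT" -w >/dev/null 2>&1
}

# Pure decision logic: VPN state word + keychain result (0 = readable, 1 = not)
# -> "none", "reconnect" or "alert".
decide_action() {
    state="$1"
    kc_ok="$2"
    case "$state" in
        connected|connecting)
            echo "none" ;;
        *)
            if [ "$kc_ok" -eq 0 ]; then
                echo "reconnect"
            else
                echo "alert"
            fi ;;
    esac
}

log_line() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG"
}

main() {
    if keychain_password_readable; then kc=0; else kc=1; fi
    action=$(decide_action "$(vpn_state)" "$kc")
    case "$action" in
        reconnect)
            log_line "VPN down, keychain item readable: starting $VPN_NAME"
            scutil --nc start "$VPN_NAME" ;;
        alert)
            # Do not retry: a prompt would appear anyway. Surface the keychain problem.
            log_line "VPN down and keychain item unreadable: check the item in Keychain Access" ;;
        none)
            : ;;
    esac
}

# Run the live check only on macOS (scutil present) and when explicitly requested.
if [ "${1:-}" = "--run" ] && command -v scutil >/dev/null 2>&1; then
    main
fi
```

To schedule it, save the script under your home directory, make it executable, and load a LaunchAgent plist whose `ProgramArguments` call it with `--run` and whose `StartInterval` is set to a small number of seconds (for example 60), so the check repeats shortly after every wake without needing a dedicated wake trigger.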