
akschu

macrumors newbie
Original poster
Oct 2, 2023
3
2
I have two different MacOS hosts that now refuse to keep IKEv2 running past a rekey. The logs show:

NEIKEv2Provider: Primary Tunnel (ifIndex 18)>: : Failed to set interface availability for ipsec0

childStateUpdateBlock callback: got Child Disconnected (Error Domain=NEIKEv2ErrorDomain Code=1 "Internal: Failed to delete old Child SA" UserInfo={NSLocalizedDescription=Internal: Failed to delete old Child SA})

stopping tunnel since Child disconnected 14

Anyone else using IKEv2 and can confirm? How do we report this bug? If I don't find a solution in the next day I'll need to restore Ventura from backup.
 

zei7er

macrumors newbie
Oct 2, 2023
2
1
I'm having the exact same problem. At minute 24 exactly, the VPN disconnects... I'm not sure what to do now, I need VPN to work urgently!
 

bogdanw

macrumors 603
Mar 10, 2009
6,113
3,021
Have you tried a different Dead peer detection rate and "SA lifetime (rekey interval) in minutes"?
https://support.apple.com/guide/deployment/dep4ce9487d/web
[attachment: Dead peer detection rate.jpg]

"LifeTimeInMinutes
integer
The SA lifetime (rekey interval) in minutes.
Default: 1440
Minimum Value: 10
Maximum Value: 1440"
https://developer.apple.com/documen.../vpn/ikev2/childsecurityassociationparameters
 

zei7er

macrumors newbie
Oct 2, 2023
2
1
Hi Bogdanw! Where do you change that? Where's that menu? Thanks in advance!
 

akschu

macrumors newbie
Original poster
Oct 2, 2023
3
2
I found and fixed the problem. There are only a few settings in the UI, but many more IPsec settings under the covers. Sonoma defaults to enabling perfect forward secrecy while previous versions do not. PFS tries to rekey, which fails. So, you can either enable modp2048 PFS in your VPN gateway (and if you have Windows hosts, change the registry setting that causes PFS to work on Windows) or you must use Apple Configurator from the Mac App Store to build a VPN profile without PFS checked, then install the profile. Something like this:
 

akschu

macrumors newbie
Original poster
Oct 2, 2023
3
2
Either way, the point is that the UI enables PFS without telling you, while it was disabled in older versions. For whatever reason Apple doesn't let you change this setting without a profile. So much for Apple being easier; it's been a huge pain in the backside.
 
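To make the profile-based workaround above concrete, here is an added Python script (not from the thread, from Apple Configurator, or from Apple) that writes an IKEv2 .mobileconfig with plistlib so that EnablePFS, the Diffie-Hellman group and LifeTimeInMinutes are set explicitly instead of being left to whatever the Sonoma UI defaults to. Key names follow Apple's VPN/IKEv2 payload documentation linked earlier in the thread; `vpn.example.com`, the identifiers and the PayloadIdentifier prefix are placeholders. Turning PFS off is the weaker of the two options described: if the gateway can do it, keep EnablePFS true and set DiffieHellmanGroup to the group the gateway offers (modp2048 is group 14, ecp256 is group 19).

```python
"""Generate an IKEv2 .mobileconfig with PFS and child SA lifetime set explicitly.

Added example, not from the thread or from Apple. Key names follow the
Apple VPN/IKEv2 payload documentation; server name, identifiers and the
PayloadIdentifier prefix are placeholders.
"""
import plistlib
import uuid

# Range for LifeTimeInMinutes quoted from Apple's
# ChildSecurityAssociationParameters documentation in the thread.
LIFETIME_MIN, LIFETIME_MAX = 10, 1440


def ikev2_profile(server, *, enable_pfs, dh_group=14,
                  lifetime_minutes=LIFETIME_MAX,
                  encryption="AES-256", integrity="SHA2-256",
                  local_identifier="vpn-client", dpd_rate="Medium",
                  org_id="com.example"):
    """Return the whole profile as a dict ready for plistlib.dumps().

    enable_pfs=False reproduces the "profile without PFS checked" workaround;
    enable_pfs=True with dh_group matching the gateway is the stronger fix.
    """
    if not LIFETIME_MIN <= lifetime_minutes <= LIFETIME_MAX:
        raise ValueError(
            f"LifeTimeInMinutes must be {LIFETIME_MIN}..{LIFETIME_MAX}")
    sa_params = {
        "EncryptionAlgorithm": encryption,
        "IntegrityAlgorithm": integrity,
        "DiffieHellmanGroup": dh_group,
        "LifeTimeInMinutes": lifetime_minutes,
    }
    ikev2 = {
        "RemoteAddress": server,
        "RemoteIdentifier": server,
        # Mandatory in a profile even though the System Settings UI
        # leaves it optional.
        "LocalIdentifier": local_identifier,
        # No AuthName/AuthPassword: the user is prompted when connecting.
        "AuthenticationMethod": "None",
        "ExtendedAuthEnabled": True,
        "EnablePFS": enable_pfs,
        "DeadPeerDetectionRate": dpd_rate,
        "IKESecurityAssociationParameters": dict(sa_params),
        "ChildSecurityAssociationParameters": dict(sa_params),
    }
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "IKEv2 VPN",
        "UserDefinedName": "IKEv2 VPN",
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    return {
        "PayloadContent": [payload],
        "PayloadDisplayName": "IKEv2 VPN",
        "PayloadIdentifier": f"{org_id}.vpn",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }


def serialize(profile):
    """Return the profile as XML plist bytes (the .mobileconfig contents)."""
    return plistlib.dumps(profile)


def child_sa_settings(profile_bytes):
    """Read EnablePFS and the child SA parameters back from a serialized profile."""
    ike = plistlib.loads(profile_bytes)["PayloadContent"][0]["IKEv2"]
    return ike["EnablePFS"], ike["ChildSecurityAssociationParameters"]


if __name__ == "__main__":
    # Variant 1: PFS off, as in the workaround above.
    with open("ikev2-nopfs.mobileconfig", "wb") as f:
        f.write(serialize(ikev2_profile("vpn.example.com", enable_pfs=False)))
    # Variant 2: PFS on, DH group 14 (modp2048) as suggested for the gateway.
    with open("ikev2-pfs-modp2048.mobileconfig", "wb") as f:
        f.write(serialize(ikev2_profile("vpn.example.com",
                                        enable_pfs=True, dh_group=14)))
```

Open the resulting .mobileconfig with a double-click (or via System Settings > Privacy & Security > Profiles) to install it; check the IKEv2 block with `plutil -p ikev2-nopfs.mobileconfig` first so you can see exactly what EnablePFS and LifeTimeInMinutes the client will use.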

zentavr

macrumors newbie
Oct 20, 2023
4
0
I wonder if there is any method to adjust the current VPN IPsec connection without dealing with these profiles? We have plenty of users and, frankly speaking, it would be a pain to generate the profile for each of them.
 

bogdanw

macrumors 603
Mar 10, 2009
6,113
3,021
We have plenty of users and frankly speaking it would be a pain to generate the profile to each of them.
Don’t include user details in the profile, users can enter username & password when connecting.
 

zentavr

macrumors newbie
Oct 20, 2023
4
0
Don’t include user details in the profile, users can enter username & password when connecting.
Ok, but should not the ClientID be unique as well? When I set up IKEv2 locally, that field is not mandatory and we do not populate that. When setting up the profile - the field becomes mandatory.

P.S.: Could you please tell me how to debug the IKEv2 connection on the macOS client? Where can I see the logs?
 

bogdanw

macrumors 603
Mar 10, 2009
6,113
3,021
Ok, but should not the ClientID be unique as well?
What ClientID? LocalIdentifier?
https://developer.apple.com/documentation/devicemanagement/vpn/ikev2
I don't use IKEv2 on macOS, some potentially useful resources
IKEv2 profile examples https://docs.strongswan.org/docs/5.9/interop/appleIkev2Profile.html
Troubleshooting IKEv2 on macOS https://docs.strongswan.org/docs/5.9/interop/ios.html#_troubleshooting_ikev2_on_macos
"To collect IKEv2 logs on macOS, use the process:NEIKEv2Provider search filter in Console.
Logs can also be viewed or followed in Terminal with the following commands:
log show --predicate 'process == "NEIKEv2Provider"'
log stream --predicate 'process == "NEIKEv2Provider"'"
 
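The `log show` command quoted above returns raw entries; the Python script below, added here and not part of the thread or of strongSwan's documentation, reads the same log in `--style ndjson` form and reports each tunnel drop caused by "Failed to delete old Child SA" together with how long the tunnel had been up, so the 24-minute pattern described earlier in the thread can be confirmed from the log instead of a stopwatch. The field names `timestamp`, `processImageName` and `eventMessage` are an assumption about the shape of macOS's ndjson output, and the sample log is constructed (only the three messages quoted at the top of the thread are real).

```python
"""Triage NEIKEv2Provider log entries for the rekey failure seen in the thread.

Added example, not from the thread. Feed it the output of
  log show --style ndjson --predicate 'process == "NEIKEv2Provider"' --last 1h
(one JSON object per line). The field names below are an assumption about
that format.
"""
import json
from datetime import datetime, timedelta

# Substrings of the messages quoted in the thread.
CHILD_SA_FAILURE = "Failed to delete old Child SA"
TUNNEL_STOP = "stopping tunnel since Child disconnected"

# Posters report the drop at the 24-minute mark (1440 seconds).
REKEY_MARK = timedelta(minutes=24)
TOLERANCE = timedelta(seconds=30)


def parse_ndjson(text):
    """Yield (timestamp, message) for every NEIKEv2Provider entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("processImageName") != "NEIKEv2Provider":
            continue
        # log(1) timestamps look like '2023-10-02 10:24:00.123456+0200'
        ts = datetime.strptime(entry["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z")
        yield ts, entry["eventMessage"]


def find_rekey_failures(text):
    """Return one dict per tunnel drop caused by a failed child SA rekey.

    Uptime is measured from the first NEIKEv2Provider entry of the current
    tunnel (reset after each 'stopping tunnel' message), so a drop close to
    24 minutes points at the client-side child SA lifetime rather than at
    the network.
    """
    failures = []
    tunnel_start = None
    for ts, msg in parse_ndjson(text):
        if tunnel_start is None:
            tunnel_start = ts
        if CHILD_SA_FAILURE in msg:
            elapsed = ts - tunnel_start
            failures.append({
                "at": ts.isoformat(),
                "elapsed_minutes": round(elapsed.total_seconds() / 60, 1),
                "at_24_minute_mark": abs(elapsed - REKEY_MARK) <= TOLERANCE,
            })
        if TUNNEL_STOP in msg:
            tunnel_start = None  # the next entry belongs to a new tunnel
    return failures


# Constructed sample. The first message is invented filler; the last three
# are the messages quoted at the top of the thread.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2023-10-02 10:00:00.000000+0200",
     "processImageName": "NEIKEv2Provider",
     "eventMessage": "Primary Tunnel (ifIndex 18): tunnel established"},
    {"timestamp": "2023-10-02 10:05:00.000000+0200",
     "processImageName": "kernel",
     "eventMessage": "unrelated entry, ignored by the process filter"},
    {"timestamp": "2023-10-02 10:24:02.000000+0200",
     "processImageName": "NEIKEv2Provider",
     "eventMessage": "NEIKEv2Provider: Primary Tunnel (ifIndex 18)>: : "
                     "Failed to set interface availability for ipsec0"},
    {"timestamp": "2023-10-02 10:24:02.100000+0200",
     "processImageName": "NEIKEv2Provider",
     "eventMessage": "childStateUpdateBlock callback: got Child Disconnected "
                     "(Error Domain=NEIKEv2ErrorDomain Code=1 "
                     "\"Internal: Failed to delete old Child SA\")"},
    {"timestamp": "2023-10-02 10:24:02.200000+0200",
     "processImageName": "NEIKEv2Provider",
     "eventMessage": "stopping tunnel since Child disconnected 14"},
])


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NDJSON
    for failure in find_rekey_failures(text):
        print(failure)
```

Run it as `log show --style ndjson --predicate 'process == "NEIKEv2Provider"' --last 1h | python3 ikev2_triage.py`; with no input on stdin it runs over the constructed sample and prints one drop at about 24 minutes.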

zentavr

macrumors newbie
Oct 20, 2023
4
0
What ClientID? LocalIdentifier?
Yes, LocalIdentifier is what I mean. I have a test MikroTik RouterOS server and am trying to understand what setup I can use for iOS/Windows and macOS so that nothing third-party has to be set up or added on the client OS to make the connection work.
 

Attila_G

macrumors newbie
Dec 27, 2016
3
0
Same 24-Minute-Bug here. Using a Mac mini M2 with Sonoma 14.2 Beta. Any help is appreciated!
 

Peacock22

macrumors newbie
Oct 29, 2018
17
22
I have found a fix (or workaround?) for this issue: if you set the lifetime of the phase 2 / SA / proposal on the VPN server side to a value less than 1440 seconds / 24 minutes (1200 seconds / 20 minutes for example), then the connection will rekey before the 24 minute mark, and it'll rekey correctly without dropping.

It seems that when the iOS/macOS device hits the default lifetime limit of 24 minutes, it tries to rekey but maybe uses incorrect values, so the VPN tunnel drops since it couldn't rekey. But when the server-side lifetime expires, the rekey is successful (maybe since the server initiates the rekey using the correct values?), and the connection stays up and works perfectly fine. So the trick seems to be to make sure the server lifetime always expires before the Apple device client lifetime: just set something shorter than 24 minutes on the server side (20 minutes, for example) and you should avoid the problem.

I use a MikroTik router running RouterOS 7.12 as my IKEv2 VPN server. Setting lifetime=20m (or something else less than 24m) under the VPN proposal fixed it for me. I last used the VPN for over an hour without any issues. I haven't used Apple Configurator to modify settings on my iOS/macOS devices (running iOS 17.1.1 and macOS 14.1.1 Sonoma), so the VPN settings on the clients are the defaults that Apple sets. My other settings include using SHA256, aes-256-cbc, and ecp256 as the PFS group.

I hope this helps.
 

Attila_G

macrumors newbie
Dec 27, 2016
3
0
I have currently switched to VPN Tracker 365. It costs money, but there's support and it works.
 

Mcrumors David

macrumors regular
Oct 8, 2014
190
77
I have downgraded to Ventura -> no issues
The quality of Apple's Software and the disregard for bug (reports) pisses me off, wow
 

Mcrumors David

macrumors regular
Oct 8, 2014
190
77
In the IKEv2 configuration profile created with one of these apps
iMazing Profile Editor https://apps.apple.com/app/id1487860882
Apple Configurator https://apps.apple.com/app/id1037126344
ProfileCreator https://github.com/ProfileCreator/ProfileCreator

Appreciated!


macOS lets me choose Username + Password as Authentication for IKEv2, but the iMazing Profile Editor does not list that option. What am I doing wrong?

(screenshot attached)



Second question ...when using a Certificate what is the UUID in Keychain Access (where my Certificate from the VPN Server is imported to)?

(screenshot attached)


...parameters I see in Keychain Access for my VPN Server Cert, Zyxel USG fyi, (not UUID):

(screenshots attached)
 
