Most Mac users can't connect with IKEv2

We have several Mac users that can't connect with IKEv2 mobile VPN. Others have no issues. I can't find a pattern with either group. All are running the newest version of Mac and our firewall is a cluster of M670s running 12.6.2.

They get a "VPN connection: a configuration error has occurred" popup. In the /var/log/wifi.log they see this:

<airportd[266]> _processIPv4Changes: ARP/NDP offloads disabled, not programming the offload

I've tested their credentials from a Windows machine and don't have any issues.

Comments

  • I have come across this in the past. I seem to remember that it had something to do with expired certificates or changing a setting on the Mac related to certificates.

    Adrian from Australia

  • James_Carson Moderator, WatchGuard Representative

    Everything I can find on that log line points at certs, like Bruce mentioned. Double-check that your IKEv2 cert is current, and that the script to add it was run as an admin on the Mac (so that the cert was copied over correctly).

    -James Carson
    WatchGuard Customer Support

  • Thank you both, I will try to get them to test this week and update the post.

  • Like Adrian mentioned...

  • Hi James,

    Sorted out an initial IKEv2 configuration and got it working on Windows 10 okay. Turning to OS X (Big Sur), importing the Mac version of the profile seemed to work (prompted to add the profile, VPN configuration is completed with the same remote server address/remote ID (FQDN), but no Local ID (guess it's not needed?)).

    However, in making a connection, the handshake is made but the connection is promptly dumped within 5 seconds.

    Wondering if anyone else is having issues with IKEv2 on OS X?

  • Besides Authentication diagnostic logging, you can do VPN -> IKE diagnostic logging, either of which may show something to help in Traffic Monitor.

  • Bruce,

    Thanks; exploring the IPSec client app (which so far seems to work pretty well).

    May revisit the IKEv2 issue at a later date.
