macOS Sonoma VPN IKEv2 randomly disconnects

I've set up VPN IKEv2 on macOS Sonoma and now I'm randomly being disconnected and reconnected every few minutes while I'm connected. I've performed Layer 1 troubleshooting on my network and here at Corporate and I'm still suffering the same issue. Anyone have any tips on how I can check my setup on my Mac?


  • james.carson Moderator, WatchGuard Representative

    Hi @kiffin

    It might be helpful to have the firewall admin turn logs for the IKE/IPSec services up to Information so you can see logs for the VPN connections being built/torn down in the Firebox's traffic monitor. If you search for the IP your Mac is coming from, it should reasonably filter down the logs.

    If there is an option to log to a file or similar on the Mac itself, you may be able to discern why it's disconnecting.

    Some customers have complained that upgrading changed their VPN profile on their Mac to include PFS (perfect forward secrecy) and/or completely removed the rekey timer on their VPN. If either of those are the case, it may be helpful to reimport the VPN profile. The OS should really not change a pre-configured profile like this without notifying the user.

    -James Carson
    WatchGuard Customer Support

  • I'll give it a shot and update you. Cheers.

  • Same here - annoying because the reconnect needs an auth point :-/

  • edited October 11

    Any updates on this? We're experiencing the same issue in our team. All three of us who have M1 Macs running Sonoma have encountered this issue and our VPN disconnects exactly at 24 minutes.


    Seems like other people are having the same issue.

    These are some of the logs I can see on my Mac, I've forwarded them to our IT team:

    [CREATE_CHILD_SA R resp10 B31BAAD3612A1D66-06012828995D9C27] 
    Rekey child received notify error 
    Error Domain=NEIKEv2ProtocolErrorDomain 
    IKEv2Session[1, B31BAAD3612A1D66-06012828995D9C27] 
    Received DH group preference 0 is not in Child rekey proposal (child rekey retry DH)
    ChildSA[1, 0C141F56-16745CA0] state Connected -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=6 
    "PeerInvalidSyntax: Received DH group preference 0 is not in Child rekey proposal (child rekey retry DH)" 
    Received DH group preference 0 is not in Child rekey proposal (child rekey retry DH)} 
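To make the log excerpt above actionable, here is an added example (not from the original thread or from WatchGuard) that parses macOS NEIKEv2 lines of this shape, pulls out the child SA rekey failures and state transitions, measures the interval between disconnects, and reports which Diffie-Hellman group the Mac says it received from the peer versus the groups assumed to be in its own child rekey proposal. The timestamps and the local proposal group set ({19}) are constructed assumptions; the message formats are taken from the posted lines. Group numbers are the IANA IKEv2 Transform Type 4 values, where 0 means NONE (no PFS).

```python
import re
from datetime import datetime

# IANA IKEv2 Diffie-Hellman group numbers (Transform Type 4); 0 is NONE, i.e. no PFS.
DH_GROUP_NAMES = {0: "NONE (no PFS)", 14: "MODP_2048", 19: "ECP_256", 20: "ECP_384"}

# Constructed sample: the lines quoted in the post, with hypothetical timestamps
# prepended so that the interval between disconnects can be computed.
SAMPLE_LOG = """\
2023-10-11 09:00:00 IKEv2Session[1, B31BAAD3612A1D66-06012828995D9C27] ChildSA[1, 0C141F56-16745CA0] state Connecting -> Connected
2023-10-11 09:24:00 [CREATE_CHILD_SA R resp10 B31BAAD3612A1D66-06012828995D9C27] Rekey child received notify error
2023-10-11 09:24:00 Received DH group preference 0 is not in Child rekey proposal (child rekey retry DH)
2023-10-11 09:24:00 ChildSA[1, 0C141F56-16745CA0] state Connected -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=6
2023-10-11 09:24:05 ChildSA[1, 0C141F56-16745CA0] state Connecting -> Connected
2023-10-11 09:48:00 [CREATE_CHILD_SA R resp11 B31BAAD3612A1D66-06012828995D9C27] Rekey child received notify error
2023-10-11 09:48:00 Received DH group preference 0 is not in Child rekey proposal (child rekey retry DH)
2023-10-11 09:48:00 ChildSA[1, 0C141F56-16745CA0] state Connected -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=6
"""

TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
DH_RE = re.compile(r"Received DH group preference (?P<group>\d+) is not in Child rekey proposal")
STATE_RE = re.compile(r"ChildSA\[(?P<sa>[^\]]+)\] state (?P<old>\w+) -> (?P<new>\w+)")


def parse_events(text):
    """Return (timestamp, kind, detail) tuples for DH mismatches at rekey and child SA teardowns.

    kind is "rekey_dh_mismatch" (detail = received DH group number) or
    "child_sa_down" (detail = the ChildSA identifier). Lines without a timestamp are skipped.
    """
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        dh = DH_RE.search(msg)
        if dh:
            events.append((ts, "rekey_dh_mismatch", int(dh["group"])))
            continue
        st = STATE_RE.search(msg)
        if st and st["new"] == "Disconnected":
            events.append((ts, "child_sa_down", st["sa"]))
    return events


def disconnect_intervals_minutes(events):
    """Whole minutes between consecutive child SA teardowns; a constant value points at a lifetime/rekey timer."""
    downs = [ts for ts, kind, _ in events if kind == "child_sa_down"]
    return [int((b - a).total_seconds() // 60) for a, b in zip(downs, downs[1:])]


def diagnose(events, local_proposal_groups):
    """Compare each DH group the Mac reports receiving against the groups assumed in its own rekey proposal.

    local_proposal_groups is an assumption supplied by the caller (e.g. {19} for ECP_256).
    A received group outside that set is exactly what the posted log complains about.
    """
    received = sorted({g for _, kind, g in events if kind == "rekey_dh_mismatch"})
    return [
        {
            "received_group": g,
            "received_name": DH_GROUP_NAMES.get(g, f"group {g}"),
            "local_groups": sorted(local_proposal_groups),
        }
        for g in received
        if g not in local_proposal_groups
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("disconnect intervals (min):", disconnect_intervals_minutes(evts))
    for finding in diagnose(evts, {19}):
        print("peer offered DH", finding["received_group"], finding["received_name"],
              "but the local child rekey proposal only has", finding["local_groups"])
```

Run it against a real `log show` export after adjusting `TS_RE` to the timestamp format your export uses. A finding with `received_group` 0 while the profile lists a real group is the mismatch the thread resolves by giving Phase 2 on the Firebox a PFS group that the Mac's profile also lists.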
  • @kiffin said:
    I'll give it a shot and update you. Cheers.

    Were you able to get this resolved?

  • Worked for me:
    IKEv2 Shared Settings:
    Phase1: AES-GCM-256bit / 24hours / DH Group 19

    IKEv2 Configuration:
    Security / Phase2
    PFS DH Group 19
    ESP/SHA2-256/AES 256bit

  • Oh sweet, thanks. Any chance there are instructions to verify those settings and update them?

  • edited October 13

    [Duplicate comment]

  • james.carson Moderator, WatchGuard Representative

    @edgar.ciraconnect That would be macOS changing the proposals without telling you. If you match the proposals that it's asking for, the VPN should come up.

    I would suggest sending feedback to Apple that they should never change the proposal on an existing VPN without notifying/confirming that is what is needed.

    -James Carson
    WatchGuard Customer Support

  • edited October 13


    Sorry for the double comment, the one from yesterday kept failing to post so I submitted again today without realizing it actually succeeded.

    Unfortunately I'm not knowledgeable about this enough to know what exactly to include in the feedback to Apple. But I'll definitely do it.

  • james.carson Moderator, WatchGuard Representative

    Hi @edgar.ciraconnect
    Absolutely willing to help; however, pointing out that it was taken from a working config to a broken config.

    In theory, re-loading the VPN profile should generate the VPN using those proposals. The other option would be to change the proposal on the WatchGuard side -- see the post from Veloso up the page a bit for those settings.

    -James Carson
    WatchGuard Customer Support

  • Cool! Thanks! I'll give it a whirl. Cheers!

  • The IKEv2 Shared Settings and IKEv2 Configuration that Veloso mentioned don't work for me. Every 24 minutes, my IKEv2 VPN disconnects by itself.

  • edited November 9

    I think we may have fixed the 24-minute disconnection issue by going to Fireware Web UI > VPN > Mobile VPN > IKEv2 > Configure > Security > Phase 2 Settings > Enable Perfect Forward Secrecy > and changing it to Diffie-Hellman Group 19.

    Our affected macOS Sonoma system's VPN has now been connected for 33 minutes and counting.

    UPDATE: Now the Mac's VPN is disconnecting at the 48-minute mark instead of 24. So, exactly double the time. Unsure what that tells us...
