macOS Sonoma VPN IKEv2 randomly disconnects
I've set up VPN IKEv2 on macOS Sonoma and now I'm randomly being disconnected and reconnected every few minutes while I'm connected. I've performed Layer 1 troubleshooting on my network and here at Corporate and I'm still suffering the same issue. Anyone have any tips on how I can check my setup on my Mac?
Comments
Hi @kiffin
It might be helpful to have the firewall admin turn the logs for the IKE/IPSec services up to Information so you can see logs for the VPN connections being built/torn down in the Firebox's Traffic Monitor. If you search for the IP your Mac is coming from, it should reasonably filter down the logs.
If there is an option to log to a file or similar on the Mac itself, you may be able to discern why it's disconnecting.
Some customers have complained that upgrading changed their VPN profile on their Mac to include PFS (perfect forward secrecy) and/or completely removed the rekey timer on their VPN. If either of those are the case, it may be helpful to reimport the VPN profile. The OS should really not change a pre-configured profile like this without notifying the user.
-James Carson
WatchGuard Customer Support
I'll give it a shot and update you. Cheers.
Same here - annoying because the reconnect needs an auth point :-/
Any updates on this? We're experiencing the same issue in our team. All three of us who have M1 Macs running Sonoma have encountered this issue and our VPN disconnects exactly at 24 minutes.
https://forums.macrumors.com/threads/sonoma-bug-ikev2-vpn-no-longer-rekeys-so-vpn-connections-drop-every-20-25-minutes.2406029/
Seems like other people are having the same issue.
These are some of the logs I can see on my Mac, I've forwarded them to our IT team:
Were you able to get this resolved?
Worked for me:
IKEv2 Shared Settings:
Phase1: AES-GCM-256bit / 24hours / DH Group 19
IKEv2 Configuration:
Security / Phase2
PFS DH Group 19
ESP/SHA2-256/AES 256bit
Oh sweet, thanks. Any chance there are instructions to verify those settings and update them?
@kiffin
The link here should drop you into the IKEv2 phase1/2 article:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_config_edit.html?tocpath=Fireware|Configure Network Settings|Mobile VPN Tunnels|Mobile VPN with IKEv2|_____6#Phases
-James Carson
WatchGuard Customer Support
@edgar.ciraconnect That would be macOS changing the proposals without telling you. If you match the proposals that it's asking for, the VPN should come up.
I would suggest sending feedback to Apple that they should never change the proposal on an existing VPN without notifying/confirming that is what is needed.
-James Carson
WatchGuard Customer Support
@james.carson
Sorry for the double comment, the one from yesterday kept failing to post so I submitted again today without realizing it actually succeeded.
Unfortunately I'm not knowledgeable about this enough to know what exactly to include in the feedback to Apple. But I'll definitely do it.
Hi @edgar.ciraconnect
Absolutely willing to help, however, pointing out that it was taken from a working config to a broken config.
In theory, re-loading the VPN profile should generate the VPN using those proposals. The other option would be to change the proposal on the WatchGuard side -- see the post from Veloso up the page a bit for those settings.
-James Carson
WatchGuard Customer Support
Cool! Thanks! I'll give it a whirl. Cheers!
The IKEv2 Shared Settings and IKEv2 Configuration that Veloso mentioned don't work for me. Every 24 minutes, my IKEv2 VPN disconnects by itself.
I think we may have fixed the 24-minute disconnection issue by going to Fireware Web UI > VPN > Mobile VPN > IKEv2 > Configure > Security > Phase 2 Settings > Enable Perfect Forward Secrecy > and changing it to Diffie-Hellman Group 19.
Our affected macOS Sonoma system's VPN has now been connected for 33 minutes and counting.
UPDATE: Now the Mac's VPN is disconnecting at the 48-minute mark instead of 24. So, exactly double the time. Unsure what that tells us...
Just thought I would let you know that this worked for me. At least so far - I've been connected for 53 minutes this most recent session. Thanks for posting.
Hi,
We've finally found a solution with @Veloso.
But if you have different settings in Phase 1, you have to place the Diffie-Hellman Group 19 config at the top of the list.
Thank you.
Fireware 12.10.2
VPN
Hi, the new release did not fix the problem for me. Has it been fixed for anybody else?
You might need to download and install a fresh copy of the IKEv2 profile.
Well, we just upgraded to 12.10.2 this morning. I downloaded a fresh copy of the IKEv2 profile and installed it on my MacBook, and I'm still getting disconnected at the 24 minute mark as well.
This worked for me.
IKEv2 Shared Settings:
Added - Phase 1: AES-GCM-256bit / 24 hours / DH Group 19, and moved it to the top
Mobile VPN - IKEv2 Configuration:
Security / Phase 2
Added ESP/SHA2-256/AES 256bit
Enable Perfect Forward Secrecy > changed it to Diffie-Hellman Group 19
Exported the IKEv2 profile from the Firebox and imported it into my MacBook Pro running Sonoma 14.3.1
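The posts from Veloso and above both come down to one thing: the proposals in the profile on the Mac must match the proposals the Firebox offers, and a profile that has drifted (PFS flipped, Phase 1 lifetime dropped, a different DH group) should be caught before anyone spends another 24 minutes waiting for a drop. The script below is an added example, not WatchGuard's or Apple's code: it parses an Apple .mobileconfig IKEv2 profile with the standard library and reports every Phase 1 / Phase 2 key that differs from the Firebox-side values posted in this thread. It uses the documented VPN payload keys (IKESecurityAssociationParameters, ChildSecurityAssociationParameters, EnablePFS, LifeTimeInMinutes, DiffieHellmanGroup). The mapping of the Firebox proposal names onto those key values, the hypothetical host vpn.example.com and the two sample profiles are my own assumptions, constructed for the example; a real exported profile would be read from disk instead.

```python
import plistlib

# Firebox-side proposals as posted in this thread, expressed with the value
# names Apple's VPN payload uses (mapping assumed for the example).
FIREBOX_PHASE1 = {
    "EncryptionAlgorithm": "AES-256-GCM",   # Phase 1: AES-GCM-256bit
    "DiffieHellmanGroup": 19,               # DH Group 19
    "LifeTimeInMinutes": 24 * 60,           # 24 hours rekey timer
}
FIREBOX_PHASE2 = {
    "EncryptionAlgorithm": "AES-256",       # ESP / AES 256bit
    "IntegrityAlgorithm": "SHA2-256",       # ESP / SHA2-256
    "DiffieHellmanGroup": 19,               # PFS DH Group 19
}


def ikev2_settings(profile_bytes):
    """Return the IKEv2 dictionary of the first com.apple.vpn.managed payload."""
    root = plistlib.loads(profile_bytes)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed":
            return payload.get("IKEv2", {})
    raise ValueError("no com.apple.vpn.managed payload in profile")


def compare(label, actual, expected):
    """List every expected key that is missing or differs in the profile."""
    findings = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None:
            findings.append(f"{label}: {key} missing (Firebox expects {want!r})")
        elif got != want:
            findings.append(f"{label}: {key}={got!r}, Firebox expects {want!r}")
    return findings


def check_profile(profile_bytes, phase1=FIREBOX_PHASE1,
                  phase2=FIREBOX_PHASE2, expect_pfs=True):
    """Return a list of mismatches; an empty list means the profile matches."""
    ike = ikev2_settings(profile_bytes)
    findings = compare("Phase 1", ike.get("IKESecurityAssociationParameters", {}), phase1)
    findings += compare("Phase 2", ike.get("ChildSecurityAssociationParameters", {}), phase2)
    pfs = bool(ike.get("EnablePFS", False))
    if pfs != expect_pfs:
        side = "requires" if expect_pfs else "does not use"
        findings.append(f"EnablePFS={pfs}, Firebox {side} PFS")
    return findings


def build_profile(ikev2):
    """Build a minimal, constructed .mobileconfig around one IKEv2 dictionary."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ikev2",            # hypothetical
        "PayloadContent": [{
            "PayloadType": "com.apple.vpn.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.vpn.ikev2.payload",  # hypothetical
            "UserDefinedName": "Firebox IKEv2 (constructed)",
            "VPNType": "IKEv2",
            "IKEv2": ikev2,
        }],
    })


# Constructed sample 1: a profile that has drifted from the Firebox proposals
# (no Phase 1 lifetime, DH group 14 on both phases, PFS off).
DRIFTED_PROFILE = build_profile({
    "RemoteAddress": "vpn.example.com",
    "IKESecurityAssociationParameters": {
        "EncryptionAlgorithm": "AES-256-GCM", "DiffieHellmanGroup": 14},
    "ChildSecurityAssociationParameters": {
        "EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": 14},
    "EnablePFS": False,
})

# Constructed sample 2: a profile that matches the posted Firebox settings.
MATCHING_PROFILE = build_profile({
    "RemoteAddress": "vpn.example.com",
    "IKESecurityAssociationParameters": dict(FIREBOX_PHASE1),
    "ChildSecurityAssociationParameters": dict(FIREBOX_PHASE2),
    "EnablePFS": True,
})

if __name__ == "__main__":
    for name, profile in (("drifted", DRIFTED_PROFILE), ("matching", MATCHING_PROFILE)):
        print(name, "->", check_profile(profile) or "OK, proposals match")
```

To check a real export, replace the constructed bytes with `open("firebox.mobileconfig", "rb").read()` and adjust the two FIREBOX_* dictionaries to whatever the Firebox admin has configured under IKEv2 Shared Settings and Phase 2; the point is to compare the Mac side against the firewall side rather than trust that the installed profile still says what it said when it was imported.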
The same solution, changing the IKE settings, is working for me too, with Sonoma 14.4.1. I have not needed to download the IKE profile again.
Not sure how I missed this fix, but THANK YOU! I just made these changes and it also worked for me. No need to download the IKE profile again.