
bogdanw

macrumors 603
Mar 10, 2009
5,710
2,748
MacOS lets me choose a Username + Password as Authentication for IKEv2, the iMazing-Profile-Editor does not list that option. What am I doing wrong?
“Set to None when enabling EAP (ExtendedAuthEnabled)”
So, set to None, then check Enable EAP-only authentication, username and password fields will become available.
May I ask for the path of the log(s) on MacOS that I can tail?
See post #12
 

Mcrumors David

macrumors regular
Oct 8, 2014
180
67
“Set to None when enabling EAP (ExtendedAuthEnabled)”
So, set to None, then check Enable EAP-only authentication, username and password fields will become available.

See post #12

Appreciated. After trial and error I was able to inject a VPN profile created by Apple Configurator into my System Settings and successfully connect on Sonoma.

I tested it and it worked well past the 24min mark (last time I checked it was active for 1h:20m).

...
Am I happy about it? No, on Ventura (basically every OS below Sonoma) I can simply use the System-Setting's VPN page and voilà ...
 

cwagz78

macrumors member
May 27, 2012
30
41
After upgrading to 14.2 my working VPN profile that had a username and password (shared key) embedded will no longer connect. If I create a profile with no preshared key, I can connect by entering the key when the pop up asks for it during connection. If I go into the macOS VPN settings and try to save the password, then the VPN profile will no longer connect no matter what I do. I have to remove the profile, reload it and enter the password each time I connect.

Anyone else experience this?

This is an IKEV2 EAP-MSCHAP VPN. Same profile I have been using for quite some time without issue until 14.2 came out.
 

Mcrumors David

macrumors regular
Oct 8, 2014
180
67
After upgrading to 14.2 my working VPN profile that had a username and password (shared key) embedded will no longer connect. If I create a profile with no preshared key, I can connect by entering the key when the pop up asks for it during connection. If I go into the macOS VPN settings and try to save the password, then the VPN profile will no longer connect no matter what I do. I have to remove the profile, reload it and enter the password each time I connect.

Anyone else experience this?

This is an IKEV2 EAP-MSCHAP VPN. Same profile I have been using for quite some time without issue until 14.2 came out.

What does the server side look like?

Any logs?

*Better post on the Apple-Forum or the respective product's forum (i.e. if the receiving side was a Zyxel modem, ask there)

One perhaps helpful article...
 

cwagz78

macrumors member
May 27, 2012
30
41
What does the server side look like?

Any logs?

*Better post on the Apple-Forum or the respective product's forum (i.e. if the receiving side was a Zyxel modem, ask there)

One perhaps helpful article...
Thank you for the reply. I am running pfSense and have had zero issues up until 14.2.

I don't have the logs right now. It really seemed like it was just not saving the pre-shared key correctly. Thank you for the link to the Apple discussion board. That looks like some promising information.

I have set up Tailscale and I am considering abandoning my IPsec VPN. So far it is working well and does not require a profile to be configured correctly. It can even do connect on demand with rules from the app now on the iPhone.
 

mygu

macrumors newbie
Jan 17, 2024
1
0
I have found a fix (or workaround?) for this issue: if you set the lifetime of the phase 2 / SA / proposal on the VPN server side to a value less than 1440 seconds / 24 minutes (1200 seconds / 20 minutes for example), then the connection will rekey before the 24 minute mark, and it'll rekey correctly without dropping.

It seems that when the iOS/macOS device hits the default lifetime limit of 24 minutes, it tries to rekey but maybe uses incorrect values, so the VPN tunnel drops since it couldn't rekey. But when the server-side lifetime expires, the rekey is successful (maybe since the server initiates the rekey using the correct values?), and the connection stays up and works perfectly fine, so the trick seems to be to make sure the server lifetime always expires before the Apple device client lifetime, so just set something shorter than 24 minutes on the server side (20 minutes, for example) and you should avoid the problem.

I use a MikroTik router running RouterOS 7.12 as my IKEv2 VPN server. Setting lifetime=20m (or something else less than 24m) under the VPN proposal fixed it for me. I last used the VPN for over an hour without any issues. I haven't used Apple Configurator to modify settings on my iOS/macOS devices (running iOS 17.1.1 and macOS 14.1.1 Sonoma), so the VPN settings on the clients are the defaults that Apple sets. My other settings include using SHA256, aes-256-cbc, and ecp256 as the PFS group.

I hope this helps.
It's a perfect workaround. Just simply change on my MikroTik router in a minute.
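
An added example, not part of any post in this thread: a Python check that reads a RouterOS `/ip ipsec proposal` export and flags proposals whose lifetime is not below the 1440-second client mark reported above. The sample export, the proposal names and the 30m value assumed for an omitted lifetime are assumptions; confirm the default on your RouterOS version.

```python
import re

CLIENT_REKEY_SECONDS = 1440   # 24 minutes, the client-side mark reported in the thread
ASSUMED_DEFAULT = "30m"       # assumption: a lifetime omitted from the export means 30m
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert '20m', '1h30m', '00:20:00' or '1d 00:00:00' to seconds."""
    text = text.strip().strip('"')
    total, matched = 0, False
    clock = re.search(r"(\d+):(\d+):(\d+)$", text)
    if clock:
        h, m, s = map(int, clock.groups())
        total, matched = h * 3600 + m * 60 + s, True
        text = text[:clock.start()]
    for number, unit in re.findall(r"(\d+)([wdhms])", text):
        total, matched = total + int(number) * UNITS[unit], True
    if not matched:
        raise ValueError(f"unrecognised duration: {text!r}")
    return total

def audit_proposals(export_text):
    """Return (name, lifetime_seconds, rekeys_before_client) per phase 2 proposal."""
    joined = re.sub(r"\\\s*\n\s*", " ", export_text)   # undo export line wrapping
    section, results = "", []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                              # e.g. "/ip ipsec proposal"
        elif section == "/ip ipsec proposal" and line.startswith(("add ", "set ")):
            fields = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
            seconds = parse_duration(fields.get("lifetime", ASSUMED_DEFAULT))
            name = fields.get("name", "(unnamed)").strip('"')
            results.append((name, seconds, seconds < CLIENT_REKEY_SECONDS))
    return results

# Constructed sample export, not taken from the thread.
SAMPLE_EXPORT = r"""
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=20m \
    name=ikev2-apple pfs-group=ecp256
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ikev2-old
add enc-algorithms=aes-256-cbc lifetime=1h name=site-to-site
/ip ipsec peer
add name=peer1 passive=yes
"""
if __name__ == "__main__":
    for name, seconds, ok in audit_proposals(SAMPLE_EXPORT):
        print(f"{name:14} {seconds:>6}s  {'ok' if ok else 'rekey after client mark'}")
```
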
 