feedback-assistant / reports

Open collection of Apple Feedback Assistant reports

FB13453582: macOS 14 Sonoma ikev2 vpn rekey sends invalid proposals, causing a disconnect every 24/48 minutes, error NoProposalChosen

0x-2a opened this issue · comments

  • Date: 2023-12-07
  • Resolution: Open
  • Area: Network
  • OS: macOS 14.1.2
  • Type: Incorrect/Unexpected Behavior
  • Keywords: sonoma ikev2 ipsec vpn

Description

There seems to be a bug in macOS 14 (14-14.1.2) that causes VPN connections to regularly disconnect after 24 or 48 minutes, causing a short network interrupt for 1-2 seconds. Prior macOS versions up to 13 do not have the issue. Release notes do not mention any breaking changes for 14, or 14.1. We have found that macOS sends an invalid proposal list on rekey, particularly for connections with OnDemand enabled.

With the help of the Libreswan community, we've discussed it at libreswan/libreswan#1450. It is manifesting across developer products, e.g. IPSecVPN hwdsl2/setup-ipsec-vpn#1486, Docker docker/for-mac#7022, and VPN Providers https://discussions.apple.com/thread/255158874.

The bug seems to be somewhere in the rekey/cert/proposal process. With a test server running libreswan 4.12 set to match the default security params from apple dev docs ikesecurityassociationparameters and childsecurityassociationparameters.

To reproduce:

  • Start a VPN server with no rekey or a rekey interval longer than 48 minutes, allowing macOS to initiate the rekey
  • Load a VPN profile on macOS with on-demand enabled
  • Connect, watch the server for incorrect proposal chosen, or wait 24-48 minutes for a rekey, watch for disconnect/reconnect

Feel free to contact me for help resolving the issue.

I have the exact same issue. I am running a Windows Server on Azure, I have set up an Azure VPN Gateway, and my Mac users connect to the server by initiating the macOS built-in VPN client, which starts an IKEv2 VPN to my Azure VPN Gateway, and then the users start an RDS session to my server. Life was good until macOS Sonoma came around.
With macOS 14 the VPN disconnects every 24 minutes. I have several other Macs in the company with macOS 13 and the issue does not happen there. It is definitely something with macOS 14. I have created cases with Apple but nothing. If someone figures out a solution, please let me know.
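
For anyone checking whether their own server shows the pattern reported above, here is an added example (not part of the report or its comments, and not code from Libreswan or Apple) that scans a server-side event log for sessions ending in NoProposalChosen roughly 24 or 48 minutes after they were established. The three-column log format, the event names and the sample lines are constructed for illustration; adapt the regex to what your VPN server actually logs.

```python
import re
from datetime import datetime

# Constructed sample in a simplified "timestamp client event" format.
# This is NOT real libreswan or Azure gateway output.
SAMPLE_LOG = """\
2023-12-07T09:00:02 10.0.0.5 ESTABLISHED
2023-12-07T09:24:03 10.0.0.5 NO_PROPOSAL_CHOSEN
2023-12-07T09:24:05 10.0.0.5 ESTABLISHED
2023-12-07T10:12:04 10.0.0.5 NO_PROPOSAL_CHOSEN
2023-12-07T10:12:06 10.0.0.5 ESTABLISHED
2023-12-07T09:01:00 10.0.0.9 ESTABLISHED
2023-12-07T09:41:00 10.0.0.9 NO_PROPOSAL_CHOSEN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(ESTABLISHED|NO_PROPOSAL_CHOSEN)$")
REKEY_SECONDS = 24 * 60   # the report describes drops after 24 or 48 minutes
TOLERANCE_SECONDS = 60    # assumed slack for clock and logging jitter

def find_rekey_failures(log_text):
    """Return {client: [minutes_up, ...]} for sessions that ended in
    NO_PROPOSAL_CHOSEN about 24 or 48 minutes after being established."""
    established = {}   # client -> time of the most recent ESTABLISHED event
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # ignore lines that are not in the assumed format
        ts = datetime.fromisoformat(m.group(1))
        client, event = m.group(2), m.group(3)
        if event == "ESTABLISHED":
            established[client] = ts
        elif client in established:
            uptime = (ts - established.pop(client)).total_seconds()
            multiple = round(uptime / REKEY_SECONDS)
            drift = abs(uptime - multiple * REKEY_SECONDS)
            # Only the 1x and 2x intervals match the reported symptom.
            if multiple in (1, 2) and drift <= TOLERANCE_SECONDS:
                hits.setdefault(client, []).append(round(uptime / 60))
    return hits

if __name__ == "__main__":
    for client, uptimes in find_rekey_failures(SAMPLE_LOG).items():
        print(f"{client}: proposal failures after {uptimes} minutes")
```
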