Does anyone use IKEv2 VPN with the native macOS client? For some reason it drops every 8 minutes, and from the Mikrotik logs it is not clear why (in theory some rekey should be happening here, but all I can see is that it drops). There is no such problem with iOS clients, nor with WireGuard; it only shows up with macOS. Phase 1-2 config below:
name="ike2" hash-algorithm=sha256 enc-algorithm=aes-256
dh-group=x25519,ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048
lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=disable-dpd
name="ike2-proposal" auth-algorithms=sha512,sha256
enc-algorithms=chacha20poly1305,aes-256-cbc,aes-256-ctr,aes-256-gcm
lifetime=30m pfs-group=modp2048
If it works for anyone beyond 8 minutes, could you please post your phase 1-2 algorithms here?
Comments
I don't have a macOS machine in front of me right now, so I'm just brainstorming: when did this last work properly? What shows up in the logs (client + server)?
I don't have an Apple machine, so no real experience with this either, but if it's fine for 8 minutes then all your settings are fine except the key lifetimes, because one side drops them sooner than the other, most likely at the Phase 2 (child SA) level.
Unfortunately a quick search didn't turn up the classic data on what the default is (with a Draytek router there was the case that a bunch of IPsec parameters were fixed in it, so the other side had to be adjusted to that default), but a few useful pages come up; I think it's worth going through them, maybe you'll find your solution:
Resolving issues with IKEv2 VPN in Apple devices
Sonoma bug: IKEv2 VPN no longer rekeys so VPN connections drop every 20-25 minutes.
A bit further down there is a concrete suggestion for a quick, simple fix
I use macOS + IKEv2, it doesn't drop for me, but the other end is Linux + strongSwan, not Mikrotik.
At a glance, what looks suspicious is that the phase 1 lifetime is shorter than the phase 2 one; I think it should be the other way round...
The other suspicious thing is that you turned DPD off, and if the client is behind NAT and there is no traffic in the VPN for 1-2 minutes (or 8?), the UDP conntrack entry underneath it expires.
Thanks, actually it has worked like this so far with macOS 14 (and it works fine with the phone and the iPad), but I'm playing with the timers. I mostly go over IPv6, so NAT isn't usually a problem, but I'll turn that on too.
Edit: Mea culpa, I put the phases in the wrong order :) I'll edit the OP in a moment
For some reason, during the rekey it won't accept the config the connection was otherwise established with (NO_PROPOSAL_CHOSEN):
11:13:28 ipsec ipsecdebug: processing payload: SA
11:13:28 ipsec ipsecdebug: IKE Protocol: IKE
11:13:28 ipsec ipsecdebug: proposal #1
11:13:28 ipsec ipsecdebug: enc: aes256-cbc
11:13:28 ipsec ipsecdebug: prf: hmac-sha256
11:13:28 ipsec ipsecdebug: auth: sha256
11:13:28 ipsec ipsecdebug: dh: modp2048
11:13:28 ipsec ipsecdebug: proposal #2
11:13:28 ipsec ipsecdebug: enc: aes256-cbc
11:13:28 ipsec ipsecdebug: prf: hmac-sha256
11:13:28 ipsec ipsecdebug: auth: sha256
11:13:28 ipsec ipsecdebug: dh: ecp256
11:13:28 ipsec ipsecdebug: proposal #3
11:13:28 ipsec ipsecdebug: enc: aes256-cbc
11:13:28 ipsec ipsecdebug: prf: hmac-sha256
11:13:28 ipsec ipsecdebug: auth: sha256
11:13:28 ipsec ipsecdebug: dh: modp1536
11:13:28 ipsec ipsecdebug: proposal #4
11:13:28 ipsec ipsecdebug: enc: aes128-cbc
11:13:28 ipsec ipsecdebug: prf: hmac-sha1
11:13:28 ipsec ipsecdebug: auth: sha1
11:13:28 ipsec ipsecdebug: dh: modp1024
11:13:28 ipsec ipsecdebug: proposal #5
11:13:28 ipsec ipsecdebug: enc: 3des-cbc
11:13:28 ipsec ipsecdebug: prf: hmac-sha1
11:13:28 ipsec ipsecdebug: auth: sha1
11:13:28 ipsec ipsecdebug: dh: modp1024
11:13:28 ipsec ipsecdebug: matched proposal:
11:13:28 ipsec ipsecdebug: proposal #1
11:13:28 ipsec ipsecdebug: enc: aes256-cbc
11:13:28 ipsec ipsecdebug: prf: hmac-sha256
11:13:28 ipsec ipsecdebug: auth: sha256
11:13:28 ipsec ipsecdebug: dh: modp2048
11:13:28 ipsec ipsecdebug: processing payload: KE
--snip---
11:13:28 ipsec ipsecdebug: IKE Protocol: ESP
11:13:28 ipsec ipsecdebug: proposal #1
11:13:28 ipsec ipsecdebug: enc: aes256-cbc
11:13:28 ipsec ipsecdebug: auth: sha256
11:13:28 ipsec ipsecdebug: proposal #2
11:13:28 ipsec ipsecdebug: enc: aes128-cbc
11:13:28 ipsec ipsecdebug: auth: sha1
11:13:28 ipsec ipsecdebug: proposal #3
11:13:28 ipsec ipsecdebug: enc: 3des-cbc
11:13:28 ipsec ipsecdebug: auth: sha1
11:13:28 ipsec ipsecdebug: processing payload: TS_I
11:13:28 ipsec ipsecdebug: 0.0.0.0/0
11:13:28 ipsec ipsecdebug: [::/0]
11:13:28 ipsec ipsecdebug: processing payload: TS_R
11:13:28 ipsec ipsecdebug: 0.0.0.0/0
11:13:28 ipsec ipsecdebug: [::/0]
11:13:28 ipsec ipsecdebug: TSi in tunnel mode replaced with config address: 10.x.y.z
11:13:28 ipsec ipsecdebug: TSr in tunnel mode replaced with split subnet: 0.0.0.0/0
11:13:28 ipsec ipsecdebug: candidate selectors: 0.0.0.0/0 <=> 10.x.y.z
11:13:28 ipsec ipsecdebug: candidate selectors: [::/0] <=> [::/0]
11:13:28 ipsec ipsecdebug: searching for policy for selector: 0.0.0.0/0 <=> 10.x.y.z
11:13:28 ipsec ipsecdebug: generating policy
11:13:28 ipsec ipsecdebug: matched proposal:
11:13:28 ipsec ipsecdebug: proposal #1
11:13:28 ipsec ipsecdebug: enc: aes256-cbc
11:13:28 ipsec ipsecdebug: auth: sha256
11:13:28 ipsec ipsecdebug: ike auth: finish
8 minutes pass
11:21:28 ipsec ipsecdebug: IKE SA rekey
11:21:28 ipsec ipsecdebug: processing payload: SA
11:21:28 ipsec ipsecdebug: IKE Protocol: IKE
11:21:28 ipsec ipsecdebug: proposal #1
11:21:28 ipsec ipsecdebug: enc: aes256-cbc
11:21:28 ipsec ipsecdebug: prf: hmac-sha256
11:21:28 ipsec ipsecdebug: auth: sha256
11:21:28 ipsec ipsecdebug: dh: modp2048
11:21:28 ipsec ipsecdebug: matched proposal:
11:21:28 ipsec ipsecdebug: proposal #1
11:21:28 ipsec ipsecdebug: enc: aes256-cbc
11:21:28 ipsec ipsecdebug: prf: hmac-sha256
11:21:28 ipsec ipsecdebug: auth: sha256
11:21:28 ipsec ipsecdebug: dh: modp2048
11:21:28 ipsec ipsecdebug: processing payload: KE
11:21:28 ipsec ipsecdebug: processing payload: NONCE
11:21:28 ipsec ipsecdebug: adding payload: SA
11:21:28 ipsec ipsecdebug: adding payload: KE
11:21:28 ipsec ipsecdebug: adding payload: NONCE
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:2 client_ipv6_address[4500] 5075bb554b1b4b8f:5aae9a769e4febaa
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:3 client_ipv6_address[4500] 5075bb554b1b4b8f:5aae9a769e4febaa
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: DELETE
11:21:28 ipsec ipsecdebug: respond: info
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:3 client_ipv6_address[4500] 5075bb554b1b4b8f:5aae9a769e4febaa
11:21:28 ipsec ipsecdebug: processing payloads: DELETE
11:21:28 ipsec ipsecdebug: delete IKE SA
11:21:28 ipsec ipsecdebug: rekey done
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: CREATE_CHILD_SA:0 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: NOTIFY
11:21:28 ipsec ipsecdebug: payload seen: SA
11:21:28 ipsec ipsecdebug: payload seen: NONCE
11:21:28 ipsec ipsecdebug: payload seen: TS_I
11:21:28 ipsec ipsecdebug: payload seen: TS_R
11:21:28 ipsec ipsecdebug: create child: respond
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY
11:21:28 ipsec ipsecdebug: notify: REKEY_SA
11:21:28 ipsec ipsecdebug: rekeying child SA 0xafc1567
11:21:28 ipsec ipsecdebug: peer wants tunnel mode
11:21:28 ipsec ipsecdebug: processing payload: TS_R
11:21:28 ipsec ipsecdebug: 0.0.0.0/0
11:21:28 ipsec ipsecdebug: processing payload: TS_I
11:21:28 ipsec ipsecdebug: 10.x.y.z
11:21:28 ipsec ipsecdebug: checking: 0.0.0.0/0 <=> 10.x.y.z
11:21:28 ipsec ipsecdebug: processing payload: SA
11:21:28 ipsec ipsecdebug: IKE Protocol: ESP
11:21:28 ipsec ipsecdebug: proposal #1
11:21:28 ipsec ipsecdebug: enc: aes256-cbc
11:21:28 ipsec ipsecdebug: auth: sha256
11:21:28 ipsec ipsecdebug: reply notify: NO_PROPOSAL_CHOSEN
11:21:28 ipsec ipsecdebug: adding notify: NO_PROPOSAL_CHOSEN
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:0 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:1 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: DELETE
11:21:28 ipsec ipsecdebug: respond: info
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:1 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: processing payloads: DELETE
11:21:28 ipsec ipsecdebug: delete ESP SA
11:21:28 ipsec ipsecdebug: delete spi: 0xafc1567
11:21:28 ipsec ipsecdebug: IPsec-SA killing: client_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0xd4cc08d
11:21:28 ipsec ipsecdebug: IPsec-SA killing: mikrotik_ipv6_address[4500]->client_ipv6_address[4500] spi=0xafc1567
11:21:28 ipsec ipsecdebug: removing generated policy
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:2 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: DELETE
11:21:28 ipsec ipsecdebug: respond: info
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:2 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: processing payloads: DELETE
11:21:28 ipsec ipsecdebug: delete IKE SA
11:21:28 ipsec,info killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-client_ipv6_address[4500] spi:8cdbef8c0100ebba:cc797dcb76722b2f
11:21:28 ipsec,info ipsecdebug: killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-client_ipv6_address[4500] spi:8cdbef8c0100ebba:cc797dcb76722b2f
11:21:28 ipsec,info releasing address 10.x.y.z
Now it accepts the proposal but still tears it down:
16:48:48 ipsec ipsecdebug: IKE Protocol: ESP
16:48:48 ipsec ipsecdebug: proposal #1
16:48:48 ipsec ipsecdebug: enc: aes256-cbc
16:48:48 ipsec ipsecdebug: auth: sha256
16:48:48 ipsec ipsecdebug: matched proposal:
16:48:48 ipsec ipsecdebug: proposal #1
16:48:48 ipsec ipsecdebug: enc: aes256-cbc
16:48:48 ipsec ipsecdebug: auth: sha256
16:48:48 ipsec ipsecdebug: processing payload: NONCE
16:48:48 ipsec ipsecdebug: create child: finish
16:48:48 ipsec ipsecdebug: adding payload: NONCE
16:48:48 ipsec ipsecdebug: initiator selector: 10.x.y.z
16:48:48 ipsec ipsecdebug: adding payload: TS_I
16:48:48 ipsec ipsecdebug: responder selector: 0.0.0.0/0
16:48:48 ipsec ipsecdebug: adding payload: TS_R
16:48:48 ipsec ipsecdebug: adding payload: SA
16:48:48 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:0 laptop_ipv6_address[4500] 64f6172b8afde374:2473bd858656f29f
16:48:48 ipsec ipsecdebug: IPsec-SA established: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0xa16ae7d
16:48:48 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:1 laptop_ipv6_address[4500] 64f6172b8afde374:2473bd858656f29f
16:48:48 ipsec ipsecdebug: payload seen: ENC
16:48:48 ipsec ipsecdebug: processing payload: ENC
16:48:48 ipsec ipsecdebug: payload seen: DELETE
16:48:48 ipsec ipsecdebug: respond: info
16:48:48 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
16:48:48 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:1 laptop_ipv6_address[4500] 64f6172b8afde374:2473bd858656f29f
16:48:48 ipsec ipsecdebug: processing payloads: DELETE
16:48:48 ipsec ipsecdebug: delete ESP SA
16:48:48 ipsec ipsecdebug: delete spi: 0xb09bac0
16:48:48 ipsec ipsecdebug: IPsec-SA established: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0x6736133
16:48:48 ipsec ipsecdebug: IPsec-SA killing: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0xf90ba35
16:48:48 ipsec ipsecdebug: IPsec-SA killing: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0xb09bac0
16:48:48 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:2 laptop_ipv6_address[4500] 64f6172b8afde374:2473bd858656f29f
16:48:48 ipsec ipsecdebug: payload seen: ENC
16:48:48 ipsec ipsecdebug: processing payload: ENC
16:48:48 ipsec ipsecdebug: payload seen: DELETE
16:48:48 ipsec ipsecdebug: respond: info
16:48:48 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
16:48:48 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:2 laptop_ipv6_address[4500] 64f6172b8afde374:2473bd858656f29f
16:48:48 ipsec ipsecdebug: processing payloads: DELETE
16:48:48 ipsec ipsecdebug: delete IKE SA
16:48:48 ipsec,info killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-laptop_ipv6_address[4500] spi:2473bd858656f29f:64f6172b8afde374
16:48:48 ipsec,info ipsecdebug: killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-laptop_ipv6_address[4500] spi:2473bd858656f29f:64f6172b8afde374
16:48:48 ipsec ipsecdebug: IPsec-SA killing: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0xa16ae7d
16:48:48 ipsec ipsecdebug: IPsec-SA killing: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0x6736133
16:48:48 ipsec ipsecdebug: removing generated policy
16:48:48 ipsec,info releasing address 10.x.y.z
16:48:48 ipsec,info ipsecdebug: releasing address 10.x.y.z
Solved it, I had to remove the PFS group + lower the lifetime to 5 minutes, and now it works.
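As an added illustration (not code from the thread, from MikroTik or from Apple), this Python script parses ipsecdebug lines like the 11:21:28 ones above and applies a simplified IKEv2 responder proposal match: with pfs-group=modp2048 the client's rekey proposal, which carries no DH transform, cannot be chosen (the NO_PROPOSAL_CHOSEN in the log), while with pfs-group=none, as in the final fix, the same proposal matches. The sample log is constructed from the quoted lines, and the matching rules are a simplification of RFC 7296 section 3.3, not RouterOS code.

```python
import re

# Simplified IKEv2 child-SA proposal matching (RFC 7296 section 3.3) applied to
# MikroTik ipsecdebug output. Constructed sample, modelled on the 11:21:28 lines
# quoted in the thread: the client's rekey proposal carries no DH transform.
REKEY_LOG = """\
11:21:28 ipsec ipsecdebug: notify: REKEY_SA
11:21:28 ipsec ipsecdebug: processing payload: SA
11:21:28 ipsec ipsecdebug: IKE Protocol: ESP
11:21:28 ipsec ipsecdebug: proposal #1
11:21:28 ipsec ipsecdebug: enc: aes256-cbc
11:21:28 ipsec ipsecdebug: auth: sha256
11:21:28 ipsec ipsecdebug: reply notify: NO_PROPOSAL_CHOSEN
"""

TRANSFORM_RE = re.compile(r"ipsecdebug: (enc|prf|auth|dh): (\S+)$")

def parse_esp_proposals(log):
    """Return the ESP proposals the peer offered, as {transform type: {algorithms}}.
    Stops at the ESP 'matched proposal:' line so the responder's echo of its own
    choice is not mistaken for a further offer."""
    proposals, current, in_esp = [], None, False
    for line in log.splitlines():
        if "IKE Protocol:" in line:
            in_esp, current = line.rstrip().endswith("ESP"), None
        elif in_esp and "matched proposal:" in line:
            break
        elif in_esp and "proposal #" in line:
            current = {}
            proposals.append(current)
        elif in_esp and current is not None and (m := TRANSFORM_RE.search(line)):
            current.setdefault(m.group(1), set()).add(m.group(2))
    return proposals

def responder_accepts(proposal, enc_algs, auth_algs, pfs_group=None):
    """Mirror of /ip ipsec proposal enc-algorithms, auth-algorithms and pfs-group.
    Names follow the log's spelling (aes256-cbc, not aes-256-cbc); pfs_group=None
    stands for pfs-group=none, the setting the thread ended on."""
    if not proposal.get("enc", set()) & enc_algs:
        return False
    if not proposal.get("auth", set()) & auth_algs:
        return False
    # pfs-group is set but the peer offered no DH transform: nothing can be chosen.
    if pfs_group is not None and pfs_group not in proposal.get("dh", set()):
        return False
    return True

if __name__ == "__main__":
    offered = parse_esp_proposals(REKEY_LOG)[0]
    for pfs in ("modp2048", None):
        ok = responder_accepts(offered, {"aes256-cbc"}, {"sha256"}, pfs)
        print(f"pfs-group={pfs or 'none'}: {offered} -> {'accepted' if ok else 'NO_PROPOSAL_CHOSEN'}")
```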