I encountered a problem when trying to connect to a VPN server configured in IKEv2 from MacOS (Ventura 13.4.1) on a fresh install.
The VPN server is a RRAS hosted in a Windows server 2019, its certificate is signed by my CA which presents the extensions required by Apple (KeyLength = 2048, KeyUsage = 0xA0, [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5. 7.3.1; Server Authentication, etc.). It has the subject name (common name) as well as the alternative name (DNS name) with its public address, the root certificate has been imported and set to always trusted in the container.
I can connect without difficulties Windows clients, Linux (network manager/libstronswan), IpadOS (16.3.1), androids with stongswan app, and on old MacOS I can connect BigSur and Monterey, it also works after upgrading from Monterey.
I tried many thing in particular on the certificate template, or tried to import in other ways the root CA certificate.
I sniffed the network traffic a little and I can clearly see the flow reaching the RRAS but the latter only sends back a response and then nothing.
I note a detail in passing, when I launch the connection from my Mac it cuts off almost instantly making me think that there is a problem with the system of this Mac, I of course tried to reinstall it completely and also tested it from others Mac than this one also on Ventura, here is the log stack that I obtain during the phase where I try to initiate the connection :
neagent Looking for an extension with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Completed discovery. Final # of matches: 1
neagent Found 1 extension(s) with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent Beginning extension request with extension com.apple.NetworkExtension.IKEv2Provider
neagent Error acquiring assertion: <Error Domain=RBSAssertionErrorDomain Code=2 "Specified target process does not exist" UserInfo={NSLocalizedFailureReason=Specified target process does not exist}>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Ready plugins sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] got pid from ready request: 1824
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] acquired startup assertion
neagent Hit the server for a process handle bd7cb2500000720 that resolved to: [xpcservice<com.apple.NetworkExtension.IKEv2Provider([osservice<com.apple.neagent(501)>:525:525])(501)>:1824]
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Prepare using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E] [<private>(<private>)] Sending prepareUsing to managed extension; this should launch it if not already running.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Begin using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] plugin loaded and ready for host
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] invalidating startup assertion
neagent +[NSExtensionContext _allowedItemPayloadClasses] not implemented. Setting the allowed payload classes to <private>
neagent Extension request with extension com.apple.NetworkExtension.IKEv2Provider started with identifier 6DFB0610-487E-459D-8197-4DE783566C84
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Provider is not signed with a Developer ID certificate
neagent [Host com.apple.NetworkExtension.IKEv2Provider]: Starting with options 0x7fc32a10ab90
neagent Scheduing timer for extension failure/exit for (null)
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin interrupted while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] all extension sessions ended
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin invalidated while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Emptying requests set
Some other logs sample:
erreur 11:10:22.316241+0200 NEIKEv2Provider [IKE_SA_INIT R resp0 49B947259F346F1E-DB039B3DC80268EC] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}\
par défaut 11:10:22.316293+0200 NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}\
erreur 11:10:22.316333+0200 NEIKEv2Provider IKEv2Session[1, 49B947259F346F1E-0000000000000000] Failed to process IKE SA Init packet (connect)\
par défaut 11:10:22.316401+0200 NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)}
selected proposal: IKE:...
).