
I encountered a problem when trying to connect to a VPN server configured for IKEv2 from macOS (Ventura 13.4.1) on a fresh install.

The VPN server is RRAS hosted on Windows Server 2019. Its certificate is signed by my CA and carries the extensions required by Apple (KeyLength = 2048, KeyUsage = 0xA0, [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1; Server Authentication, etc.). It has the subject name (common name) as well as the subject alternative name (DNS name) set to its public address; the root certificate has been imported and set to "always trust" in the container.

I can connect without difficulty from Windows clients, Linux (NetworkManager/libstrongswan), iPadOS (16.3.1), Android with the strongSwan app, and on older macOS I can connect from Big Sur and Monterey; it also works after upgrading from Monterey.

I tried many things, in particular on the certificate template, and also tried importing the root CA certificate in other ways.

I sniffed the network traffic a little and I can clearly see the flow reaching the RRAS, but the latter only sends back one response and then nothing.

One detail in passing: when I launch the connection from my Mac it cuts off almost instantly, which made me think there is a problem with this Mac's system. I of course tried reinstalling it completely and also tested from Macs other than this one, also on Ventura. Here is the log stack that I get during the phase where I try to initiate the connection:

neagent Looking for an extension with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Completed discovery. Final # of matches: 1
neagent Found 1 extension(s) with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent Beginning extension request with extension com.apple.NetworkExtension.IKEv2Provider
neagent Error acquiring assertion: <Error Domain=RBSAssertionErrorDomain Code=2 "Specified target process does not exist" UserInfo={NSLocalizedFailureReason=Specified target process does not exist}>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Ready plugins sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] got pid from ready request: 1824
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] acquired startup assertion
neagent Hit the server for a process handle bd7cb2500000720 that resolved to: [xpcservice<com.apple.NetworkExtension.IKEv2Provider([osservice<com.apple.neagent(501)>:525:525])(501)>:1824]
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Prepare using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E] [<private>(<private>)] Sending prepareUsing to managed extension; this should launch it if not already running.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Begin using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] plugin loaded and ready for host
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] invalidating startup assertion
neagent +[NSExtensionContext _allowedItemPayloadClasses] not implemented. Setting the allowed payload classes to <private>
neagent Extension request with extension com.apple.NetworkExtension.IKEv2Provider started with identifier 6DFB0610-487E-459D-8197-4DE783566C84
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Provider is not signed with a Developer ID certificate
neagent [Host com.apple.NetworkExtension.IKEv2Provider]: Starting with options 0x7fc32a10ab90
neagent Scheduing timer for extension failure/exit for (null)
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin interrupted while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] all extension sessions ended
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin invalidated while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Emptying requests set

Some other log samples:

error    11:10:22.316241+0200    NEIKEv2Provider [IKE_SA_INIT R resp0 49B947259F346F1E-DB039B3DC80268EC] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
default  11:10:22.316293+0200    NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
error    11:10:22.316333+0200    NEIKEv2Provider IKEv2Session[1, 49B947259F346F1E-0000000000000000] Failed to process IKE SA Init packet (connect)
default  11:10:22.316401+0200    NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)}
  • A NO_PROPOSAL_CHOSEN notify is returned by the server if it isn't able to find suitable algorithms in the request sent by the client. If you have a capture of the IKE_SA_INIT request message you can see what the client proposes in the SA payload, which might be helpful. Note that Windows has usually relatively weak algorithms enabled, in particular for the key exchange, so that might be an issue. Depending on the algorithms it might be possible to configure the client with a configuration profile that sets specific algorithms.
    – ecdsa
    Commented Sep 18, 2023 at 11:46
  • Indeed, I am testing with Apple Configurator to specify the connection information; on the other hand, it is impossible to validate the import of the profile, and it seems to come from the IKE parameters. I have tested several combinations of config without success; it works without problem if I import a profile configured for L2TP with placeholder parameters. Any idea would be welcome! Commented Sep 18, 2023 at 15:47
  • Yes, you need to tweak the IKE algorithms. You can check what algorithms are selected on a client where it works (e.g. check the logs on Linux or in the Android app, it should say something like: selected proposal: IKE:...).
    – ecdsa
    Commented Sep 19, 2023 at 7:14
  • OK, so I am still on Apple Configurator and I cannot import the profile when IKEv2 is selected. I fill in all mandatory information and then get these logs: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'VPN Service' payload could not be installed. The VPN server could not be created." UserInfo={NSLocalizedDescription=The 'VPN Service' payload could not be installed. The VPN server could not be created.} I can add, for example, an IPsec profile with completely stupid information and that works. Commented Sep 19, 2023 at 12:52
  • OK, finally it works! I had to specify my internal DNS server in Apple Configurator. Commented Sep 19, 2023 at 14:10
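The responder-side logic behind the NO_PROPOSAL_CHOSEN notify discussed in the comments, as an added Python example that is not part of the original question or of the comments above: it encodes and decodes an IKEv2 SA payload (RFC 7296, section 3.3, the structure you would inspect in a capture of the client's IKE_SA_INIT request) and applies a responder algorithm policy to the proposals. The responder policy, the two client proposal sets and the byte strings are all constructed for illustration; in particular, the policy is an assumption standing in for a server with conservative defaults, not a statement of what RRAS actually enables.

```python
"""Decode the SA payload of an IKE_SA_INIT request (RFC 7296, section 3.3) and run it
against a responder's algorithm policy to see why it would answer NO_PROPOSAL_CHOSEN.
Sample payloads and the responder policy below are constructed, not captured."""
import struct

TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
TRANSFORM_IDS = {  # subset of the IANA IKEv2 transform registries
    1: {3: "3DES", 12: "AES_CBC", 20: "AES_GCM_16"},
    2: {2: "HMAC_SHA1", 5: "HMAC_SHA2_256"},
    3: {2: "HMAC_SHA1_96", 12: "HMAC_SHA2_256_128"},
    4: {2: "MODP_1024", 14: "MODP_2048", 19: "ECP_256"},
}
ATTR_KEY_LENGTH = 14  # "Key Length" attribute, TV format (high bit of the type set)

def build_sa_payload(proposals):
    """Encode [(proto_id, [(ttype, tid, keylen_or_None), ...]), ...] as an SA payload,
    generic payload header included (Next Payload 0, SPI size 0)."""
    body = b""
    for num, (proto, transforms) in enumerate(proposals, start=1):
        tbytes = b""
        for i, (ttype, tid, keylen) in enumerate(transforms):
            attrs = b"" if keylen is None else struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, keylen)
            more = 0 if i == len(transforms) - 1 else 3  # 3 = more transforms follow
            tbytes += struct.pack("!BBHBBH", more, 0, 8 + len(attrs), ttype, 0, tid) + attrs
        more = 0 if num == len(proposals) else 2  # 2 = more proposals follow
        body += struct.pack("!BBHBBBB", more, 0, 8 + len(tbytes), num, proto, 0, len(transforms)) + tbytes
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_sa_payload(data):
    """Return [{"num", "proto", "transforms": {ttype: {(tid, keylen), ...}}}, ...]."""
    _, _, payload_len = struct.unpack_from("!BBH", data, 0)
    proposals, off = [], 4
    while off < payload_len:
        _, _, prop_len, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        toff, transforms = off + 8 + spi_size, {}
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, toff)
            keylen, aoff = None, toff + 8
            while aoff < toff + tlen:  # attributes: TV is 4 bytes, TLV is 4 + length
                atype, aval = struct.unpack_from("!HH", data, aoff)
                if atype & 0x8000:
                    keylen = aval if (atype & 0x7FFF) == ATTR_KEY_LENGTH else keylen
                    aoff += 4
                else:
                    aoff += 4 + aval
            transforms.setdefault(ttype, set()).add((tid, keylen))
            toff += tlen
        proposals.append({"num": num, "proto": proto, "transforms": transforms})
        off += prop_len
    return proposals

def describe(proposal):
    """One-line summary of what a proposal offers, per transform type."""
    parts = []
    for ttype, offered in sorted(proposal["transforms"].items()):
        names = [TRANSFORM_IDS.get(ttype, {}).get(tid, str(tid)) + (f"_{kl}" if kl else "")
                 for tid, kl in sorted(offered, key=lambda t: (t[0], t[1] or 0))]
        parts.append(f"{TRANSFORM_TYPES.get(ttype, ttype)}={'/'.join(names)}")
    return f"proposal {proposal['num']} proto {proposal['proto']}: " + " ".join(parts)

def select_proposal(proposals, policy):
    """Responder-side choice (RFC 7296, 3.3.6): first proposal whose transform types
    match the policy's and where each type offers something accepted; None means
    the responder sends NO_PROPOSAL_CHOSEN."""
    for p in proposals:
        if set(p["transforms"]) != set(policy):
            continue  # e.g. AEAD proposal without INTEG against a policy that requires INTEG
        chosen = {}
        for ttype, accepted in policy.items():
            hits = sorted(p["transforms"][ttype] & accepted, key=lambda t: (t[0], t[1] or 0))
            if not hits:
                break
            chosen[ttype] = hits[0]
        else:
            return p["num"], chosen
    return None

# Hypothetical responder policy (an assumption standing in for a server with conservative
# defaults; not a statement of RRAS's real defaults): SHA1 suites and MODP groups only.
RESPONDER_POLICY = {
    1: {(12, 256), (3, None)},   # AES_CBC_256, 3DES
    2: {(2, None)},              # PRF HMAC_SHA1
    3: {(2, None)},              # INTEG HMAC_SHA1_96
    4: {(2, None), (14, None)},  # MODP_1024, MODP_2048
}
MODERN = [(1, 20, 256), (2, 5, None), (4, 19, None)]                  # AES_GCM_256/SHA2_256/ECP_256
FALLBACK = [(1, 12, 256), (2, 2, None), (3, 2, None), (4, 14, None)]  # AES_CBC_256/SHA1/SHA1_96/MODP_2048
CLIENT_STRICT = build_sa_payload([(1, MODERN)])                  # constructed: modern suite only
CLIENT_TWEAKED = build_sa_payload([(1, MODERN), (1, FALLBACK)])  # constructed: adds a fallback proposal

def outcome(payload, policy=RESPONDER_POLICY):
    """Parse a client SA payload and return (proposal number, chosen transforms) or None."""
    return select_proposal(parse_sa_payload(payload), policy)

if __name__ == "__main__":
    for label, payload in (("strict", CLIENT_STRICT), ("tweaked", CLIENT_TWEAKED)):
        for p in parse_sa_payload(payload):
            print(label, describe(p))
        print(label, "->", outcome(payload) or "NO_PROPOSAL_CHOSEN")
```

Running it prints each client proposal and the responder's decision: the client that offers only the modern suite gets NO_PROPOSAL_CHOSEN, because its AEAD proposal carries no INTEG transform and its DH group is not in the policy, while the client that adds a fallback proposal with SHA1 and MODP_2048 has proposal 2 accepted. On a real capture, pass the raw SA payload bytes of the IKE_SA_INIT request to parse_sa_payload and compare the output with what a working Linux or Android client negotiated (the "selected proposal: IKE:..." log line mentioned above); the difference is what a configuration profile has to add on the macOS side.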
