[Swan-dev] Mac OS Sonoma IKEv2 issue

Rolando Bermúdez Peña roly.frank at gmail.com
Fri Mar 1 23:09:11 EET 2024


Hello,

I have libreswan version "ibreswan-3.25-4.8.amzn2.0.2.x86_64" for a VPN on
a server.
I am trying to connect using IKEv2 from Mac clients.

From a Mac with Ventura it connects fine, from a Mac with Sonoma it does
not connect.
These are the logs for both connections.

Just trying to figure out what I have wrong in the server configuration or
the client.

Sonoma 14.3 (NOT WORKING)

Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]: packet from
76.221.187.153:500: proposal
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 chosen from remote
proposals
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=MODP2048
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #16: STATE_PARENT_R1: received v2I1,
sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256
group=DH19}
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #16: certificate verified OK: O=VPN
Client,CN=user.test.com
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #16: IKEv2 mode peer ID is ID_FQDN: '@
user.test.com'
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #16: Authenticated using RSA
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #16: DigSig: no compatible DigSig hash
algo
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #16: responding to AUTH message (ID 1)
from 76.221.187.153:13536 with encrypted notification NO_PROPOSAL_CHOSEN

Ventura 13.5.2 (WORKING)

Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]: packet from
76.221.187.153:500: proposal
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #17: STATE_PARENT_R1: received v2I1,
sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256
group=MODP2048}
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #17: certificate verified OK: O=VPN
Client,CN=user2.test.com
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #17: No matching subjectAltName found
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #17: certificate does not contain
subjectAltName=user.test.com
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #17: Peer public key SubjectAltName
does not match peer ID for this connection
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[12] 76.221.187.153 #17: switched from "client-to-site"[12]
76.221.187.153 to "client-to-site"
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #17: certificate verified OK: O=VPN
Client,CN=user2.test.com
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #17: IKEv2 mode peer ID is ID_FQDN: '@
user2.test.com'
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #17: Authenticated using RSA
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #17: local ESP/AH proposals for
client-to-site (IKE SA responder matching remote ESP/AH proposals):
1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #17: proposal
1:ESP:SPI=02b11f0b;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
chosen from remote proposals
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #17: received unsupported NOTIFY
v2N_NON_FIRST_FRAGMENTS_ALSO
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #18: negotiated connection
[10.176.0.0-10.176.255.255:0-65535 0] ->
[172.16.100.10-172.16.100.10:0-65535 0]
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]:
"client-to-site"[13] 76.221.187.153 #18: STATE_V2_IPSEC_R: IPsec SA
established tunnel mode {ESP/NAT=>0x02b11f0b <0xd5d6cd87
xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=76.221.187.153:19818
DPD=active}

Thank you
Rolando
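The two pluto transcripts above differ at one step: in the Sonoma attempt the client certificate verifies and RSA authentication succeeds, then pluto logs "DigSig: no compatible DigSig hash algo" and answers the IKE_AUTH exchange with NO_PROPOSAL_CHOSEN; in the Ventura attempt pluto first reports a peer ID mismatch for connection instance [12], switches to a new instance [13] whose ID matches, and then brings up the Child SA. The script below is an added triage helper, not code from the post or from the libreswan project. It splits a pluto log into per-IKE-SA attempts (each STATE_PARENT_R1 line from a peer starts a new attempt) and records the negotiated IKE parameters, peer ID, authentication method, instance switches, DigSig errors, notifications sent and whether a Child SA was established. The sample input is a constructed copy of lines quoted in the mail, re-joined onto single lines where the mail client wrapped them; the field names and the "result" wording are this script's own conventions, not pluto's.

```python
import re

# Constructed sample: pluto lines quoted in the mail above, re-joined onto
# single lines (the mail client wrapped them). Two attempts from one peer:
# IKE SA #16 (Sonoma, failed) and IKE SA #17 with Child SA #18 (Ventura, ok).
SAMPLE_LOG = """\
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #16: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=DH19}
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #16: certificate verified OK: O=VPN Client,CN=user.test.com
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #16: IKEv2 mode peer ID is ID_FQDN: '@user.test.com'
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #16: Authenticated using RSA
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #16: DigSig: no compatible DigSig hash algo
Mar 01 18:15:26 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #16: responding to AUTH message (ID 1) from 76.221.187.153:13536 with encrypted notification NO_PROPOSAL_CHOSEN
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #17: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP2048}
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #17: Peer public key SubjectAltName does not match peer ID for this connection
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[12] 76.221.187.153 #17: switched from "client-to-site"[12] 76.221.187.153 to "client-to-site"
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[13] 76.221.187.153 #17: IKEv2 mode peer ID is ID_FQDN: '@user2.test.com'
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[13] 76.221.187.153 #17: Authenticated using RSA
Mar 01 18:17:47 ip-10-176-2-148.ec2.internal pluto[3074]: "client-to-site"[13] 76.221.187.153 #18: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x02b11f0b <0xd5d6cd87 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=76.221.187.153:19818 DPD=active}
"""

# Matches pluto lines of the form:  <ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<sa>: <msg>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')


def parse_line(line):
    """Return a dict of the line's fields, or None for lines without a state number."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    rec["inst"] = int(rec["inst"]) if rec["inst"] else None
    return rec


def classify(attempt):
    """Outcome string for one IKE SA attempt (wording is this script's own)."""
    if attempt["child_sa"] is not None:
        return "established"
    if attempt["notify_sent"]:
        return f"failed: {attempt['notify_sent']} ({attempt['digsig_error'] or 'reason not logged'})"
    return "incomplete"


def triage(log_text):
    """Group a pluto log into IKE SA attempts; one attempt per STATE_PARENT_R1 line per peer."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("STATE_PARENT_R1:"):
            params = re.search(r"\{(.*)\}", msg).group(1)
            cur = {"ike_sa": rec["sa"], "peer": rec["peer"], "ts": rec["ts"],
                   "ike_params": dict(kv.split("=", 1) for kv in params.split()),
                   "peer_ids": [], "auth": None, "instances": [rec["inst"]],
                   "id_mismatch": False, "digsig_error": None, "notify_sent": None,
                   "child_sa": None, "xfrm": None}
            attempts.append(cur)
            continue
        if cur is None or rec["peer"] != cur["peer"]:
            continue
        if rec["inst"] is not None and rec["inst"] not in cur["instances"]:
            cur["instances"].append(rec["inst"])   # pluto switched connection instance
        if m := re.search(r"peer ID is (\S+): '(.*)'", msg):
            cur["peer_ids"].append((m.group(1), m.group(2)))
        elif msg.startswith("Authenticated using "):
            cur["auth"] = msg[len("Authenticated using "):]
        elif "does not match peer ID" in msg:
            cur["id_mismatch"] = True
        elif msg.startswith("DigSig:"):
            cur["digsig_error"] = msg
        elif m := re.search(r"with encrypted notification (\w+)", msg):
            cur["notify_sent"] = m.group(1)
        elif "IPsec SA established" in msg:
            cur["child_sa"] = rec["sa"]
            cur["xfrm"] = re.search(r"xfrm=(\S+)", msg).group(1)
    for a in attempts:
        a["result"] = classify(a)
    return attempts


def summarize(a):
    """One-line human summary of an attempt."""
    p = a["ike_params"]
    ids = ", ".join(f"{t} {v}" for t, v in a["peer_ids"]) or "none"
    mismatch = "; peer ID mismatch, instance switched" if a["id_mismatch"] else ""
    return (f"IKE SA #{a['ike_sa']} from {a['peer']} at {a['ts']}: "
            f"{p.get('cipher')}/{p.get('integ')}/{p.get('prf')}/{p.get('group')}; "
            f"peer ID {ids}; auth {a['auth'] or 'none'}; instances {a['instances']}"
            f"{mismatch}; result {a['result']}")


if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(summarize(attempt))
```

Run against a full /var/log/secure or journal export, the summaries make it easy to see which attempts die at the same step: here #16 fails only after the certificate and RSA authentication have already been accepted, so the failure is in agreeing a signature hash algorithm for the IKEv2 digital signature, not in the certificate, the peer ID or the IKE cipher proposal (AES-GCM with DH19 was accepted). The script reports what pluto logged and does not guess at the configuration change needed.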