macOS 14 Sonoma IKEv2 VPN rekey sends invalid proposals, causing a disconnect every 24/48 minutes, error NoProposalChosen

Originator: joshhibschman
Number: rdar://FB13453582
Date Originated: 2023-12-07
Status: Open
Resolved:
Product: macOS
Product Version: 14.1.2
Classification: Incorrect/Unexpected Behavior
Reproducible: Yes

There seems to be a bug in macOS 14 (14 through 14.1.2) that causes VPN connections to disconnect regularly after 24 or 48 minutes, producing a short network interruption of 1-2 seconds. Prior macOS versions, up to 13, do not have the issue. The release notes for 14 and 14.1 do not mention any breaking changes. We have found that macOS sends an invalid proposal list on rekey, particularly for connections with On Demand enabled.

With the help of the Libreswan community, we've discussed it at libreswan/libreswan#1450. It manifests across developer products, e.g. IPSecVPN (hwdsl2/setup-ipsec-vpn#1486), Docker (docker/for-mac#7022), and VPN providers (https://discussions.apple.com/thread/255158874).

The bug seems to be somewhere in the rekey/cert/proposal process. It was reproduced with a test server running libreswan 4.12, configured to match the default security parameters from the Apple developer docs (ikeSecurityAssociationParameters and childSecurityAssociationParameters). To reproduce:

- Start a VPN server with rekeying disabled, or with a rekey interval longer than 48 minutes, so that macOS initiates the rekey.
- Load a VPN profile on macOS with On Demand enabled.
- Connect, then watch the server for a rejected proposal (NoProposalChosen), or wait 24-48 minutes for a rekey and watch for the disconnect/reconnect.

Feel free to contact me for help resolving the issue.
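The second reproduction step above (a profile with On Demand enabled and explicit SA parameters), as an added example that is not part of the report or of any project it mentions: a small Python script that writes a `.mobileconfig` for an IKEv2 connection. The payload key names follow Apple's configuration profile reference as an assumption to verify against the current reference, since the report does not list them; the server address, identifiers, shared secret, payload identifiers and the 1440-minute lifetime are placeholders chosen for this example, not values from the report.

```python
"""Write an IKEv2 .mobileconfig with On Demand enabled for reproducing the
rekey disconnect. Added example; key names are assumed from Apple's
configuration profile reference and all values are placeholders."""
import plistlib
import uuid


def build_ikev2_profile(server, remote_id, local_id, shared_secret,
                        lifetime_min=1440):
    """Return the profile as a dict ready for plistlib.

    lifetime_min is a placeholder; the report only says the *server* side
    must rekey later than 48 minutes so that macOS initiates the rekey.
    """
    # Same parameters for the IKE SA and the Child SA (assumed key names).
    sa_params = {
        "EncryptionAlgorithm": "AES-256",
        "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": 14,
        "LifeTimeInMinutes": lifetime_min,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.ikev2.rekey-repro.vpn",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "IKEv2 rekey repro",
        "UserDefinedName": "IKEv2 rekey repro",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": remote_id,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": shared_secret,
            # The report ties the bad proposal list to On Demand connections.
            "OnDemandEnabled": 1,
            "OnDemandRules": [{"Action": "Connect"}],
            "IKESecurityAssociationParameters": dict(sa_params),
            "ChildSecurityAssociationParameters": dict(sa_params),
        },
    }
    return {
        "PayloadContent": [vpn_payload],
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.ikev2.rekey-repro",        # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "IKEv2 rekey repro",
    }


def to_mobileconfig(profile):
    """Serialise the profile dict to XML plist bytes (.mobileconfig)."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    """Read a .mobileconfig back into a dict (used to check what was written)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Placeholder values; replace with those of the test server.
    profile = build_ikev2_profile("vpn.example.net", "vpn.example.net",
                                  "mac-client", "REPLACE-WITH-PSK")
    with open("ikev2-rekey-repro.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
```

Install the generated file through System Settings, connect, and then watch the server side for the rejected rekey proposal as the third step describes.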
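The third reproduction step (watching the server for a rejected proposal and the resulting disconnect/reconnect), as an added example that is not part of the report or of libreswan: a Python script that scans a server log for rejected rekeys, measures the outage each one caused, and checks whether the failures recur at the 24/48-minute cadence the report describes. The sample log lines are constructed for illustration and do not reproduce libreswan's actual pluto message format; `LINE_RE` and the matched phrases are assumptions to adapt to the real server output.

```python
"""Detect periodic NO_PROPOSAL_CHOSEN rekey failures in a VPN server log.
Added example; the sample lines are constructed and are NOT real pluto
output, so adapt LINE_RE and the matched phrases to your server's log."""
import re
from datetime import datetime

# Constructed sample: one peer, a rekey rejected every ~24 minutes, followed
# by a reconnect a few seconds later (the short interruption from the report).
SAMPLE_LOG = """\
2023-12-07T10:00:02Z pluto: "ikev2-cp"[1] 203.0.113.10 #1: IKE SA established
2023-12-07T10:00:02Z pluto: "ikev2-cp"[1] 203.0.113.10 #2: Child SA established
2023-12-07T10:24:01Z pluto: "ikev2-cp"[1] 203.0.113.10 #2: CREATE_CHILD_SA request: no matching proposal, responding with NO_PROPOSAL_CHOSEN
2023-12-07T10:24:03Z pluto: "ikev2-cp"[1] 203.0.113.10 #1: deleting IKE SA (initiator sent delete)
2023-12-07T10:24:04Z pluto: "ikev2-cp"[2] 203.0.113.10 #3: IKE SA established
2023-12-07T10:24:04Z pluto: "ikev2-cp"[2] 203.0.113.10 #4: Child SA established
2023-12-07T10:48:03Z pluto: "ikev2-cp"[2] 203.0.113.10 #4: CREATE_CHILD_SA request: no matching proposal, responding with NO_PROPOSAL_CHOSEN
2023-12-07T10:48:05Z pluto: "ikev2-cp"[2] 203.0.113.10 #3: deleting IKE SA (initiator sent delete)
2023-12-07T10:48:06Z pluto: "ikev2-cp"[3] 203.0.113.10 #5: IKE SA established
"""

# Assumed line shape: "<ISO timestamp> pluto: "<conn>"[n] <peer ip> #<sa>: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) pluto: "[^"]+"\[\d+\] (?P<peer>\d+\.\d+\.\d+\.\d+) #\d+: (?P<msg>.*)$'
)
REKEY_PERIOD_MIN = 24.0   # cadence from the report: disconnects at 24 or 48 min


def parse_log(text):
    """Return (timestamp, peer, message) tuples for lines matching LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["peer"], m["msg"]))
    return events


def summarize(text, tolerance_min=1.0):
    """Per peer: number of rejected rekeys, minutes between them, seconds from
    each rejection to the next fresh IKE SA (the outage), and whether the
    spacing is a 1x or 2x multiple of REKEY_PERIOD_MIN within tolerance."""
    events = parse_log(text)
    report = {}
    for peer in sorted({p for _, p, _ in events}):
        own = [(ts, msg) for ts, p, msg in events if p == peer]
        failures = [ts for ts, msg in own if "NO_PROPOSAL_CHOSEN" in msg]
        outages = []
        for f in failures:
            recon = next((ts for ts, msg in own
                          if ts > f and "IKE SA established" in msg), None)
            outages.append(int((recon - f).total_seconds()) if recon else None)
        intervals = [(b - a).total_seconds() / 60
                     for a, b in zip(failures, failures[1:])]
        periodic = bool(intervals) and all(
            round(i / REKEY_PERIOD_MIN) in (1, 2)
            and abs(i - REKEY_PERIOD_MIN * round(i / REKEY_PERIOD_MIN)) <= tolerance_min
            for i in intervals
        )
        report[peer] = {"failures": len(failures), "intervals_min": intervals,
                        "outage_seconds": outages, "periodic_24m": periodic}
    return report


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        print(peer, info)
```

A peer whose rejections line up on the 24-minute grid with a few seconds of outage each time matches the symptom in the report; a peer with rejections at irregular spacing points at an ordinary proposal mismatch in the server configuration instead.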

Comments

Same problem. Disconnects every 24 min for me, so I can't use it for work anymore after updating to Sonoma.

By jcmcnamee at Feb. 9, 2024, 6:52 p.m.

I have a similar issue with one of my VPNs. After upgrading to Sonoma it started to disconnect automatically after 8 minutes of connection. I was able to use it the whole day with Ventura.

By epozdnyakov at Jan. 4, 2024, 11:35 a.m.
