IKEv2 VPN rekeying does not work correctly
| Originator: | neilalexanderr | | |
| Number: | rdar://29821241 | Date Originated: | 28/12/2016 |
| Status: | Open | Resolved: | |
| Product: | macOS, iOS | Product Version: | |
| Classification: | Serious | Reproducible: | Always |
Summary:

When configured using the GUI (as opposed to mobileconfig), the IKEv2 rekey timeout is set to approximately 8 minutes. At this 8-minute interval, the VPN attempts to rekey the CHILD SA. Unless the DH group of the VPN is set to 14, this rekey fails every single time and the CHILD SA is deleted.

Steps to Reproduce:

1. Create an IKEv2 VPN responder using strongSwan or other software such as Racoon, configured with certificate authentication (but not XAuth) using aes256-aes256-modp4096.
2. Connect the VPN.
3. After 8 minutes, iOS/macOS attempts to rekey the CHILD SA. The proposal sent for the rekey does not match the initial SA proposal.
4. The VPN disconnects.

Expected Results:

The rekey proposal should match the initial proposal (i.e. DH group 2 or 14). The CHILD SA should not be deleted.

Actual Results:

The rekey proposal is not the same as the initial SA proposal, therefore the rekey fails and the CHILD SA is deleted.

Version:

macOS Sierra 10.12.2 (16C67)
iOS 10.2 (14C92)

Notes:

Configuration: Always occurs. When using mobileconfig the rekey interval can be increased, but then this problem still happens eventually.
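The failure described above shows up on the responder as a CREATE_CHILD_SA negotiation whose received proposal carries a different DH group than the one configured. The following script is an added example (not part of the radar or of strongSwan) that pairs "received proposals" / "configured proposals" lines in charon-style log output and flags the DH-group mismatch; the log excerpt is constructed for illustration, and only the first proposal on each line is inspected.

```python
import re

# Constructed charon-style excerpt (not a real capture): the initial CHILD_SA
# negotiates MODP_4096 successfully, then the rekey arrives with MODP_2048.
SAMPLE_LOG = """\
08[IKE] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
08[IKE] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
08[IKE] CHILD_SA vpn{1} established with SPIs c1a2b3c4_i d4e5f6a7_o
11[IKE] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
11[IKE] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
11[IKE] no acceptable proposal found
"""

PROPOSAL_RE = re.compile(r"\b(received|configured) proposals: (\S+)")
DH_RE = re.compile(r"^(MODP_|ECP_|CURVE_)")  # transform names used for DH groups


def parse_proposal(text):
    """Split 'ESP:AES_CBC_256/.../MODP_4096/NO_EXT_SEQ' into protocol and transforms."""
    proto, _, transforms = text.partition(":")
    return proto, transforms.split("/")


def dh_group(transforms):
    """Return the DH transform of a proposal, or None if it carries no PFS group."""
    for t in transforms:
        if DH_RE.match(t):
            return t
    return None


def find_proposal_mismatches(log_text):
    """Pair each 'received proposals' line with the next 'configured proposals'
    line and report every negotiation whose DH groups differ."""
    results = []
    received = None
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        kind, proposal = m.groups()
        _, transforms = parse_proposal(proposal.rstrip(","))
        if kind == "received":
            received = dh_group(transforms)
        elif kind == "configured" and received is not None:
            configured = dh_group(transforms)
            results.append({"received": received, "configured": configured,
                            "mismatch": received != configured})
            received = None
    return results


if __name__ == "__main__":
    for n, r in enumerate(find_proposal_mismatches(SAMPLE_LOG), 1):
        status = "MISMATCH" if r["mismatch"] else "ok"
        print(f"negotiation {n}: received {r['received']}, configured {r['configured']} -> {status}")
```

A mismatch on the second negotiation, with the first one clean, is the signature of the rekey failure reported here rather than a plain misconfiguration.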