RHEL-120743

libreswan does not interoperate with MacOS Sequoia


    • Bug
    • Resolution: Unresolved
    • rhel-9.6
    • libreswan
    • rhel-security-crypto-spades
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      Configure an IKEv2 VPN from a MacOS client to a libreswan server.

      What is the impact of this issue to you?

      Cannot work for more than a few minutes at a time.

      Please provide the package NVR for which the bug is seen:

      libreswan-4.15-8.el9.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Use a MacOS IKEv2 client to connect to a libreswan server using the legacy profile

      Expected results

      VPN remains connected as instructed.

      Actual results

      VPN disconnects after a few minutes without being asked to.

      Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #14: initiating rekey to replace IKE SA #12
      Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #15: initiating rekey to replace Child SA #13
      Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #14: sent CREATE_CHILD_SA request to rekey IKE SA
      Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #14: initiator rekeyed IKE SA #12 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
      Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #15: sent CREATE_CHILD_SA request to rekey IPsec SA
      Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #14: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
      Oct 12 18:41:30 aurora pluto[10631]: "access-vpn"[3] xx #12: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 226.70329s and sending notification
      Oct 12 18:41:30 aurora pluto[10631]: "access-vpn"[3] xx #14: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
      Oct 12 18:41:30 aurora pluto[10631]: packet from xx:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
      Oct 12 18:41:30 aurora pluto[10631]: "access-vpn"[3] xx #15: CREATE_CHILD_SA failed with error notification NO_PROPOSAL_CHOSEN
      Oct 12 18:41:30 aurora pluto[10631]: "access-vpn"[3] xx #15: state transition 'initiate rekey Child SA (CREATE_CHILD_SA)' failed
      Oct 12 18:41:34 aurora pluto[10631]: "access-vpn"[3] xx #16: initiating rekey to replace IKE SA #14
      Oct 12 18:41:34 aurora pluto[10631]: "access-vpn"[3] xx #16: sent CREATE_CHILD_SA request to rekey IKE SA
      Oct 12 18:41:34 aurora pluto[10631]: "access-vpn"[3] xx #16: initiator rekeyed IKE SA #14 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
      Oct 12 18:41:35 aurora pluto[10631]: "access-vpn"[3] xx #14: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 6.259005s and sending notification
      Oct 12 18:41:35 aurora pluto[10631]: packet from xx:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
      

      It appears every time MacOS makes their algorithms more strict, all the VPN servers break, including RHEL9.

      https://www.reddit.com/r/MacOS/comments/skdl6l/macos_ikev2_vpn_is_disconnecting_in_every_8/

      The libreswan package needs to supply ike and esp parameters that are tested and work with other operating systems.
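The log above shows the IKE SA rekey (#12 replaced by #14) completing while the Child SA rekey (#13 replaced by #15) fails with NO_PROPOSAL_CHOSEN, which is what drops the tunnel. As an added example that is not part of this report, the following Python script correlates libreswan's "initiating rekey" lines with the outcome later logged on the same new state number, so an operator can flag a peer that rejects the ESP proposal on rekey; the regexes are assumptions derived from the line format quoted in this report, and the sample lines are a constructed subset of that log.

```python
import re

# Constructed sample: a subset of the pluto lines quoted in this report (peer masked as "xx")
SAMPLE_LOG = """\
Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #14: initiating rekey to replace IKE SA #12
Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #15: initiating rekey to replace Child SA #13
Oct 12 18:41:29 aurora pluto[10631]: "access-vpn"[3] xx #14: initiator rekeyed IKE SA #12 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Oct 12 18:41:30 aurora pluto[10631]: packet from xx:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Oct 12 18:41:30 aurora pluto[10631]: "access-vpn"[3] xx #15: CREATE_CHILD_SA failed with error notification NO_PROPOSAL_CHOSEN
"""

# syslog prefix followed by pluto's own message (format assumed from the lines above)
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$')
# state-bound messages look like: "conn"[instance] peer #state: text
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): (?P<text>.*)$')
REKEY_RE = re.compile(r'initiating rekey to replace (IKE|Child) SA #(\d+)')
FAIL_RE = re.compile(r'CREATE_CHILD_SA failed with error notification (\S+)')
OK_RE = re.compile(r'initiator rekeyed (IKE|Child) SA #(\d+)')

def parse_pluto_log(text):
    """Return one dict per recognised line; conn/sa are None for lines not bound to a state."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        s = STATE_RE.match(m['msg'])
        if s:
            events.append({'ts': m['ts'], 'conn': s['conn'], 'sa': int(s['sa']), 'text': s['text']})
        else:
            events.append({'ts': m['ts'], 'conn': None, 'sa': None, 'text': m['msg']})
    return events

def audit_rekeys(events):
    """Pair each 'initiating rekey' with the success or failure logged on the same new state."""
    pending, results = {}, []
    for e in events:
        if e['sa'] is None:
            continue
        m = REKEY_RE.match(e['text'])
        if m:
            pending[e['sa']] = {'conn': e['conn'], 'kind': m[1], 'old_sa': int(m[2]),
                                'new_sa': e['sa'], 'started': e['ts']}
            continue
        fail, ok = FAIL_RE.match(e['text']), OK_RE.match(e['text'])
        if (fail or ok) and e['sa'] in pending:
            r = pending.pop(e['sa'])
            r['outcome'] = fail[1] if fail else 'ok'   # notification name, or 'ok'
            results.append(r)
    return results

def failed_rekeys(text):
    """Rekeys whose CREATE_CHILD_SA exchange was rejected by the peer."""
    return [r for r in audit_rekeys(parse_pluto_log(text)) if r['outcome'] != 'ok']
```

Running `failed_rekeys(SAMPLE_LOG)` on the constructed sample reports the single Child SA rekey (#13 to #15) rejected with NO_PROPOSAL_CHOSEN, while the IKE SA rekey is recorded as successful.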

              Daiki Ueno (dueno@redhat.com), Graham Leggett (minfrin), Ondrej Moris