OPNsense Forum » English Forums » 24.7 Production Series » IPSec issues since 24.7.4_1
Topic: IPSec issues since 24.7.4_1 (Read 260 times)
whatever
on: September 21, 2024, 05:05:52 am
UPDATE: Saved and restored a config (i.e. the exact same settings the box was running prior to restoring) and now it works... Dunno what to say... Maybe something silently went wrong with the update and restoring the config fixed it? I guess there are some things Man is just not meant to know...
Hello,
I'm having issues with IPSec and macOS since the update to 24.7.4_1. Prior to the update, everything was working fine. Now, I can no longer connect from macOS. macOS is running the same version as before the 24.7.4_1 update.
I use a configuration profile (.mobileconfig) to set up my IKEv2 connection on macOS. And I'm aware there's a bug in macOS Sonoma, where it ignores the values you set in the profile for proposals and rekey time. Regardless of what you configure in the profile, macOS will send the following proposals to the server:
2024-09-20T22:40:56-04:00 Informational charon 11[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
So I made sure the server supported at least one of those:
11[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Prior to 24.7.4_1, the profile and connection worked just fine. Since 24.7.4_1, I can no longer connect. I've attached a picture of the logs. Happy to provide more logs if needed.
I also have a pfSense box that runs the same services and has IPSec set up with the same values, and it connects just fine. But I don't want to go back to pfSense - I'm an OPNsense guy now :-)
Anybody else running into issues like this? Anyone have any ideas? Was IPSec changed in 24.7.4_1?
Any help would be appreciated. Thanks.
Last Edit: September 21, 2024, 09:34:59 pm by whatever
whatever
Re: IPSec issues since 24.7.4_1
Reply #1 on: September 21, 2024, 05:22:13 am
Update: If I create my connection on the Mac (without a profile) it connects. It sends exactly the same proposals as with the profile, so I don't understand why it works. Something appears to have changed in OPNsense's IPSec implementation that doesn't play nice with profiles. Even creating a standard profile with the same values as the connection created in the macOS UI fails to connect.
I want to use the profile because I specify options that are not available in the UI.
Again, any help would be appreciated. And I'm not expecting a "just do this, bro" or "tick this box" response. I guess I'm asking if anything has changed with IPSec in OPNsense since 24.7.4_1. Nothing changed on my end apart from the update.
Cheers
Last Edit: September 21, 2024, 08:11:28 am by whatever
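Added example (not part of either post, and not OPNsense or strongSwan code): a Python script that parses the two charon [CFG] lines quoted in the first post and lists which received proposals overlap with a configured one. Classifying transforms by name prefix and matching by per-type intersection are simplifying assumptions that cover common IKE algorithms only.

```python
import re
from collections import defaultdict

# The two charon lines quoted in the first post, copied verbatim.
LOG = """\
2024-09-20T22:40:56-04:00 Informational charon 11[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
11[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
"""

LINE_RE = re.compile(r"\[CFG\] <([^>]+)> (received|configured) proposals: (.+)$")

# Assumption: classify transforms by name prefix; covers common IKE algorithms only.
PREFIXES = (("PRF_", "prf"), ("MODP_", "dh"), ("ECP_", "dh"), ("CURVE_", "dh"),
            ("HMAC_", "integ"), ("AES_XCBC_", "integ"), ("AES_CMAC_", "integ"))

def transform_type(name):
    # Anything else is treated as encryption (AEAD ciphers carry no separate integ).
    return next((t for p, t in PREFIXES if name.startswith(p)), "encr")

def parse_proposal(text):
    proto, _, algs = text.strip().partition(":")
    transforms = defaultdict(set)
    for alg in algs.split("/"):
        transforms[transform_type(alg)].add(alg)
    return proto, dict(transforms)

def parse_log(log):
    """Return {connection id: {'received': [...], 'configured': [...]}}."""
    out = defaultdict(lambda: {"received": [], "configured": []})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            conn, kind, props = m.groups()
            out[conn][kind] = [parse_proposal(p) for p in props.split(",")]
    return dict(out)

def compatible(a, b):
    # Same protocol, and every transform type used by either side must overlap.
    (pa, ta), (pb, tb) = a, b
    return pa == pb and all(ta.get(t, set()) & tb.get(t, set()) for t in set(ta) | set(tb))

def common_proposals(log):
    """Per connection: (received index, configured index) pairs that overlap."""
    return {conn: [(i, j) for i, r in enumerate(p["received"])
                   for j, c in enumerate(p["configured"]) if compatible(r, c)]
            for conn, p in parse_log(log).items()}

if __name__ == "__main__":
    print(common_proposals(LOG))
```

For the quoted lines it reports a single overlapping pair for connection <5>: the first received proposal and the second configured one.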