With some help from libreswan, it seems a temporary workaround is to constrain the VPN server to only one proposal for IKE and ESP. The issue happens when macOS rekeys, sending an incorrect order of proposals.
For example, if using libreswan, edit the properties in /etc/ipsec.d/ikev2.conf:
rekey=no
pfs=no
ike=AES_GCM_C_256-HMAC_SHA2_256-ECP_256
phase2alg=AES_GCM_C_256
Then, in the VPN profile, set:
<key>EnablePFS</key>
<integer>0</integer>
<key>ChildSecurityAssociationParameters</key>
<dict>
  <key>DiffieHellmanGroup</key>
  <integer>19</integer>
  <key>EncryptionAlgorithm</key>
  <string>AES-256</string>
  <key>IntegrityAlgorithm</key>
  <string>SHA2-256</string>
  <key>LifeTimeInMinutes</key>
  <integer>1440</integer>
</dict>
<key>IKESecurityAssociationParameters</key>
<dict>
  <key>DiffieHellmanGroup</key>
  <integer>19</integer>
  <key>EncryptionAlgorithm</key>
  <string>AES-256</string>
  <key>IntegrityAlgorithm</key>
  <string>SHA2-256</string>
  <key>LifeTimeInMinutes</key>
  <integer>1440</integer>
</dict>
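The workaround above comes down to one rule: the server offers exactly the one proposal the client profile is configured for, and PFS and the DH group agree on both sides, so no proposal ordering is involved when macOS rekeys. The following script is an added example (not code from the forum post, from Apple, or from libreswan) that parses a conn fragment and a profile plist and reports anything that breaks that rule. It assumes libreswan separates alternative proposals with commas, and the DH_GROUP_NAMES mapping from Apple group numbers to libreswan group names is an assumption to verify against your libreswan version. The embedded conf lines and plist keys are constructed from the post; the encryption and integrity keys are omitted because the check does not compare them.

```python
"""Consistency check: macOS IKEv2 profile vs. a libreswan conn (added example)."""
import plistlib

# Assumed mapping from Apple DiffieHellmanGroup integers to the group names
# used in libreswan proposal strings; verify against your libreswan version.
DH_GROUP_NAMES = {
    14: "MODP2048",
    19: "ECP_256",
    20: "ECP_384",
    21: "ECP_521",
}

# Constructed input: the conn lines from the post above.
IPSEC_CONF = """\
rekey=no
pfs=no
ike=AES_GCM_C_256-HMAC_SHA2_256-ECP_256
phase2alg=AES_GCM_C_256
"""

# Constructed input: the profile keys the check uses, in plist form.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>EnablePFS</key>
  <integer>0</integer>
  <key>ChildSecurityAssociationParameters</key>
  <dict>
    <key>DiffieHellmanGroup</key>
    <integer>19</integer>
  </dict>
  <key>IKESecurityAssociationParameters</key>
  <dict>
    <key>DiffieHellmanGroup</key>
    <integer>19</integer>
  </dict>
</dict>
</plist>
"""


def parse_ipsec_conf(text):
    """Return key/value pairs from a conn fragment, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def proposals(value):
    """Split a libreswan algorithm line into its alternative proposals (comma-separated)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_consistency(conf, profile):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []

    # 1. The server must offer exactly one IKE proposal and one ESP proposal.
    for key in ("ike", "phase2alg"):
        count = len(proposals(conf.get(key, "")))
        if count != 1:
            findings.append(f"{key}= should contain exactly one proposal, found {count}")

    # 2. PFS must be on or off on both sides.
    server_pfs = conf.get("pfs", "yes").lower() != "no"
    client_pfs = bool(profile.get("EnablePFS", 1))
    if server_pfs != client_pfs:
        findings.append(f"pfs={conf.get('pfs', 'yes')} but profile EnablePFS={int(client_pfs)}")

    # 3. The profile's IKE SA DH group must be the one named in ike=.
    ike_group = profile["IKESecurityAssociationParameters"]["DiffieHellmanGroup"]
    want = DH_GROUP_NAMES.get(ike_group)
    if want is None:
        findings.append(f"unknown DiffieHellmanGroup {ike_group} in profile")
    elif want.lower() not in conf.get("ike", "").lower():
        findings.append(f"profile IKE DH group {ike_group} ({want}) not in ike={conf.get('ike')}")

    # 4. With PFS enabled on both sides, the child SA DH group must appear in phase2alg=.
    if client_pfs and server_pfs:
        child_group = profile["ChildSecurityAssociationParameters"]["DiffieHellmanGroup"]
        want = DH_GROUP_NAMES.get(child_group)
        if want is None or want.lower() not in conf.get("phase2alg", "").lower():
            findings.append(f"profile child DH group {child_group} not in phase2alg=")

    return findings


def findings_for(conf_text, plist_bytes):
    """Parse both sides and run the check."""
    return check_consistency(parse_ipsec_conf(conf_text), plistlib.loads(plist_bytes))


if __name__ == "__main__":
    for line in findings_for(IPSEC_CONF, PROFILE_PLIST) or ["OK: one proposal per SA, PFS and DH group agree"]:
        print(line)
```

Feed it the real /etc/ipsec.d/ikev2.conf conn and the IKEv2 dict extracted from the installed .mobileconfig; any finding means the server still has room to pick a proposal the client did not expect at rekey time.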
See https://github.com/libreswan/libreswan/issues/1450
@eskimo thank you -- filed it, public copy at http://www.openradar.me/radar?id=5552164072062976
BTW, that's a neat idea for sharing an address: (let myEmail ...)