IPSec VPN not working

We can successfully open and use both an iPhone VPN IPSec connection and a Personal VPN IPSec connection within our app on iOS 12. When we try and establish the VPN on iOS 13 we will get a connection (either from a manual VPN connection or Personal VPN from within the app), then we never get traffic routed down the VPN tunnel. We are using IPSec with a shared secret for our VPN. Looking at the VPN server on Linux we can see that the connection was made, but it's always showing 0 bytes in and out for iOS 13. On iOS 12 everything works great. We've pored over the documentation and cannot find anything where we can tell the networking to use the tunnel for all traffic. We also see the same problem now when we try and establish an IPSec VPN connection on macOS Catalina. We can establish IPSec VPN to our server on macOS Mojave, but it gives the same effect of connecting under Catalina but no traffic is routed then.

Accepted Reply

The issue we were having with Catalina and iOS 13 has been resolved by a configuration change on our IPSec server. We are running a Libreswan IPSec server. The following change to the ipsec.conf file is what resolved this for us. This was working fine with Mojave and iOS 12, but when we started trying to connect to VPN with the betas for Catalina and iOS 13 we would get a connection but after that nothing was being routed via the tunnel.

We did finally get contacted through the Feedback Assistant asking for our log files on the IPSec Server. I wish there was a way that open Feedback tickets could be marked so we would know if anyone is even investigating the issue. It's sort of like being in limbo.


Edit /etc/ipsec.conf on the VPN server. Find sha2-truncbug=yes and replace it with sha2-truncbug=no. Save the file and run service ipsec restart.
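Background for the accepted reply's fix: sha2-truncbug=yes tells Libreswan to truncate HMAC-SHA-256 ESP integrity tags to 96 bits for peers that predate RFC 4868's 128-bit rule. Once the client side uses the correct 128-bit truncation, every ESP packet fails the integrity check on one side or the other and is silently dropped, which is exactly the "connected but 0 bytes in and out" symptom described above. The script below is an added example, not code from the thread or from the Libreswan project: it audits an ipsec.conf for conn sections that still carry sha2-truncbug=yes and produces the corrected text. The sample configuration embedded in it is constructed for illustration; the conn name and the other option values are assumptions.

```shell
#!/bin/sh
# Added example: audit a Libreswan-style ipsec.conf for sha2-truncbug=yes
# (96-bit SHA-2 truncation) and rewrite it to sha2-truncbug=no.
# Nothing here is from the original thread; the config text is constructed.

# Constructed sample ipsec.conf resembling a PSK-based server setup.
SAMPLE_CONF=$(cat <<'EOF'
config setup
    protostack=netkey

conn ios-psk
    authby=secret
    pfs=no
    auto=add
    # 96-bit truncation for peers with the pre-RFC 4868 bug (hypothetical)
    sha2-truncbug=yes
    leftprotoport=17/1701
    rightprotoport=17/%any

conn office
    authby=secret
    auto=add
    sha2-truncbug=no
EOF
)

# Read config text on stdin; print the name of every conn section whose
# sha2-truncbug option is set to yes. Comment lines are ignored because the
# match requires the option name to start the line (after optional blanks).
find_truncbug_conns() {
    awk '
        /^[[:space:]]*conn[[:space:]]+/ { conn = $2 }
        /^[[:space:]]*sha2-truncbug[[:space:]]*=[[:space:]]*yes/ { print conn }
    '
}

# Read config text on stdin; emit the same text with every
# sha2-truncbug=yes flipped to no and everything else untouched.
fix_truncbug() {
    sed -E 's/^([[:space:]]*sha2-truncbug[[:space:]]*=[[:space:]]*)yes/\1no/'
}

# Stand-alone run: report the offending sections from the sample and show
# the corrected configuration. On a real server you would feed
# /etc/ipsec.conf in, write the result back, and restart the ipsec service.
printf '%s\n' "$SAMPLE_CONF" | find_truncbug_conns
printf '%s\n' "$SAMPLE_CONF" | fix_truncbug
```

Run against the sample, the audit function prints only ios-psk (the office section is already correct), and the fixed output differs from the input in exactly one line. The change must be made on both ends consistently: the whole point is that each peer truncates the SHA-256 tag to the same length, so keep the server at the RFC value once clients have been fixed rather than re-enabling the compatibility bug.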

Replies

Just to clarify, do you still see this problem if you configure VPN via Settings? And via a configuration profile?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes the problem shows up if we configure via VPN settings and also if we configure within our app and connect. We connect just fine using iOS 12. With iOS 13 we get the connection using both methods but then it never routes data.

Yes the problem shows up if we configure via VPN settings …

Right. Alas, that puts it outside of my area of expertise (I can help with VPN APIs but my knowledge of VPN configuration in general is woefully limited). You might have better luck asking this question over in Apple Support Communities, run by Apple Support, and specifically in the Business and Education topic areas, where you’re more likely to find folks with relevant experience.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I've also asked this over in the Beta forum for iOS 13. I don't know how to get help with this. We have the API code in our app and it works fine when running on iOS 12. When we install the same app on iOS 13 it makes the connection but then the underlying network code never sends or receives anything. It's like you connect and then the network just sits there. We were ready to submit our app to the App Store but we cannot when we know that as soon as they release iOS 13 our networking is broken. It's too close to GA for iOS 13. I would open up a code level support ticket and get attention on this problem, but we cannot open those up for beta software. So we feel like we are in a rock and hard space. Someone who works the network code needs to just go in and create an IPSec VPN with shared secret and connect to a VPN server. This is using IPSec and not the IKEv2 protocol. I'm not sure the Apple Community is going to get someone's attention that can actually reproduce this problem and get someone to address the issue. Who would I contact for this when it's a problem with a Beta OS? I've also seen the problem running it on Catalina as well. IPSec VPN with shared secret is not working.

Who would I contact for this when it's a problem with a Beta OS?

There isn’t an official support channel for pre-release systems. The standard process here is to file a bug about any issues you see.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I actually tried to open this as a bug in Feedback Assistant. I could not find a way to mark it as bug, only as "feedback" and got this number: FB6989715


Somehow I doubt that Feedback gets the attention that a bug report would get... but I do not see any way in Feedback Assistant to say that an issue is a defect being reported... What am I missing here?

I actually tried to open this as a bug in Feedback Assistant … FB6989715

Thanks for that.

I could not find a way to mark it as bug, only as "feedback"

Yeah, I think that’s just the way that the new system works.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So now we open up bugs via Feedback Assistant. So how do we ever get any feedback returned to us? I have no idea if anyone has looked at this issue, if they agree it is an issue, and whether there is going to be a fix anytime soon. It's like you wait and wait for the next beta to drop and hope your issue was addressed and fixed, but we have no one telling us anything. I get that the developers are busy. I spent my career in software development. But somehow there needs to be some communication or at least acknowledgement that the issue is being addressed. I have read several other different posts on this forum that I recognize are probably related to the VPN issue I'm encountering on both iOS 13 and Catalina. One of the issues with this I believe is that DNS is not being routed on the tunnel after connection. Actually in my case I'm not sure anything gets routed on the tunnel after connection. How can this work perfectly on iOS 12 and then be so broken on iOS 13 and Catalina? What will happen when they release both of these operating systems in a few weeks and suddenly anyone using a VPN is broken? I can see that hitting the internet like a ton of bricks.... This will not look good on someone's resume.


Apple seems to have silently fixed their racoon code which is known to be buggy with SHA-256 authentication algorithm truncation.


The problem can be fixed also for racoon gateways by removing hmac_sha256 from the list of IKE phase 2 authentication algorithm proposals. Unfortunately, Apple iPhones with iOS 13 then choose the weak SHA-1 algorithm.


A better solution would be if Apple informed about the fixes applied to their racoon fork in order to support open source community to port the changes back to the racoon implementations of other distributions.