Built-in MacOS IKEv2 VPN client still fails in 10.14?

Folks,


I've been setting up Strongswan on my FreeBSD server and trying to connect MacOS/iOS IKEv2 built-in VPN clients to it.


So far, no luck. I have found a handful of useful info on the strongSwan wiki, yet I still get that well-known message:


default 14:51:27.762402 +0200 nesessionmanager NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: Received a start command from com.apple.preference.network.re[1846]
default 14:51:27.765362 +0200 nesessionmanager NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: status changed to connecting
default 14:51:27.766046 +0200 nesessionmanager Failed to talk to secd after 4 attempts.
default 14:51:27.767337 +0200 nesessionmanager keychain blob version does not support integrity
error 14:51:27.787936 +0200 nesessionmanager Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2
default 14:51:28.115372 +0200 nesessionmanager NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: status changed to disconnecting
default 14:51:28.115436 +0200 nesessionmanager NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: Updated network agent (inactive)
default 14:51:28.175636 +0200 nesessionmanager NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: status changed to disconnected, last stop reason Plugin failed


I think it's always the old bug many other people stumbled on. Still not corrected? Any workaround?


Same behavior on iOS BTW.

Accepted Reply

A bug in iOS? Or a bug in Strongswan? As far as I know the built-in IKEv2 VPN client is working just fine on our recently released systems. And based on what I’ve heard from other developers testing IKEv2, this is very likely to be a glitch in your Strongswan configuration. Alas, Strongswan is way outside of my area of expertise. My recommendation is that you follow up via whatever support channel it provides.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies


Hey Quinn,


yeah, you're right. I had a pf routing problem on the FreeBSD side: no routing possible, so no CHILD SA phase. (TBH, I had put the debug level so high that particular error was buried in a lot of noise and had escaped my scrutiny.)


Still, the error messages are a bit weird on the MacOS side.


But you were right, and I apologize for the noise. Thanks for being so watchful!


V.