Built-in MacOS IKEv2 VPN client still fails in 10.14?

Question

Created Oct ’18

Replies 2

Boosts 0

Views 3.5k

Participants 2

Folks,

I've been setting up Strongswan on my FreeBSD server and trying to connect MacOS/iOS IKEv2 built-in VPN clients to it.

So far, no luck. I have found a handful of useful info on the strongSwan wiki, yet I still get that well-known message:

default	14:51:27.762402 +0200	nesessionmanager	NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: Received a start command from com.apple.preference.network.re[1846]
default	14:51:27.765362 +0200	nesessionmanager	NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: status changed to connecting
default	14:51:27.766046 +0200	nesessionmanager	Failed to talk to secd after 4 attempts.
default	14:51:27.767337 +0200	nesessionmanager	keychain blob version does not support integrity
error	14:51:27.787936 +0200	nesessionmanager	Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2
default	14:51:28.115372 +0200	nesessionmanager	NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: status changed to disconnecting
default	14:51:28.115436 +0200	nesessionmanager	NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: Updated network agent (inactive)
default	14:51:28.175636 +0200	nesessionmanager	NESMIKEv2VPNSession[VPN (IKEv2):F19B5DBD-6A95-4C2D-BD68-E96DD1842307]: status changed to disconnected, last stop reason Plugin failed

I think it's always the old bug many other people stumbled on. Still not corrected? Any workaround?

Same bahvior on iOS BTW.

Answered by DTS Engineer in 336021022

A bug in iOS? Or a bug in Strongswan? As far as I know the built-in IKEv2 VPN client is working just fine on our recently released systems. And based on what I’ve heard from other developers testing IKEv2, this is very likely to be a glitch in your Strongswan configuration. Alas, Strongswan is way outside of my area of expertise. My recommendation is that you follow up via whatever support channel it provides.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’18

Accepted Answer

A bug in iOS? Or a bug in Strongswan? As far as I know the built-in IKEv2 VPN client is working just fine on our recently released systems. And based on what I’ve heard from other developers testing IKEv2, this is very likely to be a glitch in your Strongswan configuration. Alas, Strongswan is way outside of my area of expertise. My recommendation is that you follow up via whatever support channel it provides.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

Vingt-Cent OP

Oct ’18

Hey Quinn,

yeah, you're right. I had a pf routing problem on the FreeBSD side: no routing possible, so no CHILD SA phase. (TBH, I had put the debug level so high that particular error was buried into a lot of noise and had escaped my scrutiny).

Still, the error messages are a bit weird on the MacOS side.

But you were right, and I apologize for the noise. Thanks for being so watchful!

V.

0