** THIS MESSAGE DOES NOT ANSWER YOUR QUESTION BUT STRENGTHENS YOUR OBSERVATION **


In the strongSwan logs, when the reauth time has expired, I get the following:

May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: initiator did not reauthenticate as requested
May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: IKE_SA rsa[1] will timeout in 48 seconds

And then the connection dies.

It seems that OSX doesn't respond to the AUTH_LIFETIME notify defined by RFC 4478 
(https://tools.ietf.org/html/rfc4478), so setting reauth_time = 0s is the safe 
option.

https://wiki.strongswan.org/projects/strongswan/wiki/expiryrekey

———

My OSX 10.13.4 offers the following when connecting, which do seem weak with 
today's availability. I couldn't see any way to enable GCM.

IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, 
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, 
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

——

With regards to logging, have you seen the logging help page [1]?

I have my logging configured as

# /etc/strongswan.d/charon-systemd.conf
charon-systemd {
  filelog {
    /var/log/strongswan.log {
        # strftime(3) format for the timestamp prefixed to each line
        time_format = %b %e %T
        # flush after every line, so the file is current while a tunnel is failing
        flush_line = yes
        # -1 silences every subsystem not listed explicitly (no ike/net/enc output)
        default = -1
        # 4 is the most verbose level for the cfg subsystem and can include sensitive data
        cfg = 4
    }
  }
}

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration



> On 3 May 2018, at 04:42, Darren S. <[email protected]> wrote:
> 
> The built-in VPN client has been a comedy of errors for my deployment... I 
> don't have faith in the current iteration of Apple's IKEv2 implementation. 
> I'm hoping to get around what appears to be a bug in the (rekeying? re-auth?) 
> that happens every 8 minutes that currently drops the tunnel, and to be able 
> to configure robust algorithms (I understand it also lacks support for things 
> like AES-GCM, defaults to weak DH groups, etc.). I can't figure out the magic 
> sauce required to get logging/debugging with IKEv2 (the common advice I see 
> to enable Racoon logging appears to apply to IKEv1 keying). It appears that 
> the only way of having granular control over settings is to use a 
> configuration profile and deal with a config utility or the plist format. 
> There are plenty of blog and forum posts and wiki pages in various places 
> that talk about how to make things work, but there's also an equivalent 
> amount of variance in what they recommend doing (including many that are 
> wrong or recommend insecure configurations).
> 
> I'm hoping the next version of the OS brings significant improvements to the 
> IPsec framework but at this point I was hoping to use a more robust and 
> configurable (and easier to diagnose) client. I can roll with the Homebrew 
> build but I was looking forward to trying out the graphical interface too.
> 
> - Darren
> 
> On Wed, May 2, 2018 at 12:30 PM, ccsalway <[email protected]> wrote:
> The built in VPN client is able to connect using Certificate and 
> Username/Password, so I’m curious what you hope to gain from a native app?
> 
> - C
> 
>> On 2 May 2018, at 19:28, Darren S. <[email protected]> wrote:
>> 
>> Hi,
>> 
>> Just noting that https://download.strongswan.org/osx/ shows no current Mac 
>> native app builds. It's not mentioned at 
>> https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm curious 
>> if these builds are no longer being done. Is the current guidance for macOS 
>> to use Homebrew or do a manual build? (And if the .app bundle build is no 
>> longer occurring, is there currently no supported macOS native app option)? 
>> 
>> -- 
>> Darren Spruell
>> [email protected]
> 
> 
> 
> -- 
> Darren Spruell
> [email protected]

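The proposal lists quoted above are exactly what a responder sees in charon's "received proposals" log line, so they can be audited mechanically. The script below is an added example for this thread, not strongSwan code and not anything the posters ran: it parses the logged proposals, rejects the ones that use 3DES, SHA-1 or a MODP group under 2048 bits (that cut-off is this example's own policy, not a strongSwan default), and renders the survivors as the `proposals =` / `esp_proposals =` strings swanctl.conf expects. The sample lines are constructed from the thread's proposals; the syslog prefix in front of them is assumed, and the keyword table covers only the algorithms a practitioner would expect from this client.

```python
"""Audit logged IKEv2 proposals and derive strict swanctl.conf proposal strings.

Added example for this thread, not strongSwan code.  The weak-list policy is
this example's own choice, not a strongSwan default.
"""
import re

# Constructed sample: the macOS 10.13.4 proposals quoted in the thread, laid out
# the way charon logs them under the cfg subsystem.  The syslog prefix and the
# "received proposals:" wording are assumed; the proposal strings are verbatim.
SAMPLE_LOG = [
    "May  3 05:29:00 ip-10-0-5-202 charon-systemd[3125]: received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "May  3 05:29:00 ip-10-0-5-202 charon-systemd[3125]: received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ",
]

# Policy (this example's): reject these outright, plus any MODP group under MIN_MODP_BITS.
WEAK = {
    "3DES_CBC": "3DES (64-bit block, 112-bit effective key)",
    "DES_CBC": "single DES",
    "NULL": "NULL encryption",
    "HMAC_SHA1_96": "SHA-1 integrity",
    "HMAC_MD5_96": "MD5 integrity",
    "PRF_HMAC_SHA1": "SHA-1 PRF",
    "PRF_HMAC_MD5": "MD5 PRF",
}
MIN_MODP_BITS = 2048

# One proposal as charon prints it: PROTO:ALG/ALG/...
PROPOSAL_RE = re.compile(r"\b(IKE|ESP|AH):([A-Z0-9_]+(?:/[A-Z0-9_]+)*)")


def weakness(alg):
    """Reason string if `alg` fails the policy above, otherwise None."""
    if alg in WEAK:
        return WEAK[alg]
    m = re.fullmatch(r"MODP_(\d+)", alg)
    if m and int(m.group(1)) < MIN_MODP_BITS:
        return f"MODP group below {MIN_MODP_BITS} bits"
    return None


def keyword(alg):
    """Map one strongSwan algorithm name (as logged) to its swanctl keyword."""
    rules = [
        (r"AES_CBC_(\d+)", lambda m: f"aes{m[1]}"),
        (r"AES_GCM_(\d+)_(\d+)", lambda m: f"aes{m[2]}gcm{m[1]}"),
        (r"3DES_CBC", lambda m: "3des"),
        (r"HMAC_SHA2_(\d+)_\d+", lambda m: f"sha{m[1]}"),
        (r"HMAC_SHA1_96", lambda m: "sha1"),
        (r"PRF_HMAC_SHA2_(\d+)", lambda m: f"prfsha{m[1]}"),
        (r"PRF_HMAC_SHA1", lambda m: "prfsha1"),
        (r"MODP_(\d+)", lambda m: f"modp{m[1]}"),
        (r"ECP_(\d+)", lambda m: f"ecp{m[1]}"),
        (r"CURVE_25519", lambda m: "curve25519"),
        (r"EXT_SEQ", lambda m: "esn"),
    ]
    for pattern, render in rules:
        m = re.fullmatch(pattern, alg)
        if m:
            return render(m)
    raise ValueError(f"no swanctl keyword known for {alg}")


def to_swanctl(algs):
    """Render one parsed proposal as a swanctl string, e.g. aes256-sha256-modp2048."""
    integ = next((a for a in algs if a.startswith("HMAC_")), None)
    out = []
    for a in algs:
        if a == "NO_EXT_SEQ":  # swanctl default (noesn); nothing to emit
            continue
        # strongSwan derives the PRF from the integrity algorithm when one is
        # given, so the PRF keyword is only needed for AEAD or mismatched PRFs.
        if a.startswith("PRF_") and integ and a == "PRF_" + integ.rsplit("_", 1)[0]:
            continue
        out.append(keyword(a))
    return "-".join(out)


def audit(lines):
    """Split logged proposals into accepted swanctl strings and rejected ones."""
    result = {}
    for line in lines:
        for proto, raw in PROPOSAL_RE.findall(line):
            algs = raw.split("/")
            entry = result.setdefault(proto, {"accept": [], "reject": []})
            reasons = [r for r in map(weakness, algs) if r]
            if reasons:
                entry["reject"].append((f"{proto}:{raw}", reasons))
            else:
                kw = to_swanctl(algs)
                if kw not in entry["accept"]:  # the client repeats ESP proposals
                    entry["accept"].append(kw)
    return result


def swanctl_settings(result):
    """swanctl.conf lines that accept only the strong proposals seen."""
    lines = []
    if result.get("IKE", {}).get("accept"):
        lines.append("proposals = " + ",".join(result["IKE"]["accept"]))
    if result.get("ESP", {}).get("accept"):
        lines.append("esp_proposals = " + ",".join(result["ESP"]["accept"]))
    return lines


if __name__ == "__main__":
    res = audit(SAMPLE_LOG)
    for entry in res.values():
        for text, reasons in entry["reject"]:
            print(f"reject {text}: {'; '.join(reasons)}")
    print("\n".join(swanctl_settings(res)))
```

Run against the sample it keeps `aes256-sha256-modp2048,aes256-sha256-ecp256` for IKE and `aes256-sha256` for ESP and rejects the MODP_1536, MODP_1024/SHA-1 and 3DES offers. The `proposals` line belongs in the connection section of swanctl.conf and `esp_proposals` in its child section; since a responder only agrees on a proposal both sides list, the macOS client then negotiates its first or second offer and its weak fallbacks are never selected. For the reauthentication drop discussed above, swanctl.conf keeps `reauth_time = 0` as its default and uses `rekey_time` for IKE_SA renewal, which is the rekey-instead-of-reauth behaviour the expiry/rekey wiki page describes.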