** THIS MESSAGE DOES NOT ANSWER YOUR QUESTION BUT STRENGTHENS YOUR OBSERVATION **
In the strongSwan logs, when the reauth time has expired, I get the following:

May 3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: initiator did not reauthenticate as requested
May 3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: IKE_SA rsa[1] will timeout in 48 seconds

And then the connection dies. It seems that OSX doesn’t respond to the AUTH_LIFETIME notify defined by RFC 4478 (https://tools.ietf.org/html/rfc4478). So setting reauth_time = 0s is the safe option: https://wiki.strongswan.org/projects/strongswan/wiki/expiryrekey

———

My OSX 10.13.4 offers the following when connecting, which do seem weak with today’s availability. I couldn’t see any way to enable GCM.

IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

——

With regards to logging, have you seen the logging help page [1]? I have my logging configured as follows in /etc/strongswan.d/charon-systemd.conf:

charon-systemd {
    filelog {
        /var/log/strongswan.log {
            time_format = %b %e %T
            flush_line = yes
            default = -1
            cfg = 4
        }
    }
}

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

> On 3 May 2018, at 04:42, Darren S. <[email protected]> wrote:
>
> The built-in VPN client has been a comedy of errors for my deployment... I
> don't have faith in the current iteration of Apple's IKEv2 implementation.
> I'm hoping to get around what appears to be a bug in the (rekeying? re-auth?)
> that happens every 8 minutes that currently drops the tunnel, and to be able
> to configure robust algorithms (I understand it also lacks support for things
> like AES-GCM, defaults to weak DH groups, etc.). I can't figure out the magic
> sauce required to get logging/debugging with IKEv2 (the common advice I see
> to enable Racoon logging appears to apply to IKEv1 keying). It appears that
> the only way of having granular control over settings is to use a
> configuration profile and deal with a config utility or the plist format.
> There are plenty of blog and forum posts and wiki pages in various places
> that talk about how to make things work, but there's also an equivalent
> amount of variance in what they recommend doing (including many that are
> wrong or recommend insecure configurations).
>
> I'm hoping the next version of the OS brings significant improvements to the
> IPsec framework but at this point I was hoping to use a more robust and
> configurable (and easier to diagnose) client. I can roll with the Homebrew
> build but I was looking forward to trying out the graphical interface too.
>
> - Darren
>
> On Wed, May 2, 2018 at 12:30 PM, ccsalway <[email protected]> wrote:
> The built-in VPN client is able to connect using Certificate and
> Username/Password, so I’m curious what you hope to gain from a native app?
>
> - C
>
>> On 2 May 2018, at 19:28, Darren S. <[email protected]> wrote:
>>
>> Hi,
>>
>> Just noting that https://download.strongswan.org/osx/
>> shows no current Mac native app builds. It's not mentioned at
>> https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX
>> so I'm curious if these builds are no longer being done. Is the current
>> guidance for macOS to use Homebrew or do a manual build? (And if the .app
>> bundle build is no longer occurring, is there currently no supported macOS
>> native app option)?
>>
>> --
>> Darren Spruell
>> [email protected]
>
>
>
> --
> Darren Spruell
> [email protected]
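The proposal check implied by the reply at the top of the thread, as an added example that is not strongSwan's code and not anything either poster ran: it parses IKE/ESP proposal strings in the form charon logs them, rejects any proposal carrying 3DES, SHA-1 or a MODP group under 2048 bits, and renders the survivors as the keyword strings swanctl.conf takes in `proposals` and `esp_proposals`. The sample offer is the one quoted from the macOS 10.13.4 client above; the weakness thresholds and the charon-name-to-keyword table are this example's own assumptions and cover only the algorithms that appear in that offer (plus aes256gcm16, since GCM comes up in the thread).

```python
"""Flag weak IKE/ESP proposals offered by a peer, as charon logs them.

Added example, not strongSwan code.  The sample offer is the one quoted
from the macOS 10.13.4 client in the thread; the weakness policy and the
charon-name -> swanctl-keyword table are this example's own assumptions.
"""
import re

# charon prints proposals as "IKE:ENC/INTEG/PRF/DH" or "ESP:ENC/INTEG/ESN".
PROPOSAL_RE = re.compile(r"\b(IKE|ESP|AH):([A-Z0-9_]+(?:/[A-Z0-9_]+)*)")

# Constructed sample: the offer quoted from the macOS client in the thread
# (note the three identical AES-256 ESP proposals).
MACOS_OFFER = (
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ"
)

# Policy (assumption): reject 64-bit block ciphers, SHA-1 integrity/PRF,
# and MODP groups below 2048 bits.
WEAK = {
    "3DES_CBC": "64-bit block cipher (Sweet32)",
    "HMAC_SHA1_96": "SHA-1 integrity",
    "PRF_HMAC_SHA1": "SHA-1 PRF",
    "MODP_1024": "DH group 2 (1024-bit)",
    "MODP_1536": "DH group 5 (1536-bit, below 2048)",
}

# charon algorithm name -> swanctl.conf proposal keyword (assumption; only
# the algorithms seen in the sample are mapped, plus AES-GCM for reference).
KEYWORD = {
    "AES_CBC_256": "aes256", "AES_CBC_128": "aes128",
    "AES_GCM_16_256": "aes256gcm16",
    "HMAC_SHA2_256_128": "sha256", "HMAC_SHA1_96": "sha1",
    "MODP_2048": "modp2048", "MODP_1536": "modp1536", "MODP_1024": "modp1024",
    "ECP_256": "ecp256",
}


def parse_proposals(text):
    """Return [(proto, [alg, ...]), ...] for every proposal in the text."""
    return [(p, algs.split("/")) for p, algs in PROPOSAL_RE.findall(text)]


def weak_reasons(algs):
    """Reasons a proposal fails the policy; an empty list means it passes."""
    return [f"{a}: {WEAK[a]}" for a in algs if a in WEAK]


def to_swanctl(proto, algs):
    """Render an acceptable proposal as a swanctl keyword string.

    The PRF is dropped (strongSwan derives it from the integrity algorithm)
    and NO_EXT_SEQ/EXT_SEQ is an ESP flag, not a proposal keyword, so only
    mapped encryption/integrity/DH names survive.
    """
    parts = [KEYWORD[a] for a in algs if a in KEYWORD and not a.startswith("PRF_")]
    return "-".join(parts)


def audit(text):
    """Split an offer into {'accepted': {proto: [kw, ...]}, 'rejected': [...]}."""
    accepted, rejected = {}, []
    for proto, algs in parse_proposals(text):
        reasons = weak_reasons(algs)
        if reasons:
            rejected.append((proto, "/".join(algs), reasons))
            continue
        kw = to_swanctl(proto, algs)
        bucket = accepted.setdefault(proto, [])
        if kw not in bucket:  # the ESP offer repeats identical proposals
            bucket.append(kw)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = audit(MACOS_OFFER)
    for proto, kws in result["accepted"].items():
        key = "proposals" if proto == "IKE" else "esp_proposals"
        print(f"{key} = {','.join(kws)}")
    for proto, prop, reasons in result["rejected"]:
        print(f"rejected {proto}:{prop} -> {'; '.join(reasons)}")
```

Run against the quoted offer it prints `proposals = aes256-sha256-modp2048,aes256-sha256-ecp256` (for the connection section) and `esp_proposals = aes256-sha256` (for the child section), and lists the five rejected proposals with the component that failed. Restricting the responder to those keywords makes the client's weaker offers unacceptable rather than merely unpreferred; reauth_time is a separate setting and is not touched here.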
