Hi Darren,

>>> Just noting that https://download.strongswan.org/osx/ shows no current
>>> Mac native app builds. It's not mentioned at
>>> https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm
>>> curious if these builds are no longer being done.
>>
>> See [1].
>
> Thanks! Would a subsequent remark in that wiki page be appropriate?
> (Is it something I can do if I register?)

Sure, go ahead.

>>> I don't have faith in the current iteration of Apple's IKEv2
>>> implementation. I'm hoping to get around what appears to be a bug in the
>>> (rekeying? re-auth?) that happens every 8 minutes that currently drops the
>>> tunnel, and to be able to configure robust algorithms.
>>
>> This might be due to a bug that Apple has known about for at least a
>> year (I reported it in January 2017 and it was already marked as a
>> duplicate), which seems to occur when the server sends back an
>> INVALID_KE_PAYLOAD during IKE_SA_INIT. During the IKE rekeying (which
>> it does after eight minutes) the client will send an incorrect DH public
>> value for the group it originally proposed, not the one the server
>> requested and that was used during IKE_SA_INIT.
>
> Is that the same as noted here?
>
> http://www.openradar.appspot.com/29821241

Doesn't look like it, the issue I described is regarding IKE_SA rekeying,
not CHILD_SA rekeying.

> I can't tell if the response from Apple is suggesting strongSwan is
> acting incorrectly in the described case (and if so, if the behavior
> is in fact incorrect).

It sounds like a configuration mismatch (one side wants to use PFS, the
other doesn't). So check your log to see if the issue you have is related
to IKE_SA or CHILD_SA rekeying.

Regards,
Tobias
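As an added illustration (not code from this thread or from strongSwan), a small Python model of the exchange Tobias describes: the responder answers the client's first IKE_SA_INIT with INVALID_KE_PAYLOAD, and at IKE_SA rekey time a client that falls back to its originally proposed group is caught by the responder's group check. The group numbers, the notify constant and the responder's reaction at rekey (INVALID_KE_PAYLOAD, as RFC 7296 specifies for a KE group mismatch) are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INVALID_KE_PAYLOAD = 17  # IKEv2 notify type (RFC 7296); assumed constant for the model


@dataclass
class Responder:
    """Server side of the IKE_SA: accepts only its preferred DH group."""
    preferred_group: int
    negotiated: Optional[int] = None  # group fixed during IKE_SA_INIT

    def ike_sa_init(self, proposed: List[int], ke_group: int) -> Tuple:
        # Initiator guessed a group for its KE payload; reject if it is not ours.
        if ke_group != self.preferred_group:
            return ("notify", INVALID_KE_PAYLOAD, self.preferred_group)
        self.negotiated = ke_group
        return ("ok", ke_group)

    def rekey_ike_sa(self, ke_group: int) -> Tuple:
        # CREATE_CHILD_SA rekey: the KE payload must use the group already
        # negotiated for this IKE_SA, otherwise the rekey fails.
        if ke_group != self.negotiated:
            return ("notify", INVALID_KE_PAYLOAD, self.negotiated)
        return ("ok", ke_group)


@dataclass
class Initiator:
    """Client side. remember_selected=False models the behaviour described above."""
    proposed: List[int]
    remember_selected: bool = True
    selected: Optional[int] = None

    def connect(self, r: Responder) -> Tuple:
        self.selected = self.proposed[0]  # first guess goes into the KE payload
        reply = r.ike_sa_init(self.proposed, self.selected)
        if reply[0] == "notify":           # INVALID_KE_PAYLOAD: retry with requested group
            self.selected = reply[2]
            reply = r.ike_sa_init(self.proposed, self.selected)
        return reply

    def rekey(self, r: Responder) -> Tuple:
        # Correct client reuses the group the server requested; buggy client
        # reverts to the group it originally proposed.
        group = self.selected if self.remember_selected else self.proposed[0]
        return r.rekey_ike_sa(group)


def simulate(remember_selected: bool) -> Tuple[Tuple, Tuple]:
    # Constructed scenario: client proposes MODP-2048 (14) first, server wants ECP-256 (19).
    r = Responder(preferred_group=19)
    i = Initiator(proposed=[14, 19], remember_selected=remember_selected)
    return i.connect(r), i.rekey(r)
```

`simulate(True)` completes both exchanges; `simulate(False)` shows the rekey being rejected even though IKE_SA_INIT succeeded, which is the pattern to look for in the log when distinguishing an IKE_SA rekey failure from a CHILD_SA one.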
