TorGuard

IKEv2 VPN disconnects after a few minutes

gilby

I am running macOS 10.13.4 and attempting to use an IKEv2 connection.

The VPN connects just fine and works for about 5 to 10 minutes.  Then it disconnects.  I have to manually reconnect.

A web search finds that a few others have reported this problem with IKEv2 VPNs (not Torguard), but no solution.

Is this a known problem?  And is there a solution?

10 answers to this question

  • 0
jtimmyf

I also have this same problem. No solution?

  • 0
gilby

In short, no solution.

I had contact with TorGuard support; they agreed there is an issue, but no timeframe for a solution.

Reading about IKEv2, it does some renegotiating of keys (I may not have that precisely correct) after/every 8 minutes.  macOS does this slightly differently to Windows (and iOS) - not a bug, just differently.  To fix it requires some reconfiguration of the server to behave in the way macOS expects.  And doing this without messing up Windows and iOS.

I have not attempted to get deeper into the issue and gone back to using OpenVPN.

I use IKEv2 on my iPhone and it is much better at reconnection than other protocols.

  • 0
gilby

In addition to the previous comment, the instructions on the page "How to setup IKEv2 VPN on Mac OS" https://torguard.net/knowledgebase.php?action=displayarticle&id=218 have changed since I used it in May last.

The current step 1 about adding a certificate to your login keychain did not exist when I last looked (I have a copy).  There is no explanation about how this will be used and it is not referred to again.

But, it makes no difference - the connection still drops after 8 minutes.  I also tried after adding the certificate to the system keychain - but that doesn't work.

  • 0
Support
On 11/20/2018 at 10:36 AM, gilby said:

In addition to the previous comment, the instructions on the page "How to setup IKEv2 VPN on Mac OS" https://torguard.net/knowledgebase.php?action=displayarticle&id=218 have changed since I used it in May last.

The current step 1 about adding a certificate to your login keychain did not exist when I last looked (I have a copy).  There is no explanation about how this will be used and it is not referred to again.

But, it makes no difference - the connection still drops after 8 minutes.  I also tried after adding the certificate to the system keychain - but that doesn't work.

 

Hi Gilby

Does it happen when using OpenVPN or any other protocol? Do you have a firewall enabled on your modem by chance? It might be worth disabling just for testing.

Regards

  • 0
jtimmyf

Thanks for the input gilby. OpenVPN works fine, BUT the speed is MORE than twice as fast using IKEv2. 40Mbps vs 150Mbps download. I have a secondary VPN provider that IKEv2 works with. I have to find another backup VPN if this issue remains. I hope they find a solution soon. Black Friday is when I usually renew my VPNs.

Additional info: No firewall on router or Mac. L2TP does work; it occasionally disconnects.

  • 0
Support
3 hours ago, jtimmyf said:

Thanks for the input gilby. OpenVPN works fine, BUT the speed is MORE than twice as fast using IKEv2. 40Mbps vs 150Mbps download. I have a secondary VPN provider that IKEv2 works with. I have to find another backup VPN if this issue remains. I hope they find a solution soon. Black Friday is when I usually renew my VPNs.

Additional info: No firewall on router or Mac. L2TP does work; it occasionally disconnects.

 

Hey,

We know macOS had a bug, a similar bug, and this just appeared recently.

We are looking into it.

Regards

  • 0
gilby

As with jtimmyf, no firewall and OpenVPN works fine.  I don't see the speed difference that jtimmyf is getting - but I only have a 50/20 internet connection.

My discussion with support was Ticket ID: 944287, with the final comment (from Support) being:

"We are looking into it, we are able to reproduce - we will see if there's something we can do server side to remedy it for now."

This was after me providing some Wireshark captures of the interaction when it drops out at the 8-minute mark. The interaction showed (and this is my interpretation) the client (my Mac) starting a new key exchange (ISAKMP on port 4500) at 8 minutes and the server (TorGuard) replying with an ICMP unreachable message. I believe the new key exchange is part of IKEv2 and that the Mac is correct in initiating this. My interpretation is that there is something in the content of the ISAKMP message which the TorGuard server fails to interpret - quite possibly because the Mac does it slightly differently to iOS or Windows. I don't know whether this should be considered a bug in macOS or a configuration issue with TorGuard - my understanding of IKEv2 is way too shallow to say either way.

I was using 10.13.5 (High Sierra) in May.  Now using 10.14.1 (Mojave).

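Added example, not part of any post in this thread: one way to triage a capture like the one described above, by reading the cleartext IKEv2 header of UDP/4500 packets and flagging client requests that are followed by an ICMP unreachable. The event tuples, addresses and helper names are constructed for illustration; CREATE_CHILD_SA is the IKEv2 rekey exchange defined in RFC 7296.

```python
import struct

EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}  # RFC 7296

def classify_udp4500(payload):
    """Classify a UDP/4500 payload as (kind, is_response, message_id)."""
    if payload == b"\xff":  # 1-byte NAT keepalive (RFC 3948)
        return ("NAT-KEEPALIVE", False, None)
    # IKE on UDP/4500 starts with a 4-byte zero non-ESP marker; ESP starts with a non-zero SPI.
    if len(payload) < 32 or payload[:4] != b"\x00" * 4:
        return ("ESP", False, None)
    # IKE header: SPIi(8) SPIr(8) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)
    _, _, _, _, exch, flags, msgid, _ = struct.unpack("!8s8sBBBBII", payload[4:32])
    return (EXCHANGES.get(exch, "EXCHANGE_%d" % exch), bool(flags & 0x20), msgid)  # 0x20 = Response

def rejected_requests(events, client, window=2.0):
    """Return [(time, exchange)] for client IKE requests answered by ICMP unreachable."""
    hits = []
    for i, (t, src, _dst, kind, payload) in enumerate(events):
        if kind != "udp4500" or src != client:
            continue
        name, is_resp, msgid = classify_udp4500(payload)
        if is_resp or name not in EXCHANGES.values():
            continue  # only IKE requests are of interest, not ESP data or keepalives
        for t2, _src2, dst2, kind2, payload2 in events[i + 1:]:
            if t2 - t > window:
                break
            if kind2 == "udp4500" and dst2 == client and classify_udp4500(payload2) == (name, True, msgid):
                break  # the server answered the request normally
            if kind2 == "icmp-unreachable" and dst2 == client:
                hits.append((t, name))
                break
    return hits

def ike(exchange, msgid, response=False):  # constructed header-only IKEv2 message
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, 0, 0x20, exchange, 0x20 if response else 0x08, msgid, 28)
    return b"\x00" * 4 + hdr

CLIENT, SERVER = "192.0.2.10", "198.51.100.20"  # documentation addresses, constructed
SAMPLE = [  # constructed timeline: (seconds, src, dst, kind, udp_payload)
    (0.00, CLIENT, SERVER, "udp4500", ike(35, 1)),
    (0.10, SERVER, CLIENT, "udp4500", ike(35, 1, response=True)),
    (120.0, CLIENT, SERVER, "udp4500", b"\xc1\x02\x03\x04" + b"\x00" * 40),  # ESP data
    (480.0, CLIENT, SERVER, "udp4500", ike(36, 2)),
    (480.05, SERVER, CLIENT, "icmp-unreachable", b""),
]

if __name__ == "__main__":
    print(rejected_requests(SAMPLE, CLIENT))
```

In a real capture the tuples would come from exported packet fields; only the IKE header is readable, because everything after it is encrypted.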
  • 0
Support
On 11/21/2018 at 8:52 PM, gilby said:

As with jtimmyf, no firewall and OpenVPN works fine.  I don't see the speed difference that jtimmyf is getting - but I only have a 50/20 internet connection.

My discussion with support was Ticket ID: 944287, with the final comment (from Support) being:

"We are looking into it, we are able to reproduce - we will see if there's something we can do server side to remedy it for now."

This was after me providing some Wireshark captures of the interaction when it drops out at the 8-minute mark. The interaction showed (and this is my interpretation) the client (my Mac) starting a new key exchange (ISAKMP on port 4500) at 8 minutes and the server (TorGuard) replying with an ICMP unreachable message. I believe the new key exchange is part of IKEv2 and that the Mac is correct in initiating this. My interpretation is that there is something in the content of the ISAKMP message which the TorGuard server fails to interpret - quite possibly because the Mac does it slightly differently to iOS or Windows. I don't know whether this should be considered a bug in macOS or a configuration issue with TorGuard - my understanding of IKEv2 is way too shallow to say either way.

I was using 10.13.5 (High Sierra) in May.  Now using 10.14.1 (Mojave).

 

This appears to be a bug in macOS itself and specific to IKEv2 - the client is sending the disconnect to the server - Windows, iOS, Android etc. are all OK.

Regards

  • 0
gilby
20 hours ago, Support said:

 

This appears to be a bug in macOS itself and specific to IKEv2 - the client is sending the disconnect to the server - Windows, iOS, Android etc. are all OK.

Regards

 

A bit of googling tells you that others have the 8 minutes problem. In particular there is discussion of the issue regarding both pfSense and strongSwan. The best I can find is that macOS is very picky about what ciphers are used - so Apple would consider it a configuration issue (on the server end) and not a bug. Two related links, where people have looked for solutions, rather than blaming:

https://forum.netgate.com/topic/105807/macos-10-12-ikev2-disconnects-after-8-minutes/8

https://forum.netgate.com/topic/98965/ikev2-ios-9-and-macosx-10-11-disconnect-after-480-sec

Configs that work with macOS client are these:

AES256 + SHA256 + DH group 14 (2048 bit)
AES256 + SHA256 + DH group 5 (1536 bit)
AES256 + SHA256 + DH group 19 (NIST ECP 256)

or, put another way:

AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536

But I am not sure that these cipher combinations work with other implementations of the IKEv2 client.

So I do believe that there is some experimentation that TorGuard can do to resolve the issue.

Failing that you can raise a bug with Apple (better from you as developer than from me).

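Added example, not part of any post in this thread and not TorGuard's configuration: a checker that expands a server's IKE proposal line and reports which of the combinations listed above it offers. The dash-separated keyword notation (strongSwan-style, e.g. `aes256-sha256-modp2048`), the keyword tables and the rule that the PRF follows the integrity keyword are assumptions of this example.

```python
from itertools import product

# The three combinations the post above lists as working with the macOS client.
MACOS_OK = [
    ("AES_CBC_256", "HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256", "MODP_2048"),
    ("AES_CBC_256", "HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256", "ECP_256"),
    ("AES_CBC_256", "HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256", "MODP_1536"),
]

# Assumed keyword tables (a small subset, enough for the sample lines below).
ENCR = {"aes128": "AES_CBC_128", "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
HASH = {"sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
        "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
        "sha384": ("HMAC_SHA2_384_192", "PRF_HMAC_SHA2_384")}
DH = {"modp1024": "MODP_1024", "modp1536": "MODP_1536", "modp2048": "MODP_2048",
      "ecp256": "ECP_256", "ecp384": "ECP_384"}

def expand(proposal):
    """Expand one proposal into every (encr, integ, prf, dh) tuple a peer could select."""
    encr, integ, prf, groups = [], [], [], []
    for word in proposal.strip().lower().split("-"):
        if word in ENCR:
            encr.append(ENCR[word])
        elif word in HASH:
            integ.append(HASH[word][0])
            prf.append(HASH[word][1])  # assumption: PRF derived from the integrity keyword
        elif word in DH:
            groups.append(DH[word])
        else:
            raise ValueError("unknown keyword: " + word)
    # Each transform type is negotiated independently, so take the full product.
    return list(product(encr, integ, prf, groups))

def macos_selectable(ike_line):
    """Return the listed macOS-working combinations that the configured line offers."""
    offered = set()
    for proposal in ike_line.rstrip("!").split(","):  # trailing "!" marks a strict list
        offered.update(expand(proposal))
    return [combo for combo in MACOS_OK if combo in offered]

if __name__ == "__main__":
    # Constructed sample lines, not taken from any real server.
    for line in ("aes128-sha1-modp1024,3des-sha1-modp1024",
                 "aes256-aes128-sha256-sha1-modp2048-modp1024!"):
        print(line, "->", macos_selectable(line))
```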
  • 0
Support
1 hour ago, gilby said:

 

A bit of googling tells you that others have the 8 minutes problem. In particular there is discussion of the issue regarding both pfSense and strongSwan. The best I can find is that macOS is very picky about what ciphers are used - so Apple would consider it a configuration issue (on the server end) and not a bug. Two related links, where people have looked for solutions, rather than blaming:

https://forum.netgate.com/topic/105807/macos-10-12-ikev2-disconnects-after-8-minutes/8

https://forum.netgate.com/topic/98965/ikev2-ios-9-and-macosx-10-11-disconnect-after-480-sec

Configs that work with macOS client are these:

AES256 + SHA256 + DH group 14 (2048 bit)
AES256 + SHA256 + DH group 5 (1536 bit)
AES256 + SHA256 + DH group 19 (NIST ECP 256)

or, put another way:

AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536

But I am not sure that these cipher combinations work with other implementations of the IKEv2 client.

So I do believe that there is some experimentation that TorGuard can do to resolve the issue.

Failing that you can raise a bug with Apple (better from you as developer than from me).

 

Hello,

We are not blaming; we have looked into the matter briefly and this is what we have found. We haven't finished investigating the matter and are still looking at solutions.

Regards
