IKEv2 VPN not working on macOS Ventura

Hi, trying to get a simple VPN working. As always with VPNs, it seems to be extremely difficult. I just followed the guide: IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 | pfSense Documentation

When I connect to the VPN, it immediately disconnects.

Getting some errors on macOS client-side:

[IKE_AUTH R resp1 597E6EA2DA2B6874-8B3CC337F6071B5D] Initiator packet authentication method 
    Payload Type = Auth
    Authentication Protocol = RSASignature
    Authentication Data = {length = 256, bytes = 0x8cce2e97 acad9162 e87cec30 ff7b2a9c ... a71ab995 0b738a0e } does not match proposal SharedKey
IKEv2Session[1, 597E6EA2DA2B6874-8B3CC337F6071B5D] Failed to process IKE Auth packet (connect)
Failed to find suitable address, path supports IPv4 yes IPv6 no

macOS and iOS are a royal pain to get working, but it is possible.

This is worth a read:

https://forum.netgate.com/topic/150670/safe-ikev2-configuration-for-pfsense-and-windows-10-and-macos

You should also use a publicly issued certificate instead of a self-signed one. Install the ACME package in pfSense to issue a free Let’s Encrypt certificate.

Hello,

For macOS Ventura, if you look at the IPsec log in pfSense,
you see:
received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 1 18:22:34 charon 83915 09[CFG] <61665>
configured proposals:
IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

So, I added some parameters in Phase 1 and Phase 2 IPsec in pfSense.
On Phase 1
I added the algorithm:
Algo => Key Length => Hash => DH Group
---------------------------------------------------------
AES => 256 bits => SHA256 => 14 (2048 bit)

On Phase 2 Proposal
I added:
Encryption Algorithms => AES256-GCM
Hash Algorithms => SHA256
PFS key group => 14 (2048 bit)

And normally, it’s OK to connect your macOS Ventura to the IKEv2 VPN.

I hope it will be useful.
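As an added illustration (not code from any poster in this thread), the Python snippet below parses the charon `received proposals` / `configured proposals` lines shown above and checks whether any configured proposal offers exactly the transform set the macOS client sent, before and after adding the Phase 1 entry from this post. The log lines are constructed samples modelled on the quoted excerpt, and `VENTURA_P1` is an assumption about how strongSwan renders the pfSense entry "AES / 256 bits / SHA256 / DH 14".

```python
import re

# Constructed charon log lines modelled on the excerpt quoted in the post above;
# sample data, not a capture from the poster's firewall.
SAMPLE_LOG = """\
Jun 1 18:22:34 charon 83915 09[CFG] <61665> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 1 18:22:34 charon 83915 09[CFG] <61665> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# Assumed rendering of the pfSense Phase 1 entry "AES, 256 bits, SHA256, DH group 14".
VENTURA_P1 = "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.*)")


def extract_proposals(log):
    """Return {'received': [...], 'configured': [...]} from charon [CFG] lines."""
    found = {"received": [], "configured": []}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)].extend(p.strip() for p in m.group(2).split(","))
    return found


def transforms(proposal):
    """'IKE:A/B/C' -> frozenset({'A', 'B', 'C'}); an AEAD cipher such as AES_GCM has no integrity entry."""
    _, _, algs = proposal.partition(":")
    return frozenset(algs.split("/"))


def matching_proposals(received, configured):
    """Configured proposals offering exactly the transform set the peer proposed."""
    want = transforms(received)
    return [c for c in configured if transforms(c) == want]


def diagnose(log, extra_configured=()):
    """Map each received proposal to the configured proposals that can accept it."""
    found = extract_proposals(log)
    configured = found["configured"] + list(extra_configured)
    return {r: matching_proposals(r, configured) for r in found["received"]}


if __name__ == "__main__":
    for recv, hits in diagnose(SAMPLE_LOG).items():
        print("before:", recv, "->", hits or "no configured proposal matches")
    for recv, hits in diagnose(SAMPLE_LOG, [VENTURA_P1]).items():
        print("after adding SHA256 proposal:", recv, "->", hits)
```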

Thanks. Weirdly enough, it all worked fine when I upgraded to pfSense Plus, downloaded and installed the IPsec Export plugin (which is for some reason only available with Plus, but this is not documented anywhere), and installed the generated profile.