I was able to get things working following a step by step guide provided by Nikita Tarikin. While my setup is not exactly as his setup, the IKEv2 part is very close.

At home I use a fairly new Apple PC (6 months old) and I am disconnecting every 24 minutes and I cannot figure out why. Maybe because Apple likes to hid things under gui simplified interfaces or it could be my lack of understanding of VPNs, specifically IKEv2.

Of my searches the only person I could find that had something similar was the below URL that has nothing to do with Mikrotik. Also they are referring to tools I am not that familiar with associated with manipulating Apple VPN settings.

https://medium.com/@kerberjg/resolving- ... 6d5795e587

I am looking on some guidance. From what I can see, it has to do with timeouts and rekeying failing?

Thank you for any help you can provide.

Mikrotik v7.13.4

Hi,

What version is it? Sonoma or Ventura?

If it is Sonoma, Apple decided at some point without "warning" to start establishing the PFS and when the rekey occurs it does not match its policy (DH2048) and drops the connection.

I installed a profile from appleconfigurator according to my configuration on the mikrotik server.

https://forums.macrumors.com/threads/so ... s.2406029/

Regards,

The workaround (coincidentally related to Mikrotik) on that thread:
https://forums.macrumors.com/threads/so ... t-32723225
seems to me easier to implement (and should work for *any other* new macintosh without needing to modifying the settings on the computer).

I have now changed the Lifetime on the IPSec Proposal to 20 minutes. I will know soon enough if it works. Thank you for the input.

From what I can tell from the two comments, the apple client does not rekey correctly with the mikrotik but the mikrotik can rekey with the apple. So I made the mikrotik timeout less than the 24 minute apple timeout.

I have now changed the Lifetime on the IPSec Proposal to 20 minutes. I will know soon enough if it works. Thank you for the input.

From what I can tell from the two comments, the apple client does not rekey correctly with the mikrotik but the mikrotik can rekey with the apple. So I made the mikrotik timeout less than the 24 minute apple timeout.

In theory one should use values that are unlike to conflict.
20 and 24 are "too even" (not coprimes) for my tastes, after 12x20 minutes renewals, the timing could overlap with 10x24, and probably something bad could happen.
Personally I would use, since on the mac side it is fixed at 24, 19 or 23 on the Mikrotik, though in practice I don't think it will be an issue, as there will probably be anyway some delay that will not make the two renewal times exactly the same.

In theory one should use values that are unlike to conflict.
20 and 24 are "too even" (not coprimes) for my tastes, after 12x20 minutes renewals, the timing could overlap with 10x24, and probably something bad could happen.
Personally I would use, since on the mac side it is fixed at 24, 19 or 23 on the Mikrotik, though in practice I don't think it will be an issue, as there will probably be anyway some delay that will not make the two renewal times exactly the same.

I will change to 23 minutes. 20 was arbitrary on my part. Anyways I am sending this message through the Mac (Sonoma 14.2.2) that was having the issue. It seems to be working as I passed the 24 minute mark and was able to maintain connection.

Thank you both that replied.