IKEv2 VPN with macOS client disconnects every 8 minutes

Anyone having trouble with the built-in VPN client in macOS Sequoia 15.2? For some unknown reason, the VPN disconnects after 8 minutes, but it only happens with the macOS client (it works perfectly with the iOS client). The logs on Mikrotik do not contain any useful information about why it gets disconnected. Here are the phase1-2 configs:

name="ike2-proposal" auth-algorithms=sha512,sha256
      enc-algorithms=chacha20poly1305,aes-256-cbc,aes-256-ctr,aes-256-gcm
      lifetime=30m pfs-group=modp2048

name="ike2" hash-algorithm=sha256 enc-algorithm=aes-256
     dh-group=x25519,ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,
         modp2048
     lifetime=1d proposal-check=obey nat-traversal=yes
     dpd-interval=disable-dpd

This is what I see in the logs:

15:13:08 ipsec,info killing ike2 SA: ipsec_peer1 remote_ipv6_address[4500]-laptop_ipv6_address[4500] spi:5749e2dbc237181a:fba7b0f7cfc9e797
15:13:08 ipsec,info releasing address 10.z.x.y

2 questions:

  1. Does anyone know how to configure ipsec logging to have more meaningful information? Setting up ipsec,debug,!packet includes lots of hexadecimal sorcery but no useful information.
  2. Does anyone have this working and would share their settings for proposal & profile?
> Does anyone know how to configure ipsec logging to have more meaningful information? Setting up ipsec,debug,!packet includes lots of hexadecimal sorcery but no useful information.

Scattered among the “hexadecimal sorcery” is actually a lot of useful information, just ignore the rows with the hex and read the rest.

> Does anyone have this working and would share their settings for proposal & profile?

It used to be 24 minutes; maybe Apple has shortened the time further? http://forum.mikrotik.com/t/vpn-ikev2-macos-disconnect-after-24-minutes/174470/1
I had to create a dedicated proposal and configure the Apple clients to use responder ID (I don’t remember the field name in the iOS form though):
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=23m19s name=apple pfs-group=ecp256
/ip ipsec policy group
add name=apple
/ip ipsec policy
add group=apple proposal=apple template=yes
/ip ipsec identity
add auth-method=eap-radius certificate=letsencrypt-autogen_2024-10-24T00:35:26Z,LetsEncryptR11 generate-policy=port-strict mode-config=apple my-id=fqdn:apple.inc peer=ike2-responder policy-template-group=apple

Thanks, but you seem to be using EC certificates, not RSA, no? I can try reducing the lifetime to see if that does the trick, but for me it’s always exactly 8 minutes.
Do you know how to see in the logs which algorithm was chosen by the client?
I tried it with a 7m lifetime but it still disconnected; however, now I see this in the logs: ipsec,error IPsec-SA expired before finishing rekey:

I’m not an iOS specialist so I have no clue whether the type of certificate (which is only used in Phase 1) affects the parameters for Phase 2, but Mikrotik only requests RSA certificates from Let’s Encrypt.

For me it was also exactly 24 minutes until I implemented that workaround where Mikrotik initiates the rekeying before the iOS client.

In the logs you can see all the transforms the client proposes for both Phase 1 and Phase 2 - since iOS is the initiator (client), it proposes and the Mikrotik chooses. In the log, it looks as follows for Phase 1:
14:32:27 ipsec IKE Protocol: IKE
14:32:27 ipsec proposal #1
14:32:27 ipsec enc: 3des-cbc
14:32:27 ipsec prf: hmac-sha1
14:32:27 ipsec auth: sha1
14:32:27 ipsec dh: modp1024
14:32:27 ipsec proposal #2
14:32:27 ipsec enc: aes256-cbc
14:32:27 ipsec prf: hmac-sha1
14:32:27 ipsec auth: sha1
14:32:27 ipsec dh: modp1024
14:32:27 ipsec proposal #3
14:32:27 ipsec enc: 3des-cbc
14:32:27 ipsec prf: hmac-sha256
14:32:27 ipsec auth: sha256
14:32:27 ipsec dh: modp1024

and later, you can find similar rows for Phase 2:
14:32:28 ipsec processing payload: SA
14:32:28 ipsec IKE Protocol: ESP
14:32:28 ipsec proposal #1
14:32:28 ipsec enc: aes256-cbc
14:32:28 ipsec auth: sha1
14:32:28 ipsec proposal #2
14:32:28 ipsec enc: 3des-cbc
14:32:28 ipsec auth: sha1

Thanks, but what you have just shared is not what I see in the logs - can you please confirm your log settings? I have ipsec,debug,!packet but I see nothing like what you have shared in your post.
Also, the client here is macOS, not iOS (iOS clients work without any problems, only macOS disconnects), and I’m using my own CA (outside Mikrotik) to generate certificates. I was under the impression that you can only use the EC DH groups with EC certificates, and that’s what I wanted to confirm, but I don’t think the problem will be with the certificates but rather with the settings.

Sorry for mixing up iOS and macOS, I’m not even sure which one of those had the 24-minute issue in my case.

As for the need to use EC-based DH groups if you use an EC certificate, I know this to be an issue with Windows, but I have never encountered it anywhere else - as you can see from the above, even the Apple device exhibiting the 24-minute issue doesn’t have any trouble accepting an RSA certificate and then using an EC-based PFS algorithm.

I normally use topics=ipsec,!packet without the debug so maybe that’s the reason - in the rows I posted, the debug attribute is not shown.

Thanks, with those log settings I was able to learn more about the problem. It seems there is only 1 proposal for rekeying and, for some reason, the macOS client does not choose that.

11:13:28 ipsec ipsecdebug: processing payload: SA
11:13:28 ipsec ipsecdebug: IKE Protocol: IKE
11:13:28 ipsec ipsecdebug:  proposal #1
11:13:28 ipsec ipsecdebug:   enc: aes256-cbc
11:13:28 ipsec ipsecdebug:   prf: hmac-sha256
11:13:28 ipsec ipsecdebug:   auth: sha256
11:13:28 ipsec ipsecdebug:   dh: modp2048
11:13:28 ipsec ipsecdebug:  proposal #2
11:13:28 ipsec ipsecdebug:   enc: aes256-cbc
11:13:28 ipsec ipsecdebug:   prf: hmac-sha256
11:13:28 ipsec ipsecdebug:   auth: sha256
11:13:28 ipsec ipsecdebug:   dh: ecp256
11:13:28 ipsec ipsecdebug:  proposal #3
11:13:28 ipsec ipsecdebug:   enc: aes256-cbc
11:13:28 ipsec ipsecdebug:   prf: hmac-sha256
11:13:28 ipsec ipsecdebug:   auth: sha256
11:13:28 ipsec ipsecdebug:   dh: modp1536
11:13:28 ipsec ipsecdebug:  proposal #4
11:13:28 ipsec ipsecdebug:   enc: aes128-cbc
11:13:28 ipsec ipsecdebug:   prf: hmac-sha1
11:13:28 ipsec ipsecdebug:   auth: sha1
11:13:28 ipsec ipsecdebug:   dh: modp1024
11:13:28 ipsec ipsecdebug:  proposal #5
11:13:28 ipsec ipsecdebug:   enc: 3des-cbc
11:13:28 ipsec ipsecdebug:   prf: hmac-sha1
11:13:28 ipsec ipsecdebug:   auth: sha1
11:13:28 ipsec ipsecdebug:   dh: modp1024
11:13:28 ipsec ipsecdebug: matched proposal:
11:13:28 ipsec ipsecdebug:  proposal #1
11:13:28 ipsec ipsecdebug:   enc: aes256-cbc
11:13:28 ipsec ipsecdebug:   prf: hmac-sha256
11:13:28 ipsec ipsecdebug:   auth: sha256
11:13:28 ipsec ipsecdebug:   dh: modp2048
11:13:28 ipsec ipsecdebug: processing payload: KE
--snip---
11:13:28 ipsec ipsecdebug: IKE Protocol: ESP
11:13:28 ipsec ipsecdebug:  proposal #1
11:13:28 ipsec ipsecdebug:   enc: aes256-cbc
11:13:28 ipsec ipsecdebug:   auth: sha256
11:13:28 ipsec ipsecdebug:  proposal #2
11:13:28 ipsec ipsecdebug:   enc: aes128-cbc
11:13:28 ipsec ipsecdebug:   auth: sha1
11:13:28 ipsec ipsecdebug:  proposal #3
11:13:28 ipsec ipsecdebug:   enc: 3des-cbc
11:13:28 ipsec ipsecdebug:   auth: sha1
11:13:28 ipsec ipsecdebug: processing payload: TS_I
11:13:28 ipsec ipsecdebug: 0.0.0.0/0
11:13:28 ipsec ipsecdebug: [::/0]
11:13:28 ipsec ipsecdebug: processing payload: TS_R
11:13:28 ipsec ipsecdebug: 0.0.0.0/0
11:13:28 ipsec ipsecdebug: [::/0]
11:13:28 ipsec ipsecdebug: TSi in tunnel mode replaced with config address: 10.x.y.z
11:13:28 ipsec ipsecdebug: TSr in tunnel mode replaced with split subnet: 0.0.0.0/0
11:13:28 ipsec ipsecdebug: candidate selectors: 0.0.0.0/0 <=> 10.x.y.z
11:13:28 ipsec ipsecdebug: candidate selectors: [::/0] <=> [::/0]
11:13:28 ipsec ipsecdebug: searching for policy for selector: 0.0.0.0/0 <=> 10.x.y.z
11:13:28 ipsec ipsecdebug: generating policy
11:13:28 ipsec ipsecdebug: matched proposal:
11:13:28 ipsec ipsecdebug:  proposal #1
11:13:28 ipsec ipsecdebug:   enc: aes256-cbc
11:13:28 ipsec ipsecdebug:   auth: sha256
11:13:28 ipsec ipsecdebug: ike auth: finish

8 minutes pass

11:21:28 ipsec ipsecdebug: IKE SA rekey
11:21:28 ipsec ipsecdebug: processing payload: SA
11:21:28 ipsec ipsecdebug: IKE Protocol: IKE
11:21:28 ipsec ipsecdebug:  proposal #1
11:21:28 ipsec ipsecdebug:   enc: aes256-cbc
11:21:28 ipsec ipsecdebug:   prf: hmac-sha256
11:21:28 ipsec ipsecdebug:   auth: sha256
11:21:28 ipsec ipsecdebug:   dh: modp2048
11:21:28 ipsec ipsecdebug: matched proposal:
11:21:28 ipsec ipsecdebug:  proposal #1
11:21:28 ipsec ipsecdebug:   enc: aes256-cbc
11:21:28 ipsec ipsecdebug:   prf: hmac-sha256
11:21:28 ipsec ipsecdebug:   auth: sha256
11:21:28 ipsec ipsecdebug:   dh: modp2048
11:21:28 ipsec ipsecdebug: processing payload: KE
11:21:28 ipsec ipsecdebug: processing payload: NONCE
11:21:28 ipsec ipsecdebug: adding payload: SA
11:21:28 ipsec ipsecdebug: adding payload: KE
11:21:28 ipsec ipsecdebug: adding payload: NONCE
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:2 client_ipv6_address[4500] 5075bb554b1b4b8f:5aae9a769e4febaa
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:3 client_ipv6_address[4500] 5075bb554b1b4b8f:5aae9a769e4febaa
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: DELETE
11:21:28 ipsec ipsecdebug: respond: info
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:3 client_ipv6_address[4500] 5075bb554b1b4b8f:5aae9a769e4febaa
11:21:28 ipsec ipsecdebug: processing payloads: DELETE
11:21:28 ipsec ipsecdebug: delete IKE SA
11:21:28 ipsec ipsecdebug: rekey done
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: CREATE_CHILD_SA:0 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: NOTIFY
11:21:28 ipsec ipsecdebug: payload seen: SA
11:21:28 ipsec ipsecdebug: payload seen: NONCE
11:21:28 ipsec ipsecdebug: payload seen: TS_I
11:21:28 ipsec ipsecdebug: payload seen: TS_R
11:21:28 ipsec ipsecdebug: create child: respond
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY
11:21:28 ipsec ipsecdebug:   notify: REKEY_SA
11:21:28 ipsec ipsecdebug: rekeying child SA 0xafc1567
11:21:28 ipsec ipsecdebug: peer wants tunnel mode
11:21:28 ipsec ipsecdebug: processing payload: TS_R
11:21:28 ipsec ipsecdebug: 0.0.0.0/0
11:21:28 ipsec ipsecdebug: processing payload: TS_I
11:21:28 ipsec ipsecdebug: 10.x.y.z
11:21:28 ipsec ipsecdebug: checking: 0.0.0.0/0 <=> 10.x.y.z
11:21:28 ipsec ipsecdebug: processing payload: SA
11:21:28 ipsec ipsecdebug: IKE Protocol: ESP
11:21:28 ipsec ipsecdebug:  proposal #1
11:21:28 ipsec ipsecdebug:   enc: aes256-cbc
11:21:28 ipsec ipsecdebug:   auth: sha256
11:21:28 ipsec ipsecdebug: reply notify: NO_PROPOSAL_CHOSEN
11:21:28 ipsec ipsecdebug: adding notify: NO_PROPOSAL_CHOSEN
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:0 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:1 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: DELETE
11:21:28 ipsec ipsecdebug: respond: info
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:1 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: processing payloads: DELETE
11:21:28 ipsec ipsecdebug: delete ESP SA
11:21:28 ipsec ipsecdebug: delete spi: 0xafc1567
11:21:28 ipsec ipsecdebug: IPsec-SA killing: client_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0xd4cc08d
11:21:28 ipsec ipsecdebug: IPsec-SA killing: mikrotik_ipv6_address[4500]->client_ipv6_address[4500] spi=0xafc1567
11:21:28 ipsec ipsecdebug: removing generated policy
11:21:28 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:2 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: payload seen: ENC
11:21:28 ipsec ipsecdebug: processing payload: ENC
11:21:28 ipsec ipsecdebug: payload seen: DELETE
11:21:28 ipsec ipsecdebug: respond: info
11:21:28 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
11:21:28 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:2 client_ipv6_address[4500] cc797dcb76722b2f:8cdbef8c0100ebba
11:21:28 ipsec ipsecdebug: processing payloads: DELETE
11:21:28 ipsec ipsecdebug: delete IKE SA
11:21:28 ipsec,info killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-client_ipv6_address[4500] spi:8cdbef8c0100ebba:cc797dcb76722b2f
11:21:28 ipsec,info ipsecdebug: killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-client_ipv6_address[4500] spi:8cdbef8c0100ebba:cc797dcb76722b2f
11:21:28 ipsec,info releasing address 10.x.y.z

The rekey proposal comes from the macOS, Mikrotik accepts it, and the macOS sends DELETE nevertheless. It looks very similar to the 24-minute behavior; maybe the SA lifetime is 3 times shorter for IPv6? So try limiting the lifetime to 7m49s on the Mikrotik side so that it initiates the rekeying process before the Mac can, and see whether that helps.

I read it differently: Mikrotik offers only 1 proposal and macOS does not choose that. I tried reducing the lifetime to 2 minutes and it got disconnected after 2 minutes; however, removing the DH group from the proposal seems to have fixed it and it’s been connected for some time now. However, it again disconnected after 8 minutes when I increased the lifetime back to 30 minutes.

“processing payload” normally means that the packet carrying the payload came from the other peer; can you double-check that on the few rows just before the
11:21:28 ipsec ipsecdebug: IKE SA rekey
11:21:28 ipsec ipsecdebug: processing payload: SA

ones?
Other than that, can you show me the log from the case when the Tik initiates the rekey?
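An added example, not from this thread or from MikroTik, that parses debug output of the shape posted above to answer the questions raised in it: which transforms the client offered and which one RouterOS matched, which side sent the CREATE_CHILD_SA request (in these logs "->" marks a packet received from the peer and "<-" one RouterOS sent, as the request/reply lines around "ike2 respond" and "sending dpd packet" show), how long after the IPsec SA came up the first rekey fired, and whether RouterOS replied NO_PROPOSAL_CHOSEN. It assumes the "ipsec ipsecdebug:" line format shown in the posts and runs on a constructed sample whose addresses and SPIs are invented.

```python
import re

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ipsec[\w,]* (?:ipsecdebug: )?(.*)$")
REKEY_REQ_RE = re.compile(r"^(<-|->) ike2 request, exchange: CREATE_CHILD_SA:")
TRANSFORM_RE = re.compile(r"^\s*(enc|prf|auth|dh): (\S+)$")
EVENTS = ("IPsec-SA established", "IKE SA rekey", "rekeying child SA",
          "reply notify: NO_PROPOSAL_CHOSEN")

# Constructed sample in the shape of the logs posted in this thread (addresses and SPIs are
# invented): the client's initial IKE offer, then a child-SA rekey 8 minutes later refused.
SAMPLE_LOG = """\
16:54:36 ipsec ipsecdebug: IKE Protocol: IKE
16:54:36 ipsec ipsecdebug:  proposal #1
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha256
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug:   dh: modp2048
16:54:36 ipsec ipsecdebug:  proposal #2
16:54:36 ipsec ipsecdebug:   enc: 3des-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha1
16:54:36 ipsec ipsecdebug:   auth: sha1
16:54:36 ipsec ipsecdebug:   dh: modp1024
16:54:36 ipsec ipsecdebug: matched proposal:
16:54:36 ipsec ipsecdebug:  proposal #1
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha256
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug:   dh: modp2048
16:54:36 ipsec ipsecdebug: IPsec-SA established: 2001:db8::2[4500]->2001:db8::1[4500] spi=0x1
17:02:36 ipsec ipsecdebug: -> ike2 request, exchange: CREATE_CHILD_SA:0 2001:db8::2[4500] 0000000000000003:0000000000000004
17:02:36 ipsec ipsecdebug: rekeying child SA 0x1
17:02:36 ipsec ipsecdebug: IKE Protocol: ESP
17:02:36 ipsec ipsecdebug:  proposal #1
17:02:36 ipsec ipsecdebug:   enc: aes256-cbc
17:02:36 ipsec ipsecdebug:   auth: sha256
17:02:36 ipsec ipsecdebug: reply notify: NO_PROPOSAL_CHOSEN
"""

def parse(log):
    """Return (negotiations, events): per SA payload, the transform sets the peer offered and
    the one RouterOS matched; plus rekey-related lines, each CREATE_CHILD_SA request tagged by
    its sender ('->' is a packet received from the peer, '<-' one RouterOS sent)."""
    negotiations, events = [], []
    current = prop = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        text = msg.strip()
        if text.startswith("IKE Protocol: "):
            current = {"ts": ts, "protocol": text.split(": ", 1)[1], "offered": [], "matched": None}
            negotiations.append(current)
            continue
        if text == "matched proposal:" and negotiations:  # may come well after the offers
            current = negotiations[-1]
            current["matched"] = prop = {}
            continue
        if current is not None:
            if text.startswith("proposal #"):
                if current["matched"] is None:  # still listing the peer's offers
                    prop = {}
                    current["offered"].append(prop)
                continue
            t = TRANSFORM_RE.match(msg)
            if t and prop is not None:
                prop[t.group(1)] = t.group(2)
                continue
            current = prop = None  # any other line ends the SA payload dump
        req = REKEY_REQ_RE.match(text)
        if req:
            events.append((ts, "rekey request from " + ("peer" if req.group(1) == "->" else "local")))
        elif text.startswith(EVENTS):
            events.append((ts, text))
    return negotiations, events

def fmt(prop):
    return " ".join(f"{k}={v}" for k, v in prop.items())

def summarise(log):
    """Who started the first rekey and how long after the IPsec SA came up, what was offered
    and chosen in each SA payload, and which child-SA offers RouterOS refused."""
    negotiations, events = parse(log)
    out = {"negotiations": [(n["ts"], n["protocol"], [fmt(p) for p in n["offered"]],
                             fmt(n["matched"]) if n["matched"] else None) for n in negotiations],
           "rekey_initiator": None, "seconds_to_first_rekey": None, "refused": []}
    secs = lambda t: sum(int(x) * k for x, k in zip(t.split(":"), (3600, 60, 1)))
    origin, established = None, next((ts for ts, e in events if e.startswith("IPsec-SA established")), None)
    for ts, e in events:
        if e.startswith("rekey request from "):
            origin = e.rsplit(" ", 1)[1]
        elif e.startswith(("IKE SA rekey", "rekeying child SA")) and out["rekey_initiator"] is None:
            out["rekey_initiator"] = origin
            if established is not None:
                out["seconds_to_first_rekey"] = (secs(ts) - secs(established)) % 86400
        elif e.startswith("reply notify: NO_PROPOSAL_CHOSEN"):
            esp = [n for n in negotiations if n["protocol"] == "ESP" and n["ts"] == ts]
            out["refused"].append((ts, [fmt(p) for p in esp[-1]["offered"]] if esp else []))
    return out
```

The seconds_to_first_rekey value (480 for the sample) is the interval the client waits before rekeying, which is what the Mikrotik-side lifetime has to undercut for the "let Mikrotik initiate the rekey first" workaround described earlier in the thread.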

Here is the entire log for an 8-minute-long session (I added === breaks at the 2-minute dead peer detection items). I no longer see the “NO_PROPOSAL_CHOSEN” error but it disconnects regardless. I can try reducing the lifetime, but I feel something else is the problem here.

I also trimmed the configs, so this is the profile:

name="ike2" hash-algorithm=sha256 prf-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=3

And this is the proposal:

name="ike2-proposal" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none

And here is the full log:

16:54:36 ipsec ipsecdebug: -> ike2 request, exchange: SA_INIT:0 laptop_ipv6_address[500] 19daf5dfb3e01030:0000000000000000
16:54:36 ipsec ipsecdebug: ike2 respond
16:54:36 ipsec ipsecdebug: payload seen: SA
16:54:36 ipsec ipsecdebug: payload seen: KE
16:54:36 ipsec ipsecdebug: payload seen: NONCE
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: processing payload: SA
16:54:36 ipsec ipsecdebug: IKE Protocol: IKE
16:54:36 ipsec ipsecdebug:  proposal #1
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha256
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug:   dh: modp2048
16:54:36 ipsec ipsecdebug:  proposal #2
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha256
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug:   dh: ecp256
16:54:36 ipsec ipsecdebug:  proposal #3
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha256
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug:   dh: modp1536
16:54:36 ipsec ipsecdebug:  proposal #4
16:54:36 ipsec ipsecdebug:   enc: aes128-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha1
16:54:36 ipsec ipsecdebug:   auth: sha1
16:54:36 ipsec ipsecdebug:   dh: modp1024
16:54:36 ipsec ipsecdebug:  proposal #5
16:54:36 ipsec ipsecdebug:   enc: 3des-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha1
16:54:36 ipsec ipsecdebug:   auth: sha1
16:54:36 ipsec ipsecdebug:   dh: modp1024
16:54:36 ipsec ipsecdebug: matched proposal:
16:54:36 ipsec ipsecdebug:  proposal #1
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   prf: hmac-sha256
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug:   dh: modp2048
16:54:36 ipsec ipsecdebug: processing payload: KE
16:54:36 ipsec ipsecdebug: ike2 respond finish: request, exchange: SA_INIT:0 laptop_ipv6_address[500] 19daf5dfb3e01030:0000000000000000
16:54:36 ipsec ipsecdebug: processing payload: NONCE
16:54:36 ipsec ipsecdebug: adding payload: SA
16:54:36 ipsec ipsecdebug: adding payload: KE
16:54:36 ipsec ipsecdebug: adding payload: NONCE
16:54:36 ipsec ipsecdebug: adding notify: NAT_DETECTION_SOURCE_IP
16:54:36 ipsec ipsecdebug: adding notify: NAT_DETECTION_DESTINATION_IP
16:54:36 ipsec ipsecdebug: adding notify: IKEV2_FRAGMENTATION_SUPPORTED
16:54:36 ipsec ipsecdebug: adding payload: CERTREQ
16:54:36 ipsec ipsecdebug: <- ike2 reply, exchange: SA_INIT:0 laptop_ipv6_address[500] 19daf5dfb3e01030:7103e19a622b8746
16:54:36 ipsec,info new ike2 SA (R): ipsec_peer1 mikrotik_ipv6_address[500]-laptop_ipv6_address[500] spi:7103e19a622b8746:19daf5dfb3e01030
16:54:36 ipsec,info ipsecdebug: new ike2 SA (R): ipsec_peer1 mikrotik_ipv6_address[500]-laptop_ipv6_address[500] spi:7103e19a622b8746:19daf5dfb3e01030
16:54:36 ipsec ipsecdebug: processing payloads: VID (none found)
16:54:36 ipsec ipsecdebug: processing payloads: NOTIFY
16:54:36 ipsec ipsecdebug:   notify: REDIRECT_SUPPORTED
16:54:36 ipsec ipsecdebug:   notify: NAT_DETECTION_SOURCE_IP
16:54:36 ipsec ipsecdebug:   notify: NAT_DETECTION_DESTINATION_IP
16:54:36 ipsec ipsecdebug:   notify: IKEV2_FRAGMENTATION_SUPPORTED
16:54:36 ipsec ipsecdebug:   notify: SIGNATURE_HASH_ALGORITHMS
16:54:36 ipsec ipsecdebug: fragmentation negotiated
16:54:36 ipsec ipsecdebug: -> ike2 request, exchange: AUTH:1 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
16:54:36 ipsec ipsecdebug: peer ports changed: 500 -> 4500
16:54:36 ipsec ipsecdebug: payload seen: SKF
16:54:36 ipsec ipsecdebug: processing payload: ENC (not found)
16:54:36 ipsec ipsecdebug: processing payload: SKF
16:54:36 ipsec ipsecdebug: -> ike2 request, exchange: AUTH:1 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
16:54:36 ipsec ipsecdebug: payload seen: SKF
16:54:36 ipsec ipsecdebug: processing payload: ENC (not found)
16:54:36 ipsec ipsecdebug: processing payload: SKF
16:54:36 ipsec ipsecdebug: payload seen: ID_I
16:54:36 ipsec ipsecdebug: payload seen: CERT
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: payload seen: ID_R
16:54:36 ipsec ipsecdebug: payload seen: AUTH
16:54:36 ipsec ipsecdebug: payload seen: CONFIG
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: payload seen: SA
16:54:36 ipsec ipsecdebug: payload seen: TS_I
16:54:36 ipsec ipsecdebug: payload seen: TS_R
16:54:36 ipsec ipsecdebug: payload seen: NOTIFY
16:54:36 ipsec ipsecdebug: processing payloads: NOTIFY
16:54:36 ipsec ipsecdebug:   notify: INITIAL_CONTACT
16:54:36 ipsec ipsecdebug:   notify: ESP_TFC_PADDING_NOT_SUPPORTED
16:54:36 ipsec ipsecdebug:   notify: NON_FIRST_FRAGMENTS_ALSO
16:54:36 ipsec ipsecdebug:   notify: MOBIKE_SUPPORTED
16:54:36 ipsec ipsecdebug: ike auth: respond
16:54:36 ipsec ipsecdebug: processing payload: ID_I
16:54:36 ipsec ipsecdebug: ID_I (FQDN): hermes
16:54:36 ipsec ipsecdebug: processing payload: ID_R
16:54:36 ipsec ipsecdebug: ID_R (FQDN): styx
16:54:36 ipsec ipsecdebug: processing payload: AUTH
16:54:36 ipsec ipsecdebug: processing payload: CERT
16:54:36 ipsec ipsecdebug: Certificate:
16:54:36 ipsec ipsecdebug:   serialNr:  07:d1:14:05:58:46:4d:5d:f5:8d:3d:a9:95:1c:dd:c3
16:54:36 ipsec ipsecdebug:   issuer:    <removed>
16:54:36 ipsec ipsecdebug:   subject:   <CN=hermes>
16:54:36 ipsec ipsecdebug:   notBefore: Fri Oct  7 21:23:12 2022
16:54:36 ipsec ipsecdebug:   notAfter:  Mon Oct  4 21:23:12 2032
16:54:36 ipsec ipsecdebug:   selfSigned:0
16:54:36 ipsec ipsecdebug:   extensions:
16:54:36 ipsec ipsecdebug:     key usage: digital-signature
16:54:36 ipsec ipsecdebug:     extended key usage: tls-client
16:54:36 ipsec ipsecdebug:     basic constraints: isCa: FALSE
16:54:36 ipsec ipsecdebug:     subject key id:  9f:e6:a2:7a:c6:bc:94:bf:01:e5:6f:d6:56:35:31:70:18:ba:b9:b9
16:54:36 ipsec ipsecdebug:     authority key id:18:ba:6e:15:d0:4a:17:7a:16:5f:9d:86:22:53:74:34:ea:f1:48:58
16:54:36 ipsec ipsecdebug:     subject alternative name:
16:54:36 ipsec ipsecdebug:       DNS: hermes
16:54:36 ipsec ipsecdebug:   signed with: SHA256+RSA
16:54:36 ipsec ipsecdebug: [RSA-PUBLIC]
16:54:36 ipsec ipsecdebug: modulus:  <removed>
16:54:36 ipsec ipsecdebug: publicExponent: 10001
16:54:36 ipsec ipsecdebug: requested server id: styx
16:54:36 ipsec ipsecdebug: processing payloads: NOTIFY
16:54:36 ipsec ipsecdebug:   notify: INITIAL_CONTACT
16:54:36 ipsec ipsecdebug:   notify: ESP_TFC_PADDING_NOT_SUPPORTED
16:54:36 ipsec ipsecdebug:   notify: NON_FIRST_FRAGMENTS_ALSO
16:54:36 ipsec ipsecdebug:   notify: MOBIKE_SUPPORTED
16:54:36 ipsec ipsecdebug: processing payload: AUTH
16:54:36 ipsec ipsecdebug: requested auth method: RSA
16:54:36 ipsec ipsecdebug: trust chain:
16:54:36 ipsec ipsecdebug: 0: SKID: 9f:e6:a2:7a:c6:bc:94:bf:01:e5:6f:d6:56:35:31:70:18:ba:b9:b9
16:54:36 ipsec ipsecdebug:    AKID: 18:ba:6e:15:d0:4a:17:7a:16:5f:9d:86:22:53:74:34:ea:f1:48:58
16:54:36 ipsec ipsecdebug: 1: SKID: 18:ba:6e:15:d0:4a:17:7a:16:5f:9d:86:22:53:74:34:ea:f1:48:58
16:54:36 ipsec ipsecdebug:    AKID: 18:ba:6e:15:d0:4a:17:7a:16:5f:9d:86:22:53:74:34:ea:f1:48:58
16:54:36 ipsec,info,account peer authorized: ipsec_peer1 mikrotik_ipv6_address[4500]-laptop_ipv6_address[4500] spi:7103e19a622b8746:19daf5dfb3e01030
16:54:36 ipsec,info,account ipsecdebug: peer authorized: ipsec_peer1 mikrotik_ipv6_address[4500]-laptop_ipv6_address[4500] spi:7103e19a622b8746:19daf5dfb3e01030
16:54:36 ipsec ipsecdebug: initial contact
16:54:36 ipsec ipsecdebug: processing payloads: NOTIFY
16:54:36 ipsec ipsecdebug:   notify: INITIAL_CONTACT
16:54:36 ipsec ipsecdebug:   notify: ESP_TFC_PADDING_NOT_SUPPORTED
16:54:36 ipsec ipsecdebug:   notify: NON_FIRST_FRAGMENTS_ALSO
16:54:36 ipsec ipsecdebug:   notify: MOBIKE_SUPPORTED
16:54:36 ipsec ipsecdebug: peer wants tunnel mode
16:54:36 ipsec ipsecdebug: processing payload: CONFIG
16:54:36 ipsec ipsecdebug:   attribute: internal IPv4 address
16:54:36 ipsec ipsecdebug:   attribute: internal IPv4 netmask
16:54:36 ipsec ipsecdebug:   attribute: internal IPv4 DHCP
16:54:36 ipsec ipsecdebug:   attribute: internal IPv4 DNS
16:54:36 ipsec ipsecdebug:   attribute: internal IPv6 address
16:54:36 ipsec ipsecdebug:   attribute: internal IPv6 DHCP
16:54:36 ipsec ipsecdebug:   attribute: internal IPv6 DNS
16:54:36 ipsec ipsecdebug:   attribute: internal DNS domain
16:54:36 ipsec,info acquired 10.x.y.z address for laptop_ipv6_address, hermes
16:54:36 ipsec,info ipsecdebug: acquired 10.x.y.z address for laptop_ipv6_address, hermes
16:54:36 ipsec ipsecdebug: processing payload: SA
16:54:36 ipsec ipsecdebug: IKE Protocol: ESP
16:54:36 ipsec ipsecdebug:  proposal #1
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug:  proposal #2
16:54:36 ipsec ipsecdebug:   enc: aes128-cbc
16:54:36 ipsec ipsecdebug:   auth: sha1
16:54:36 ipsec ipsecdebug:  proposal #3
16:54:36 ipsec ipsecdebug:   enc: 3des-cbc
16:54:36 ipsec ipsecdebug:   auth: sha1
16:54:36 ipsec ipsecdebug: processing payload: TS_I
16:54:36 ipsec ipsecdebug: 0.0.0.0/0
16:54:36 ipsec ipsecdebug: [::/0]
16:54:36 ipsec ipsecdebug: processing payload: TS_R
16:54:36 ipsec ipsecdebug: 0.0.0.0/0
16:54:36 ipsec ipsecdebug: [::/0]
16:54:36 ipsec ipsecdebug: TSi in tunnel mode replaced with config address: 10.x.y.z
16:54:36 ipsec ipsecdebug: TSr in tunnel mode replaced with split subnet: 0.0.0.0/0
16:54:36 ipsec ipsecdebug: candidate selectors: 0.0.0.0/0 <=> 10.x.y.z
16:54:36 ipsec ipsecdebug: candidate selectors: [::/0] <=> [::/0]
16:54:36 ipsec ipsecdebug: searching for policy for selector: 0.0.0.0/0 <=> 10.x.y.z
16:54:36 ipsec ipsecdebug: generating policy
16:54:36 ipsec ipsecdebug: matched proposal:
16:54:36 ipsec ipsecdebug:  proposal #1
16:54:36 ipsec ipsecdebug:   enc: aes256-cbc
16:54:36 ipsec ipsecdebug:   auth: sha256
16:54:36 ipsec ipsecdebug: ike auth: finish
16:54:36 ipsec ipsecdebug: ID_R (DER DN): CN=styx
16:54:36 ipsec ipsecdebug: adding payload: ID_R
16:54:36 ipsec ipsecdebug: adding payload: AUTH
16:54:36 ipsec ipsecdebug: Certificate:
16:54:36 ipsec ipsecdebug:   serialNr:  00:b0:10:82:54:3f:d3:96:36:9a:43:c3:d6:76:78:24:e7
16:54:36 ipsec ipsecdebug:   issuer:    <removed>
16:54:36 ipsec ipsecdebug:   subject:   <CN=styx>
16:54:36 ipsec ipsecdebug:   notBefore: Sun Dec 23 12:04:05 2018
16:54:36 ipsec ipsecdebug:   notAfter:  Wed Dec 20 12:04:05 2028
16:54:36 ipsec ipsecdebug:   selfSigned:0
16:54:36 ipsec ipsecdebug:   extensions:
16:54:36 ipsec ipsecdebug:     key usage: digital-signature, key-encipherment
16:54:36 ipsec ipsecdebug:     extended key usage: tls-server
16:54:36 ipsec ipsecdebug:     basic constraints: isCa: FALSE
16:54:36 ipsec ipsecdebug:     subject key id:  b6:de:da:f2:e0:72:67:2b:95:38:b6:ad:c4:c2:6b:cd:7a:21:28:53
16:54:36 ipsec ipsecdebug:     authority key id:18:ba:6e:15:d0:4a:17:7a:16:5f:9d:86:22:53:74:34:ea:f1:48:58
16:54:36 ipsec ipsecdebug:     subject alternative name:
16:54:36 ipsec ipsecdebug:       DNS: styx
16:54:36 ipsec ipsecdebug:   signed with: SHA256+RSA
16:54:36 ipsec ipsecdebug: [RSA-PUBLIC]
16:54:36 ipsec ipsecdebug: modulus: <removed>
16:54:36 ipsec ipsecdebug: publicExponent: 10001
16:54:36 ipsec ipsecdebug: adding payload: CERT
16:54:36 ipsec ipsecdebug: preparing internal IPv4 address
16:54:36 ipsec ipsecdebug: preparing internal IPv4 netmask
16:54:36 ipsec ipsecdebug: preparing internal IPv6 subnet
16:54:36 ipsec ipsecdebug: preparing internal IPv4 DNS
16:54:36 ipsec ipsecdebug: adding payload: CONFIG
16:54:36 ipsec ipsecdebug: initiator selector: 10.x.y.z
16:54:36 ipsec ipsecdebug: adding payload: TS_I
16:54:36 ipsec ipsecdebug: responder selector: 0.0.0.0/0
16:54:36 ipsec ipsecdebug: adding payload: TS_R
16:54:36 ipsec ipsecdebug: adding payload: SA
16:54:36 ipsec ipsecdebug: <- ike2 reply, exchange: AUTH:1 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
16:54:36 ipsec ipsecdebug: fragmenting into 2 chunks
16:54:36 ipsec ipsecdebug: adding payload: SKF
16:54:36 ipsec ipsecdebug: adding payload: SKF
16:54:36 ipsec ipsecdebug: IPsec-SA established: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0x39c0e3
16:54:36 ipsec ipsecdebug: IPsec-SA established: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0x111be35

 = = =   = = =   = = =      = = =   = = =   = = =      = = =   = = =   = = =

16:56:36 ipsec ipsecdebug: sending dpd packet
16:56:36 ipsec ipsecdebug: <- ike2 request, exchange: INFORMATIONAL:0 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
16:56:36 ipsec ipsecdebug: -> ike2 reply, exchange: INFORMATIONAL:0 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
16:56:36 ipsec ipsecdebug: payload seen: ENC
16:56:36 ipsec ipsecdebug: processing payload: ENC
16:56:36 ipsec ipsecdebug: respond: info
16:56:36 ipsec ipsecdebug: reply ignored

 = = =   = = =   = = =      = = =   = = =   = = =      = = =   = = =   = = =

16:58:36 ipsec ipsecdebug: sending dpd packet
16:58:36 ipsec ipsecdebug: <- ike2 request, exchange: INFORMATIONAL:1 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
16:58:36 ipsec ipsecdebug: -> ike2 reply, exchange: INFORMATIONAL:1 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
16:58:36 ipsec ipsecdebug: payload seen: ENC
16:58:36 ipsec ipsecdebug: processing payload: ENC
16:58:36 ipsec ipsecdebug: respond: info
16:58:36 ipsec ipsecdebug: reply ignored

 = = =   = = =   = = =      = = =   = = =   = = =      = = =   = = =   = = =

17:00:36 ipsec ipsecdebug: sending dpd packet
17:00:36 ipsec ipsecdebug: <- ike2 request, exchange: INFORMATIONAL:2 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:00:36 ipsec ipsecdebug: -> ike2 reply, exchange: INFORMATIONAL:2 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:00:36 ipsec ipsecdebug: payload seen: ENC
17:00:36 ipsec ipsecdebug: processing payload: ENC
17:00:36 ipsec ipsecdebug: respond: info
17:00:36 ipsec ipsecdebug: reply ignored

 = = =   = = =   = = =      = = =   = = =   = = =      = = =   = = =   = = =

17:02:36 ipsec ipsecdebug: sending dpd packet
17:02:36 ipsec ipsecdebug: <- ike2 request, exchange: INFORMATIONAL:3 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: -> ike2 reply, exchange: INFORMATIONAL:3 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: payload seen: ENC
17:02:36 ipsec ipsecdebug: processing payload: ENC
17:02:36 ipsec ipsecdebug: respond: info
17:02:36 ipsec ipsecdebug: reply ignored
17:02:36 ipsec ipsecdebug: -> ike2 request, exchange: CREATE_CHILD_SA:2 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: payload seen: ENC
17:02:36 ipsec ipsecdebug: processing payload: ENC
17:02:36 ipsec ipsecdebug: payload seen: SA
17:02:36 ipsec ipsecdebug: payload seen: NONCE
17:02:36 ipsec ipsecdebug: payload seen: KE
17:02:36 ipsec ipsecdebug: create child: respond
17:02:36 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
17:02:36 ipsec ipsecdebug: IKE SA rekey
17:02:36 ipsec ipsecdebug: processing payload: SA
17:02:36 ipsec ipsecdebug: IKE Protocol: IKE
17:02:36 ipsec ipsecdebug:  proposal #1
17:02:36 ipsec ipsecdebug:   enc: aes256-cbc
17:02:36 ipsec ipsecdebug:   prf: hmac-sha256
17:02:36 ipsec ipsecdebug:   auth: sha256
17:02:36 ipsec ipsecdebug:   dh: modp2048
17:02:36 ipsec ipsecdebug: matched proposal:
17:02:36 ipsec ipsecdebug:  proposal #1
17:02:36 ipsec ipsecdebug:   enc: aes256-cbc
17:02:36 ipsec ipsecdebug:   prf: hmac-sha256
17:02:36 ipsec ipsecdebug:   auth: sha256
17:02:36 ipsec ipsecdebug:   dh: modp2048
17:02:36 ipsec ipsecdebug: processing payload: KE
17:02:36 ipsec ipsecdebug: processing payload: NONCE
17:02:36 ipsec ipsecdebug: adding payload: SA
17:02:36 ipsec ipsecdebug: adding payload: KE
17:02:36 ipsec ipsecdebug: adding payload: NONCE
17:02:36 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:2 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:3 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: payload seen: ENC
17:02:36 ipsec ipsecdebug: processing payload: ENC
17:02:36 ipsec ipsecdebug: payload seen: DELETE
17:02:36 ipsec ipsecdebug: respond: info
17:02:36 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
17:02:36 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:3 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: processing payloads: DELETE
17:02:36 ipsec ipsecdebug: delete IKE SA
17:02:36 ipsec ipsecdebug: rekey done
17:02:37 ipsec ipsecdebug: -> ike2 request, exchange: CREATE_CHILD_SA:0 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: payload seen: ENC
17:02:37 ipsec ipsecdebug: processing payload: ENC
17:02:37 ipsec ipsecdebug: payload seen: NOTIFY
17:02:37 ipsec ipsecdebug: payload seen: SA
17:02:37 ipsec ipsecdebug: payload seen: NONCE
17:02:37 ipsec ipsecdebug: payload seen: TS_I
17:02:37 ipsec ipsecdebug: payload seen: TS_R
17:02:37 ipsec ipsecdebug: create child: respond
17:02:37 ipsec ipsecdebug: processing payloads: NOTIFY
17:02:37 ipsec ipsecdebug:   notify: REKEY_SA
17:02:37 ipsec ipsecdebug: rekeying child SA 0x111be35
17:02:37 ipsec ipsecdebug: peer wants tunnel mode
17:02:37 ipsec ipsecdebug: processing payload: TS_R
17:02:37 ipsec ipsecdebug: 0.0.0.0/0
17:02:37 ipsec ipsecdebug: processing payload: TS_I
17:02:37 ipsec ipsecdebug: 10.x.y.z
17:02:37 ipsec ipsecdebug: checking: 0.0.0.0/0 <=> 10.x.y.z
17:02:37 ipsec ipsecdebug: processing payload: SA
17:02:37 ipsec ipsecdebug: IKE Protocol: ESP
17:02:37 ipsec ipsecdebug:  proposal #1
17:02:37 ipsec ipsecdebug:   enc: aes256-cbc
17:02:37 ipsec ipsecdebug:   auth: sha256
17:02:37 ipsec ipsecdebug: matched proposal:
17:02:37 ipsec ipsecdebug:  proposal #1
17:02:37 ipsec ipsecdebug:   enc: aes256-cbc
17:02:37 ipsec ipsecdebug:   auth: sha256
17:02:37 ipsec ipsecdebug: processing payload: NONCE
17:02:37 ipsec ipsecdebug: create child: finish
17:02:37 ipsec ipsecdebug: adding payload: NONCE
17:02:37 ipsec ipsecdebug: initiator selector: 10.x.y.z
17:02:37 ipsec ipsecdebug: adding payload: TS_I
17:02:37 ipsec ipsecdebug: responder selector: 0.0.0.0/0
17:02:37 ipsec ipsecdebug: adding payload: TS_R
17:02:37 ipsec ipsecdebug: adding payload: SA
17:02:37 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:0 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: IPsec-SA established: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0x2bad8f1
17:02:37 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:1 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: payload seen: ENC
17:02:37 ipsec ipsecdebug: processing payload: ENC
17:02:37 ipsec ipsecdebug: payload seen: DELETE
17:02:37 ipsec ipsecdebug: respond: info
17:02:37 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
17:02:37 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:1 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: processing payloads: DELETE
17:02:37 ipsec ipsecdebug: delete ESP SA
17:02:37 ipsec ipsecdebug: delete spi: 0x111be35
17:02:37 ipsec ipsecdebug: IPsec-SA established: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0xed542dd
17:02:37 ipsec ipsecdebug: IPsec-SA killing: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0x39c0e3
17:02:37 ipsec ipsecdebug: IPsec-SA killing: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0x111be35
17:02:37 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:2 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: payload seen: ENC
17:02:37 ipsec ipsecdebug: processing payload: ENC
17:02:37 ipsec ipsecdebug: payload seen: DELETE
17:02:37 ipsec ipsecdebug: respond: info
17:02:37 ipsec ipsecdebug: processing payloads: NOTIFY (none found)
17:02:37 ipsec ipsecdebug: <- ike2 reply, exchange: INFORMATIONAL:2 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: processing payloads: DELETE
17:02:37 ipsec ipsecdebug: delete IKE SA
17:02:37 ipsec,info killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-laptop_ipv6_address[4500] spi:6f8d23efdfbda24e:b1f8195c4235d665
17:02:37 ipsec,info ipsecdebug: killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-laptop_ipv6_address[4500] spi:6f8d23efdfbda24e:b1f8195c4235d665
17:02:37 ipsec ipsecdebug: IPsec-SA killing: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0x2bad8f1
17:02:37 ipsec ipsecdebug: IPsec-SA killing: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0xed542dd
17:02:37 ipsec ipsecdebug: removing generated policy
17:02:37 ipsec,info releasing address 10.x.y.z
17:02:37 ipsec,info ipsecdebug: releasing address 10.x.y.z

I don’t say the rekey initiated by macOS should not work, but the experience I’ve referred to shows it does not, so there is an issue on the macOS side.

So far the only difference between your case and the one already spotted is the time until the first rekey attempt and the use of IPv6. So until it becomes clear that the same remedy (i.e. triggering the rekey before macOS does) does not help in your scenario, there is no point in looking for anything else - unless you can get the logs also from the macOS side and find the explanation why it decides to disregard the Tik’s response to the rekey request.
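The debug output above is readable once the hex rows are ignored; what matters is which IKE SA each exchange belongs to and whether a "delete IKE SA" follows a rekey of that same SA (normal hand-over) or hits a brand-new SA that was never rekeyed (the peer tearing the tunnel down). The following is an added example, not code from the thread or from MikroTik: a small parser for RouterOS `ipsec,debug,!packet` lines as they appear on this page. The sample log is constructed from the lines shown above, with the two 16:54:41 tunnel-up lines invented so that the session lasts roughly 8 minutes; the `_ipv6_address` placeholders and SPIs are copied from the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: trimmed copy of the exchange shown above; the 16:54:41 lines are
# invented so the session lasts about 8 minutes (the symptom discussed in the thread).
SAMPLE_LOG = """\
16:54:41 ipsec ipsecdebug: IPsec-SA established: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0x111be35
16:54:41 ipsec ipsecdebug: IPsec-SA established: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0x39c0e3
17:02:36 ipsec ipsecdebug: -> ike2 request, exchange: CREATE_CHILD_SA:2 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: IKE SA rekey
17:02:36 ipsec ipsecdebug: <- ike2 reply, exchange: CREATE_CHILD_SA:2 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:3 laptop_ipv6_address[4500] 19daf5dfb3e01030:7103e19a622b8746
17:02:36 ipsec ipsecdebug: delete IKE SA
17:02:36 ipsec ipsecdebug: rekey done
17:02:37 ipsec ipsecdebug: -> ike2 request, exchange: CREATE_CHILD_SA:0 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug:   notify: REKEY_SA
17:02:37 ipsec ipsecdebug: IPsec-SA established: laptop_ipv6_address[4500]->mikrotik_ipv6_address[4500] spi=0x2bad8f1
17:02:37 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:1 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: delete ESP SA
17:02:37 ipsec ipsecdebug: IPsec-SA killing: mikrotik_ipv6_address[4500]->laptop_ipv6_address[4500] spi=0x111be35
17:02:37 ipsec ipsecdebug: -> ike2 request, exchange: INFORMATIONAL:2 laptop_ipv6_address[4500] b1f8195c4235d665:6f8d23efdfbda24e
17:02:37 ipsec ipsecdebug: delete IKE SA
17:02:37 ipsec,info killing ike2 SA: ipsec_peer1 mikrotik_ipv6_address[4500]-laptop_ipv6_address[4500] spi:6f8d23efdfbda24e:b1f8195c4235d665
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (?:ipsecdebug: )?(.*)$")
EXCHANGE_RE = re.compile(r"^(?:->|<-) ike2 (request|reply), exchange: (\w+):(\d+) \S+ ([0-9a-f]{16}):([0-9a-f]{16})$")
SPI_RE = re.compile(r"spi=(0x[0-9a-f]+)")
NOTABLE = {"IKE SA rekey", "rekey done", "delete IKE SA", "delete ESP SA", "notify: REKEY_SA"}


@dataclass
class Event:
    time: datetime
    topics: str   # "ipsec" or "ipsec,info"
    msg: str


def parse_log(text: str) -> List[Event]:
    """Turn raw lines into events; hex-dump rows parse too but never match anything below."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(Event(datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3).strip()))
    return events


def child_sa_lifetimes(events: List[Event]) -> Dict[str, Tuple[datetime, Optional[datetime]]]:
    """ESP SPI -> (established, killed); killed is None while the child SA is still alive."""
    spans: Dict[str, Tuple[datetime, Optional[datetime]]] = {}
    for ev in events:
        m = SPI_RE.search(ev.msg)
        if not m:
            continue
        if ev.msg.startswith("IPsec-SA established"):
            spans[m.group(1)] = (ev.time, None)
        elif ev.msg.startswith("IPsec-SA killing") and m.group(1) in spans:
            spans[m.group(1)] = (spans[m.group(1)][0], ev.time)
    return spans


def ike_sa_events(events: List[Event]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Attach notable messages to the IKE SA (first SPI on the exchange line) being processed."""
    grouped: Dict[str, List[Tuple[datetime, str]]] = {}
    current = None
    for ev in events:
        m = EXCHANGE_RE.match(ev.msg)
        if m:
            current = m.group(4)
            grouped.setdefault(current, []).append((ev.time, f"{m.group(1)} {m.group(2)}:{m.group(3)}"))
        elif current is not None and ev.msg in NOTABLE:
            grouped[current].append((ev.time, ev.msg))
    return grouped


def diagnose(events: List[Event]) -> List[Tuple[str, str, float]]:
    """(sa_id, verdict, seconds from the SA's first exchange to its deletion).
    handover: SA was rekeyed, then deleted (normal). teardown: deleted without a rekey (peer dropped the tunnel)."""
    verdicts = []
    for sa_id, evs in ike_sa_events(events).items():
        deleted = next((t for t, m in evs if m == "delete IKE SA"), None)
        if deleted is None:
            continue
        verdict = "handover" if any(m == "IKE SA rekey" for _, m in evs) else "teardown"
        verdicts.append((sa_id, verdict, (deleted - evs[0][0]).total_seconds()))
    return verdicts


def tunnel_lifetime(events: List[Event]) -> Optional[float]:
    """Seconds from the first child SA coming up to 'killing ike2 SA' (no midnight wrap handling)."""
    up = next((e.time for e in events if e.msg.startswith("IPsec-SA established")), None)
    down = next((e.time for e in events if e.msg.startswith("killing ike2 SA")), None)
    return None if up is None or down is None else (down - up).total_seconds()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("tunnel lived", tunnel_lifetime(evs), "s")
    for sa_id, verdict, age in diagnose(evs):
        print(f"IKE SA {sa_id}: {verdict} after {age:.0f}s")
```

Run against a full `/log print` dump, the `teardown` verdict points at the IKE SA the client deleted, and `tunnel_lifetime` gives the interval to compare with the proposal lifetime when deciding whether the Tik rekeys before the client does. The grouping relies on RouterOS printing the exchange line before the payload lines of that exchange, which is what the log above shows.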

Well, I was wrong. I have reduced the lifetime to 1 minute for the sake of testing and it was working for 10 minutes; reducing the lifetime to 5 minutes keeps the connection working beyond 12 minutes. I guess it was both disabling the PFS group and reducing the lifetime that made it work.

BTW what is the dh-group used in Phase 1 proposal (in Mikrotik structure, /ip ipsec profile)?

It’s modp2048 (I think that corresponds to DH group #14), but I included both profile and proposal in the post in which I included the entire log.

I was just checking - if I get it right, the pfs algorithm in the Phase 2 proposal must either be the same as the one used for the D-H exchange in the Phase 1 proposal or none (which kind of raises a question why it is not just a boolean value). But this apparently was the case in your settings initially and it did not help; what makes it more interesting is that my setup above does work despite the fact that a pfs algorithm is specified.

Or maybe I’ll get a support call from the user as soon as he upgrades his Macbook.

Try to collect logs on macOS , it will tell you what its IKEv2 initiator does not like.

Also see the note about re-authentication issues.

Thanks, I was able to fix this by removing the PFS group and setting the Phase 2 lifetime to 5 minutes from 30 (even though I have no idea what exactly triggered the reauthentication at 8 minutes). Do you know how reauthentication can be turned off on Mikrotik?

Reauthentication and rekeying are not the same thing. The term reauthentication is related to Phase 1 (the “control connection”), which transports relatively small data volumes; the term rekeying is related to Phase 2, which transports the actual encrypted payload. Since breaking a ciphering key becomes easier as you collect more encrypted data, it is a standard approach that Phase 2 SAs get rekeyed every N seconds and/or every M bytes transported. And there is no way to disable rekeying completely.

Reauthentication has basically the same purpose because it also replaces keys used to encrypt Phase 1 traffic, but it happens much less frequently as much less data are transported over the same period of time as compared to Phase 2.

I vaguely remember this problem when I tried to get IKEv2 responder on RouterOS to work with all of my devices.

I think to troubleshoot this definitively you need all three of the following:

  1. Logs from RouterOS
  2. Logs from macOS
  3. A capture of Phase 1 and Phase 2 packets, decrypted