iOS IKEv2 VPN Connects Then Immediately Disconnects

Hardware/Software:

  • MikroTik RouterOS version: Router OS 7.19.4
  • iOS version: iOS 18 - Connecting but disconnecting after ~15 seconds
  • macOS version: MacOS 15.6.1 - Working perfectly
  • Authentication: Digital signatures with certificates

I'm experiencing a problem configuring an IKEv2 VPN server with iOS clients.

The iOS clients successfully establish IKEv2 VPN connections but disconnect after approximately 15 seconds. The clients have been configured both with an Apple configuration profile and manually (with the certificate imported via a profile).

The concerning part is that iOS is creating two separate IKE SAs simultaneously to the same server, which appears to be causing the instability.

At the same time, macOS clients work flawlessly with the same configuration.

Could someone please help me figure out what the issue is and how to fix it?

Config

> /ip ipsec profile print
Flags: * - default
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

 1   name="ike2" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp256,modp2048,modp1536 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=8s dpd-maximum-failures=4


>   /ip ipsec peer print
Flags: X - disabled; D - dynamic; R - responder
 0   R name="ike2" local-address=<server IP> passive=yes profile=ike2 exchange-mode=ike2 send-initial-contact=no

>   /ip ipsec proposal print
Flags: X - disabled; * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024

 1    name="ike2" auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm lifetime=8h30m pfs-group=none


>   /ip ipsec identity print
Flags: D - dynamic; X - disabled
 0    peer=ike2 auth-method=digital-signature mode-config=ike2-conf certificate=MT generate-policy=port-strict policy-template-group=ike2-policies

>   /ip ipsec policy print
Flags: T - TEMPLATE; * - DEFAULT
Columns: SRC-ADDRESS, DST-ADDRESS, PROTOCOL
#     SRC-ADDRESS  DST-ADDRESS      PROTOCOL
0 T*  ::/0         ::/0             all
1 T   0.0.0.0/0    192.168.77.0/24  all

iOS Profile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>DNS</key>
			<dict>
				<key>SearchDomains</key>
				<array>
					<string>xxx</string>
				</array>
				<key>ServerAddresses</key>
				<array>
					<string>xxx</string>
				</array>
				<key>SupplementalMatchDomainsNoSearch</key>
				<integer>0</integer>
			</dict>
			<key>IKEv2</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Certificate</string>
				<key>ChildSecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>DeadPeerDetectionRate</key>
				<string>Low</string>
				<key>DisableMOBIKE</key>
				<true/>
				<key>DisableRedirect</key>
				<integer>0</integer>
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<key>EnableFallback</key>
				<integer>0</integer>
				<key>EnablePFS</key>
				<false/>
				<key>IKESecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>LocalIdentifier</key>
				<string>==Client ID==</string>
				<key>PayloadCertificateUUID</key>
				<string>B789443B-8636-4783-869E-1CD32EED7749</string>
				<key>RemoteAddress</key>
				<string>==Server IP==</string>
				<key>RemoteIdentifier</key>
				<string>==Server IP==</string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.05A33E81-CB15-43BB-A9D5-EF3360A23533</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>05A33E81-CB15-43BB-A9D5-EF3360A23533</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>MT Home</string>
			<key>VPNType</key>
			<string>IKEv2</string>
		</dict>
		<dict>
			<key>Password</key>
			<string>12345678</string>
			<key>PayloadCertificateFileName</key>
			<string>MT_Client.p12</string>
			<key>PayloadContent</key>
			<data>==CERTIFICATE==</data>
			<key>PayloadDescription</key>
			<string>Adds a PKCS#12-formatted certificate</string>
			<key>PayloadDisplayName</key>
			<string>MT_Artur.p12</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pkcs12.B789443B-8636-4783-869E-1CD32EED7749</string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs12</string>
			<key>PayloadUUID</key>
			<string>B789443B-8636-4783-869E-1CD32EED7749</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>MT Home VPN</string>
	<key>PayloadIdentifier</key>
	<string>MT Home VPN</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>D3AAAF5A-070D-48C1-83F2-FD92F73DE2FD</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Log

[seventh2@MikroTik] > /log print where topics~"ipsec" and time >= "YYYY-MM-DD HH:MM"
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: SA_INIT:0 192.168.89.32[500] c2c8d72350c8d99c:0000000000000000
 YYYY-MM-DD HH:MM:50 ipsec ike2 respond
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SA
 YYYY-MM-DD HH:MM:50 ipsec payload seen: KE
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NONCE
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SA
 YYYY-MM-DD HH:MM:50 ipsec IKE Protocol: IKE
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   prf: hmac-sha256
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec   dh: modp2048
 YYYY-MM-DD HH:MM:50 ipsec matched proposal:
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   prf: hmac-sha256
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec   dh: modp2048
 YYYY-MM-DD HH:MM:50 ipsec processing payload: KE
 YYYY-MM-DD HH:MM:50 ipsec ike2 respond finish: request, exchange: SA_INIT:0 192.168.89.32[500] c2c8d72350c8d99c:0000000000000000
 YYYY-MM-DD HH:MM:50 ipsec processing payload: NONCE
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SA
 YYYY-MM-DD HH:MM:50 ipsec adding payload: KE
 YYYY-MM-DD HH:MM:50 ipsec adding payload: NONCE
 YYYY-MM-DD HH:MM:50 ipsec adding notify: NAT_DETECTION_SOURCE_IP
 YYYY-MM-DD HH:MM:50 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
 YYYY-MM-DD HH:MM:50 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec adding payload: CERTREQ
 YYYY-MM-DD HH:MM:50 ipsec <- ike2 reply, exchange: SA_INIT:0 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:50 ipsec,info new ike2 SA (R): ike2 <Server IP>[500]-192.168.89.32[500] 67c38baa80f2ab8a:c2c8d72350c8d99c
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: VID (none found)
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: REDIRECT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NAT_DETECTION_SOURCE_IP
 YYYY-MM-DD HH:MM:50 ipsec   notify: NAT_DETECTION_DESTINATION_IP
 YYYY-MM-DD HH:MM:50 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: SIGNATURE_HASH_ALGORITHMS
 YYYY-MM-DD HH:MM:50 ipsec fragmentation negotiated
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec payload seen: ID_I
 YYYY-MM-DD HH:MM:50 ipsec payload seen: CERT
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: ID_R
 YYYY-MM-DD HH:MM:50 ipsec payload seen: AUTH
 YYYY-MM-DD HH:MM:50 ipsec payload seen: CONFIG
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SA
 YYYY-MM-DD HH:MM:50 ipsec payload seen: TS_I
 YYYY-MM-DD HH:MM:50 ipsec payload seen: TS_R
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: INITIAL_CONTACT
 YYYY-MM-DD HH:MM:50 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 YYYY-MM-DD HH:MM:50 ipsec ike auth: respond
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ID_I
 YYYY-MM-DD HH:MM:50 ipsec ID_I (FQDN): <Client ID>
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ID_R
 YYYY-MM-DD HH:MM:50 ipsec ID_R (ADDR4): <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec processing payload: AUTH
 YYYY-MM-DD HH:MM:50 ipsec processing payload: CERT
 YYYY-MM-DD HH:MM:50 ipsec Certificate:
 YYYY-MM-DD HH:MM:50 ipsec   serialNr:  77:b4:c1:c4:48:c7:c5:b4
 YYYY-MM-DD HH:MM:50 ipsec   issuer:    <C=Country, S=A, L=Location, O=Home, OU=Router, CN=MT CA>
 YYYY-MM-DD HH:MM:50 ipsec   subject:   <C=Country, S=A, L=Location, O=Home, OU=Router, CN=<Client ID>>
 YYYY-MM-DD HH:MM:50 ipsec   notBefore: Wed Aug 20 18:41:29 2025
 YYYY-MM-DD HH:MM:50 ipsec   notAfter:  Mon Aug 24 18:41:29 2026
 YYYY-MM-DD HH:MM:50 ipsec   selfSigned:0
 YYYY-MM-DD HH:MM:50 ipsec   extensions:
 YYYY-MM-DD HH:MM:50 ipsec     key usage: digital-signature
 YYYY-MM-DD HH:MM:50 ipsec     subject key id:  3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
 YYYY-MM-DD HH:MM:50 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec     subject alternative name:
 YYYY-MM-DD HH:MM:50 ipsec       DNS: <Client ID>
 YYYY-MM-DD HH:MM:50 ipsec   signed with: SHA256+RSA
 YYYY-MM-DD HH:MM:50 ipsec [RSA-PUBLIC]
 YYYY-MM-DD HH:MM:50 ipsec modulus: <modulus omitted>
 YYYY-MM-DD HH:MM:50 ipsec publicExponent: 10001
 YYYY-MM-DD HH:MM:50 ipsec requested server id: <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: INITIAL_CONTACT
 YYYY-MM-DD HH:MM:50 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 YYYY-MM-DD HH:MM:50 ipsec processing payload: AUTH
 YYYY-MM-DD HH:MM:50 ipsec requested auth method: RSA
 YYYY-MM-DD HH:MM:50 ipsec trust chain:
 YYYY-MM-DD HH:MM:50 ipsec 0: SKID: 3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
 YYYY-MM-DD HH:MM:50 ipsec    AKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec 1: SKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec,info,account peer authorized: ike2 <Server IP>[500]-192.168.89.32[500] 67c38baa80f2ab8a:c2c8d72350c8d99c
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: INITIAL_CONTACT
 YYYY-MM-DD HH:MM:50 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 YYYY-MM-DD HH:MM:50 ipsec peer wants tunnel mode
 YYYY-MM-DD HH:MM:50 ipsec processing payload: CONFIG
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 address
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 netmask
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 DHCP
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 DNS
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv6 address
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv6 DHCP
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv6 DNS
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal DNS domain
 YYYY-MM-DD HH:MM:50 ipsec,info acquired 192.168.77.20 address for 192.168.89.32, <Client ID>
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SA
 YYYY-MM-DD HH:MM:50 ipsec IKE Protocol: ESP
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec processing payload: TS_I
 YYYY-MM-DD HH:MM:50 ipsec 0.0.0.0/0
 YYYY-MM-DD HH:MM:50 ipsec [::/0]
 YYYY-MM-DD HH:MM:50 ipsec processing payload: TS_R
 YYYY-MM-DD HH:MM:50 ipsec 0.0.0.0/0
 YYYY-MM-DD HH:MM:50 ipsec [::/0]
 YYYY-MM-DD HH:MM:50 ipsec TSi in tunnel mode replaced with config address: 192.168.77.20
 YYYY-MM-DD HH:MM:50 ipsec candidate selectors: 0.0.0.0/0 <=> 192.168.77.20
 YYYY-MM-DD HH:MM:50 ipsec candidate selectors: [::/0] <=> [::/0]
 YYYY-MM-DD HH:MM:50 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.77.20
 YYYY-MM-DD HH:MM:50 ipsec generating policy
 YYYY-MM-DD HH:MM:50 ipsec matched proposal:
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec acquired spi 0xc1fbfb7: ike2 <Server IP>[500]-192.168.89.32[500] 67c38baa80f2ab8a:c2c8d72350c8d99c
 YYYY-MM-DD HH:MM:50 ipsec ike auth: finish
 YYYY-MM-DD HH:MM:50 ipsec ID_R (ADDR4): <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec adding payload: ID_R
 YYYY-MM-DD HH:MM:50 ipsec adding payload: AUTH
 YYYY-MM-DD HH:MM:50 ipsec Certificate:
 YYYY-MM-DD HH:MM:50 ipsec   serialNr:  75:4c:ce:d6:a0:6b:2b:2f
 YYYY-MM-DD HH:MM:50 ipsec   issuer:    <C=Country, S=A, L=Location, O=Home, OU=Router, CN=MT CA>
 YYYY-MM-DD HH:MM:50 ipsec   subject:   <C=Country, S=A, L=Location, O=Home, OU=Router, CN=<Server IP>>
 YYYY-MM-DD HH:MM:50 ipsec   notBefore: Thu Mar 13 19:20:04 2025
 YYYY-MM-DD HH:MM:50 ipsec   notAfter:  Tue Mar 17 19:20:04 2026
 YYYY-MM-DD HH:MM:50 ipsec   selfSigned:0
 YYYY-MM-DD HH:MM:50 ipsec   extensions:
 YYYY-MM-DD HH:MM:50 ipsec     key usage: digital-signature
 YYYY-MM-DD HH:MM:50 ipsec     subject key id:  15:47:59:6b:db:52:ba:5f:12:37:1d:50:ad:34:9f:75:d5:1f:e1:e5
 YYYY-MM-DD HH:MM:50 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec     subject alternative name:
 YYYY-MM-DD HH:MM:50 ipsec       IP: <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec   signed with: SHA256+RSA
 YYYY-MM-DD HH:MM:50 ipsec [RSA-PUBLIC]
 YYYY-MM-DD HH:MM:50 ipsec modulus: <modulus omitted>
 YYYY-MM-DD HH:MM:50 ipsec publicExponent: 10001
 YYYY-MM-DD HH:MM:50 ipsec adding payload: CERT
 YYYY-MM-DD HH:MM:50 ipsec preparing internal IPv4 address
 YYYY-MM-DD HH:MM:50 ipsec preparing internal IPv4 netmask
 YYYY-MM-DD HH:MM:50 ipsec preparing internal IPv4 DNS
 YYYY-MM-DD HH:MM:50 ipsec adding payload: CONFIG
 YYYY-MM-DD HH:MM:50 ipsec initiator selector: 192.168.77.20
 YYYY-MM-DD HH:MM:50 ipsec adding payload: TS_I
 YYYY-MM-DD HH:MM:50 ipsec responder selector: 0.0.0.0/0
 YYYY-MM-DD HH:MM:50 ipsec adding payload: TS_R
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SA
 YYYY-MM-DD HH:MM:50 ipsec <- ike2 reply, exchange: AUTH:1 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:50 ipsec fragmenting into 2 chunks
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec IPsec-SA established: 192.168.89.32[500]-><Server IP>[500] spi=0xc1fbfb7
 YYYY-MM-DD HH:MM:50 ipsec IPsec-SA established: <Server IP>[500]->192.168.89.32[500] spi=0x2bb465
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: SA_INIT:0 192.168.89.32[500] 1ed069d97fb76e4c:0000000000000000
 YYYY-MM-DD HH:MM:50 ipsec ike2 respond
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SA
 YYYY-MM-DD HH:MM:50 ipsec payload seen: KE
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NONCE
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SA
 YYYY-MM-DD HH:MM:50 ipsec IKE Protocol: IKE
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   prf: hmac-sha256
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec   dh: modp2048
 YYYY-MM-DD HH:MM:50 ipsec matched proposal:
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   prf: hmac-sha256
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec   dh: modp2048
 YYYY-MM-DD HH:MM:50 ipsec processing payload: KE
 YYYY-MM-DD HH:MM:50 ipsec ike2 respond finish: request, exchange: SA_INIT:0 192.168.89.32[500] 1ed069d97fb76e4c:0000000000000000
 YYYY-MM-DD HH:MM:50 ipsec processing payload: NONCE
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SA
 YYYY-MM-DD HH:MM:50 ipsec adding payload: KE
 YYYY-MM-DD HH:MM:50 ipsec adding payload: NONCE
 YYYY-MM-DD HH:MM:50 ipsec adding notify: NAT_DETECTION_SOURCE_IP
 YYYY-MM-DD HH:MM:50 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
 YYYY-MM-DD HH:MM:50 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec adding payload: CERTREQ
 YYYY-MM-DD HH:MM:50 ipsec <- ike2 reply, exchange: SA_INIT:0 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:50 ipsec,info new ike2 SA (R): ike2 <Server IP>[500]-192.168.89.32[500] 5873d5bd27dfda08:1ed069d97fb76e4c
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: VID (none found)
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: REDIRECT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NAT_DETECTION_SOURCE_IP
 YYYY-MM-DD HH:MM:50 ipsec   notify: NAT_DETECTION_DESTINATION_IP
 YYYY-MM-DD HH:MM:50 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: SIGNATURE_HASH_ALGORITHMS
 YYYY-MM-DD HH:MM:50 ipsec fragmentation negotiated
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SKF
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ENC (not found)
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec payload seen: ID_I
 YYYY-MM-DD HH:MM:50 ipsec payload seen: CERT
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: ID_R
 YYYY-MM-DD HH:MM:50 ipsec payload seen: AUTH
 YYYY-MM-DD HH:MM:50 ipsec payload seen: CONFIG
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec payload seen: SA
 YYYY-MM-DD HH:MM:50 ipsec payload seen: TS_I
 YYYY-MM-DD HH:MM:50 ipsec payload seen: TS_R
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: INITIAL_CONTACT
 YYYY-MM-DD HH:MM:50 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 YYYY-MM-DD HH:MM:50 ipsec ike auth: respond
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ID_I
 YYYY-MM-DD HH:MM:50 ipsec ID_I (FQDN): <Client ID>
 YYYY-MM-DD HH:MM:50 ipsec processing payload: ID_R
 YYYY-MM-DD HH:MM:50 ipsec ID_R (ADDR4): <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec processing payload: AUTH
 YYYY-MM-DD HH:MM:50 ipsec processing payload: CERT
 YYYY-MM-DD HH:MM:50 ipsec Certificate:
 YYYY-MM-DD HH:MM:50 ipsec   serialNr:  77:b4:c1:c4:48:c7:c5:b4
 YYYY-MM-DD HH:MM:50 ipsec   issuer:    <C=Country, S=A, L=Location, O=Home, OU=Router, CN=MT CA>
 YYYY-MM-DD HH:MM:50 ipsec   subject:   <C=Country, S=A, L=Location, O=Home, OU=Router, CN=<Client ID>>
 YYYY-MM-DD HH:MM:50 ipsec   notBefore: Wed Aug 20 18:41:29 2025
 YYYY-MM-DD HH:MM:50 ipsec   notAfter:  Mon Aug 24 18:41:29 2026
 YYYY-MM-DD HH:MM:50 ipsec   selfSigned:0
 YYYY-MM-DD HH:MM:50 ipsec   extensions:
 YYYY-MM-DD HH:MM:50 ipsec     key usage: digital-signature
 YYYY-MM-DD HH:MM:50 ipsec     subject key id:  3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
 YYYY-MM-DD HH:MM:50 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec     subject alternative name:
 YYYY-MM-DD HH:MM:50 ipsec       DNS: <Client ID>
 YYYY-MM-DD HH:MM:50 ipsec   signed with: SHA256+RSA
 YYYY-MM-DD HH:MM:50 ipsec [RSA-PUBLIC]
 YYYY-MM-DD HH:MM:50 ipsec modulus: <modulus omitted>
 YYYY-MM-DD HH:MM:50 ipsec publicExponent: 10001
 YYYY-MM-DD HH:MM:50 ipsec requested server id: <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: INITIAL_CONTACT
 YYYY-MM-DD HH:MM:50 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 YYYY-MM-DD HH:MM:50 ipsec processing payload: AUTH
 YYYY-MM-DD HH:MM:50 ipsec requested auth method: RSA
 YYYY-MM-DD HH:MM:50 ipsec trust chain:
 YYYY-MM-DD HH:MM:50 ipsec 0: SKID: 3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
 YYYY-MM-DD HH:MM:50 ipsec    AKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec 1: SKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec,info,account peer authorized: ike2 <Server IP>[500]-192.168.89.32[500] 5873d5bd27dfda08:1ed069d97fb76e4c
 YYYY-MM-DD HH:MM:50 ipsec processing payloads: NOTIFY
 YYYY-MM-DD HH:MM:50 ipsec   notify: INITIAL_CONTACT
 YYYY-MM-DD HH:MM:50 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 YYYY-MM-DD HH:MM:50 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 YYYY-MM-DD HH:MM:50 ipsec peer wants tunnel mode
 YYYY-MM-DD HH:MM:50 ipsec processing payload: CONFIG
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 address
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 netmask
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 DHCP
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv4 DNS
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv6 address
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv6 DHCP
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal IPv6 DNS
 YYYY-MM-DD HH:MM:50 ipsec   attribute: internal DNS domain
 YYYY-MM-DD HH:MM:50 ipsec,info acquired 192.168.77.23 address for 192.168.89.32, <Client ID>
 YYYY-MM-DD HH:MM:50 ipsec processing payload: SA
 YYYY-MM-DD HH:MM:50 ipsec IKE Protocol: ESP
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec processing payload: TS_I
 YYYY-MM-DD HH:MM:50 ipsec 0.0.0.0/0
 YYYY-MM-DD HH:MM:50 ipsec [::/0]
 YYYY-MM-DD HH:MM:50 ipsec processing payload: TS_R
 YYYY-MM-DD HH:MM:50 ipsec 0.0.0.0/0
 YYYY-MM-DD HH:MM:50 ipsec [::/0]
 YYYY-MM-DD HH:MM:50 ipsec TSi in tunnel mode replaced with config address: 192.168.77.23
 YYYY-MM-DD HH:MM:50 ipsec candidate selectors: 0.0.0.0/0 <=> 192.168.77.23
 YYYY-MM-DD HH:MM:50 ipsec candidate selectors: [::/0] <=> [::/0]
 YYYY-MM-DD HH:MM:50 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.77.23
 YYYY-MM-DD HH:MM:50 ipsec generating policy
 YYYY-MM-DD HH:MM:50 ipsec matched proposal:
 YYYY-MM-DD HH:MM:50 ipsec  proposal #1
 YYYY-MM-DD HH:MM:50 ipsec   enc: aes256-cbc
 YYYY-MM-DD HH:MM:50 ipsec   auth: sha256
 YYYY-MM-DD HH:MM:50 ipsec acquired spi 0xfbc1e40: ike2 <Server IP>[500]-192.168.89.32[500] 5873d5bd27dfda08:1ed069d97fb76e4c
 YYYY-MM-DD HH:MM:50 ipsec ike auth: finish
 YYYY-MM-DD HH:MM:50 ipsec ID_R (ADDR4): <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec adding payload: ID_R
 YYYY-MM-DD HH:MM:50 ipsec adding payload: AUTH
 YYYY-MM-DD HH:MM:50 ipsec Certificate:
 YYYY-MM-DD HH:MM:50 ipsec   serialNr:  75:4c:ce:d6:a0:6b:2b:2f
 YYYY-MM-DD HH:MM:50 ipsec   issuer:    <C=Country, S=A, L=Location, O=Home, OU=Router, CN=MT CA>
 YYYY-MM-DD HH:MM:50 ipsec   subject:   <C=Country, S=A, L=Location, O=Home, OU=Router, CN=<Server IP>>
 YYYY-MM-DD HH:MM:50 ipsec   notBefore: Thu Mar 13 19:20:04 2025
 YYYY-MM-DD HH:MM:50 ipsec   notAfter:  Tue Mar 17 19:20:04 2026
 YYYY-MM-DD HH:MM:50 ipsec   selfSigned:0
 YYYY-MM-DD HH:MM:50 ipsec   extensions:
 YYYY-MM-DD HH:MM:50 ipsec     key usage: digital-signature
 YYYY-MM-DD HH:MM:50 ipsec     subject key id:  15:47:59:6b:db:52:ba:5f:12:37:1d:50:ad:34:9f:75:d5:1f:e1:e5
 YYYY-MM-DD HH:MM:50 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
 YYYY-MM-DD HH:MM:50 ipsec     subject alternative name:
 YYYY-MM-DD HH:MM:50 ipsec       IP: <Server IP>
 YYYY-MM-DD HH:MM:50 ipsec   signed with: SHA256+RSA
 YYYY-MM-DD HH:MM:50 ipsec [RSA-PUBLIC]
 YYYY-MM-DD HH:MM:50 ipsec modulus: <modulus omitted>
 YYYY-MM-DD HH:MM:50 ipsec publicExponent: 10001
 YYYY-MM-DD HH:MM:50 ipsec adding payload: CERT
 YYYY-MM-DD HH:MM:50 ipsec preparing internal IPv4 address
 YYYY-MM-DD HH:MM:50 ipsec preparing internal IPv4 netmask
 YYYY-MM-DD HH:MM:50 ipsec preparing internal IPv4 DNS
 YYYY-MM-DD HH:MM:50 ipsec adding payload: CONFIG
 YYYY-MM-DD HH:MM:50 ipsec initiator selector: 192.168.77.23
 YYYY-MM-DD HH:MM:50 ipsec adding payload: TS_I
 YYYY-MM-DD HH:MM:50 ipsec responder selector: 0.0.0.0/0
 YYYY-MM-DD HH:MM:50 ipsec adding payload: TS_R
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SA
 YYYY-MM-DD HH:MM:50 ipsec <- ike2 reply, exchange: AUTH:1 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:50 ipsec fragmenting into 2 chunks
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec adding payload: SKF
 YYYY-MM-DD HH:MM:50 ipsec IPsec-SA established: 192.168.89.32[500]-><Server IP>[500] spi=0xfbc1e40
 YYYY-MM-DD HH:MM:50 ipsec IPsec-SA established: <Server IP>[500]->192.168.89.32[500] spi=0xe8196ad
 YYYY-MM-DD HH:MM:58 ipsec sending dpd packet
 YYYY-MM-DD HH:MM:58 ipsec <- ike2 request, exchange: INFORMATIONAL:0 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:58 ipsec sending dpd packet
 YYYY-MM-DD HH:MM:58 ipsec <- ike2 request, exchange: INFORMATIONAL:0 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:03 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:03 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:08 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:08 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:13 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:13 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:18 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:18 ipsec dpd: retransmit
 YYYY-MM-DD HH:MM:23 ipsec dpd: max retransmit failures reached
 YYYY-MM-DD HH:MM:23 ipsec,info killing ike2 SA: ike2 <Server IP>[500]-192.168.89.32[500] 67c38baa80f2ab8a:c2c8d72350c8d99c
 YYYY-MM-DD HH:MM:23 ipsec IPsec-SA killing: 192.168.89.32[500]-><Server IP>[500] spi=0xc1fbfb7
 YYYY-MM-DD HH:MM:23 ipsec IPsec-SA killing: <Server IP>[500]->192.168.89.32[500] spi=0x2bb465
 YYYY-MM-DD HH:MM:23 ipsec removing generated policy
 YYYY-MM-DD HH:MM:23 ipsec adding payload: DELETE
 YYYY-MM-DD HH:MM:23 ipsec <- ike2 request, exchange: INFORMATIONAL:1 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
 YYYY-MM-DD HH:MM:23 ipsec,info releasing address 192.168.77.20
 YYYY-MM-DD HH:MM:23 ipsec dpd: max retransmit failures reached
 YYYY-MM-DD HH:MM:23 ipsec,info killing ike2 SA: ike2 <Server IP>[500]-192.168.89.32[500] 5873d5bd27dfda08:1ed069d97fb76e4c
 YYYY-MM-DD HH:MM:23 ipsec IPsec-SA killing: 192.168.89.32[500]-><Server IP>[500] spi=0xfbc1e40
 YYYY-MM-DD HH:MM:23 ipsec IPsec-SA killing: <Server IP>[500]->192.168.89.32[500] spi=0xe8196ad
 YYYY-MM-DD HH:MM:23 ipsec removing generated policy
 YYYY-MM-DD HH:MM:23 ipsec adding payload: DELETE
 YYYY-MM-DD HH:MM:23 ipsec <- ike2 request, exchange: INFORMATIONAL:1 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
 YYYY-MM-DD HH:MM:23 ipsec,info releasing address 192.168.77.23

Dead Peer Detection failed to check a connection and disconnected a client.

Try setting dpd-interval to, say, 20s and dpd-maximum-failures to 20. Does it affect the disconnect time?

PS: This is not a production-ready solution; just increase the timeout to make sure it is the root cause.
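The log in the first post shows the whole sequence the reply above is pointing at: two IKE SAs from the same client address, a DPD probe 8 seconds after each SA is established (matching dpd-interval=8s in the ike2 profile), four unanswered retransmits (dpd-maximum-failures=4) and both SAs killed 33 seconds in. Reading that by eye across several hundred lines is error-prone, so here is an added helper that is not part of the thread or of RouterOS: a small Python parser that correlates "/log print where topics~\"ipsec\"" output per IKE SA (keyed by the SPI pair, which RouterOS prints in both orders), records when DPD started and when the SA was killed, and reports the peak number of simultaneous SAs per client. The sample log embedded below is constructed from the thread's line formats; the server address 203.0.113.1 and the identity client.example are placeholders, and the parser expects real addresses rather than the `<Server IP>` stand-ins used in the post.

```python
"""Correlate RouterOS 'ipsec' log lines per IKEv2 SA and flag DPD-driven teardown."""
import re
from datetime import datetime

# Constructed sample, modelled on the "/log print where topics~\"ipsec\"" output in the
# thread; 203.0.113.1 (server) and client.example (identity) are placeholders.
SAMPLE_LOG = """\
2025-12-08 21:31:50 ipsec,info new ike2 SA (R): ike2 203.0.113.1[500]-192.168.89.32[500] 67c38baa80f2ab8a:c2c8d72350c8d99c
2025-12-08 21:31:50 ipsec,info acquired 192.168.77.20 address for 192.168.89.32, client.example
2025-12-08 21:31:50 ipsec,info new ike2 SA (R): ike2 203.0.113.1[500]-192.168.89.32[500] 5873d5bd27dfda08:1ed069d97fb76e4c
2025-12-08 21:31:50 ipsec,info acquired 192.168.77.23 address for 192.168.89.32, client.example
2025-12-08 21:31:58 ipsec sending dpd packet
2025-12-08 21:31:58 ipsec <- ike2 request, exchange: INFORMATIONAL:0 192.168.89.32[500] c2c8d72350c8d99c:67c38baa80f2ab8a
2025-12-08 21:31:58 ipsec sending dpd packet
2025-12-08 21:31:58 ipsec <- ike2 request, exchange: INFORMATIONAL:0 192.168.89.32[500] 1ed069d97fb76e4c:5873d5bd27dfda08
2025-12-08 21:32:03 ipsec dpd: retransmit
2025-12-08 21:32:03 ipsec dpd: retransmit
2025-12-08 21:32:08 ipsec dpd: retransmit
2025-12-08 21:32:08 ipsec dpd: retransmit
2025-12-08 21:32:13 ipsec dpd: retransmit
2025-12-08 21:32:13 ipsec dpd: retransmit
2025-12-08 21:32:18 ipsec dpd: retransmit
2025-12-08 21:32:18 ipsec dpd: retransmit
2025-12-08 21:32:23 ipsec dpd: max retransmit failures reached
2025-12-08 21:32:23 ipsec,info killing ike2 SA: ike2 203.0.113.1[500]-192.168.89.32[500] 67c38baa80f2ab8a:c2c8d72350c8d99c
2025-12-08 21:32:23 ipsec dpd: max retransmit failures reached
2025-12-08 21:32:23 ipsec,info killing ike2 SA: ike2 203.0.113.1[500]-192.168.89.32[500] 5873d5bd27dfda08:1ed069d97fb76e4c
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ipsec(?:,[\w,]+)? (.*)$")
NEW_SA_RE = re.compile(r"new ike2 SA \(R\): \S+ \S+\[\d+\]-(\S+)\[\d+\] ([0-9a-f]+):([0-9a-f]+)")
ADDR_RE = re.compile(r"acquired (\S+) address for (\S+), (.+)$")
DPD_REQ_RE = re.compile(r"<- ike2 request, exchange: INFORMATIONAL:\d+ \S+\[\d+\] ([0-9a-f]+):([0-9a-f]+)")
KILL_RE = re.compile(r"killing ike2 SA: \S+ \S+\[\d+\]-(\S+)\[\d+\] ([0-9a-f]+):([0-9a-f]+)")


def sa_key(spi_a, spi_b):
    """RouterOS prints the pair as rSPI:iSPI on SA lines but iSPI:rSPI on exchange lines."""
    return tuple(sorted((spi_a, spi_b)))


def parse_ike_sas(log_text):
    """Return ({spi_pair: record}, total_dpd_retransmits) from RouterOS ipsec log text."""
    sas, retransmits, pending_dpd, dpd_exhausted = {}, 0, False, False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if n := NEW_SA_RE.search(msg):
            sas[sa_key(n.group(2), n.group(3))] = {
                "client": n.group(1), "established": ts, "address": None, "identity": None,
                "dpd_started": None, "killed": None, "killed_by_dpd": False}
        elif a := ADDR_RE.search(msg):
            # The mode-config address is logged after the SA line: attach it to the
            # newest SA from that client that has no address yet.
            for rec in reversed(list(sas.values())):
                if rec["client"] == a.group(2) and rec["address"] is None:
                    rec["address"], rec["identity"] = a.group(1), a.group(3)
                    break
        elif msg == "sending dpd packet":
            pending_dpd = True          # the next INFORMATIONAL request names the SA
        elif pending_dpd and (d := DPD_REQ_RE.search(msg)):
            rec = sas.get(sa_key(d.group(1), d.group(2)))
            if rec and rec["dpd_started"] is None:
                rec["dpd_started"] = ts
            pending_dpd = False
        elif msg == "dpd: retransmit":
            retransmits += 1            # not attributable to one SA in this log format
        elif msg == "dpd: max retransmit failures reached":
            dpd_exhausted = True        # the kill line that follows is DPD-driven
        elif k := KILL_RE.search(msg):
            rec = sas.get(sa_key(k.group(2), k.group(3)))
            if rec:
                rec["killed"], rec["killed_by_dpd"] = ts, dpd_exhausted
            dpd_exhausted = False
    return sas, retransmits


def peak_concurrent_sas(records):
    """Peak number of IKE SAs alive at once per client address (sweep over +1/-1 events)."""
    events = {}
    for rec in records:
        end = rec["killed"] or datetime.max
        events.setdefault(rec["client"], []).extend([(rec["established"], 1), (end, -1)])
    peaks = {}
    for client, evs in events.items():
        alive = peak = 0
        for _, delta in sorted(evs):    # at equal times -1 sorts before +1: ends before starts
            alive += delta
            peak = max(peak, alive)
        peaks[client] = peak
    return peaks


def _secs_since(start, t):
    return None if t is None else (t - start).total_seconds()


def summarize(log_text):
    """Per-SA timing relative to establishment plus per-client concurrency and DPD counters."""
    sas, retransmits = parse_ike_sas(log_text)
    rows = [{"client": r["client"], "address": r["address"], "identity": r["identity"],
             "secs_to_first_dpd": _secs_since(r["established"], r["dpd_started"]),
             "secs_to_kill": _secs_since(r["established"], r["killed"]),
             "killed_by_dpd": r["killed_by_dpd"]} for r in sas.values()]
    return {"sas": rows, "peak_concurrent": peak_concurrent_sas(sas.values()),
            "dpd_retransmits": retransmits}
```

Run `summarize(SAMPLE_LOG)` on the constructed sample and it reports two SAs for 192.168.89.32 with peak concurrency 2, DPD starting 8 s after establishment and both SAs killed by DPD at 33 s after 8 retransmits in total; fed the real log, a peak of 2 for one client address together with `killed_by_dpd` on both SAs is the signature the thread describes, and a client whose SAs are killed by DPD while the peer never answers the INFORMATIONAL probes points at the client side (or something between) dropping the probes rather than at the proposal or certificate setup, which the log shows completing normally.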

Nope, unfortunately it has no effect and the behaviour is exactly as it was before: one iOS client creates exactly two connections on the router, which die, and the iOS client disconnects immediately.

hmm, attach the log along with these addresses, so we could match log entries with them. You do not need to hide them, because they are local (rfc1918) anyway. Everything happens on a localnet, no public IP involved (and UDP/500 clearly means there is no NAT between the router and the client) as I see, right?

Are your ios and OS X in the same subnet?

Two connections are, indeed, strange.

Yes, iOS and OSX are in the same subnet — but very different behaviour.

Here is the log

2025-12-08 21:31:16 ipsec -> ike2 request, exchange: SA_INIT:0 192.168.89.28[500] f0fce0c019413e8e:0000000000000000
2025-12-08 21:31:16 ipsec ike2 respond
2025-12-08 21:31:16 ipsec payload seen: SA
2025-12-08 21:31:16 ipsec payload seen: KE
2025-12-08 21:31:16 ipsec payload seen: NONCE
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec processing payload: SA
2025-12-08 21:31:16 ipsec IKE Protocol: IKE
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   prf: hmac-sha256
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec   dh: modp2048
2025-12-08 21:31:16 ipsec matched proposal:
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   prf: hmac-sha256
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec   dh: modp2048
2025-12-08 21:31:16 ipsec processing payload: KE
2025-12-08 21:31:16 ipsec ike2 respond finish: request, exchange: SA_INIT:0 192.168.89.28[500] f0fce0c019413e8e:0000000000000000
2025-12-08 21:31:16 ipsec processing payload: NONCE
2025-12-08 21:31:16 ipsec adding payload: SA
2025-12-08 21:31:16 ipsec adding payload: KE
2025-12-08 21:31:16 ipsec adding payload: NONCE
2025-12-08 21:31:16 ipsec adding notify: NAT_DETECTION_SOURCE_IP
2025-12-08 21:31:16 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
2025-12-08 21:31:16 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
2025-12-08 21:31:16 ipsec adding payload: CERTREQ
2025-12-08 21:31:16 ipsec <- ike2 reply, exchange: SA_INIT:0 192.168.89.28[500] f0fce0c019413e8e:941825aab9bf3ab0
2025-12-08 21:31:16 ipsec,info new ike2 SA (R): ike2 ==SERVER IP==[500]-192.168.89.28[500] 941825aab9bf3ab0:f0fce0c019413e8e
2025-12-08 21:31:16 ipsec processing payloads: VID (none found)
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: REDIRECT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NAT_DETECTION_SOURCE_IP
2025-12-08 21:31:16 ipsec   notify: NAT_DETECTION_DESTINATION_IP
2025-12-08 21:31:16 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: SIGNATURE_HASH_ALGORITHMS
2025-12-08 21:31:16 ipsec fragmentation negotiated
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] f0fce0c019413e8e:941825aab9bf3ab0
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] f0fce0c019413e8e:941825aab9bf3ab0
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] f0fce0c019413e8e:941825aab9bf3ab0
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] f0fce0c019413e8e:941825aab9bf3ab0
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec payload seen: ID_I
2025-12-08 21:31:16 ipsec payload seen: CERT
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: ID_R
2025-12-08 21:31:16 ipsec payload seen: AUTH
2025-12-08 21:31:16 ipsec payload seen: CONFIG
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: SA
2025-12-08 21:31:16 ipsec payload seen: TS_I
2025-12-08 21:31:16 ipsec payload seen: TS_R
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: INITIAL_CONTACT
2025-12-08 21:31:16 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
2025-12-08 21:31:16 ipsec ike auth: respond
2025-12-08 21:31:16 ipsec processing payload: ID_I
2025-12-08 21:31:16 ipsec ID_I (FQDN): Artur
2025-12-08 21:31:16 ipsec processing payload: ID_R
2025-12-08 21:31:16 ipsec ID_R (ADDR4): ==SERVER IP==
2025-12-08 21:31:16 ipsec processing payload: AUTH
2025-12-08 21:31:16 ipsec processing payload: CERT
2025-12-08 21:31:16 ipsec Certificate:
2025-12-08 21:31:16 ipsec   serialNr:  77:b4:c1:c4:48:c7:c5:b4
2025-12-08 21:31:16 ipsec   issuer:    <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN=MT CA>
2025-12-08 21:31:16 ipsec   subject:   <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN=Artur>
2025-12-08 21:31:16 ipsec   notBefore: Wed Aug 20 18:41:29 2025
2025-12-08 21:31:16 ipsec   notAfter:  Mon Aug 24 18:41:29 2026
2025-12-08 21:31:16 ipsec   selfSigned:0
2025-12-08 21:31:16 ipsec   extensions:
2025-12-08 21:31:16 ipsec     key usage: digital-signature
2025-12-08 21:31:16 ipsec     subject key id:  3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
2025-12-08 21:31:16 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec     subject alternative name:
2025-12-08 21:31:16 ipsec       DNS: Artur
2025-12-08 21:31:16 ipsec   signed with: SHA256+RSA
2025-12-08 21:31:16 ipsec [RSA-PUBLIC]
2025-12-08 21:31:16 ipsec modulus: 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
2025-12-08 21:31:16 ipsec publicExponent: 10001
2025-12-08 21:31:16 ipsec requested server id: ==SERVER IP==
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: INITIAL_CONTACT
2025-12-08 21:31:16 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
2025-12-08 21:31:16 ipsec processing payload: AUTH
2025-12-08 21:31:16 ipsec requested auth method: RSA
2025-12-08 21:31:16 ipsec trust chain:
2025-12-08 21:31:16 ipsec 0: SKID: 3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
2025-12-08 21:31:16 ipsec    AKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec 1: SKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec,info,account peer authorized: ike2 ==SERVER IP==[500]-192.168.89.28[500] 941825aab9bf3ab0:f0fce0c019413e8e
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: INITIAL_CONTACT
2025-12-08 21:31:16 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
2025-12-08 21:31:16 ipsec peer wants tunnel mode
2025-12-08 21:31:16 ipsec processing payload: CONFIG
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 address
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 netmask
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 DHCP
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 DNS
2025-12-08 21:31:16 ipsec   attribute: internal IPv6 address
2025-12-08 21:31:16 ipsec   attribute: internal IPv6 DHCP
2025-12-08 21:31:16 ipsec   attribute: internal IPv6 DNS
2025-12-08 21:31:16 ipsec   attribute: internal DNS domain
2025-12-08 21:31:16 ipsec,info acquired 192.168.77.22 address for 192.168.89.28, Artur
2025-12-08 21:31:16 ipsec processing payload: SA
2025-12-08 21:31:16 ipsec IKE Protocol: ESP
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec processing payload: TS_I
2025-12-08 21:31:16 ipsec 0.0.0.0/0
2025-12-08 21:31:16 ipsec [::/0]
2025-12-08 21:31:16 ipsec processing payload: TS_R
2025-12-08 21:31:16 ipsec 0.0.0.0/0
2025-12-08 21:31:16 ipsec [::/0]
2025-12-08 21:31:16 ipsec TSi in tunnel mode replaced with config address: 192.168.77.22
2025-12-08 21:31:16 ipsec candidate selectors: 0.0.0.0/0 <=> 192.168.77.22
2025-12-08 21:31:16 ipsec candidate selectors: [::/0] <=> [::/0]
2025-12-08 21:31:16 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.77.22
2025-12-08 21:31:16 ipsec generating policy
2025-12-08 21:31:16 ipsec matched proposal:
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec acquired spi 0xb6a8626: ike2 ==SERVER IP==[500]-192.168.89.28[500] 941825aab9bf3ab0:f0fce0c019413e8e
2025-12-08 21:31:16 ipsec ike auth: finish
2025-12-08 21:31:16 ipsec ID_R (ADDR4): ==SERVER IP==
2025-12-08 21:31:16 ipsec adding payload: ID_R
2025-12-08 21:31:16 ipsec adding payload: AUTH
2025-12-08 21:31:16 ipsec Certificate:
2025-12-08 21:31:16 ipsec   serialNr:  75:4c:ce:d6:a0:6b:2b:2f
2025-12-08 21:31:16 ipsec   issuer:    <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN=MT CA>
2025-12-08 21:31:16 ipsec   subject:   <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN===SERVER IP==>
2025-12-08 21:31:16 ipsec   notBefore: Thu Mar 13 19:20:04 2025
2025-12-08 21:31:16 ipsec   notAfter:  Tue Mar 17 19:20:04 2026
2025-12-08 21:31:16 ipsec   selfSigned:0
2025-12-08 21:31:16 ipsec   extensions:
2025-12-08 21:31:16 ipsec     key usage: digital-signature
2025-12-08 21:31:16 ipsec     subject key id:  15:47:59:6b:db:52:ba:5f:12:37:1d:50:ad:34:9f:75:d5:1f:e1:e5
2025-12-08 21:31:16 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec     subject alternative name:
2025-12-08 21:31:16 ipsec       IP: ==SERVER IP==
2025-12-08 21:31:16 ipsec   signed with: SHA256+RSA
2025-12-08 21:31:16 ipsec [RSA-PUBLIC]
2025-12-08 21:31:16 ipsec modulus: b6a12aca91bcbf996a5eac236944650c03be0485283209c416cfeafd1fe80cf70b52b9da465b5c7e6b1b206ab7b200976d0233de163e11ec8b514d5a2ae3ea26d44e9b2a991b840e157739f8ea66d464d2d8099d254cdcb46efeed6403998559f40780bf02da9486818f933435634e38b5c53ac56ef15486e98794e2b8a17318c18f5a84c45f1986f8243d3f0b6730f08a6e04c60fef35f4fe4e803e0802278caf3b95de1f858045bdd77490ca18817d5a626600ee2b505a9b24de17d70377c0eda773c0bed672d812915356e836162d209ae467bcb238a3aaac198cbf9533fbabb080d94945372c86fd98e20de703f911c0775a6332364222d0c794ab76b2e3
2025-12-08 21:31:16 ipsec publicExponent: 10001
2025-12-08 21:31:16 ipsec adding payload: CERT
2025-12-08 21:31:16 ipsec preparing internal IPv4 address
2025-12-08 21:31:16 ipsec preparing internal IPv4 netmask
2025-12-08 21:31:16 ipsec preparing internal IPv4 DNS
2025-12-08 21:31:16 ipsec adding payload: CONFIG
2025-12-08 21:31:16 ipsec initiator selector: 192.168.77.22
2025-12-08 21:31:16 ipsec adding payload: TS_I
2025-12-08 21:31:16 ipsec responder selector: 0.0.0.0/0
2025-12-08 21:31:16 ipsec adding payload: TS_R
2025-12-08 21:31:16 ipsec adding payload: SA
2025-12-08 21:31:16 ipsec <- ike2 reply, exchange: AUTH:1 192.168.89.28[500] f0fce0c019413e8e:941825aab9bf3ab0
2025-12-08 21:31:16 ipsec fragmenting into 2 chunks
2025-12-08 21:31:16 ipsec adding payload: SKF
2025-12-08 21:31:16 ipsec adding payload: SKF
2025-12-08 21:31:16 ipsec IPsec-SA established: 192.168.89.28[500]->==SERVER IP==[500] spi=0xb6a8626
2025-12-08 21:31:16 ipsec IPsec-SA established: ==SERVER IP==[500]->192.168.89.28[500] spi=0xbb073e
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: SA_INIT:0 192.168.89.28[500] 7aa0b2647e84c4df:0000000000000000
2025-12-08 21:31:16 ipsec ike2 respond
2025-12-08 21:31:16 ipsec payload seen: SA
2025-12-08 21:31:16 ipsec payload seen: KE
2025-12-08 21:31:16 ipsec payload seen: NONCE
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec processing payload: SA
2025-12-08 21:31:16 ipsec IKE Protocol: IKE
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   prf: hmac-sha256
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec   dh: modp2048
2025-12-08 21:31:16 ipsec matched proposal:
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   prf: hmac-sha256
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec   dh: modp2048
2025-12-08 21:31:16 ipsec processing payload: KE
2025-12-08 21:31:16 ipsec ike2 respond finish: request, exchange: SA_INIT:0 192.168.89.28[500] 7aa0b2647e84c4df:0000000000000000
2025-12-08 21:31:16 ipsec processing payload: NONCE
2025-12-08 21:31:16 ipsec adding payload: SA
2025-12-08 21:31:16 ipsec adding payload: KE
2025-12-08 21:31:16 ipsec adding payload: NONCE
2025-12-08 21:31:16 ipsec adding notify: NAT_DETECTION_SOURCE_IP
2025-12-08 21:31:16 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
2025-12-08 21:31:16 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
2025-12-08 21:31:16 ipsec adding payload: CERTREQ
2025-12-08 21:31:16 ipsec <- ike2 reply, exchange: SA_INIT:0 192.168.89.28[500] 7aa0b2647e84c4df:9a5400576e3fab63
2025-12-08 21:31:16 ipsec,info new ike2 SA (R): ike2 ==SERVER IP==[500]-192.168.89.28[500] 9a5400576e3fab63:7aa0b2647e84c4df
2025-12-08 21:31:16 ipsec processing payloads: VID (none found)
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: REDIRECT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NAT_DETECTION_SOURCE_IP
2025-12-08 21:31:16 ipsec   notify: NAT_DETECTION_DESTINATION_IP
2025-12-08 21:31:16 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: SIGNATURE_HASH_ALGORITHMS
2025-12-08 21:31:16 ipsec fragmentation negotiated
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] 7aa0b2647e84c4df:9a5400576e3fab63
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] 7aa0b2647e84c4df:9a5400576e3fab63
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] 7aa0b2647e84c4df:9a5400576e3fab63
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec -> ike2 request, exchange: AUTH:1 192.168.89.28[500] 7aa0b2647e84c4df:9a5400576e3fab63
2025-12-08 21:31:16 ipsec payload seen: SKF
2025-12-08 21:31:16 ipsec processing payload: ENC (not found)
2025-12-08 21:31:16 ipsec processing payload: SKF
2025-12-08 21:31:16 ipsec payload seen: ID_I
2025-12-08 21:31:16 ipsec payload seen: CERT
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: ID_R
2025-12-08 21:31:16 ipsec payload seen: AUTH
2025-12-08 21:31:16 ipsec payload seen: CONFIG
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: NOTIFY
2025-12-08 21:31:16 ipsec payload seen: SA
2025-12-08 21:31:16 ipsec payload seen: TS_I
2025-12-08 21:31:16 ipsec payload seen: TS_R
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: INITIAL_CONTACT
2025-12-08 21:31:16 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
2025-12-08 21:31:16 ipsec ike auth: respond
2025-12-08 21:31:16 ipsec processing payload: ID_I
2025-12-08 21:31:16 ipsec ID_I (FQDN): Artur
2025-12-08 21:31:16 ipsec processing payload: ID_R
2025-12-08 21:31:16 ipsec ID_R (ADDR4): ==SERVER IP==
2025-12-08 21:31:16 ipsec processing payload: AUTH
2025-12-08 21:31:16 ipsec processing payload: CERT
2025-12-08 21:31:16 ipsec Certificate:
2025-12-08 21:31:16 ipsec   serialNr:  77:b4:c1:c4:48:c7:c5:b4
2025-12-08 21:31:16 ipsec   issuer:    <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN=MT CA>
2025-12-08 21:31:16 ipsec   subject:   <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN=Artur>
2025-12-08 21:31:16 ipsec   notBefore: Wed Aug 20 18:41:29 2025
2025-12-08 21:31:16 ipsec   notAfter:  Mon Aug 24 18:41:29 2026
2025-12-08 21:31:16 ipsec   selfSigned:0
2025-12-08 21:31:16 ipsec   extensions:
2025-12-08 21:31:16 ipsec     key usage: digital-signature
2025-12-08 21:31:16 ipsec     subject key id:  3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
2025-12-08 21:31:16 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec     subject alternative name:
2025-12-08 21:31:16 ipsec       DNS: Artur
2025-12-08 21:31:16 ipsec   signed with: SHA256+RSA
2025-12-08 21:31:16 ipsec [RSA-PUBLIC]
2025-12-08 21:31:16 ipsec modulus: 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
2025-12-08 21:31:16 ipsec publicExponent: 10001
2025-12-08 21:31:16 ipsec requested server id: ==SERVER IP==
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: INITIAL_CONTACT
2025-12-08 21:31:16 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
2025-12-08 21:31:16 ipsec processing payload: AUTH
2025-12-08 21:31:16 ipsec requested auth method: RSA
2025-12-08 21:31:16 ipsec trust chain:
2025-12-08 21:31:16 ipsec 0: SKID: 3b:fd:08:29:48:96:bf:4a:83:04:df:3f:c8:13:75:de:e9:28:38:8d
2025-12-08 21:31:16 ipsec    AKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec 1: SKID: fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec,info,account peer authorized: ike2 ==SERVER IP==[500]-192.168.89.28[500] 9a5400576e3fab63:7aa0b2647e84c4df
2025-12-08 21:31:16 ipsec processing payloads: NOTIFY
2025-12-08 21:31:16 ipsec   notify: INITIAL_CONTACT
2025-12-08 21:31:16 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
2025-12-08 21:31:16 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
2025-12-08 21:31:16 ipsec peer wants tunnel mode
2025-12-08 21:31:16 ipsec processing payload: CONFIG
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 address
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 netmask
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 DHCP
2025-12-08 21:31:16 ipsec   attribute: internal IPv4 DNS
2025-12-08 21:31:16 ipsec   attribute: internal IPv6 address
2025-12-08 21:31:16 ipsec   attribute: internal IPv6 DHCP
2025-12-08 21:31:16 ipsec   attribute: internal IPv6 DNS
2025-12-08 21:31:16 ipsec   attribute: internal DNS domain
2025-12-08 21:31:16 ipsec,info acquired 192.168.77.34 address for 192.168.89.28, Artur
2025-12-08 21:31:16 ipsec processing payload: SA
2025-12-08 21:31:16 ipsec IKE Protocol: ESP
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec processing payload: TS_I
2025-12-08 21:31:16 ipsec 0.0.0.0/0
2025-12-08 21:31:16 ipsec [::/0]
2025-12-08 21:31:16 ipsec processing payload: TS_R
2025-12-08 21:31:16 ipsec 0.0.0.0/0
2025-12-08 21:31:16 ipsec [::/0]
2025-12-08 21:31:16 ipsec TSi in tunnel mode replaced with config address: 192.168.77.34
2025-12-08 21:31:16 ipsec candidate selectors: 0.0.0.0/0 <=> 192.168.77.34
2025-12-08 21:31:16 ipsec candidate selectors: [::/0] <=> [::/0]
2025-12-08 21:31:16 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.77.34
2025-12-08 21:31:16 ipsec generating policy
2025-12-08 21:31:16 ipsec matched proposal:
2025-12-08 21:31:16 ipsec  proposal #1
2025-12-08 21:31:16 ipsec   enc: aes256-cbc
2025-12-08 21:31:16 ipsec   auth: sha256
2025-12-08 21:31:16 ipsec acquired spi 0x5b62e5f: ike2 ==SERVER IP==[500]-192.168.89.28[500] 9a5400576e3fab63:7aa0b2647e84c4df
2025-12-08 21:31:16 ipsec ike auth: finish
2025-12-08 21:31:16 ipsec ID_R (ADDR4): ==SERVER IP==
2025-12-08 21:31:16 ipsec adding payload: ID_R
2025-12-08 21:31:16 ipsec adding payload: AUTH
2025-12-08 21:31:16 ipsec Certificate:
2025-12-08 21:31:16 ipsec   serialNr:  75:4c:ce:d6:a0:6b:2b:2f
2025-12-08 21:31:16 ipsec   issuer:    <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN=MT CA>
2025-12-08 21:31:16 ipsec   subject:   <C=NL, S=NH, L=Haarlem, O=Home, OU=Router, CN===SERVER IP==>
2025-12-08 21:31:16 ipsec   notBefore: Thu Mar 13 19:20:04 2025
2025-12-08 21:31:16 ipsec   notAfter:  Tue Mar 17 19:20:04 2026
2025-12-08 21:31:16 ipsec   selfSigned:0
2025-12-08 21:31:16 ipsec   extensions:
2025-12-08 21:31:16 ipsec     key usage: digital-signature
2025-12-08 21:31:16 ipsec     subject key id:  15:47:59:6b:db:52:ba:5f:12:37:1d:50:ad:34:9f:75:d5:1f:e1:e5
2025-12-08 21:31:16 ipsec     authority key id:fa:ad:ee:b5:4c:23:40:91:3d:0d:7d:81:a9:dc:5b:90:66:8b:cd:b3
2025-12-08 21:31:16 ipsec     subject alternative name:
2025-12-08 21:31:16 ipsec       IP: ==SERVER IP==
2025-12-08 21:31:16 ipsec   signed with: SHA256+RSA
2025-12-08 21:31:16 ipsec [RSA-PUBLIC]
2025-12-08 21:31:16 ipsec modulus: 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
2025-12-08 21:31:16 ipsec publicExponent: 10001
2025-12-08 21:31:16 ipsec adding payload: CERT
2025-12-08 21:31:16 ipsec preparing internal IPv4 address
2025-12-08 21:31:16 ipsec preparing internal IPv4 netmask
2025-12-08 21:31:16 ipsec preparing internal IPv4 DNS
2025-12-08 21:31:16 ipsec adding payload: CONFIG
2025-12-08 21:31:16 ipsec initiator selector: 192.168.77.34
2025-12-08 21:31:16 ipsec adding payload: TS_I
2025-12-08 21:31:16 ipsec responder selector: 0.0.0.0/0
2025-12-08 21:31:16 ipsec adding payload: TS_R
2025-12-08 21:31:16 ipsec adding payload: SA
2025-12-08 21:31:16 ipsec <- ike2 reply, exchange: AUTH:1 192.168.89.28[500] 7aa0b2647e84c4df:9a5400576e3fab63
2025-12-08 21:31:16 ipsec fragmenting into 2 chunks
2025-12-08 21:31:16 ipsec adding payload: SKF
2025-12-08 21:31:16 ipsec adding payload: SKF
2025-12-08 21:31:16 ipsec IPsec-SA established: 192.168.89.28[500]->==SERVER IP==[500] spi=0x5b62e5f
2025-12-08 21:31:16 ipsec IPsec-SA established: ==SERVER IP==[500]->192.168.89.28[500] spi=0x13d44f9
2025-12-08 21:32:21 ipsec dpd: retransmit
2025-12-08 21:32:21 ipsec dpd: retransmit
2025-12-08 21:32:26 ipsec dpd: retransmit
2025-12-08 21:32:26 ipsec dpd: retransmit
2025-12-08 21:32:31 ipsec dpd: retransmit
2025-12-08 21:32:31 ipsec dpd: retransmit
2025-12-08 21:32:36 ipsec dpd: retransmit
2025-12-08 21:32:36 ipsec dpd: retransmit
2025-12-08 21:32:41 ipsec dpd: max retransmit failures reached
2025-12-08 21:32:41 ipsec,info killing ike2 SA: ike2 ==SERVER IP==[500]-192.168.89.28[500] 941825aab9bf3ab0:f0fce0c019413e8e
2025-12-08 21:32:41 ipsec IPsec-SA killing: 192.168.89.28[500]->==SERVER IP==[500] spi=0xb6a8626
2025-12-08 21:32:41 ipsec IPsec-SA killing: ==SERVER IP==[500]->192.168.89.28[500] spi=0xbb073e
2025-12-08 21:32:41 ipsec removing generated policy
2025-12-08 21:32:41 ipsec adding payload: DELETE
2025-12-08 21:32:41 ipsec <- ike2 request, exchange: INFORMATIONAL:1 192.168.89.28[500] f0fce0c019413e8e:941825aab9bf3ab0
2025-12-08 21:32:41 ipsec,info releasing address 192.168.77.22
2025-12-08 21:32:41 ipsec dpd: max retransmit failures reached
2025-12-08 21:32:41 ipsec,info killing ike2 SA: ike2 ==SERVER IP==[500]-192.168.89.28[500] 9a5400576e3fab63:7aa0b2647e84c4df
2025-12-08 21:32:41 ipsec IPsec-SA killing: 192.168.89.28[500]->==SERVER IP==[500] spi=0x5b62e5f
2025-12-08 21:32:41 ipsec IPsec-SA killing: ==SERVER IP==[500]->192.168.89.28[500] spi=0x13d44f9
2025-12-08 21:32:41 ipsec removing generated policy
2025-12-08 21:32:41 ipsec adding payload: DELETE
2025-12-08 21:32:41 ipsec <- ike2 request, exchange: INFORMATIONAL:1 192.168.89.28[500] 7aa0b2647e84c4df:9a5400576e3fab63
2025-12-08 21:32:41 ipsec,info releasing address 192.168.77.34
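Matching the `new ike2 SA`, `acquired ... address`, `killing ike2 SA` and `releasing address` lines of a RouterOS ipsec log by hand, as the previous reply asked for, gets tedious once a client opens more than one SA. The script below is an added example (mine, not part of the thread and not RouterOS code) that parses the line shapes visible in the log above and reconstructs each IKE SA: responder/initiator cookies, peer address, the identity from `ID_I` or the address assignment, the child SA SPIs, and when and why the SA was killed. It then reports peers that held more than one SA at the same time, which is the "two connections" symptom. The embedded sample log is condensed from the log above, with the redacted server address replaced by the assumed 192.168.89.1; only these line formats are recognised, everything else is skipped.

```python
"""Reconstruct IKEv2 SA lifecycles from MikroTik RouterOS ipsec log lines.

Added example for the thread above; it is not RouterOS code. It understands the
line shapes visible in the posted log (new SA, peer authorized, ID_I, acquired
address, IPsec-SA established, dpd failure, killing SA) and nothing else.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
# "<timestamp> ipsec[,topic,...] <message>"; indented sub-lines never match later patterns
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ipsec(?:,[\w,]+)? (.*)$")
COOKIES = r"([0-9a-f]{16}:[0-9a-f]{16})"
NEW_SA = re.compile(r"^new ike2 SA \(R\): \S+ \S+\[\d+\]-(\S+)\[\d+\] " + COOKIES + "$")
AUTHORIZED = re.compile(r"^peer authorized: \S+ \S+-\S+ " + COOKIES + "$")
ID_I = re.compile(r"^ID_I \(\w+\): (.+)$")
ACQUIRED = re.compile(r"^acquired (\S+) address for \S+, (.+)$")
CHILD = re.compile(r"^IPsec-SA established: \S+->\S+ spi=(0x[0-9a-f]+)$")
DPD_FAIL = re.compile(r"^dpd: max retransmit failures reached$")
KILLING = re.compile(r"^killing ike2 SA: \S+ \S+-\S+ " + COOKIES + "$")


@dataclass
class SaRecord:
    cookies: str                      # "<responder SPI>:<initiator SPI>" exactly as logged
    peer: str                         # client address seen on UDP/500
    created: datetime
    authorized: bool = False
    identity: str | None = None       # ID_I sent by the client
    address: str | None = None        # mode-config address handed out by the router
    child_spis: list[str] = field(default_factory=list)
    killed: datetime | None = None
    kill_reason: str | None = None    # "dpd" when preceded by a DPD failure line

    @property
    def lifetime_s(self) -> float | None:
        return None if self.killed is None else (self.killed - self.created).total_seconds()


def parse_ipsec_log(text: str) -> dict[str, SaRecord]:
    """Return SA records keyed by cookie pair. RouterOS logs one exchange at a time,
    so ID_I / acquired / established lines are attributed to the most recent SA."""
    sas: dict[str, SaRecord] = {}
    current: SaRecord | None = None
    pending_dpd = False               # "max retransmit failures" comes right before "killing"
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), TS_FMT), m.group(2)
        if (n := NEW_SA.match(msg)):
            current = SaRecord(cookies=n.group(2), peer=n.group(1), created=ts)
            sas[current.cookies] = current
        elif (a := AUTHORIZED.match(msg)) and a.group(1) in sas:
            current = sas[a.group(1)]
            current.authorized = True
        elif (i := ID_I.match(msg)) and current is not None:
            current.identity = i.group(1)
        elif (q := ACQUIRED.match(msg)) and current is not None:
            current.address, current.identity = q.group(1), q.group(2)
        elif (c := CHILD.match(msg)) and current is not None:
            current.child_spis.append(c.group(1))
        elif DPD_FAIL.match(msg):
            pending_dpd = True
        elif (k := KILLING.match(msg)):
            if (rec := sas.get(k.group(1))) is not None:
                rec.killed, rec.kill_reason = ts, ("dpd" if pending_dpd else "other")
            pending_dpd = False
    return sas


def concurrent_sas(sas: dict[str, SaRecord]) -> dict[tuple[str, str], list[SaRecord]]:
    """Group SAs by (peer address, identity) and keep the groups in which a later SA
    was created before an earlier one was killed. A client that sends
    INITIAL_CONTACT is telling the responder it has a single SA; two overlapping
    ones from the same authenticated identity are worth investigating."""
    groups: dict[tuple[str, str], list[SaRecord]] = {}
    for rec in sas.values():
        if rec.identity is not None:
            groups.setdefault((rec.peer, rec.identity), []).append(rec)
    overlapping = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r.created)
        if any(a.killed is None or b.created < a.killed for a, b in zip(recs, recs[1:])):
            overlapping[key] = recs
    return overlapping


def summarize(sas: dict[str, SaRecord]) -> list[str]:
    out = []
    for r in sorted(sas.values(), key=lambda r: r.created):
        state = f"killed ({r.kill_reason}) after {r.lifetime_s:.0f}s" if r.killed else "still up"
        out.append(f"{r.cookies} peer={r.peer} id={r.identity} addr={r.address} "
                   f"children={len(r.child_spis)} {state}")
    return out


# Constructed sample: condensed from the thread's log, server address assumed 192.168.89.1.
SAMPLE_LOG = """\
2025-12-08 21:31:16 ipsec,info new ike2 SA (R): ike2 192.168.89.1[500]-192.168.89.28[500] 941825aab9bf3ab0:f0fce0c019413e8e
2025-12-08 21:31:16 ipsec   notify: INITIAL_CONTACT
2025-12-08 21:31:16 ipsec ID_I (FQDN): Artur
2025-12-08 21:31:16 ipsec,info,account peer authorized: ike2 192.168.89.1[500]-192.168.89.28[500] 941825aab9bf3ab0:f0fce0c019413e8e
2025-12-08 21:31:16 ipsec,info acquired 192.168.77.22 address for 192.168.89.28, Artur
2025-12-08 21:31:16 ipsec IPsec-SA established: 192.168.89.28[500]->192.168.89.1[500] spi=0xb6a8626
2025-12-08 21:31:16 ipsec IPsec-SA established: 192.168.89.1[500]->192.168.89.28[500] spi=0xbb073e
2025-12-08 21:31:16 ipsec,info new ike2 SA (R): ike2 192.168.89.1[500]-192.168.89.28[500] 9a5400576e3fab63:7aa0b2647e84c4df
2025-12-08 21:31:16 ipsec,info,account peer authorized: ike2 192.168.89.1[500]-192.168.89.28[500] 9a5400576e3fab63:7aa0b2647e84c4df
2025-12-08 21:31:16 ipsec,info acquired 192.168.77.34 address for 192.168.89.28, Artur
2025-12-08 21:31:16 ipsec IPsec-SA established: 192.168.89.28[500]->192.168.89.1[500] spi=0x5b62e5f
2025-12-08 21:31:16 ipsec IPsec-SA established: 192.168.89.1[500]->192.168.89.28[500] spi=0x13d44f9
2025-12-08 21:32:21 ipsec dpd: retransmit
2025-12-08 21:32:41 ipsec dpd: max retransmit failures reached
2025-12-08 21:32:41 ipsec,info killing ike2 SA: ike2 192.168.89.1[500]-192.168.89.28[500] 941825aab9bf3ab0:f0fce0c019413e8e
2025-12-08 21:32:41 ipsec,info releasing address 192.168.77.22
2025-12-08 21:32:41 ipsec dpd: max retransmit failures reached
2025-12-08 21:32:41 ipsec,info killing ike2 SA: ike2 192.168.89.1[500]-192.168.89.28[500] 9a5400576e3fab63:7aa0b2647e84c4df
2025-12-08 21:32:41 ipsec,info releasing address 192.168.77.34
"""

if __name__ == "__main__":
    records = parse_ipsec_log(SAMPLE_LOG)
    print("\n".join(summarize(records)))
    for (peer, ident), recs in concurrent_sas(records).items():
        print(f"{peer} as {ident} held {len(recs)} SAs at once")
```

On the sample this reports two SAs from 192.168.89.28 authenticated as Artur, created in the same second, each with its own mode-config address and child SA pair, both killed by DPD 85 seconds later. Feed it `/log print` output (or a file exported from it) with `ipsec` debug logging enabled; the cookie pair in the `killing ike2 SA` line is what ties the kill back to the `new ike2 SA` line, so both must be present in the capture.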

  1. iOS, indeed, creates second connection for unknown reasons. I wonder could it be an ios bug?
  2. I still see dpd disconnect, are you sure you changed the time?

If I faced this issue, I’d disable dpd completely, and then try the same client with other IKE implementations (e.g. strongSwan) to find the culprit

I’ve collected some logs from the iOS client and it seems it doesn’t trust the certificate.

2025-12-10 20:47:02.402626+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 0BF9DE32D6B044C2-FDB68E1004284247] Processing response for message 1
2025-12-10 20:47:02.402683+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 0BF9DE32D6B044C2-FDB68E1004284247], current rtt 64
2025-12-10 20:47:02.403053+0100  localhost NEIKEv2Provider[2420]: (Security) Created Activity ID: 0xa5174, Description: SecTrustEvaluateIfNecessary
2025-12-10 20:47:02.403564+0100  localhost NEIKEv2Provider[2420]: (libxpc.dylib) [com.apple.xpc:connection] [0xb360a4300] activating connection: mach=true listener=false peer=false name=com.apple.trustd
2025-12-10 20:47:02.408963+0100  localhost NEIKEv2Provider[2420]: (libxpc.dylib) [com.apple.xpc:connection] [0xb360a4300] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
2025-12-10 20:47:02.409264+0100  localhost NEIKEv2Provider[2420]: (Security) [com.apple.securityd:SecError] Trust evaluate failure: [leaf MissingIntermediate]
2025-12-10 20:47:02.409274+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] Certificate evaluation error = kSecTrustResultRecoverableTrustFailure
2025-12-10 20:47:02.409307+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] Certificate is not trusted
2025-12-10 20:47:02.409325+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] Certificate chain could not be verified
2025-12-10 20:47:02.409581+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[2.2, 0BF9DE32D6B044C2-FDB68E1004284247] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: Certificate chain could not be verified" UserInfo={NSLocalizedDescription=Authentication: Certificate chain could not be verified}
2025-12-10 20:47:02.409651+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 0BF9DE32D6B044C2-FDB68E1004284247] Failed to process IKE Auth packet (connect)
2025-12-10 20:47:02.409815+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[2.2, 0BF9DE32D6B044C2-FDB68E1004284247] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: Certificate chain could not be verified" UserInfo={NSLocalizedDescription=Authentication: Certificate chain could not be verified} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE Auth packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE Auth packet (connect)}
2025-12-10 20:47:02.409912+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 0BF9DE32D6B044C2-FDB68E1004284247] Reporting state Disconnected error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: Certificate chain could not be verified" UserInfo={NSLocalizedDescription=Authentication: Certificate chain could not be verified}
2025-12-10 20:47:02.409996+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] ChildSA[2, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: Certificate chain could not be verified" UserInfo={NSLocalizedDescription=Authentication: Certificate chain could not be verified}
2025-12-10 20:47:02.410038+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] Resetting IKEv2Session[2, 0BF9DE32D6B044C2-FDB68E1004284247]
2025-12-10 20:47:02.410079+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] Aborting session IKEv2Session[2, 0BF9DE32D6B044C2-FDB68E1004284247]
2025-12-10 20:47:02.410178+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 0BF9DE32D6B044C2-FDB68E1004284247] KernelSASession[2, IKEv2 Session Database] Uninstalling all child SAs
2025-12-10 20:47:02.410208+0100  localhost NEIKEv2Provider[2420]: (NetworkExtension) [com.apple.networkextension:] KernelSASession[2, IKEv2 Session Database] Removing all SAs

I’m wondering why that could be and how it could be fixed? The profile obviously has the CA certificate, which should be trusted by default when imported.

That normally means the certificate wasn’t properly installed.

Remember you do not only need to provide the certificate but also the chain of certificates above it up to the point where the client has trusted certificates (normally the root).

When you get a certificate you often get both the “cert” and the “fullchain” versions, install the latter.

  1. Did you add the whole chain, the server certificate or CA only?
  2. Does it have a CRL or OCSP address which might be inaccessible?
  3. Do you use the same server name you have as DNS name and CN in the cert? I believe, you can’t use IP address.

Correct, I’ve figured that, thanks.

This is because I used a PKCS certificate for authentication with the VPN, but that is not enough for iOS. It needs the CA certificate to be imported separately. This has been fixed and the certificate is accepted, though it fails for another reason now: 2025-12-10 21:24:32.562978+0100 localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] ChildSA[2, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=38 "TSUnacceptable" UserInfo={NSDebugDescription=TSUnacceptable}

2025-12-10 21:24:32.562338+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 932057DE50F1C419-A8AAA9F4C0CAAF3F] Processing response for message 1
2025-12-10 21:24:32.562373+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 932057DE50F1C419-A8AAA9F4C0CAAF3F], current rtt 56
2025-12-10 21:24:32.562518+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] [IKE_AUTH R resp1 932057DE50F1C419-A8AAA9F4C0CAAF3F] Initiator auth received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=38 "TSUnacceptable" UserInfo={NSDebugDescription=TSUnacceptable}
2025-12-10 21:24:32.562656+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[2.2, 932057DE50F1C419-A8AAA9F4C0CAAF3F] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=38 "TSUnacceptable" UserInfo={NSDebugDescription=TSUnacceptable}
2025-12-10 21:24:32.562695+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 932057DE50F1C419-A8AAA9F4C0CAAF3F] Failed to process IKE Auth packet (connect)
2025-12-10 21:24:32.562833+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[2.2, 932057DE50F1C419-A8AAA9F4C0CAAF3F] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=38 "TSUnacceptable" UserInfo={NSDebugDescription=TSUnacceptable} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE Auth packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE Auth packet (connect)}
2025-12-10 21:24:32.562905+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 932057DE50F1C419-A8AAA9F4C0CAAF3F] Reporting state Disconnected error Error Domain=NEIKEv2ProtocolErrorDomain Code=38 "TSUnacceptable" UserInfo={NSDebugDescription=TSUnacceptable}
2025-12-10 21:24:32.562978+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] ChildSA[2, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=38 "TSUnacceptable" UserInfo={NSDebugDescription=TSUnacceptable}
2025-12-10 21:24:32.563021+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] Resetting IKEv2Session[2, 932057DE50F1C419-A8AAA9F4C0CAAF3F]
2025-12-10 21:24:32.563062+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] Aborting session IKEv2Session[2, 932057DE50F1C419-A8AAA9F4C0CAAF3F]
2025-12-10 21:24:32.563155+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[2, 932057DE50F1C419-A8AAA9F4C0CAAF3F] KernelSASession[2, IKEv2 Session Database] Uninstalling all child SAs
2025-12-10 21:24:32.563177+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] KernelSASession[2, IKEv2 Session Database] Removing all SAs
2025-12-10 21:24:32.563476+0100  localhost NEIKEv2Provider[2808]: (NetworkExtension) [com.apple.networkextension:] Invalidate 

Thanks, @IlKa, @pe1chl for your help.

The issue was the wrongly configured iOS profile, which didn't include the root certificate. The latter error with Code 38 was caused by broken configuration while I was trying to fix it. It worked on macOS because I've imported the certificate manually before using the profile.
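The fix above and the chain advice earlier in the thread both come down to what the configuration profile actually carries: the client identity (PKCS#12) is not enough, the CA that issued the server certificate has to be installed as well, otherwise the device cannot build the chain and logs `MissingIntermediate`. The script below is an added example (mine, not from the thread, MikroTik or Apple) that loads a `.mobileconfig` with the standard library's `plistlib` and checks the structure for these pitfalls: an IKEv2 payload whose `PayloadCertificateUUID` points at a PKCS#12 payload in the same profile, a `com.apple.security.root` payload carrying the CA, and non-empty `RemoteAddress` / `RemoteIdentifier`. The payload type names and IKEv2 keys are those from Apple's configuration profile reference; the server address 192.0.2.10, the identifiers and the embedded DER bytes are constructed placeholders. The check is purely structural: it cannot tell whether the embedded CA really issued the server certificate, and it cannot see a CA the device already trusts from an earlier manual import, which is why the same profile worked on the macOS machine in the thread.

```python
"""Structural checks for an Apple .mobileconfig carrying an IKEv2 certificate VPN.

Added example for the thread above; not Apple or MikroTik code. Payload type
names and IKEv2 keys are from Apple's configuration profile reference; the
certificate bytes below are placeholders, not real DER.
"""
from __future__ import annotations

import plistlib
import uuid

ROOT_CERT = "com.apple.security.root"    # installs a CA certificate as trusted
PKCS12 = "com.apple.security.pkcs12"     # client identity: certificate plus private key
VPN = "com.apple.vpn.managed"

# Constructed placeholders standing in for real certificate data.
FAKE_CA_DER = b"\x30\x82\x00\x00CA-DER-PLACEHOLDER"
FAKE_P12 = b"\x30\x82\x00\x00PKCS12-PLACEHOLDER"


def make_profile(include_root: bool) -> dict:
    """Constructed profile modelled on the thread: IKEv2 to a server identified by
    its IP address, client authenticated with a PKCS#12 identity named Artur.
    include_root=False reproduces the original broken profile (no CA payload)."""
    p12_uuid, root_uuid, vpn_uuid = (str(uuid.uuid4()) for _ in range(3))
    p12_payload = {
        "PayloadType": PKCS12, "PayloadVersion": 1, "PayloadIdentifier": "home.vpn.identity",
        "PayloadUUID": p12_uuid, "PayloadDisplayName": "Artur identity",
        "PayloadContent": FAKE_P12,
    }
    vpn_payload = {
        "PayloadType": VPN, "PayloadVersion": 1, "PayloadIdentifier": "home.vpn.ike2",
        "PayloadUUID": vpn_uuid, "PayloadDisplayName": "Home IKEv2",
        "UserDefinedName": "Home", "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": "192.0.2.10",          # assumed server IP
            "RemoteIdentifier": "192.0.2.10",       # must equal the ID_R the server sends (ADDR4 in the log)
            "LocalIdentifier": "Artur",             # the ID_I seen in the router log
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": p12_uuid,
            "ServerCertificateIssuerCommonName": "MT CA",
            "DeadPeerDetectionRate": "Medium",
        },
    }
    content = [p12_payload, vpn_payload]
    if include_root:
        content.insert(0, {
            "PayloadType": ROOT_CERT, "PayloadVersion": 1, "PayloadIdentifier": "home.vpn.ca",
            "PayloadUUID": root_uuid, "PayloadDisplayName": "MT CA", "PayloadContent": FAKE_CA_DER,
        })
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": "home.vpn",
        "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": "Home VPN", "PayloadContent": content,
    }


def to_plist(profile: dict) -> bytes:
    """Serialise to the XML plist form a .mobileconfig file uses (bytes become <data>)."""
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    return plistlib.loads(data)


def check_profile(profile: dict) -> list[str]:
    """Return findings as 'code: explanation' strings; an empty list means no issue found."""
    findings: list[str] = []
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    vpns = [p for p in payloads if p.get("PayloadType") == VPN and p.get("VPNType") == "IKEv2"]
    if not vpns:
        return ["no-ikev2-payload: no com.apple.vpn.managed payload with VPNType IKEv2"]
    for p in payloads:
        if p.get("PayloadType") in (ROOT_CERT, PKCS12) and not p.get("PayloadContent"):
            findings.append(f"empty-cert-payload: {p.get('PayloadDisplayName')} has no PayloadContent")
    if not any(p.get("PayloadType") == ROOT_CERT for p in payloads):
        findings.append("missing-root-ca: no com.apple.security.root payload, so the CA that issued "
                        "the server certificate is not trusted and the device cannot verify the chain")
    for v in vpns:
        ike = v.get("IKEv2", {})
        if ike.get("AuthenticationMethod") == "Certificate":
            ref = by_uuid.get(ike.get("PayloadCertificateUUID"))
            if ref is None or ref.get("PayloadType") != PKCS12:
                findings.append("bad-identity-ref: PayloadCertificateUUID does not name a "
                                "PKCS#12 payload in this profile")
        for key in ("RemoteAddress", "RemoteIdentifier"):
            if not ike.get(key):
                findings.append(f"missing-{key}: IKEv2.{key} is not set")
    return findings


if __name__ == "__main__":
    for label, include_root in (("broken", False), ("fixed", True)):
        result = check_profile(load_profile(to_plist(make_profile(include_root))))
        print(f"{label}: {result or 'ok'}")
```

Run it against a real profile with `check_profile(load_profile(open("vpn.mobileconfig", "rb").read()))`; signed profiles are CMS-wrapped and need the signature stripped first, which `plistlib` does not do. The script deliberately does not try to parse the certificates themselves, so a profile that carries the wrong CA still passes; for that, compare the CA's subject against the `issuer` line the router logs for its own certificate.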
