I recently started seeing some ipsec clients fail on newer versions of MacOS and iOS. After MacOS 12.1, connecting to my head end now fails with NO_PROPOSAL_CHOSEN using modp1024 in my ipsec.conf. I've also tried, with no success:

main auth "hmac-sha2" enc "aes" group modp1024 quick auth "hmac-sha2" enc "aes" group modp1024

Has anyone gotten ipsec working between recent versions of Apple devices? If so, could you share your proposals and/or configs? Below are my configs -- thanks in advance for any help.

macbook-client:~$ uname -a
Darwin neptune.example.org 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64

server# uname -a
OpenBSD lax 7.0 GENERIC#5 amd64

# tail -f /var/log/messages
Feb 18 11:11:31 server isakmpd[10385]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Feb 18 11:11:31 server last message repeated 11 times
Feb 18 11:11:31 server isakmpd[10385]: attribute_unacceptable:AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 18 11:11:31 server isakmpd[10385]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 18 11:11:31 server isakmpd[10385]: message_negotiate_sa: no compatible proposal found
Feb 18 11:11:31 server isakmpd[10385]: dropped message from 100.64.10.10 port 63434 due to notification type NO_PROPOSAL_CHOSEN

# cat /etc/ipsec.conf
public_ip = "203.0.113.1"
ike passive esp tunnel proto udp from $public_ip to any \
    main group "modp1024" quick group "modp1024" \
    psk "THIS_IS_MY_IPSEC_PASSPHRASE"

# ipsecctl -vnf /etc/ipsec.conf
public_ip = "203.0.113.1"
C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=THIS_IS_MY_IPSEC_PASSPHRASE force
C set [peer-default]:Configuration=phase1-peer-default force
C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128-MODP_1024 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA force
C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:256 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128-MODP_1024]:Life=LIFE_MAIN_MODE force
C set [from-203.0.113.1=17-to-0.0.0.0/0=17]:Phase=2 force
C set [from-203.0.113.1=17-to-0.0.0.0/0=17]:ISAKMP-peer=peer-default force
C set [from-203.0.113.1=17-to-0.0.0.0/0=17]:Configuration=phase2-from-203.0.113.1=17-to-0.0.0.0/0=17 force
C set [from-203.0.113.1=17-to-0.0.0.0/0=17]:Local-ID=from-203.0.113.1=17 force
C set [from-203.0.113.1=17-to-0.0.0.0/0=17]:Remote-ID=to-0.0.0.0/0=17 force
C set [phase2-from-203.0.113.1=17-to-0.0.0.0/0=17]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-203.0.113.1=17-to-0.0.0.0/0=17]:Suites=phase2-suite-from-203.0.113.1=17-to-0.0.0.0/0=17 force
C set [phase2-suite-from-203.0.113.1=17-to-0.0.0.0/0=17]:Protocols=phase2-protocol-from-203.0.113.1=17-to-0.0.0.0/0=17 force
C set [phase2-protocol-from-203.0.113.1=17-to-0.0.0.0/0=17]:PROTOCOL_ID=IPSEC_ESP force
C set [phase2-protocol-from-203.0.113.1=17-to-0.0.0.0/0=17]:Transforms=phase2-transform-from-203.0.113.1=17-to-0.0.0.0/0=17-AES128-SHA
C set [phase2-transform-from-203.0.113.1=17-to-0.0.0.0/0=17-AES128-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
C set [phase2-transform-from-203.0.113.1=17-to-0.0.0.0/0=17-AES128-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
C set [phase2-transform-from-203.0.113.1=17-to-0.0.0.0/0=17-AES128-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
C set [phase2-transform-from-203.0.113.1=17-to-0.0.0.0/0=17-AES128-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 f
C set [phase2-transform-from-203.0.113.1=17-to-0.0.0.0/0=17-AES128-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase2-transform-from-203.0.113.1=17-to-0.0.0.0/0=17-AES128-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
C set [from-203.0.113.1=17]:ID-type=IPV4_ADDR force
C set [from-203.0.113.1=17]:Address=203.0.113.1 force
C set [to-0.0.0.0/0=17]:ID-type=IPV4_ADDR_SUBNET force
C set [to-0.0.0.0/0=17]:Network=0.0.0.0 force
C set [to-0.0.0.0/0=17]:Netmask=0.0.0.0 force
C set [from-203.0.113.1=17]:Protocol=17 force
C set [to-0.0.0.0/0=17]:Protocol=17 force
C add [Phase 2]:Passive-Connections=from-203.0.113.1=17-to-0.0.0.0/0=17
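Added example (not part of the post above and not OpenBSD's own tooling): a small triage script that parses the isakmpd syslog lines quoted in the post and summarises, per IKE attribute, what the peer proposed versus what the responder expected, folding in syslog's "last message repeated N times" lines and recording which peer was dropped with NO_PROPOSAL_CHOSEN. The sample log is constructed from the lines in the post; the regexes assume the default OpenBSD syslog line format.

```python
import re
from collections import defaultdict

# Constructed sample: the isakmpd lines quoted in the post, in syslog format.
SAMPLE_LOG = """\
Feb 18 11:11:31 server isakmpd[10385]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Feb 18 11:11:31 server last message repeated 11 times
Feb 18 11:11:31 server isakmpd[10385]: attribute_unacceptable:AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 18 11:11:31 server isakmpd[10385]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 18 11:11:31 server isakmpd[10385]: message_negotiate_sa: no compatible proposal found
Feb 18 11:11:31 server isakmpd[10385]: dropped message from 100.64.10.10 port 63434 due to notification type NO_PROPOSAL_CHOSEN
"""

# isakmpd prints "attribute_unacceptable:" both with and without a following space (both forms are in the post).
ATTR_RE = re.compile(r"isakmpd\[\d+\]: attribute_unacceptable:\s*(\w+): got (\w+), expected (\w+)")
DROP_RE = re.compile(r"isakmpd\[\d+\]: dropped message from (\S+) port (\d+) due to notification type (\w+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def summarize_isakmpd(log_text):
    """Group attribute_unacceptable lines by attribute and list peers dropped with a notify type.

    Returns {"mismatches": {ATTR: {"got": set, "expected": set, "count": int}},
             "drops": [{"peer": str, "port": int, "notify": str}]}.
    """
    mismatches = defaultdict(lambda: {"got": set(), "expected": set(), "count": 0})
    drops = []
    last_attr = None  # attribute of the previous mismatch, for syslog "repeated N times" lines
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attr, got, expected = m.groups()
            mismatches[attr]["got"].add(got)
            mismatches[attr]["expected"].add(expected)
            mismatches[attr]["count"] += 1
            last_attr = attr
            continue
        m = REPEAT_RE.search(line)
        if m and last_attr is not None:
            mismatches[last_attr]["count"] += int(m.group(1))
            continue
        m = DROP_RE.search(line)
        if m:
            drops.append({"peer": m.group(1), "port": int(m.group(2)), "notify": m.group(3)})
    return {"mismatches": dict(mismatches), "drops": drops}


if __name__ == "__main__":
    summary = summarize_isakmpd(SAMPLE_LOG)
    for attr, info in summary["mismatches"].items():
        print(f"{attr}: peer offered {sorted(info['got'])}, responder wanted {sorted(info['expected'])} ({info['count']}x)")
    for d in summary["drops"]:
        print(f"dropped {d['peer']}:{d['port']} with {d['notify']}")
```

Run against /var/log/messages instead of the sample (e.g. `summarize_isakmpd(open("/var/log/messages").read())`) to see which attribute of the responder's configured transforms the client's proposal never satisfies.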