<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">** THIS MESSAGE DOES NOT ANSWER YOUR QUESTION BUT STRENGTHENS YOUR OBSERVATION **</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">In the strongSwan logs, when the reauth time has expired, I get the following:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: initiator did not reauthenticate as requested</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: IKE_SA rsa[1] will timeout in 48 seconds</span></div></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div style="margin: 0px; font-stretch: normal; line-height: normal; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures;" class=""><span style="font-family: Helvetica; font-size: 12px;" class="">And then the connection dies.</span><br style="font-family: Helvetica; font-size: 12px;" class=""><br style="font-family: Helvetica; font-size: 12px;" class="">It seems that OS X doesn’t respond to the <span style="color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.8px; font-variant-ligatures: normal; orphans: 2; widows: 2;" 
class="">AUTH_LIFETIME notify defined by </span><a href="https://tools.ietf.org/html/rfc4478" class="external" style="color: rgb(138, 0, 32); word-wrap: break-word; font-weight: bold; font-family: Verdana, sans-serif; font-size: 10.8px; font-variant-ligatures: normal; orphans: 2; widows: 2;">RFC 4478</a>, so setting </span>reauth_time = 0s is the safe option.</div><div style="margin: 0px; font-stretch: normal; line-height: normal; background-color: rgb(255, 255, 255);" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; line-height: normal; background-color: rgb(255, 255, 255);" class=""><a href="https://wiki.strongswan.org/projects/strongswan/wiki/expiryrekey" class="">https://wiki.strongswan.org/projects/strongswan/wiki/expiryrekey</a></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class="">———</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><br class=""></div><div class="">My OS X 10.13.4 offers the following when connecting, which do seem weak with today's availability. 
I couldn’t see any way to enable GCM.</div><div class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">——</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br 
class=""></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">With regard to logging, h</span>ave you seen the logging help page [1]?</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">I have my logging configured as follows:</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div style="margin: 0px; font-stretch: normal; line-height: normal; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures; font-size: 11px;" class=""><font face="Menlo" class=""><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""># /etc/strongswan.d/charon-systemd.conf</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">charon-systemd {</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">  filelog {</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">    /var/log/strongswan.log {</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">        time_format = %b %e %T</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">        flush_line = yes</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">        # default = -1 silences every subsystem; cfg = 4 then re-enables only the</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">        # configuration subsystem at the most verbose level (4 can include sensitive material)</div><div style="margin: 0px; font-stretch: 
normal; line-height: normal;" class="">        default = -1</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">        cfg = 4</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">    }</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">  }</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">}</div></font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><font face="Helvetica" class=""><span style="font-size: 12px;" class="">[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" class="">https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration</a></span></font></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class="">On 3 May 2018, at 04:42, Darren S. <<a href="mailto:phatbuckett@gmail.com" class="">phatbuckett@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class=""><div class="">The built-in VPN client has been a comedy of errors for my deployment... I don't have faith in the current iteration of Apple's IKEv2 implementation. 
I'm hoping to get around what appears to be a bug in the (rekeying? re-auth?) that happens every 8 minutes and currently drops the tunnel, and to be able to configure robust algorithms (I understand it also lacks support for things like AES-GCM, defaults to weak DH groups, etc.). I can't figure out the magic sauce required to get logging/debugging with IKEv2 (the common advice I see to enable Racoon logging appears to apply to IKEv1 keying). It appears that the only way of having granular control over settings is to use a configuration profile and deal with a config utility or the plist format. There are plenty of blog and forum posts and wiki pages in various places that talk about how to make things work, but there's also an equivalent amount of variance in what they recommend doing (including many that are wrong or recommend insecure configurations).<br class=""><br class=""></div>I'm hoping the next version of the OS brings significant improvements to the IPsec framework, but at this point I was hoping to use a more robust and configurable (and easier to diagnose) client. 
I can roll with the Homebrew build, but I was looking forward to trying out the graphical interface too.<br class=""><br class=""></div>- Darren<br class=""><div class=""><div class=""><div class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, May 2, 2018 at 12:30 PM, ccsalway <span dir="ltr" class=""><<a href="mailto:ccsalway@yahoo.co.uk" target="_blank" class="">ccsalway@yahoo.co.uk</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class=""><div class="">The built-in VPN client is able to connect using Certificate and Username/Password, so I’m curious what you hope to gain from a native app?<span class="HOEnZb"><font color="#888888" class=""><br class=""><div class=""><br class=""></div><div class="">- C</div></font></span><div class=""><div class="h5"><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 2 May 2018, at 19:28, Darren S. <<a href="mailto:phatbuckett@gmail.com" target="_blank" class="">phatbuckett@gmail.com</a>> wrote:</div><br class="m_-7292644515081995536Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">Hi,<br class=""><br class=""></div>Just noting that <a href="https://download.strongswan.org/osx/" target="_blank" class="">https://download.strongswan.org/osx/</a> shows no current Mac native app builds. It's not mentioned at <a href="https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX" target="_blank" class="">https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX</a>, so I'm curious whether these builds are no longer being done. Is the current guidance for macOS to use Homebrew or do a manual build? (And if the .app bundle build is no longer occurring, is there currently no supported macOS native app option)? 
<br clear="all" class=""><div class=""><div class=""><div class=""><br class="">-- <br class=""><div class="m_-7292644515081995536gmail_signature">Darren Spruell<br class=""><a href="mailto:phatbuckett@gmail.com" target="_blank" class="">phatbuckett@gmail.com</a></div>
</div></div></div></div>
</div></blockquote></div><br class=""></div></div></div></div></blockquote></div><br class=""><br clear="all" class=""><br class="">-- <br class=""><div class="gmail_signature" data-smartmail="gmail_signature">Darren Spruell<br class=""><a href="mailto:phatbuckett@gmail.com" target="_blank" class="">phatbuckett@gmail.com</a></div>
</div></div></div></div></div>
</div></blockquote></div><br class=""></body></html>
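The proposal lists quoted in the thread are only the client's opening offer; the responder decides which of them it will accept. The following is an added example, not code from the thread or from the strongSwan project: it parses IKE and ESP proposal lists in the format charon logs them, flags the transforms a reviewer would refuse (3DES, 1024- and 1536-bit MODP groups, SHA-1 based integrity and PRF), reports whether any AEAD suite (GCM and the like) was offered at all, and emits the deduplicated remainder in the spelling swanctl.conf uses for `proposals` and `esp_proposals`, so the server negotiates only the strong suites the client already supports. The sample strings are copied from the post about OS X 10.13.4; the name-to-keyword table is an assumption to check against the IKEv2 cipher suite page of your strongSwan version.

```python
"""Audit the IKE/ESP proposals a client offers, as charon logs them, and derive
the restrictive server-side proposal string to put in swanctl.conf.

Added example; not part of the mailing-list thread or of strongSwan itself.
"""
from __future__ import annotations

from dataclasses import dataclass

# Proposal lists copied from the post above (OS X 10.13.4 built-in client).
MACOS_IKE = (
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
)
MACOS_ESP = (
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ"
)

# Transform names as charon prints them -> swanctl.conf keyword. Only names seen
# in the post are listed; the spellings are an assumption to verify against the
# IKEv2 cipher suite documentation of your strongSwan version.
KEYWORD = {
    "AES_CBC_256": "aes256", "AES_CBC_128": "aes128", "3DES_CBC": "3des",
    "HMAC_SHA2_256_128": "sha256", "HMAC_SHA1_96": "sha1",
    "PRF_HMAC_SHA2_256": "prfsha256", "PRF_HMAC_SHA1": "prfsha1",
    "MODP_2048": "modp2048", "MODP_1536": "modp1536", "MODP_1024": "modp1024",
    "ECP_256": "ecp256", "NO_EXT_SEQ": "noesn",
}

# Transforms to refuse on the server side, with the reason a reviewer would give.
WEAK = {
    "3DES_CBC": "64-bit block cipher; birthday-bound attacks on long-lived SAs",
    "MODP_1024": "1024-bit DH group, well below 112-bit security",
    "MODP_1536": "1536-bit DH group, below the 2048-bit floor",
    "HMAC_SHA1_96": "SHA-1 based integrity, deprecated for new deployments",
    "PRF_HMAC_SHA1": "SHA-1 based PRF, deprecated for new deployments",
}

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")


@dataclass(frozen=True)
class Proposal:
    protocol: str                # "IKE" or "ESP"
    transforms: tuple[str, ...]  # in the order charon prints them

    def weak_reasons(self) -> list[str]:
        return [f"{t}: {WEAK[t]}" for t in self.transforms if t in WEAK]

    def is_aead(self) -> bool:
        # The encryption algorithm is always the first transform in the list.
        return any(m in self.transforms[0] for m in AEAD_MARKERS)

    def keyword(self) -> str:
        """swanctl.conf spelling, e.g. aes256-sha256-prfsha256-modp2048.
        Unknown names fall back to a lower-cased copy and must be checked by hand."""
        return "-".join(KEYWORD.get(t, t.lower()) for t in self.transforms)


def parse_proposals(logged: str) -> list[Proposal]:
    """Parse 'IKE:A/B/C/D, IKE:...' exactly as charon formats proposal lists."""
    props = []
    for item in logged.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, body = item.partition(":")
        props.append(Proposal(proto.strip(), tuple(body.split("/"))))
    return props


def audit(logged: str) -> dict:
    """Which offered proposals are weak and why, the deduplicated strong ones as a
    swanctl proposals/esp_proposals value, and whether any AEAD suite was offered."""
    props = parse_proposals(logged)
    weak: dict[str, list[str]] = {}
    strong: list[str] = []
    for p in props:
        reasons = p.weak_reasons()
        if reasons:
            weak.setdefault(p.keyword(), reasons)
        elif p.keyword() not in strong:
            strong.append(p.keyword())
    return {
        "offered": len(props),
        "weak": weak,
        "server_proposals": ",".join(strong),
        "aead_offered": any(p.is_aead() for p in props),
    }


if __name__ == "__main__":
    for label, logged in (("IKE", MACOS_IKE), ("ESP", MACOS_ESP)):
        result = audit(logged)
        print(f"{label}: {result['offered']} offered, {len(result['weak'])} weak")
        for kw, reasons in result["weak"].items():
            print(f"  refuse {kw}: " + "; ".join(reasons))
        print(f"  {label.lower()}_proposals = {result['server_proposals']}")
        if not result["aead_offered"]:
            print("  client offered no AEAD (GCM/CCM/ChaCha20) suite")
```

Run as a script it prints the audit of both lists from the post; the `server_proposals` values are what would go into the connection's `proposals` and `esp_proposals` in swanctl.conf, and the absence of any AEAD suite in the client's offer matches the observation that GCM could not be enabled on the OS X side.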