[strongSwan] Up to date macOS native app builds

Tobias Brunner tobias at strongswan.org
Fri May 4 12:29:39 CEST 2018


Hi Darren,

>>> Just noting that https://download.strongswan.org/osx/ shows no current
>>> Mac native app builds. It's not mentioned at
>>> https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm
>>> curious if these builds are no longer being done.
>>
>> See [1].
> 
> Thanks! Would a subsequent remark in that wiki page be appropriate?
> (Is it something I can do if I register)?

Sure, go ahead.

>>> I don't have faith in the current iteration of Apple's IKEv2
>>> implementation. I'm hoping to get around what appears to be a bug in
>>> the (rekeying? re-auth?) that happens every 8 minutes that currently
>>> drops the tunnel, and to be able to configure robust algorithms
>>
>> This might be due to a bug that Apple knows about since at least over a
>> year (I reported it in January 2017 and it was already marked as
>> duplicate), which seems to occur when the server sends back an
>> INVALID_KE_PAYLOAD during IKE_SA_INIT.  During the IKE rekeying (which
>> it does after eight minutes) the client will send an incorrect DH public
>> value for the group it originally proposed, not the one the server
>> requested and was used during IKE_SA_INIT.
> 
> Is that the same as noted here?
> 
> http://www.openradar.appspot.com/29821241

Doesn't look like it, the issue I described is regarding IKE_SA
rekeying, not CHILD_SA rekeying.

> I can't tell if the response from Apple is suggesting strongSwan is
> acting incorrectly in the described case (and if so, if the behavior
> is in fact incorrect).

It sounds like a configuration mismatch (one side wants to use PFS, the
other doesn't).

So check your log to see if the issue you have is related to IKE_SA or
CHILD_SA rekeying.

Regards,
Tobias
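
Added example (not part of the original message, and not strongSwan code): one way to do the log check suggested above, telling IKE_SA rekeying from CHILD_SA rekeying by the payloads each CREATE_CHILD_SA request carries, following the exchange layouts in RFC 7296 sections 1.3.2 and 1.3.3. The charon log line shape matched by the regex is an assumption, and the sample lines are constructed.

```python
import re

# Assumed charon log shape: "... parsed CREATE_CHILD_SA request <id> [ <payloads> ]"
PARSED = re.compile(r"parsed CREATE_CHILD_SA request (\d+) \[ ([^\]]*)\]")


def classify(payloads):
    """Return (kind, has_ke) for the payload list of a CREATE_CHILD_SA request.

    RFC 7296 1.3.2: IKE_SA rekey   = SA, Ni, KEi (no traffic selectors)
    RFC 7296 1.3.3: CHILD_SA rekey = N(REKEY_SA), SA, Ni, [KEi], TSi, TSr
    """
    names = set(payloads.split())
    has_ts = {"TSi", "TSr"} <= names
    has_ke = "KE" in names  # for a CHILD_SA, KE present means PFS was proposed
    if "N(REKEY_SA)" in names and has_ts:
        return "CHILD_SA rekey", has_ke
    if has_ts:
        return "new CHILD_SA", has_ke
    if {"SA", "No", "KE"} <= names:
        return "IKE_SA rekey", has_ke
    return "unknown", has_ke


def rekey_events(log_text):
    """Extract (message_id, kind, has_ke) for every CREATE_CHILD_SA request."""
    events = []
    for line in log_text.splitlines():
        m = PARSED.search(line)
        if m:
            kind, has_ke = classify(m.group(2))
            events.append((int(m.group(1)), kind, has_ke))
    return events


# Constructed sample lines, not taken from a real gateway.
SAMPLE_LOG = """\
May  4 12:00:01 gw charon: 09[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
May  4 12:08:03 gw charon: 11[ENC] parsed CREATE_CHILD_SA request 3 [ SA No KE ]
May  4 12:08:04 gw charon: 12[ENC] parsed INFORMATIONAL request 4 [ D ]
"""

if __name__ == "__main__":
    for msg_id, kind, has_ke in rekey_events(SAMPLE_LOG):
        print(f"request {msg_id}: {kind}, KE payload {'present' if has_ke else 'absent'}")
```

A CHILD_SA rekey that arrives without a KE payload at a peer configured to require a DH group is the PFS mismatch mentioned above; a failure right after an IKE_SA rekey request points at the IKE_SA rekeying issue instead.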

