My apologies, I forgot to cc the mailing list, here is my reply to Tom:
---------- Forwarded message ---------
From: Carlo Fusco fusco.carlo@gmail.com
Date: Fri, Apr 5, 2019 at 2:37 PM
Subject: Re: Change in IPSec roadwarrior configuration for MacOSX 10.12
To: Tom Rymes trymes@rymes.com
On Thu, Apr 4, 2019 at 8:09 PM Tom Rymes trymes@rymes.com wrote:
Carlo,
Just to confirm, have you put this text into the ipsec.user.conf file and restarted IPSec?
Yes, I followed your tutorial to the letter. By the way, thank you so much for writing it. It has been extremely useful for me.
conn CONNECTION_NAME
    leftsendcert=always
    leftallowany=yes
    rightdns=10.100.2.1
    rekey=no
    reauth=no
Specifically, the rekey and reauth portions.
About that, I did not have the time to research the issue, so this is just a hypothesis. I assume that the rekey=no in that configuration file will prevent the server from initiating a rekey negotiation with the client, not the other way around.
According to the Apple developer response to the bug report I referenced in my previous message, the issue is that strongSwan defaults to using perfect forward secrecy when the DH group is specified for ESP, while the macOS implementation, if set in the GUI, defaults to no DH group. This leads the server to reject the rekey request and to drop the communication. This happens every 480 seconds, the time set by Apple to initiate a rekey. Therefore there are two solutions to the problem:
1) The first, which is what I tested and reported in the wiki, is not to set the DH group for ESP. This works very well, but I guess it is not the best option from a security point of view;
2) the second is to change the default setting of macOS and enable the PFS key, but this cannot be done from the GUI and requires messing with the XML configuration profiles of macOS.
I do not know how to pursue the second strategy (yet), therefore I did not mention it in the wiki, but I left the reference to the original bug report that explains all this. What would be your suggestion? Should we leave the text I introduced in the wiki? Move it somewhere else? Send it only to the forum? Or any other solution? I welcome any guidance on this issue.
Before I end the mail, I would like to thank you again, Tom, for your work on the wiki. As I said, it was really helpful. The same goes for every other author of the text of the wiki, which for such a small project is really remarkable in terms of quality.
Cheers,
-- Carlo Fusco
documentation@lists.ipfire.org
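As an added illustration of the two options discussed above (example configuration written for this thread, not taken from the IPFire wiki or the mailing list), here are the two strongSwan ipsec.conf variants side by side. The connection names and the cipher/integrity algorithms are assumptions; the options rekey, reauth, leftsendcert, leftallowany and rightdns are the ones quoted in the thread.

```ini
# Option 1 (what the wiki currently documents): no DH group in the ESP proposal.
# strongSwan then does not require PFS on the CHILD_SA rekey, so the macOS
# client's rekey every 480 seconds (sent without a DH group when the VPN is
# configured from the GUI) is accepted and the tunnel stays up.
# Weaker: a compromise of the IKE SA keys exposes all ESP keys derived from it.
conn ROADWARRIOR_MACOS_NOPFS        # connection name is an assumption
    leftsendcert=always
    leftallowany=yes
    rightdns=10.100.2.1
    rekey=no                        # server does not initiate rekeying itself
    reauth=no
    esp=aes256-sha256               # assumed algorithms; note: NO DH group here

# Option 2 (preferred security-wise): keep a DH group in the ESP proposal.
# With a DH group present strongSwan enforces PFS on every CHILD_SA rekey and
# rejects a rekey proposal that carries no DH group, which is exactly what the
# stock macOS GUI profile sends. This variant therefore only works once the
# client side is also switched to PFS via a configuration profile, as the
# Apple bug report referenced in the thread describes.
conn ROADWARRIOR_MACOS_PFS          # connection name is an assumption
    leftsendcert=always
    leftallowany=yes
    rightdns=10.100.2.1
    rekey=no
    reauth=no
    esp=aes256-sha256-modp2048      # assumed algorithms; modp2048 enables PFS
```

Only one of the two conn blocks should be active for a given client population; the second is the target state once the client profile has been adjusted.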