MacOS VPN Log (random disconnects at about 20-30 min mark)

Dunham
edited November 2023 in Security

I am connecting to a VPN that I set up in my company on the Zyxel USG 60 router, IKEv2.

Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x07d3ea59, AES CBC key len = 256, HMAC-SHA256-128, No ESN; ).

This VPN works as expected until it randomly disconnects after about 20-30 mins. (Which of course breaks all my Terminal sessions, other SFTP panels etc. = basically very dangerous to rely on.)

  • This VPN has been working properly (no random disconnects) since Catalina / Big Sur (so since 2020)
  • MacBook 12" (Catalina) also has had this disconnect problem for a few months
  • iMac 27" + MacBook Pro 14" (Sonoma 14.1.1) have this problem as well

Log in Zyxel USG 60:


My setup in Zyxel USG 60:

*VPN Gateway


*VPN Connection


All Replies

  • Agor76

    Hello Dunham,

    It seems to be a widely known issue. Please take a look here:

    https://discussions.apple.com/thread/255158874

    I've been having this issue since I upgraded to Sonoma. My IKEv2 VPN is dropping every 24 minutes due to a rekeying failure. I didn't have much time to try to fix this, but it seems that following one of the latest posts in the forum linked above does the trick.

    In the meantime I've downgraded my VPN to L2TP, which is rock solid. If you're lucky enough to solve this issue, please update this post.

    Regards

    Agor

  • Dunham
    edited November 2023

    1. The linked comment suggests raising DH to 15 and above …

    → My Zyxel USG 60 / 40 only supports DH14 (not higher)

    2. I will try "L2TP" and post back (thank you for the tip)

    PS: May I also note that I am having this problem with macOS Catalina as well… since mid-2022 (when Sonoma was not available)

  • Dunham
    edited November 2023

    !!! Still fails after 24 Minutes !!! DH19 does not help…

    • Updated Zyxel USG 40 to latest firmware 4.73.
    • Set up DH-19 (PFS) in VPN Gateway / Connection

  • Agor76

    Hi Dunham,

    Yes, DH19 doesn't seem to help by itself.
    But I've had some spare time and was able to try what JoshHibschman has suggested in his latest post on the Apple board.

    In short, I've deleted every previous VPN profile and created a new one using iMazing Profile Editor following his directions. The rekeying process now works fine.

    Agor

  • Dunham

    …can you at least link the post, man!? 🙉 ..when I click on his username I cannot see where he commented…

  • Agor76

    Hi Dunham,

    here you go:
    https://discussions.apple.com/thread/255158874?answerId=259755811022&page=2

    Just see his last post.

    Agor

  • Dunham

    …for other people who may stumble in here I will actually add context. This is the answer on Apple Communities:

    So, (I believe) this is a project (hosted on GitHub: https://github.com/hwdsl2/setup-ipsec-vpn) that creates a VPN server out of a CentOS Linux server! …which is great, but I fail to see how this relates to this thread, which is about configs on Zyxel modems 😐

  • Dunham

    My actual solution, still using DH14 (or even DH2) on Sonoma 14.1.1 (no 24Min disconnects) 🏞️!

  • Agor76

    Hi Dunham,

    I'm glad to see that you solved the issue too.
    The solution proposed on the Apple board isn't strictly related to Zyxel routers, but it did lead me to fix the issue. Editing an IKEv2 profile with AES256/SHA2_256 and DH19 as the DH group did the trick for me.

    Regards

    Agor

  • StefanZ

    Same problem(s) here with the new MacBooks we got.

    Setting both phases to 256-bit and using DH19 solved the connection issues.

    But here come the disconnection issues… :-D

    https://forums.macrumors.com/threads/sonoma-bug-ikev2-vpn-no-longer-rekeys-so-vpn-connections-drop-every-20-25-minutes.2406029/page-2

    Here it is suggested to set the phase-2 timeout to something below 1440 seconds, so that the gateway initiates a rekeying before OS X tries and fails to do so.

    Let's see if it helps…
