Encontré un problema al intentar conectarme a un servidor VPN configurado en IKEv2 desde MacOS (Ventura 13.4.1) en una instalación nueva.
El servidor VPN es un RRAS alojado en un servidor Windows 2019, su certificado está firmado por mi CA que presenta las extensiones requeridas por Apple (KeyLength = 2048, KeyUsage = 0xA0, [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5. 7.3.1 ; Autenticación del servidor, etc.). Tiene el nombre del sujeto (nombre común), así como el nombre alternativo (nombre DNS) con su dirección pública, el certificado raíz se importó y se configuró como siempre confiable en el contenedor.
Puedo conectarme sin dificultades a clientes Windows, Linux (administrador de red/libstronswan), IpadOS (16.3.1), androides con la aplicación stongswan, y en MacOS antiguos puedo conectar BigSur y Monterey, también funciona después de actualizar desde Monterey.
Probé muchas cosas en particular en la plantilla de certificado, o intenté importar de otras formas el certificado de CA raíz.
Olí un poco el tráfico de la red y puedo ver claramente el flujo que llega al RRAS pero este último solo envía una respuesta y luego nada.
Observo un detalle de paso, cuando inicio la conexión desde mi Mac se corta casi instantáneamente haciéndome pensar que hay un problema con el sistema de esta Mac, por supuesto intenté reinstalarlo por completo y también lo probé desde otras Mac. que este también en Ventura, aquí está la pila de registros que obtengo durante la fase en la que intento iniciar la conexión:
neagent Looking for an extension with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Completed discovery. Final # of matches: 1
neagent Found 1 extension(s) with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent Beginning extension request with extension com.apple.NetworkExtension.IKEv2Provider
neagent Error acquiring assertion: <Error Domain=RBSAssertionErrorDomain Code=2 "Specified target process does not exist" UserInfo={NSLocalizedFailureReason=Specified target process does not exist}>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Ready plugins sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] got pid from ready request: 1824
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] acquired startup assertion
neagent Hit the server for a process handle bd7cb2500000720 that resolved to: [xpcservice<com.apple.NetworkExtension.IKEv2Provider([osservice<com.apple.neagent(501)>:525:525])(501)>:1824]
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Prepare using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E] [<private>(<private>)] Sending prepareUsing to managed extension; this should launch it if not already running.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Begin using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] plugin loaded and ready for host
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] invalidating startup assertion
neagent +[NSExtensionContext _allowedItemPayloadClasses] not implemented. Setting the allowed payload classes to <private>
neagent Extension request with extension com.apple.NetworkExtension.IKEv2Provider started with identifier 6DFB0610-487E-459D-8197-4DE783566C84
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Provider is not signed with a Developer ID certificate
neagent [Host com.apple.NetworkExtension.IKEv2Provider]: Starting with options 0x7fc32a10ab90
neagent Scheduing timer for extension failure/exit for (null)
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin interrupted while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] all extension sessions ended
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin invalidated while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Emptying requests set
Algunos otros registros de muestra:
erreur 11:10:22.316241+0200 NEIKEv2Provider [IKE_SA_INIT R resp0 49B947259F346F1E-DB039B3DC80268EC] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}\
par défaut 11:10:22.316293+0200 NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}\
erreur 11:10:22.316333+0200 NEIKEv2Provider IKEv2Session[1, 49B947259F346F1E-0000000000000000] Failed to process IKE SA Init packet (connect)\
par défaut 11:10:22.316401+0200 NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)}