RRAS IKEv2 no longer connects from macOS 13.4.1 since upgrading to Ventura

I am having trouble connecting from macOS (Ventura 13.4.1), on a fresh install, to a VPN server configured for IKEv2.

The VPN server is RRAS hosted on Windows Server 2019, with a certificate signed by my CA that provides the extensions Apple requires (KeyLength = 2048, KeyUsage = 0xA0, [EnhancedKeyUsageExtension] OID=1.3.6.1.5.57.3.3.1 Server Authentication, etc.). It has a subject name (Common Name) as well as alternative names (DNS names) and its public address; the root certificate has been imported and set to Always Trust in the keychain.

I can connect without any difficulty from Windows clients, Linux (NetworkManager/libstrongswan), iPadOS (16.3.1), and Android with the strongSwan app; on older macOS I can connect from Big Sur and Monterey, and it also works after an upgrade from Monterey.

I have tried many things, particularly with the certificate template, and also tried importing the root CA certificate in other ways.

I sniffed the network traffic a bit and can clearly see the traffic reaching RRAS, but the latter only sends back one response and then sends nothing more.

I also noticed one detail: when I start the connection from my Mac, it is cut off almost immediately, which makes me think something is wrong with this Mac's system. I have of course tried a full reinstall, and I have tested this on other Macs even more than on this Ventura one. This is the log stack I get at the stage where I try to start the connection:

neagent Looking for an extension with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
neagent [d <private>] <PKHost:0x7fc32a205b60> Completed discovery. Final # of matches: 1
neagent Found 1 extension(s) with identifier com.apple.NetworkExtension.IKEv2Provider and extension point com.apple.networkextension.packet-tunnel
neagent Beginning extension request with extension com.apple.NetworkExtension.IKEv2Provider
neagent Error acquiring assertion: <Error Domain=RBSAssertionErrorDomain Code=2 "Specified target process does not exist" UserInfo={NSLocalizedFailureReason=Specified target process does not exist}>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Ready plugins sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] got pid from ready request: 1824
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] acquired startup assertion
neagent Hit the server for a process handle bd7cb2500000720 that resolved to: [xpcservice<com.apple.NetworkExtension.IKEv2Provider([osservice<com.apple.neagent(501)>:525:525])(501)>:1824]
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Prepare using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E] [<private>(<private>)] Sending prepareUsing to managed extension; this should launch it if not already running.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Begin using sent as euid = 501, uid = 501, personaid = -1, type = NOPERSONA, name = <unknown>
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] plugin loaded and ready for host
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] invalidating startup assertion
neagent +[NSExtensionContext _allowedItemPayloadClasses] not implemented. Setting the allowed payload classes to <private>
neagent Extension request with extension com.apple.NetworkExtension.IKEv2Provider started with identifier 6DFB0610-487E-459D-8197-4DE783566C84
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Signature check failed: the code does not conform to the specified code requirements
neagent Provider is not signed with a Developer ID certificate
neagent [Host com.apple.NetworkExtension.IKEv2Provider]: Starting with options 0x7fc32a10ab90
neagent Scheduing timer for extension failure/exit for (null)
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin interrupted while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] all extension sessions ended
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Connection to plugin invalidated while in use.
neagent [u 60A21109-AF3F-4E41-BD4F-12716689E26E:m (null)] [<private>(<private>)] Emptying requests set

Some other log samples:

erreur  11:10:22.316241+0200    NEIKEv2Provider [IKE_SA_INIT R resp0 49B947259F346F1E-DB039B3DC80268EC] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
par défaut  11:10:22.316293+0200    NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
erreur  11:10:22.316333+0200    NEIKEv2Provider IKEv2Session[1, 49B947259F346F1E-0000000000000000] Failed to process IKE SA Init packet (connect)
par défaut  11:10:22.316401+0200    NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)}
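As an added diagnostic example (not from the original post): a small Python parser for the NEIKEv2Provider lines above that pulls out the exchange type, the IKE SPIs, the error chain and the state transition, and maps a NO_PROPOSAL_CHOSEN notify received during IKE_SA_INIT to an IKE proposal mismatch rather than a certificate problem, since certificates are only exchanged later in IKE_AUTH. The STAGE_HINTS table and the summarize function are my own; the sample lines are the ones quoted above.

```python
import re

# Constructed sample: the NEIKEv2Provider lines quoted above, with the
# French Console level labels ("erreur", "par défaut") left as captured.
SAMPLE_LOG = """\
erreur  11:10:22.316241+0200    NEIKEv2Provider [IKE_SA_INIT R resp0 49B947259F346F1E-DB039B3DC80268EC] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
par défaut  11:10:22.316293+0200    NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
erreur  11:10:22.316333+0200    NEIKEv2Provider IKEv2Session[1, 49B947259F346F1E-0000000000000000] Failed to process IKE SA Init packet (connect)
par défaut  11:10:22.316401+0200    NEIKEv2Provider IKEv2IKESA[1.1, 49B947259F346F1E-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)}
"""

# Each 'Error Domain=... Code=N "Name"' fragment; one line may carry several.
ERROR_RE = re.compile(r'Error Domain=(\w+) Code=(\d+) "([^"]+)"')
# "[IKE_SA_INIT R resp0 <initiator SPI>-<responder SPI>]" tags the exchange.
EXCHANGE_RE = re.compile(r"\[(IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) ([IR]) \w+ ([0-9A-F]{16})-([0-9A-F]{16})\]")
STATE_RE = re.compile(r"state (\w+) -> (\w+)")

# RFC 7296: NO_PROPOSAL_CHOSEN (notify 14) answered to IKE_SA_INIT means the
# responder accepted none of the offered IKE SA transforms (encryption,
# integrity, PRF, DH group); IKE_AUTH, and so the certificate, is never reached.
STAGE_HINTS = {
    ("IKE_SA_INIT", "NoProposalChosen"): "no common IKE_SA proposal (cipher/integrity/PRF/DH group)",
    ("IKE_AUTH", "NoProposalChosen"): "no common CHILD_SA (ESP) proposal",
    ("IKE_AUTH", "AuthenticationFailed"): "peer authentication (certificate/EAP) rejected",
}

def summarize(log_text):
    """Walk NEIKEv2Provider lines and report where and why the handshake died."""
    result = {"exchange": None, "spi_i": None, "spi_r": None,
              "errors": [], "states": [], "hint": "unclassified"}
    for line in log_text.splitlines():
        if "NEIKEv2Provider" not in line:
            continue
        m = EXCHANGE_RE.search(line)
        if m and result["exchange"] is None:
            result["exchange"], result["spi_i"], result["spi_r"] = m.group(1), m.group(3), m.group(4)
        for domain, code, name in ERROR_RE.findall(line):
            entry = (domain, int(code), name.split(":")[0])  # drop the free-text suffix
            if entry not in result["errors"]:
                result["errors"].append(entry)
        result["states"].extend(STATE_RE.findall(line))
    for _, _, name in result["errors"]:
        hint = STAGE_HINTS.get((result["exchange"], name))
        if hint:
            result["hint"] = hint
            break
    return result
```

Feed it the output of `log show --predicate 'subsystem contains "NetworkExtension"'` (or a Console export) from the failing Mac; a hint of "no common IKE_SA proposal" points at the RRAS IKE policy rather than at the certificate or its template.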