IKEv2 strongSwan: "deleting half open IKE_SA with x.x.x.x after timeout" with iOS device
I installed an IKEv2 strongSwan VPN server on Ubuntu 18.04, and I also use a valid Let's Encrypt CA for it. I want to use it from an iOS application. Here is the ipsec.conf:
config setup
    charondebug="all"
    # keep_alive=24h
    uniqueids=never

conn %default
    auto=route
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=no
    mobike=yes
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048,aes256-aes128-sha1-modp1024-3des!
    esp=aes256-sha256-sha1-3des!
    dpdaction=clear
    dpddelay=20s
    dpdtimeout=1800s
    rekey=no
    reauth=no
    left=%any
    #leftallowany=yes
    leftcert=cert.crt
    leftca=%same
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any4
    #rightallowany=yes
    rightid=%any
    rightsourceip=172.26.0.0/16
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%identity
    rightauth=pubkey
    keyingtries=%forever

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    [email protected]
And here is the ipsec.secrets content:
sec.mydomain.com : RSA key.pem
vpnusername %any% : EAP "pass"
The problem is that when I try to connect to the server, the client stays in the "connecting" state, and after 20 seconds it changes to "disconnected" and the server log shows a timeout.
Here is the server log from tail -f /var/log/syslog:
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Timers.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG network certificate management daemon.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Sockets.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Basic System.
Sep 3 07:25:25 vps-10d57688 systemd[1]: Started User Manager for UID 1000.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Default.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Startup finished in 33ms.
Sep 3 07:25:38 vps-10d57688 charon: 13[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep 3 07:25:38 vps-10d57688 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 3 07:25:38 vps-10d57688 charon: 13[IKE] 151.243.253.166 is initiating an IKE_SA
Sep 3 07:25:38 vps-10d57688 charon: 13[IKE] remote host is behind NAT
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-99-generic, x86_64)
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] PKCS11 module '<name>' lacks library path
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] disabling load-tester plugin, not configured
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] dnscert plugin is disabled
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] ipseckey plugin is disabled
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] attr-sql plugin: database URI not set
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded ca certificate "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root" from '/etc/ipsec.d/cacerts/chain.pem'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/key.pem'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded EAP secret for vpnusername %any%
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] sql plugin: database URI not set
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] eap-simaka-sql database URI missing
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded 0 RADIUS server configurations
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] HA config misses local/remote address
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] no threshold configured for systime-fix, disabled
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] coupling file path unspecified
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[JOB] spawning 16 worker threads
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] received stroke: add connection 'ikev2-mschapv2'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] adding virtual IP address pool 172.26.0.0/16
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] added configuration 'ikev2-mschapv2'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] received stroke: route 'ikev2-mschapv2'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] installing trap failed, remote address unknown
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] received stroke: add connection 'ikev2-mschapv2-apple'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] reusing virtual IP address pool 172.26.0.0/16
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] added configuration 'ikev2-mschapv2-apple'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] received stroke: route 'ikev2-mschapv2-apple'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] installing trap failed, remote address unknown
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] 151.243.253.166 is initiating an IKE_SA
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] remote host is behind NAT
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout
More logs: I used tcpdump and nc to check port 4500, and it worked, but when I try to connect to the VPN the server does not receive or send any packets.
Here is the result of the test with nc:
ubuntu@vps-10d57688:~$ sudo tcpdump -i ens3 udp port 4500 -vv -X
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:46.754565 IP (tos 0x0, ttl 52, id 31208, offset 0, flags [none], proto UDP (17), length 31)
192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] [|isakmp]
0x0000: 4500 001f 79e8 0000 3411 f82a c040 5354 E...y...4..*.@ST
0x0010: 4246 bee0 c855 1194 000b 9ec9 6869 0a BF...U......hi.
15:50:00.565036 IP (tos 0x0, ttl 52, id 4681, offset 0, flags [none], proto UDP (17), length 33)
192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] UDP-encap: [|ESP]
0x0000: 4500 0021 1249 0000 3411 5fc8 c040 5354 E..!.I..4._..@ST
0x0010: 4246 bee0 c855 1194 000d 1f55 7465 7374 BF...U.....Utest
0x0020: 0a .
Note: the iOS device does not show me any error in the LLDB console in Xcode, but I checked the iOS device log, and here it is:
nesessionmanager NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]): Sending start command
nesessionmanager com.apple.NetworkExtension.IKEv2Provider[inactive]: starting
NEIKEv2Provider Hello, I'm launching as euid = 501, uid = 501, personaid = 1000, type = DEFAULT, name = <private>
NEIKEv2Provider Initializing connection
NEIKEv2Provider Removing all cached process handles
NEIKEv2Provider Sending handshake request attempt #1 to server
NEIKEv2Provider Creating connection to com.apple.runningboard
runningboardd Resolved XPC Service com.apple.NetworkExtension.IKEv2Provider (NEIKEv2Provider.appex) with host pid 264, variant 2, scope 1, pid 1045, and euid 501
runningboardd Resolved pid 1045 to [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045]
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] This process will be managed.
runningboardd Now tracking process: [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045]
runningboardd Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-suspended (role: None)
runningboardd Acquiring assertion targeting xpcservice<com.apple.NetworkExtension.IKEv2Provider> from originator [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] with description <RBSAssertionDescriptor; "plug-in checkin"; ID: 28-1045-18758; target: 1045> attributes = {
<RBSDomainAttribute: 0x10047ea00; domain: com.apple.pluginkit; name: checkin; sourceEnvironment: 0x0>;
}
NEIKEv2Provider Handshake succeeded
NEIKEv2Provider Identity resolved as xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045
NEIKEv2Provider Bootstrapping; Bootstrap complete. Ready for handshake from host.
runningboardd Assertion 28-1045-18758 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>) will be created as active
NEIKEv2Provider [u FDD88F03-7FCC-4C2F-8607-B2E2513A2C0B] [(null)((null))] Prepare received as euid = 501, uid = 501, personaid = 1000, type = DEFAULT, name = <private>
NEIKEv2Provider [u 9081918D-B18E-4049-9763-411C314D8A08] [<private>(<private>)] Set sole personality.
NEIKEv2Provider [u 9081918D-B18E-4049-9763-411C314D8A08] [<private>(<private>)] Begin using received as euid = 501, uid = 501, personaid = 1000, type = DEFAULT, name = <private>
runningboardd Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-active (role: UserInteractiveNonFocal)
runningboardd Acquiring assertion targeting xpcservice<com.apple.NetworkExtension.IKEv2Provider> from originator [daemon<com.apple.neagent-ios>:264] with description <RBSAssertionDescriptor; com.apple.extension.session; ID: 28-264-18759; target: 1045> attributes = {
<RBSLegacyAttribute: 0x1001dfd70; requestedReason: ViewService; reason: ViewService; flags: AllowIdleSleep | PreventTaskSuspend | PreventTaskThrottleDown | WantsForegroundResourcePriority>;
<RBSAcquisitionCompletionAttribute: 0x10014baa0; policy: 0>;
}
runningboardd Assertion 28-264-18759 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>) will be created as active
runningboardd Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-active (role: UserInteractiveNonFocal)
kernel memorystatus: set assertion priority(3) target NEIKEv2Provider:1045
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set jetsam priority to 3 [0] flag[1]
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Resuming task.
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Error 45 setting darwin role to UserInteractiveNonFocal: Operation not supported, falling back to setting priority
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set darwin priority to: PRIO_DEFAULT
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set GPU priority to "deny"
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set jetsam priority to 14 [0] flag[1]
kernel memorystatus: set assertion priority(14) target NEIKEv2Provider:1045
runningboardd [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set GPU priority to "allow"
mediaserverd -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client com.apple.NetworkExtension.IKEv2Provider with pid '1045' is now Background Suspended. Background entitlement: NO ActiveLongFormVideoSession: NO WhitelistedLongFormVideoApp NO
mediaserverd -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Sending stop command to com.apple.NetworkExtension.IKEv2Provider with pid '1045' because client is background suspended and there is no AirPlay video session for it
mediaserverd SSServerImp.cpp:1179:SystemSoundServerKillSoundsForPID: pid 1045(NEIKEv2Provider)
runningboardd Finished acquiring assertion 28-1045-18758 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>)
runningboardd Finished acquiring assertion 28-264-18759 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>)
NEIKEv2Provider Invalidating plugin handshake assertion id 28-1045-18758
NEIKEv2Provider networkd_settings_read_from_file initialized networkd settings by reading plist directly
NEIKEv2Provider nw_path_evaluator_start [7D30D23D-E7DF-4288-825E-99AC5A26D94E <NULL> generic, indefinite]
path: satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns
NEIKEv2Provider <NEIKEv2Provider: (ifIndex 0)>: : New scoped interface (null) (0) (SATISFIED: 0)
NEIKEv2Provider <NEIKEv2Provider: (ifIndex 0)>: : New scoped interface en0 (8) (SATISFIED: 1)
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) initialized with Mach-O UUIDs (
"A2F09822-6D48-317E-9449-F3E2BAD89E46"
)
NEIKEv2Provider <NEIKEv2Provider: (ifIndex 8)>: : Starting tunnel on scoped interface UP (8)
NEIKEv2Provider [Extension com.apple.NetworkExtension.IKEv2Provider]: Calling startTunnelWithOptions with options 0x1029115c0
NEIKEv2Provider <NEIKEv2Provider: (ifIndex 8)>: : startTunnelWithOptions Invoked
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : Starting IKEv2 Tunnel on scoped ifindex 8
NEIKEv2Provider NEIKEv2Transport: Adding client IKEv2Session[1, 0000000000000000-0000000000000000] with SPI CFA46EDC190B0782 on <NEIKEv2Transport> UDP 0.0.0.0:500 -> 66.70.190.224:500
NEIKEv2Provider [C1 44DF13F4-C4D3-4145-A044-CE0954EBD4EA IPv4#986e6b65:500 udp, interface: en0, local: IPv4#f480cbb5:500, prohibit joining] start
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: tunnel bringup requested
NEIKEv2Provider Connect IKEv2Session[1, CFA46EDC190B0782-0000000000000000]
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state preparing
NEIKEv2Provider nw_flow_connected [C1 IPv4#986e6b65:500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns)] Output protocol connected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state ready
NEIKEv2Provider IKEv2Session[1, CFA46EDC190B0782-0000000000000000] Initiating IKEv2 connection
NEIKEv2Provider IKEv2IKESA[1.1, CFA46EDC190B0782-0000000000000000] state Disconnected -> Connecting
NEIKEv2Provider ChildSA[1, (null)-(null)] state Disconnected -> Connecting
mediaserverd -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client com.apple.NetworkExtension.IKEv2Provider with pid '1045' is now Background Running. Background entitlement: NO ActiveLongFormVideoSession: NO WhitelistedLongFormVideoApp NO
mediaserverd -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Sending stop command to com.apple.NetworkExtension.IKEv2Provider with pid '1045' because client is not allowed to play in the background AND does not continue AirPlaying video when device locks
mediaserverd SSServerImp.cpp:1179:SystemSoundServerKillSoundsForPID: pid 1045(NEIKEv2Provider)
runningboardd Invalidating assertion 28-1045-18758 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>) from originator 1045
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) started with PID 1045 error (null)
runningboardd Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-active (role: UserInteractiveNonFocal)
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : New scoped interface en0 (8) (SATISFIED: 1)
NEIKEv2Provider Disabling wildcard for client [NEIKEv2TransportClient CFA46EDC190B0782 IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA]] on <NEIKEv2Transport> UDP 192.168.1.35:500 -> 66.70.190.224:500
NEIKEv2Provider [C2 ACEA609A-76B1-4A6D-BBBB-1028C4D262A2 IPv4#986e6b65:4500 udp, interface: en0, local: IPv4#f480cbb5:4500, prohibit joining] start
NEIKEv2Provider NEIKEv2Transport: Adding client IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA] with SPI CFA46EDC190B0782 on <NEIKEv2Transport> UDP NAT-T 192.168.1.35:4500 -> 66.70.190.224:4500
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state preparing
NEIKEv2Provider nw_flow_connected [C2 IPv4#986e6b65:4500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns)] Transport protocol connected
NEIKEv2Provider nw_flow_connected [C2 IPv4#986e6b65:4500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns)] Output protocol connected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state ready
apsd <private> wifi is historically cheap? NO awakePercentage = 0.008911, wifiGrowAttemptDelta 24 wifiKeepAliveInterval 600.000000
NEIKEv2Provider IKEv2IKESA[1.1, CFA46EDC190B0782-C458DCA64125D8AA] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond}
NEIKEv2Provider IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA] Failed to receive IKE Auth packet (connect)
NEIKEv2Provider IKEv2IKESA[1.1, CFA46EDC190B0782-C458DCA64125D8AA] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to receive IKE Auth packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to receive IKE Auth packet (connect)}
NEIKEv2Provider ChildSA[1, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond}
NEIKEv2Provider Resetting IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA]
NEIKEv2Provider Aborting session IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA]
NEIKEv2Provider IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs
NEIKEv2Provider Invalidating transports for IKEv2IKESA[1.1, CFA46EDC190B0782-C458DCA64125D8AA]
NEIKEv2Provider Cancelling client CFA46EDC190B0782 for <NEIKEv2Transport> UDP 192.168.1.35:500 -> 66.70.190.224:500
NEIKEv2Provider <NEIKEv2Transport> UDP 192.168.1.35:500 -> 66.70.190.224:500 out of clients, invalidating
NEIKEv2Provider Cancelling client CFA46EDC190B0782 for <NEIKEv2Transport> UDP NAT-T 192.168.1.35:4500 -> 66.70.190.224:4500
NEIKEv2Provider <NEIKEv2Transport> UDP NAT-T 192.168.1.35:4500 -> 66.70.190.224:4500 out of clients, invalidating
NEIKEv2Provider [C1 44DF13F4-C4D3-4145-A044-CE0954EBD4EA IPv4#986e6b65:500 udp, interface: en0, local: IPv4#f480cbb5:500, prohibit joining] cancel
NEIKEv2Provider [C1 44DF13F4-C4D3-4145-A044-CE0954EBD4EA IPv4#986e6b65:500 udp, interface: en0, local: IPv4#f480cbb5:500, prohibit joining] cancelled
[C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500]
Connected Path: satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns
Duration: 31.454s, , UDP @0.000s took 0.001s
NEIKEv2Provider 0.000s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:start
NEIKEv2Provider 0.000s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:satisfied
NEIKEv2Provider 0.000s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:start_connect
NEIKEv2Provider 0.001s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:finish_connect
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : stopping tunnel since IKE disconnected 14
NEIKEv2Provider Invalidating IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : Invalidated session (IKEv2Session[1, 256FD287653EA863-0000000000000000])
NEIKEv2Provider 0.001s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:changed_viability
NEIKEv2Provider 31.454s [C1] path:cancel
NEIKEv2Provider [Extension com.apple.NetworkExtension.IKEv2Provider]: IPC detached
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) did detach from IPC
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) disconnected with reason Server is not responding
NEIKEv2Provider Aborting session IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider Resetting IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider Aborting session IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider IKEv2Session[1, 256FD287653EA863-0000000000000000] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs
NEIKEv2Provider Invalidating transports for IKEv2IKESA[1.1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider IKEv2IKESA[1.1, 256FD287653EA863-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond} -> (null)
NEIKEv2Provider <NEIPSecDB 0x102832b00 [0x1ee0bf728]> {UniqueIndex = 1} invalidating
NEIKEv2Provider IKEv2Session[1, 256FD287653EA863-0000000000000000] (null) Uninstalling all child SAs
error 00:23:49.541604+0430 NEIKEv2Provider IKE received error Operation canceled
NEIKEv2Provider nw_flow_disconnected [C1 IPv4#986e6b65:500 cancelled socket-flow ((null))] Output protocol disconnected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state cancelled
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Leaving state NESMVPNSessionStateStarting
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
nesessionmanager <NESMServer: 0x102b04530>: Request to uninstall session: NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: status changed to disconnecting
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
NEIKEv2Provider [C2 ACEA609A-76B1-4A6D-BBBB-1028C4D262A2 IPv4#986e6b65:4500 udp, interface: en0, local: IPv4#f480cbb5:4500, prohibit joining] cancel
NEIKEv2Provider [C2 ACEA609A-76B1-4A6D-BBBB-1028C4D262A2 IPv4#986e6b65:4500 udp, interface: en0, local: IPv4#f480cbb5:4500, prohibit joining] cancelled
[C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500]
Connected Path: satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns
Duration: 31.064s, , UDP @0.004s took 0.000s
NEIKEv2Provider 0.000s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:start
NEIKEv2Provider 0.000s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:satisfied
NEIKEv2Provider 0.004s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:start_connect
NEIKEv2Provider 0.004s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:finish_transport
NEIKEv2Provider 0.005s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:finish_connect
NEIKEv2Provider 0.005s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:changed_viability
NEIKEv2Provider 31.064s [C2] path:cancel
NEIKEv2Provider nw_flow_disconnected [C2 IPv4#986e6b65:4500 cancelled socket-flow ((null))] Output protocol disconnected
NEIKEv2Provider IKE received error Operation canceled
NEIKEv2Provider nw_flow_disconnected [C2 IPv4#986e6b65:4500 cancelled socket-flow ((null))] Output protocol disconnected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state cancelled
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Leaving state NESMVPNSessionStateStopping
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds
nesessionmanager com.apple.NetworkExtension.IKEv2Provider[264]: disposing
nesessionmanager com.apple.NetworkExtension.IKEv2Provider[264]: Tearing down agent connection
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateDisposing: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) dispose complete
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateDisposing: all plugins have disposed
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Leaving state NESMVPNSessionStateDisposing
nesessionmanager com.apple.NetworkExtension.IKEv2Provider[264]: XPC connection went away
nesessionmanager NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]): Tearing down plugin connection
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Entering state NESMVPNSessionStateIdle
nesessionmanager NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: status changed to disconnected, last stop reason Server is not responding
It is correct to keep an eye on port 4500/udp, but the IKE_SA_INIT response is sent to the port the peer initiated the connection from (usually 500/udp). See the second-to-last line in the log file above.
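To see what the answer points at across a whole server log rather than in one line, here is an added example (mine, not from the question or the answer, and not a strongSwan tool): a small Python script that correlates charon's NET/ENC/IKE/JOB lines per peer and, for every IKE_SA that was deleted half open, reports which exchanges were seen on which UDP port and whether an IKE_AUTH request ever arrived. The sample log is constructed from the lines in the question plus an invented second peer, 203.0.113.7, that did go on to send IKE_AUTH on UDP 4500, so the difference is visible. The assumption that a worker-thread id (the number before `[NET]`) ties a "received packet" line to the "parsed ..." and "generating ..." lines that follow it on the same thread is mine.

```python
"""Correlate strongSwan charon syslog lines into per-peer IKEv2 exchange timelines.

Added example, not part of the original question or answer. Given charon's
NET/ENC/IKE/JOB lines, it records for each remote peer which IKE exchanges were
seen (and on which UDP port), whether charon detected the peer behind NAT, and
whether the IKE_SA was later deleted while half open.
"""
import re
from collections import defaultdict

# Constructed sample: the first peer is modelled on the question's log (server
# address redacted as x.x.x.x); the second peer is invented and completes IKE_AUTH.
SAMPLE_LOG = """\
Sep 3 07:25:38 vps charon: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep 3 07:25:38 vps charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 3 07:25:38 vps charon: 16[IKE] 151.243.253.166 is initiating an IKE_SA
Sep 3 07:25:38 vps charon: 16[IKE] remote host is behind NAT
Sep 3 07:25:38 vps charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep 3 07:25:38 vps charon: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)
Sep 3 07:26:08 vps charon: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout
Sep 3 07:30:01 vps charon: 09[NET] received packet: from 203.0.113.7[500] to x.x.x.x[500] (604 bytes)
Sep 3 07:30:01 vps charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 3 07:30:01 vps charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep 3 07:30:01 vps charon: 09[NET] sending packet: from x.x.x.x[500] to 203.0.113.7[500] (473 bytes)
Sep 3 07:30:01 vps charon: 10[NET] received packet: from 203.0.113.7[4500] to x.x.x.x[4500] (1248 bytes)
Sep 3 07:30:01 vps charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr ]
"""

RECV = re.compile(r"(\d+)\[NET\] received packet: from (\S+)\[(\d+)\] to \S+\[\d+\]")
SEND = re.compile(r"(\d+)\[NET\] sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]")
PARSED = re.compile(r"(\d+)\[ENC\] parsed (\w+) request \d+")
GENERATING = re.compile(r"(\d+)\[ENC\] generating (\w+) response \d+")
NAT = re.compile(r"(\d+)\[IKE\] remote host is behind NAT")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def new_peer():
    return {"exchanges": [], "behind_nat": False, "half_open_deleted": False}


def analyze(log_text):
    """Return {peer_ip: {exchanges, behind_nat, half_open_deleted}}.

    Assumption (mine): lines carrying the same worker-thread id belong to the
    packet that thread is currently handling, so a 'received packet' line tells
    us which peer the following 'parsed ...' / 'generating ...' lines refer to.
    """
    peers = defaultdict(new_peer)
    current = {}   # thread id -> (peer_ip, peer_port) of the packet being handled
    pending = {}   # thread id -> exchange name generated but not yet sent
    for line in log_text.splitlines():
        m = RECV.search(line)
        if m:
            current[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = PARSED.search(line)
        if m and m.group(1) in current:
            ip, port = current[m.group(1)]
            peers[ip]["exchanges"].append((m.group(2), "request", port))
            continue
        m = NAT.search(line)
        if m and m.group(1) in current:
            peers[current[m.group(1)][0]]["behind_nat"] = True
            continue
        m = GENERATING.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = SEND.search(line)
        if m and m.group(1) in pending:
            exch = pending.pop(m.group(1))
            peers[m.group(2)]["exchanges"].append((exch, "response", int(m.group(3))))
            continue
        m = HALF_OPEN.search(line)
        if m:
            peers[m.group(1)]["half_open_deleted"] = True
    return dict(peers)


def diagnose(peers):
    """One finding per peer whose IKE_SA was deleted while still half open."""
    findings = []
    for ip, info in sorted(peers.items()):
        if not info["half_open_deleted"]:
            continue
        seen = {(exch, kind) for exch, kind, _ in info["exchanges"]}
        init_ports = [p for e, k, p in info["exchanges"] if (e, k) == ("IKE_SA_INIT", "response")]
        if ("IKE_AUTH", "request") in seen:
            findings.append(f"{ip}: IKE_AUTH request was received but the SA still timed out; "
                            "look at the authentication exchange, not the network path")
        elif init_ports:
            msg = f"{ip}: IKE_SA_INIT response sent to UDP port {init_ports[0]} but no IKE_AUTH request arrived"
            if info["behind_nat"]:
                msg += " (peer is behind NAT, so IKE_AUTH is expected on UDP 4500; confirm it reaches the server)"
            findings.append(msg)
        else:
            findings.append(f"{ip}: no IKE_SA_INIT response was sent; check the charon lines before the timeout")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this reports only 151.243.253.166: the INIT response went out on UDP 500 (exactly the line the answer refers to) and nothing was ever parsed from that peer afterwards, while 203.0.113.7 shows the expected follow-up, an IKE_AUTH request arriving on UDP 4500. To run it over a real machine, pass the contents of /var/log/syslog to `analyze()`; a finding of the first kind means the next step is a packet capture on both UDP 500 and 4500 at the same time, on the server and, if possible, on the client side of the NAT, to see where the IKE_AUTH request is lost.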