mtzmt
just joined
Topic Author
Posts: 5
Joined: Wed Oct 30, 2019 12:20 am

IPSec/IKEv2 tunnel disconnected after 8 minutes

Thu Oct 31, 2019 12:42 am

hi,
I am running version 6.45.7. I configured IKEv2 from iOS 12 to MikroTik, and after 8 minutes I get disconnected. What could be wrong?
log:
23:26:44 ipsec,info new ike2 SA (R): publicIPmikrotik[500]-ip_iphone[4805] spi:d541b057d8dee6f1:82f4ac78771cbdfd
23:26:44 ipsec,info,account peer authorized: publicIPmikrotik[4500]-ip_iphone[4806] spi:d541b057d8dee6f1:82f4ac78771cbdfd
23:26:44 ipsec,info acquired 192.168.89.255 address for ip_iphone, vpn.client
23:34:00 wireless,info 70:EE:50:2A:FE:14@wlan1: connected, signal strength -62
23:34:01 dhcp,info defconf assigned 192.168.88.244 to 70:EE:50:2A:FE:14
23:34:09 dhcp,info defconf deassigned 192.168.88.244 from 70:EE:50:2A:FE:14
23:34:10 wireless,info 70:EE:50:2A:FE:14@wlan1: disconnected, received disassoc: sending station leaving (8)
23:34:45 ipsec,info killing ike2 SA: publicIPmikrotik[4500]-ip_iphone[4806] spi:d541b057d8dee6f1:82f4ac78771cbdfd
23:34:45 ipsec,info releasing address 192.168.89.255

configuration:
/certificate add name=my.ca common-name=my.ca key-usage=key-cert-sign,crl-sign trusted=yes
/certificate sign my.ca

/certificate add name=vpn.server common-name=vpn.server subject-alt-name=DNS:vpn.server
/certificate sign vpn.server ca=my.ca

/certificate set trusted=yes vpn.server

/certificate add name=vpn.client common-name=vpn.client
/certificate sign vpn.client ca=my.ca


/certificate set trusted=yes vpn.client

/certificate export-certificate my.ca

/certificate export-certificate vpn.client export-passphrase=12345678 type=pkcs12

/ip pool add name=vpn ranges=192.168.89.0/24

/ip ipsec mode-config
add address-pool=vpn name=cfg1 static-dns=8.8.8.8 system-dns=no

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ios-ikev2-proposal pfs-group=none

/ip ipsec profile
add name=iOS hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048 lifetime=1h dpd-interval=1h

/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=ike2 profile=iOS name=iPhone

/ip ipsec identity
add auth-method=digital-signature certificate=vpn.server generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=fqdn:vpn.server peer=iPhone remote-certificate=vpn.client
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Thu Oct 31, 2019 7:16 am

Please try the latest testing release of RouterOS 6.46beta59. Let me know whether it resolves the issue.

*) ike2 - improved CHILD SA rekey process with Apple iOS 13;
 
mtzmt
just joined
Topic Author
Posts: 5
Joined: Wed Oct 30, 2019 12:20 am

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Thu Oct 31, 2019 9:35 am

Hi,
I have upgraded to 6.46beta59. It didn't help; after 8 minutes it is disconnected.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Thu Oct 31, 2019 12:09 pm

Post IPsec debug logs (topics=ipsec,!packet) from the time when the disconnect happens.
 
mtzmt
just joined
Topic Author
Posts: 5
Joined: Wed Oct 30, 2019 12:20 am

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Thu Oct 31, 2019 7:39 pm

/system logging add topics=ipsec,!packet

[admin@MikroTik] >
18:36:56 echo: ipsec,debug KA: mikrotikIP[4500]->iphoneIP[6981]
18:36:56 echo: ipsec,debug 1 times of 1 bytes message will be sent to iphoneIP[6981]
18:36:56 echo: ipsec,debug,packet ff
[admin@MikroTik] >
(42 messages discarded)
18:36:57 echo: ipsec enc: aes256-cbc
18:36:57 echo: ipsec prf: hmac-sha256
18:36:57 echo: ipsec auth: sha256
18:36:57 echo: ipsec dh: modp2048
18:36:57 echo: ipsec matched proposal:
18:36:57 echo: ipsec proposal #1
18:36:57 echo: ipsec enc: aes256-cbc
18:36:57 echo: ipsec prf: hmac-sha256
18:36:57 echo: ipsec auth: sha256
18:36:57 echo: ipsec dh: modp2048
18:36:57 echo: ipsec processing payload: KE
18:36:57 echo: ipsec processing payload: NONCE
[admin@MikroTik] >
(107 messages discarded)
18:36:58 echo: ipsec,debug,packet ca4eef5c 6fa47d9d 04d8152e 90ad8818 00202520 00000003 0000001c
18:36:58 echo: ipsec adding payload: ENC
18:36:58 echo: ipsec,debug => (size 0x44)
18:36:58 echo: ipsec,debug 00000044 9bb30818 411c6cb0 92b74d4c fe825763 69ec23fd 197da91d 50635cec
18:36:58 echo: ipsec,debug d5a40e3a a5b6bf8a 82a36b2e 633d76ce a4746875 00000000 00000000 00000000
18:36:58 echo: ipsec,debug 00000000
18:36:58 echo: ipsec,debug ===== sending 96 bytes from mikrotikIP[4500] to iphoneIP[6981]
18:36:58 echo: ipsec,debug 1 times of 100 bytes message will be sent to iphoneIP[6981]
18:36:58 echo: ipsec,debug,packet ca4eef5c 6fa47d9d 04d8152e 90ad8818 2e202520 00000003 00000060 00000044
18:36:58 echo: ipsec,debug,packet 9bb30818 411c6cb0 92b74d4c fe825763 69ec23fd 197da91d 50635cec d5a40e3a
18:36:58 echo: ipsec,debug,packet a5b6bf8a 82a36b2e 633d76ce a4746875 504a2b74 73dd70c0 b80c0fe4 3c127bf8
18:36:58 echo: ipsec rekey done
[admin@MikroTik] >
(96 messages discarded)
18:36:58 echo: ipsec,debug,packet ef10ff62 eac6e483 7872cc98 54c640b3 1b46f440 ff908203 9767c883 f2934fa9
18:36:58 echo: ipsec,debug,packet 714564dd a162745b 68089f5d afd03d68 1ad9a789 2566fe7d 2816c142 4fd51409
18:36:58 echo: ipsec,debug,packet fdce946a 72cdae70 07481211 acf2a85f 865afe05 c01f8b42 5f3913e6 faa967a9
18:36:58 echo: ipsec,debug,packet b7d62664 536dcd0a 7a40b237 6d02227f
18:36:58 echo: ipsec,info killing ike2 SA: mikrotikIP[4500]-iphoneIP[6981] spi:d54840038ead6bc6:c0ef75fe22f007ce
18:36:58 echo: ipsec IPsec-SA killing: iphoneIP[6981]->mikrotikIP[4500] spi=0x1904a8d
18:36:58 echo: ipsec IPsec-SA killing: mikrotikIP[4500]->iphoneIP[6981] spi=0x1476ca0
18:36:58 echo: ipsec removing generated policy
18:36:58 echo: ipsec KA remove: mikrotikIP[4500]->iphoneIP[6981]
18:36:58 echo: ipsec,debug KA tree dump: mikrotikIP[4500]->iphoneIP[6981] (in_use=1)
18:36:58 echo: ipsec,debug KA removing this one...
18:36:58 echo: ipsec,info releasing address 192.168.89.255
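As an added example (not posted by anyone in this thread), a small Python parser for the RouterOS log format quoted above: it pairs each `new ike2 SA` with its `killing ike2 SA` by SPI, reports the SA lifetime, and flags SAs torn down within a few seconds of a `rekey done`, which is the pattern in the debug log. The sample lines are constructed in that format; the 1h expected lifetime is taken from the profile in the first post.

```python
import re
from datetime import datetime, timedelta

# RouterOS log line: "HH:MM:SS [echo: ]topics message" (echo: appears when
# the log action is the console, as in the debug output above).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (?:echo: )?(\S+) (.*)$")
SPI_RE = re.compile(r"spi:([0-9a-f]+:[0-9a-f]+)")

# Constructed sample in the format quoted in this thread: one SA that the client
# simply dropped after 52 minutes, and one that died right after a rekey.
SAMPLE_LOG = """\
18:00:00 echo: ipsec,info new ike2 SA (R): mikrotikIP[500]-iphoneIP[4805] spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
18:52:10 echo: ipsec,info killing ike2 SA: mikrotikIP[4500]-iphoneIP[4806] spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
23:26:44 echo: ipsec,info new ike2 SA (R): mikrotikIP[500]-iphoneIP[4805] spi:d541b057d8dee6f1:82f4ac78771cbdfd
23:26:44 echo: ipsec,info,account peer authorized: mikrotikIP[4500]-iphoneIP[4806] spi:d541b057d8dee6f1:82f4ac78771cbdfd
23:34:45 echo: ipsec rekey done
23:34:45 echo: ipsec,info killing ike2 SA: mikrotikIP[4500]-iphoneIP[4806] spi:d541b057d8dee6f1:82f4ac78771cbdfd
23:34:45 echo: ipsec,info releasing address 192.168.89.255
"""

def parse_line(line):
    """Return (time, topics, message) for a RouterOS log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)

def analyze(log_text, expected_lifetime=timedelta(hours=1), rekey_window=timedelta(seconds=5)):
    """Pair SA creation and teardown by SPI; mark an SA as suspect when it is
    killed before its configured lifetime and within rekey_window of a rekey."""
    started, last_rekey, results = {}, None, []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not parsed[1].startswith("ipsec"):
            continue
        ts, _topics, msg = parsed
        spi = SPI_RE.search(msg)
        if msg.startswith("new ike2 SA") and spi:
            started[spi.group(1)] = ts
        elif msg.startswith("rekey done"):
            last_rekey = ts
        elif msg.startswith("killing ike2 SA") and spi and spi.group(1) in started:
            t0 = started.pop(spi.group(1))
            if ts < t0:                      # SA crossed midnight
                ts += timedelta(days=1)
            life = ts - t0
            rekeyed = last_rekey is not None and timedelta(0) <= ts - last_rekey <= rekey_window
            results.append({"spi": spi.group(1), "lifetime_s": int(life.total_seconds()),
                            "rekey_before_kill": rekeyed,
                            "suspect": rekeyed and life < expected_lifetime})
            last_rekey = None
    return results
```

A `suspect` entry points at the CHILD SA rekey rather than at the client leaving, so the proposal (in this thread, its pfs-group) is the first thing to compare against what the client offers.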
 
complex1
Frequent Visitor
Posts: 58
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Wed Nov 27, 2019 11:24 am

Hi,

I am running version 6.45.7 on RB4011 and have the same problem.
Is there any news or solution about the 8 minute issue?

Thanks.
 
Lilarcor
Frequent Visitor
Posts: 56
Joined: Sun Oct 08, 2017 3:16 am

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Tue Jul 28, 2020 2:40 pm

I have the same issue on 4011 with 6.45.9
 
kavehvn
just joined
Posts: 2
Joined: Sat Nov 28, 2015 6:10 pm

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Fri Mar 19, 2021 1:15 pm

I have the same problem with RB951 version 6.48.1
 
eakteam
just joined
Posts: 17
Joined: Sat Jun 20, 2020 4:27 am
Location: Albania

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Wed Oct 19, 2022 1:19 am

Did anyone find a solution? I'm running v7.6 and this issue is still happening...
 
heney99079
just joined
Posts: 2
Joined: Mon Sep 04, 2023 5:40 am

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Mon Sep 04, 2023 5:44 am

Setting PFS Group for the proposal to `modp2048` fixed the issue – apparently, iOS/macOS tries to renew the keys requiring this PFS Group. The previous value I had was `modp1024`.
 
zentavr
Frequent Visitor
Posts: 53
Joined: Tue Nov 05, 2013 2:11 pm

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Sun Sep 10, 2023 4:21 am

@heney99079 - where did you set that? On the RouterOS side or on the Apple side?
 
zentavr
Frequent Visitor
Posts: 53
Joined: Tue Nov 05, 2013 2:11 pm

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Wed Sep 13, 2023 10:07 pm

I was able to fix that by setting `none` as pfs-group in the IPsec proposals:
/ip ipsec mode-config
add address-pool=ipsec-pool address-prefix-length=32 name=ipsec-user-networks split-dns=192.168.10.1 split-include=192.168.10.0/24,172.16.8.0/24

/ip ipsec policy group
add name=office

/ip ipsec profile
add dpd-maximum-failures=8 enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256 name=office-rw

/ip ipsec peer
add exchange-mode=ike2 name=office-rw-passive passive=yes profile=office-rw send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=12h30m name=office-none pfs-group=none

/ip ipsec identity
add auth-method=eap-radius certificate=letsencrypt-autogen_2023-09-04T22:14:54Z,lets-encrypt-r3 generate-policy=port-strict mode-config=ipsec-user-networks peer=office-rw-passive policy-template-group=office

/ip ipsec policy
set 0 disabled=yes
add dst-address=172.16.8.0/24 group=office proposal=office-none src-address=172.16.8.0/24 template=yes
add dst-address=172.16.8.0/24 group=office proposal=office-none src-address=0.0.0.0/0 template=yes
add dst-address=172.16.8.0/24 group=office proposal=office-none src-address=192.168.10.0/24 template=yes