[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-23 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.3.5-1ubuntu4.2

---
strongswan (5.3.5-1ubuntu4.2) yakkety; urgency=medium

  * d/p/ikev2-Only-add-NAT-D-notifies-to-DPDs-as-initiator.patch: fix issue
    related to DPD vs iOS10 (LP: #1687711)

 -- Christian Ehrhardt   Mon, 15 May 2017 07:48:30 +0200

** Changed in: strongswan (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1687711

Title:
  strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1687711/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-23 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.3.5-1ubuntu3.2

---
strongswan (5.3.5-1ubuntu3.2) xenial; urgency=medium

  * d/p/ikev2-Only-add-NAT-D-notifies-to-DPDs-as-initiator.patch: fix issue
    related to DPD vs iOS10 (LP: #1687711)

 -- Christian Ehrhardt   Wed, 03 May 2017 17:37:06 +0200

** Changed in: strongswan (Ubuntu Xenial)
   Status: Fix Committed => Fix Released



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-17 Thread ChristianEhrhardt
On Thu, May 18, 2017 at 2:21 AM, Simon Déziel <1687...@bugs.launchpad.net>
wrote:

> With a Yakkety server running 5.3.5-1ubuntu4.1 and an iOS 10.3.2 client, I
> can reproduce the issue.
> The package from -proposed (5.3.5-1ubuntu4.2) fixes the issue, thanks
> Christian!
>

Thank you so much Simon,
I have a note here in my office which is titled "Beer for people if I ever
meet them", you just scored a +1 there!


** Tags removed: verification-needed
** Tags added: verification-done


[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-17 Thread Simon Déziel
With a Yakkety server running 5.3.5-1ubuntu4.1 and an iOS 10.3.2 client, I can 
reproduce the issue.
The package from -proposed (5.3.5-1ubuntu4.2) fixes the issue, thanks Christian!



Re: [Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-17 Thread Simon Déziel
On 2017-05-17 01:35 AM, ChristianEhrhardt wrote:
> Thanks Simon, do you (or dguido) have a chance to test on Yakkety as
> well or would that be too much setup effort?

I don't have any (interest in) Yakkety but I'll give it a try since you
took the time to prepare a SRU.

Simon



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-17 Thread ChristianEhrhardt
Also found no other things in Xenial and autopkgtests are fine on X.
Setting v-done for xenial, but yakkety has to be checked one with the right
devices (and setup).

** Tags added: verification-done-xenial



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-16 Thread ChristianEhrhardt
Thanks Simon, do you (or dguido) have a chance to test on Yakkety as
well or would that be too much setup effort?



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-16 Thread Simon Déziel
5.3.5-1ubuntu3.2 from xenial-proposed fixes the issue.



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-15 Thread Łukasz Zemczak
Hello dguido, or anyone else affected,

Accepted strongswan into yakkety-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu4.2 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags added: verification-needed



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-15 Thread ChristianEhrhardt
Ok, all tests succeeded as well, so I'd think this is good for SRU - so
I pushed it to unapproved for Xenial and Yakkety.

Please help me test -proposed once it appears there.

Note (to myself) - related bileto tickets:
https://bileto.ubuntu.com/#/ticket/2752
https://bileto.ubuntu.com/#/ticket/2761

** Changed in: strongswan (Ubuntu Xenial)
   Status: Triaged => Fix Committed

** Changed in: strongswan (Ubuntu Yakkety)
   Status: Triaged => Fix Committed



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-15 Thread ChristianEhrhardt
Updated SRU template, matching that we intend to fix the issue now and
not as initially requested backport the full newer strongswan.

** Description changed:

+ [Impact]
+ 
+  * iOS10+/MacOS10+ devices fail at dead peer detection and re-establish 
+the connection over and over
+ 
+  * Backport of upstream fix.
+ 
+ 
+ [Test Case]
+ 
+  * Set up strongswan (the reporter did so via algo, but other preferred 
+setups are good as well) and prepare iOS10+ devices to dial in.
+ 
+  * check for the reconnects to start based on broken dead peer detection
+ 
+ 
+ [Regression Potential] 
+ 
+  * Due to the fact that this is a backport there could be dependencies to 
+the newer code. The change isn't too bug and it looks safe, as well as 
+compiling and regression testing fine - but if we want to look out for 
+regressions that certainly is the biggest potential one.
+  * From the behavior change itself it should be safe, to quote from 
+upstream "If a responder is natted it will usually be a static NAT 
+(unless it's a mediated connection) in which case adding these notifies 
+makes not much sense (if the initiator's NAT mapping had changed the 
+responder wouldn't be able to reach it anyway).
+ 
+ [Other Info]
+  
+  * I can do general regression check, but for the actual issue 
+verification I lack the apple devices and have to rely on the reporters 
+(fortunately two active on the bug now, and confirmed on the ppa 
+already)
+ 
+ 
+ ---
+ 
+ Original bug asked to backport the full newer release, but given SRU
+ policy and that it seems to be fixable with much smaller change we
+ decided for a backported patch - keeping original content below:
+ 
+ ---
+ 
  strongSwan is effectively incompatible with iOS 10+ and macOS 10.11+
  devices. Dead peer detection does not work for these devices and they
  continually re-establish security associations (SAs) as a result. Please
  see the issues described in further detail below:
  
  strongSwan confirmed the issue and patched it in 5.5.1:
  https://wiki.strongswan.org/issues/2126
  
  strongSwan recommends a workaround that breaks other functionality:
  
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10
  
  Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I
  would recommend an SRU for strongSwan 5.3.5 to 5.5.1 in Ubuntu 16.04.
  
  [Impact]
  Ubuntu users are running into this bug in normal usage:
  https://github.com/trailofbits/algo/issues/430
  
  [Test Case]
  In order to test this issue:
  1. Deploy an Ubuntu 16.04 server with strongSwan via Algo 
(https://github.com/trailofbits/algo)
  2. Connect an iOS client
  3. Wait a few minutes for the reconnects to start based on broken dead peer 
detection
  
  In order to test the fix for this issue:
  1. Deploy an Ubuntu 17.04 server with strongSwan via Algo (modify config.cfg 
to select 17.04)
  2. Connect an iOS client
  3. Wait the same time period as before and notice that the connection does 
not drop
  
  [Regression Potential]
  strongSwan and IPSEC software in general change at a very slow rate. In our 
tests with Algo, the exact same ipsec.conf and related configuration work for 
strongSwan 5.5.1 that worked for 5.3.5.
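
Review bot: The added [Test Case] only describes how to reproduce the failure (set up strongSwan, dial in with an iOS10+ device, "check for the reconnects to start") and has no step for verifying the fix; it should add installing the package from -proposed and confirming that the connection no longer drops over the same period. In the added [Regression Potential], "The change isn't too bug" should read "too big", and the quotation from upstream that opens at "If a responder is natted is never closed.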



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-15 Thread ChristianEhrhardt
Thanks for the check, I also couldn't find anything too obviously broken.
I'm prepping Yakkety as well now and if things go well would put it to the SRU 
queue later.



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-14 Thread ChristianEhrhardt
** Tags added: server-next

** Changed in: strongswan (Ubuntu Xenial)
   Status: Confirmed => Triaged

** Changed in: strongswan (Ubuntu Yakkety)
   Status: Confirmed => Triaged



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-13 Thread Simon Déziel
I was able to reproduce the problematic scenario with an iOS 10.3.1
client and I'm happy to say that 5.3.5-1ubuntu3.2 [*] fixes it. Thanks
Christian!

*: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2752



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-07 Thread ChristianEhrhardt
** Changed in: strongswan (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: strongswan (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: strongswan (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: strongswan (Ubuntu Yakkety)
   Importance: Undecided => Medium



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-07 Thread dguido
Thanks, I will test the package you provided soon and get back to you
with the results.

In the meantime, we have setup Algo to pull in strongSwan packages from
17.04. This has not caused any issues:
https://github.com/trailofbits/algo/pull/515/files



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-03 Thread ChristianEhrhardt
The following is a bit of a quick shot but maybe good for you to verify.
I backported the change I identified to Xenial (eventually Y is needed as well).

The package starts building in:
  https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2752

If you could try and verify if that fixes the issue that would be great.



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-03 Thread ChristianEhrhardt
We might try if [1] applies and fixes the issue without all the major
changes that 5.5.1 would imply.

[1]:
https://wiki.strongswan.org/projects/strongswan/repository/revisions/33241871a82a0c374128373e47380be60f0431fa/diff



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-03 Thread ChristianEhrhardt
I'm only now reading into details, but in general just taking 5.5.1 can be a 
backport but not easily an SRU.
We have to check if there is a way to find a minimal amount of changes to SRU 
them.


** Also affects: strongswan (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: strongswan (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: strongswan (Ubuntu)
   Status: New => Fix Released



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-02 Thread Defunct
I can confirm that the `strongswan-5.5.1-1ubuntu3` source package from
17.04 compiles without issue on 16.04. There is one missing build-dep
`libsystemd-dev` however. I've experienced no functionality or stability
issues so far.



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-02 Thread dguido
** Description changed:

  strongSwan is effectively incompatible with iOS 10+ and macOS 10.11+
  devices. Dead peer detection does not work for these devices and they
  continually re-establish security associations (SAs) as a result. Please
  see the issues described in further detail below:
  
  strongSwan confirmed the issue and patched it in 5.5.1:
  https://wiki.strongswan.org/issues/2126
  
  strongSwan recommends a workaround that breaks other functionality:
  
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10
  
  Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I
- would recommend backporting strongSwan 5.5.1 to Ubuntu 16.04.
+ would recommend an SRU for strongSwan 5.3.5 to 5.5.1 in Ubuntu 16.04.
  
  [Impact]
  Ubuntu users are running into this bug in normal usage:
  https://github.com/trailofbits/algo/issues/430
  
  [Test Case]
  In order to test this issue:
  1. Deploy an Ubuntu 16.04 server with strongSwan via Algo 
(https://github.com/trailofbits/algo)
  2. Connect an iOS client
  3. Wait a few minutes for the reconnects to start based on broken dead peer 
detection
  
  In order to test the fix for this issue:
  1. Deploy an Ubuntu 17.04 server with strongSwan via Algo (modify config.cfg 
to select 17.04)
  2. Connect an iOS client
  3. Wait the same time period as before and notice that the connection does 
not drop
  
  [Regression Potential]
  strongSwan and IPSEC software in general change at a very slow rate. In our 
tests with Algo, the exact same ipsec.conf and related configuration work for 
strongSwan 5.5.1 that worked for 5.3.5.
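
Review bot: The changed line now requests "an SRU for strongSwan 5.3.5 to 5.5.1 in Ubuntu 16.04", but the [Test Case] still verifies the fix on "an Ubuntu 17.04 server", so nothing in the description tests the requested update on 16.04 itself. The fix test should deploy 16.04 with the candidate package, and [Regression Potential] should cover more than the ipsec.conf compatibility it mentions now.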



[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

2017-05-02 Thread dguido
** Description changed:

  strongSwan is effectively incompatible with iOS 10+ and macOS 10.11+
  devices. Dead peer detection does not work for these devices and they
  continually re-establish security associations (SAs) as a result. Please
  see the issues described in further detail below:
  
  strongSwan confirmed the issue and patched it in 5.5.1:
  https://wiki.strongswan.org/issues/2126
  
  strongSwan recommends a workaround that breaks other functionality:
  
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10
+ 
+ Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I
+ would recommend backporting strongSwan 5.5.1 to Ubuntu 16.04.
  
  [Impact]
  Ubuntu users are running into this bug in normal usage:
  https://github.com/trailofbits/algo/issues/430
  
  [Test Case]
  In order to test this issue:
  1. Deploy an Ubuntu 16.04 server with strongSwan via Algo 
(https://github.com/trailofbits/algo)
  2. Connect an iOS client
  3. Wait a few minutes for the reconnects to start based on broken dead peer 
detection
  
  In order to test the fix for this issue:
  1. Deploy an Ubuntu 17.04 server with strongSwan via Algo (modify config.cfg 
to select 17.04)
  2. Connect an iOS client
  3. Wait the same time period as before and notice that the connection does 
not drop
  
- Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I
- would recommend backporting strongSwan 5.5.1 to Ubuntu 16.04.
- 
  [Regression Potential]
  strongSwan and IPSEC software in general change at a very slow rate. In our 
tests with Algo, the exact same ipsec.conf and related configuration work for 
strongSwan 5.5.1 that worked for 5.3.5.
