On Sun, 29 Jan 2017, Dynastic Space wrote:

I am connecting to a libreswan VPN server using an iPhone. After about an hour
the internet disconnects, although the VPN icon seems connected.

It seems this might be a result of a different IKE / IPsec lifetime,
which is not negotiated. Usually, initiating clients ensure to rekey
within an hour to avoid this. It seems iOS might be using a longer
lifetime, and so it reaches the server's lifetime. As the server is
usually configured not to rekey, it causes the tunnel to end.

ipsec.conf:

config setup
  protostack=netkey
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
  uniqueids=no
  plutostderrlog=/var/log/openswan.log

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    cisco-unity=yes
    modecfgdns1=172.31.35.239
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never

I would add:

        ikelifetime=8h
        salifetime=8h

I connect just fine, and am able to surf for about an hour, at which point
the VPN connection seems to be on, but no internet traffic is going through.
After about 20 minutes the internet connection is renewed. This scenario is
repeatable.

I guess iOS is not using DPD/liveness probes to check on the server.
Maybe that can be configured using a mobileconfig profile?

http://pastebin.com/aUKEjcGR contains the libreswan log file detailing the
activity during the internet disconnect and reconnect. The log file has been
greatly reduced. Disconnection occurred at ~09:12:08, and reconnection at
~09:31:45. The obfuscated IP is aaa.bbb.ccc.ddd. The user is 'user1'.

It looks like something set up a new connection and deleted the old one?
So perhaps my above fix does not help?

You could test this on OSX where you would have some more logging to see
what is happening on their end. The iphone and OSX should behave
identically with respect to IKE / IPsec.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
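The lifetime mismatch discussed in the thread can be checked mechanically. The script below is an added example, not code from the thread or from libreswan: it parses the conn sections of an ipsec.conf and reports any conn with rekey=no whose effective IKE or IPsec lifetime is not longer than the interval at which the client is expected to rekey. It assumes libreswan's documented defaults of ikelifetime=1h and salifetime=8h when a conn does not set them, and the embedded conn is a constructed, cut-down copy of the one quoted above.

```python
"""Check libreswan ipsec.conf conn sections for the lifetime/rekey mismatch
described above: a responder with rekey=no whose IKE or IPsec SA lifetime is
not longer than the interval at which the client rekeys."""
import re
# Assumed libreswan defaults (see ipsec.conf(5)); adjust if your version differs.
DEFAULTS = {"ikelifetime": "1h", "salifetime": "8h", "rekey": "yes"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """'8h' -> 28800, '30m' -> 1800, bare '3600' -> 3600 seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # section header at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns

def lifetime_issues(text, client_rekey_secs):
    """(conn, setting, seconds) for each rekey=no conn whose lifetime is not
    longer than the client's rekey interval: the server lets the SA expire
    before the client renews it."""
    issues = []
    for name, opts in parse_conf(text).items():
        if opts.get("rekey", DEFAULTS["rekey"]) != "no":
            continue
        for key in ("ikelifetime", "salifetime"):
            secs = parse_duration(opts.get(key, DEFAULTS[key]))
            if secs <= client_rekey_secs:
                issues.append((name, key, secs))
    return issues

# Constructed cut-down copy of the conn quoted in the thread (no lifetimes set).
SAMPLE = "config setup\n  protostack=netkey\nconn xauth-psk\n    authby=secret\n    rekey=no\n    ikev2=never\n"

if __name__ == "__main__":
    print(lifetime_issues(SAMPLE, 3600))  # [('xauth-psk', 'ikelifetime', 3600)]
```

Adding `ikelifetime=8h` to the sample conn, as suggested above, makes the check return an empty list for a client that rekeys hourly.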
