Updated SRU template, matching that we intend to fix the issue now and not as initially requested backport the full newer strongswan.
** Description changed: + [Impact] + + * iOS10+/MacOS10+ devices fail at dead peer detection and re-establish + the connection over and over + + * Backport of upstream fix. + + + [Test Case] + + * Set up strongswan (the reporter did so via algo, but other preferred + setups are good as well) and prepare iOS10+ devices to dial in. + + * check for the reconnects to start based on broken dead peer detection + + + [Regression Potential] + + * Due to the fact that this is a backport there could be dependencies to + the newer code. The change isn't too bug and it looks safe, as well as + compiling and regression testing fine - but if we want to look out for + regressions that certainly is the biggest potential one. + * From the behavior change itself it should be safe, to quote from + upstream "If a responder is natted it will usually be a static NAT + (unless it's a mediated connection) in which case adding these notifies + makes not much sense (if the initiator's NAT mapping had changed the + responder wouldn't be able to reach it anyway). + + [Other Info] + + * I can do general regression check, but for the actual issue + verification I lack the apple devices and have to rely on the reporters + (fortunately two active on the bug now, and confirmed on the ppa + already) + + + --- + + Original bug asked to backport the full newer release, but given SRU + policy and that it seems to be fixable with much smaller change we + decided for a backported patch - keeping original content below: + + --- + strongSwan is effectively incompatible with iOS 10+ and macOS 10.11+ devices. Dead peer detection does not work for these devices and they continually re-establish security associations (SAs) as a result. Please see the issues described in further detail below: strongSwan confirmed the issue and patched it in 5.5.1: https://wiki.strongswan.org/issues/2126 strongSwan recommends a workaround that breaks other functionality: https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10 Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I would recommend an SRU for strongSwan 5.3.5 to 5.5.1 in Ubuntu 16.04. [Impact] Ubuntu users are running into this bug in normal usage: https://github.com/trailofbits/algo/issues/430 [Test Case] In order to test this issue: 1. Deploy an Ubuntu 16.04 server with strongSwan via Algo (https://github.com/trailofbits/algo) 2. Connect an iOS client 3. Wait a few minutes for the reconnects to start based on broken dead peer detection In order to test the fix for this issue: 1. Deploy an Ubuntu 17.04 server with strongSwan via Algo (modify config.cfg to select 17.04) 2. Connect an iOS client 3. Wait the same time period as before and notice that the connection does not drop [Regression Potential] strongSwan and IPSEC software in general change at a very slow rate. In our tests with Algo, the exact same ipsec.conf and related configuration work for strongSwan 5.5.1 that worked for 5.3.5. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1687711 Title: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1687711/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
