
List:       libreswan
Subject:    Re: [Swan] Reconnecting to Libreswan using an iPhone
From:       Paul Wouters <paul () nohats ! ca>
Date:       2017-01-30 1:42:11
Message-ID: alpine.LRH.2.20.1701292035230.5826 () bofh ! nohats ! ca

On Sun, 29 Jan 2017, Dynastic Space wrote:

> I am connecting to a libreswan vpn server using an iPhone. After about an hour the internet
> disconnects, although the vpn icon seems connected.

It seems this might be a result of a different IKE / IPsec lifetime,
which is not negotiated. Usually, initiating clients ensure to rekey
within an hour to avoid this. It seems iOS might be using a longer
lifetime, and so it reaches the server's lifetime. As the server is
usually configured not to rekey, it causes the tunnel to end.

> ipsec.conf:
> 
> config setup
>   protostack=netkey
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
>   uniqueids=no
>   plutostderrlog=/var/log/openswan.log
> 
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.231.247.10-10.231.247.254
>     right=%any
>     cisco-unity=yes
>     modecfgdns1=172.31.35.239
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never

I would add:

 	ikelifetime=8h
 	salifetime=8h

> I connect just fine, and am able to surf for about an hour, at which point
> the vpn connection seems to be on, but no internet traffic is going through.
> After about 20 minutes internet connection is renewed. This scenario is
> repeatable.

I guess iOS is not using DPD/liveness probes to check on the server.
Maybe that can be configured using a mobileconfig profile?

> http://pastebin.com/aUKEjcGR contains the libreswan log file detailing the activity during the
> internet disconnect and reconnect. The log file has been greatly reduced.
> Disconnection occurred at ~09:12:08, and reconnection at ~09:31:45. The
> obfuscated ip is aaa.bbb.ccc.ddd. The user is 'user1'.

It looks like something set up a new connection and deleted the old one?
So perhaps my above fix does not help?

You could test this on OSX where you would have some more logging to see
what is happening on their end. The iPhone and OSX should behave
identically with respect to IKE / IPsec.

Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
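For reference, here is the quoted `xauth-psk` configuration with the two lifetime settings from the reply folded in. This is an added example, not the configuration posted in the thread and not something from the libreswan project itself; the comments explain why the server-side lifetimes matter when `rekey=no` is set, and the `dpd*` lines at the end are an optional addition of my own (they make the server probe the client, which does not change what iOS does on its side).

```ini
# Added example: the original poster's ipsec.conf with ikelifetime/salifetime
# added as suggested in the reply. Everything not commented on is copied
# from the quoted configuration.
config setup
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
    uniqueids=no
    plutostderrlog=/var/log/openswan.log

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    # rekey=no: the server never initiates a rekey itself. Whoever connects
    # is expected to rekey before the server-side lifetimes below expire;
    # if the client's own lifetime is longer, the server simply lets the
    # SA expire and the tunnel ends while the client still shows "connected".
    rekey=no
    # Server-side lifetimes (not negotiated with the peer). Without these
    # libreswan's default ikelifetime of one hour applies, which matches the
    # "about an hour" symptom. 8h gives a client with a longer lifetime room
    # to rekey on its own schedule.
    ikelifetime=8h
    salifetime=8h
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    cisco-unity=yes
    modecfgdns1=172.31.35.239
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never
    # Optional (my addition, assumed to be wanted): server-side dead peer
    # detection so a client that silently disappears is cleaned up rather
    # than holding an address from the pool until salifetime runs out.
    # This does not make the client probe the server.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

After reloading the configuration, `ipsec status` lists the active lifetimes per connection, which is a quick way to confirm the new values took effect before repeating the one-hour test from the iPhone.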
