VPN Disconnecting Intermittently on Apple devices #346

Closed
watkinsmd opened this issue Apr 3, 2017 · 31 comments

Comments

@watkinsmd

OS / Environment

macOS Sierra 10.12.3/iOS X devices
Router: Apple Time Capsule (5th generation). UDP ports 500 and 4500 open (see below)

Ansible version

2.2.0.0

Version of components from requirements.txt

setuptools>=11.3
ansible>=2.1,<2.2.1
dopy==0.3.5
boto>=2.5
boto3
azure==2.0.0rc5
msrest==0.4.1
apache-libcloud
six
pyopenssl
jinja2==2.8

Summary of the problem

Algo is up and running but the VPN keeps disconnecting intermittently. It will eventually reconnect after a few minutes. It will also reconnect if I turn off wi-fi and reconnect, or if I switch from my regular network to the 5 GHz network and vice versa. If there is another post on this matter please send the link so I can troubleshoot accordingly--I couldn't find one.

Steps to reproduce the behavior

Use devices while connected to VPN. They will eventually drop and reconnect. According to the Amazon AWS documentation on VPNs, this could be due to ports not being open. http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html

I opened UDP ports 500 and 4500 and the issue is still occurring on all my devices (MacBook Pro, iPad, iPhone)

The way of deployment (cloud or local)

Cloud (Amazon EC2); connecting to Oregon region

Expected behavior

No disconnects

Actual behavior

Intermittent disconnection of VPN.

Full log

@dguido
Member

dguido commented Apr 3, 2017

Yeah you don't need those ports open

@ghudgins

ghudgins commented Apr 3, 2017

also getting DC's from AWS...connecting to nova

...I also tried different server types since originally I thought it was a byproduct of the free tier but even on a paid tier with a dedicated CPU it happens. Was thinking of trying Amazon Lightsail instead of EC2 but haven't gotten to it yet.

@deansaxe

deansaxe commented Apr 3, 2017

I'm experiencing the same issue on iOS 10.3 across multiple devices. The VPN is hosted in AWS US-WEST2 (OR).

@eliabieri

I use iOS 10.3.2 Beta 1 and I got the same problems.

@kiratp

kiratp commented Apr 5, 2017

Seeing the same thing on Azure with iOS 10.3 as the client

@biffalo

biffalo commented Apr 5, 2017

EDIT:
That did not fix the issue. Got disconnected again :(

On Windows 10

go to network connections (right click start menu and go to network connections) < right click your algo connection < properties < security < advanced < uncheck mobility or set number super high.

also did "reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 1 /f".

Haven't had any discos since. If it continues it might be related to MTU somehow. May need to be adjusted server side, but haven't had time to dive in further.

@sregister

sregister commented Apr 5, 2017

@biffalo Cool, I'll try that out.

I've also been having issues on Windows 10. I imagine there are many things which would be causing this, so it might be hard to track down. I read online that some people switched their VPN network from being a public network in Windows to a private network (which enables network device discovery on Windows clients). I think I might try it but I'm concerned about potential security issues.

@biffalo

biffalo commented Apr 5, 2017

@sregister Changing firewall location won't fix it. Firewall just says what ports can be open or closed for programs etc. Network discovery on your VPN shouldn't really hurt security-wise since you'd only be discoverable by other clients on your algo VPN ;)

@kiratp

kiratp commented Apr 5, 2017

This smells like an issue related to timeouts and keep-alive windows.

@dguido changed the title from "VPN Disconnecting Intermittently" to "VPN Disconnecting Intermittently on Apple devices" on Apr 5, 2017

@ananonuser

If helpful:
Using El Capitan (10.11.5), I have NOT experienced the disconnects, running for > 1 hour.
Using iOS 10.2 and the same server (AWS N. California), I do experience the disconnects.

@magicwave

Also experienced DCs across iOS devices on EC2 AWS US-WEST2 (OR). Same configuration set up on Digital Ocean droplet has had no problems so far after one night/day.

@kiratp

kiratp commented Apr 8, 2017

I changed the dead peer detection to High in the mobileconfig and haven't noticed an issue:

<key>DeadPeerDetectionRate</key>
<string>High</string> 

The weird thing is when I turn on the screen after some idle time, the status bar only shows LTE. After a few secs, Wifi + VPN shows up. When I go to VPN settings however, the time connected doesn't appear to have reset to 0.

@frictionlessDevelopments

frictionlessDevelopments commented Apr 9, 2017

I was facing disconnection problems before on my own local Ubuntu server.
Switching DPD Rate on the configuration profile to High has resolved my disconnection problems across all my Apple devices.

iOS 10.3.1
macOS 10.12.4

@ananonuser

@kiratp's modification does maintain a steady connection on my iOS device that was previously disconnecting.

Unfortunately, it also came with a significant (negative) impact to battery life.

@kiratp

kiratp commented Apr 10, 2017

@ananonuser - My solution is a workaround since it just ups the keep alives and reconnects. We need to figure out why disconnects are happening in the first place

DPD at High is per minute while medium is every 10 mins. 10x the power :)

https://developer.apple.com/reference/networkextension/nevpnprotocolikev2/nevpnikev2deadpeerdetectionrate

@sohanmurthy

sohanmurthy commented Apr 10, 2017

I seem to be experiencing a related issue on macOS 10.12.4. I have two access points in my house and when I move from one to the other, the VPN disconnects. At the new access point, it will fail to reconnect after several attempts. If I wait several minutes before attempting again, it will successfully reconnect at the new access point. Enabling VPN on demand to automatically connect on wifi doesn't seem to help. Is there a limit on the number of reconnects before it blocks you out for several minutes?

@kiratp

kiratp commented Apr 10, 2017

I think I found the reason for disconnects - on GCP at least:
https://cloud.google.com/compute/docs/networks-and-firewalls

Note: All instances are configured with a "hidden" firewall rule that drops TCP connections after 10 minutes of inactivity. If this timeout causes connectivity errors to or from your instance, you should configure TCP keep-alives to prevent connections from being dropped. See the tips and troubleshooting page for details.

the Apple DeadPeer Detection setting at medium is 10 mins...

More on keep-alive - maybe we can solve this on the server side: https://cloud.google.com/compute/docs/troubleshooting#communicatewithinternet
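
The check suggested by the two comments above (the DPD rate in the mobileconfig versus a middlebox idle timeout), as an added example that is not part of the original thread or of Algo's code. It assumes an unsigned XML `.mobileconfig`; the sample profile, `vpn.example.invalid` and the function names are constructed for illustration, and the idle timeout is supplied by the caller.

```python
import plistlib

# DPD intervals in minutes as quoted in the thread (High = every minute,
# Medium = every 10 minutes); other rates are left out rather than guessed.
DPD_MINUTES = {"High": 1, "Medium": 10}

# Constructed sample: a minimal unsigned profile with one IKEv2 payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>VPNType</key><string>IKEv2</string>
    <key>IKEv2</key><dict>
      <key>RemoteAddress</key><string>vpn.example.invalid</string>
      <key>DeadPeerDetectionRate</key><string>Medium</string>
    </dict>
  </dict></array>
</dict></plist>"""


def dpd_findings(profile_bytes, idle_timeout_min):
    """Return (remote, rate, verdict) for every IKEv2 payload in the profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("VPNType") != "IKEv2":
            continue
        ike = payload.get("IKEv2", {})
        # Apple documents Medium as the default when the key is absent.
        rate = ike.get("DeadPeerDetectionRate", "Medium")
        interval = DPD_MINUTES.get(rate)
        if interval is None:
            verdict = "unknown-interval"
        elif interval >= idle_timeout_min:
            verdict = "at-risk"  # an idle flow can expire before the next probe
        else:
            verdict = "ok"
        findings.append((ike.get("RemoteAddress"), rate, verdict))
    return findings


def set_dpd_rate(profile_bytes, rate):
    """Return a copy of the profile with every IKEv2 payload set to `rate`."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("VPNType") == "IKEv2":
            payload.setdefault("IKEv2", {})["DeadPeerDetectionRate"] = rate
    return plistlib.dumps(profile)
```
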

@jauderho
Contributor

I see that #437 disables DPD and am asking if that's the right approach long term? Or are we just doing this until we move to a newer rev of strongSwan?

@dguido
Member

dguido commented Apr 18, 2017

We're not upgrading the base image of Ubuntu to 17.04 yet. We're also not compiling strongSwan from source since that's not the way to do things with Ansible. As a result, we disabled DPD which was the strongSwan recommended solution for 5.3.5. This may have resolved the root cause of this issue. I'm going to close this ticket for now while we work on things like getting Windows clients and GCE servers to the same position.

@dguido closed this as completed on Apr 18, 2017

@expaand

expaand commented Jul 18, 2017

I built my VPN server using the archive/master.zip of July 9, 2017. It is running on AWS, as per the documentation. I built it from a Mac. However, I am experiencing the "random" disconnects mentioned in this ticket on all my Apple platforms: Mac, IOS-ipad, IOS-iphone. I am wondering, in light of @dguido's comment, whether this ticket should be reopened.

UPDATE 2 August 2018

I have since migrated from AWS to Digital Ocean. What a difference!!!!

  1. Costs are like 1/2 of what AWS was costing!
  2. Disconnects have gone away! Now part of this could be that I have it automatically reconnect via an option (not sure if that was on before), but I now have reliable VPN service at about $6 / month.

I couldn't be happier with this system!

@zuk

zuk commented Aug 7, 2017

The disconnects are definitely still happening with the latest master build and IKEv2 on macOS. They usually happen around the 10 minute mark. Messing around with DeadPeerDetectionRate doesn't seem to make much of a difference. Setting it to High just causes it to disconnect every minute or so, and with None it disconnects randomly after 15+ minutes.

@expaand

expaand commented Aug 24, 2017

I continue to experience random disconnects on all Apple devices: MacOS, IOS (ipad and iphone). Using VPN build of July 9, 2017 on AWS. This is really a hassle! Is there any solution? Thanks! Sometimes the Mac stays up for a day or two, but usually disconnects much sooner.

@Dotnaught

Likewise, the VPN won't remain connected for me. OS X 10.12.6. Tried DeadPeerDetectionRate on None. Didn't help.

@expaand

expaand commented Dec 6, 2017

I continue to experience random disconnects on all Apple devices (MacOS, IOS ipad and phone). It would be nice if this ticket could be reopened. And then:

  1. resolve the problem
     OR
  2. explain that it cannot be resolved, with a reason.

Otherwise, I am left continually having to connect, which is definitely a hassle.

I love the project! But we need to come to some sort of fix, agreement, or explanation.

Thank you.

@useradd-deploy

While your problem of random disconnects may differ from mine (#727) of not being able to connect multiple macOS and iOS devices simultaneously, you might consider whether you're also dealing with a router issue. Do you experience random disconnects when your devices are connecting through routers on other networks?

@cwpenner

cwpenner commented May 3, 2018

I'm definitely still having these exact same disconnect issues on my iPhone and iPad with Algo running on an Amazon Lightsail US-WEST2 instance. The result is my iPhone and iPad lose all internet access until they reconnect successfully, so I end up disabling the VPN and trying to enable it again a couple hours later, which usually works, but it's annoying to have to do so. I'm hoping this ticket can be reopened and the issues further researched.

@cprkrn

cprkrn commented Jun 28, 2018

Same issue, but mine has never successfully connected, just pings back and forth between "connecting".

@DAgcy

DAgcy commented Nov 23, 2018

Guys! I found the solution!

  1. create a new cert for the additional domain
    certbot certonly --rsa-key-size 4096 --standalone --agree-tos --no-eff-email --email xxx@xxxxxxx.com -d new-sub-domain.xxxx.com

  2. copy new files to strongswan
    cp /etc/letsencrypt/live/new-sub-domain.xxxx.com/fullchain.pem /etc/strongswan/ipsec.d/certs/fullchain_new_subdomain.pem
    cp /etc/letsencrypt/live/new-sub-domain.xxxx.com/privkey.pem /etc/strongswan/ipsec.d/private/privkey_new_subdomain.pem
    cp /etc/letsencrypt/live/new-sub-domain.xxxx.com/chain.pem /etc/strongswan/ipsec.d/cacerts/chain_new_subdomain.pem

  3. Edit vi /etc/strongswan/ipsec.conf
    Add new conn like current BUT
    edit lines
    leftid
    leftcert
    put there new subdomain

  4. edit vi /etc/strongswan/ipsec.secrets
    add new line
    : RSA "privkey_new_subdomain.pem"
    usernew : EAP "Password123"

  5. systemctl restart strongswan

@TC1977
Contributor

TC1977 commented Nov 23, 2018

If I understand correctly, you're saying that using a Let's Encrypt certificate and a new subdomain will solve iOS connection dropping problems?

@apawloski

This still occurs as of version 1.1 on a DO droplet. I've noticed this on hotel wifis. Haven't been on a trusted network to verify there.

@TC1977
Contributor

TC1977 commented Apr 24, 2019

That might be more of a hotel (or other public space) Wi-Fi problem, as I've noticed my MacBook Pro has problems connecting on hotel Wi-Fi since 10.14. I've added https://captive.apple.com/hotspot-detect to my bookmarks, which seems to help. WireGuard also seems to work better than IPsec.
