-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IKEv2 security association continually re-established when using iOS 10, strongSwan 5.3.5 #430
Comments
This issue has also been reported to Apple under Radar 31649808. |
Thanks for such a detailed finding! I was under the impression that Ubuntu 16.04 uses strongSwan 5.1.2 and that Ubuntu 17.04 upgraded to 5.5.1. I think this issue only affects Ubuntu 16.10? |
Also, it does appear that increasing the |
Ah yes, Ubuntu 16.04 uses 5.3.5 now.
It looks like we'll have to test the workaround of modifying the dpddelay. We may investigate changing the base install to Ubuntu 17.04 in the near future. |
The patch above keeps iphone connected in the sleep mode |
@evanchaney Is disabling dpd entirely a good solution for you? |
That does mitigate some of the re-association churn, yes. However, disabling DPD checks may have other adverse effects. With the dead-peer-detection delay set above the child security association lifetime my everyday device has delivered longer battery life and IKE security association initializations are down. However, my phone continues to start new IKE SAs when it doesn’t seem like it should need to. In the first hour of starting a new Algo VPN instance it initiated about 1 new IKE SA per minute even though the server was not terminating the existing SA. As a result, the server issued 62 of its 255 virtual IPs in the first hour. (I also had 2 other devices associated.) Without performing dead-peer checks the server might run out of private IPs to assign to clients. The issue could be further complicated if the user uses the same VPN identity across multiple devices. It appears iOS 10 may send an INITIAL_CONTACT notification in each IKE_INIT_SA request indicating any previous IKE SAs from that identity should be closed. When using a laptop and a phone concurrently with the same identity each device’s session would continually be reset. I haven’t yet confirmed or isolated the cause of these new observations, but if they are bugs or behaviors of iOS’ IKEv2 client turning off DPD checks rather than just raising the interval could have adverse effects like IP depletion. I’ll continue trying to isolate and identify the behaviors I’m seeing. |
Would it make sense to enable dead peer detection, but only on zesty?
I can submit a PR for this if we can do this. |
We don't support Zesty yet. In progress #449 |
Since this has been re-opened I'll add a few more observations on using strongSwan 5.5.1 with iOS 10. I spent some time trying many different permutations of Also, when a device is struggling to reconnect I see no logging output from |
OS / Environment
Ansible version
Version of components from
requirements.txt
Summary of the problem
strongSwan 5.3.5 when used with iOS 10 results in continual
re-establishment of the IKEv2 security association between the iOS
device and charon daemon. Re-association happens anywhere from
several times per minute to several times per hour.
When used on an everyday device with many services setup (email,
calendaring, background app refreshing) an apparent effect is
significantly decreased battery life on the iOS device (2x difference
observed between the IKEv2 VPN configuration and a non-IKEv2 VPN
configuration). No effect has been observed on the ability to retrieve
data over the VPN, however.
In one instance 51 re-associations were observed over 18 minutes.
Steps to reproduce the behavior
append=yes
instrongswan.conf, adjust AppArmor profile to allow access to
/var/log/charon.log, reload AppArmor profile and restart
strongswan).
new device (no restore from backup).
notifications and receives no response. After several retries the
IKEv2 server terminates the IKE security association requiring the
iOS device to re-establish it and the child SA. Observe the issue
repeats continuously.
The way of deployment (cloud or local)
Expected behavior
server. IKEv2 server retains the IKE SA between the server and
client.
Actual behavior
server re-attempts the DPD check 5 times then deletes the IKE SA
between iOS device and IKEv2 server.
Possible resolutions
It is not clear if the root cause lies in iOS or strongSwan:
https://wiki.strongswan.org/issues/2126
However, strongSwan states the issue is resolved in strongSwan 5.5.1.
Modifying Algo to install strongSwan from source rather than APT would
allow for installation of a specific (newer) version of strongSwan.
Alternatively, modifying Algo to allow the choice of Ubuntu image
used would make it possible for the installer to get a newer version of
the strongSwan package by using a non-LTS version of Ubuntu (17.04).
It may be possible to work around the issue by configuring the charon
keepalive/DPD rate to occur at a higher rate than iOS so iOS
is always the DPD initiator. This has not yet been explored.
charon.logs
The text was updated successfully, but these errors were encountered: