Fix 963 #1377
Conversation
* Update algo * Update algo
…ts#655) We're already doing it this way for CA_password, and ansible's to_uuid is problematic as it uses uuid v5 under the hood (trailofbits#654)
* add new Frankfurt zones to algo script and ansible docs * backfill ansible docs for recently added GCP zones in London and Sydney
…bits#711) * docs/client-linux.md housekeeping * add fedora-workstation instructions to client-linux.md * add deploy-from-fedora-workstation doc * change client-linux.md to internal link * add deploy-from-fedora-workstation links * correct markup * correct typo
* Update to deploy-to-ubuntu.md A fresh install (Off CD / ISO) doesn't include python-pip or python virtualenv module. The fixes above take care of the additional requirements, as well as updating pip. * Update deploy-to-ubuntu.md Fix Typo
`server_name` should be `gce_server_name` for Google Compute Engine
…ts#736) * Update script to restart the dnsmasq service using systemctl (systemd) command instead of service (Upstart) * Use instead of legacy REF: https://github.com/koalaman/shellcheck/wiki/SC2006 * Replace non-standard egrep (deprecated) with grep -E. REF: https://github.com/koalaman/shellcheck/wiki/SC2196
zesty is no longer available; disable Ubuntu 17 entirely
* Add cleanup step for SSH key. * Two space tabs are hard to see.
build-essential and python-dev are required when compiling pycrypt. Added the necessary packages to the apt-get install line.
* Simplify Apple Profile Configuration Template * enable lstrip_blocks * remove ldashes
…ilofbits-master
Sync branch
Sync branch
tc1977 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
…ilofbits-master
Changes Child_SA lifetime to 2 hours, and IKE_SA lifetime to 12 hrs (Apple default is actually 12h for both).
Switching to inline rekeying from reauthentication, and lengthening child_SA and IKE_SA lifetimes.
Not sure why I had it at 120 for this. I'm running fine with both IKE lifetime and CHILD_SA lifetimes at 1440 (Apple default).
So, I tried to rebase this and remove the commits by 'tc1977' (no idea why that happened), and it obviously didn't work. Help?
I was able to use force-push to sync my fork with upstream, but have no idea how to preserve these commits (and change the author). So I made a clean branch. See #1379.
Description

Much pain and debugging of #963 over the last several months led me to conclude that the "Connecting..." loop is mainly one of outgoing policies not being deleted properly by strongSwan. It seems to happen most frequently when the client switches between Wi-Fi/LTE, often when there's a poor connection with either. The best way to resolve this may be to make the connection itself longer-lived, by changing settings on both the server and iOS/macOS side.

/etc/ipsec.conf changed to lifetime=3h, ikelifetime=12h.

/etc/strongswan.d/charon.conf changed to close_ike_on_child_failure = yes, half_open_timeout = 5, inactivity_close_ike = yes, (NAT) keep_alive = 25, and reuse_ikesa = yes.

Motivation and Context

Makes strongSwan connections longer-lived, introduces charon.conf installation for future modifications if needed. Read the saga of #963 if you like.

How Has This Been Tested?

Ran Algo server since late November with the current configuration. No "unable to install policy...same policy for reqid xxx exists" errors. Today: cloud installed this branch from a Mac onto AWS, no installation errors, mobileconfigs appropriately modified, /etc/ipsec.conf and /etc/strongswan.d/charon.conf also appropriately installed. mobileconfig installed onto iPhone running 12.1.4, no issues, websites load successfully.
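An added check, not code from this PR or from Algo: it parses both strongSwan config formats (ipsec.conf sections and charon.conf blocks) and reports any of the settings listed in the description that are missing or set to a different value. The sample configs embedded in it are constructed, and the expected values are the ones the PR describes.

```python
# Added example, not code from the PR or from Algo: verify that the
# strongSwan settings described above are present. Sample configs are constructed.
IPSEC_CONF = """conn %default
    keyexchange=ikev2
    lifetime=3h
    ikelifetime=12h
"""
CHARON_CONF = """charon {
    close_ike_on_child_failure = yes
    half_open_timeout = 5
    inactivity_close_ike = yes
    keep_alive = 25
    reuse_ikesa = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
"""
# Section -> expected key/value pairs, as listed in the PR description.
EXPECTED = {
    "conn %default": {"lifetime": "3h", "ikelifetime": "12h"},
    "charon": {"close_ike_on_child_failure": "yes", "half_open_timeout": "5",
               "inactivity_close_ike": "yes", "keep_alive": "25", "reuse_ikesa": "yes"},
}

def parse_strongswan(text):
    """Flatten ipsec.conf ('conn x' sections, key=value lines) and
    charon.conf ('name { ... }' blocks) into {section: {key: value}}."""
    sections, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.endswith("{"):                    # charon.conf block open
            path.append(line[:-1].strip())
        elif line.strip() == "}" and path:        # charon.conf block close
            path.pop()
        elif not line[0].isspace() and "=" not in line:   # ipsec.conf section
            path = [line.strip()]
        elif path and "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(".".join(path), {})[key.strip()] = value.strip()
    return sections

def audit(ipsec_text=IPSEC_CONF, charon_text=CHARON_CONF):
    """Return [(section, key, found, expected)] for each setting that is off."""
    found = parse_strongswan(ipsec_text)
    found.update(parse_strongswan(charon_text))
    return [(sec, k, found.get(sec, {}).get(k), v)
            for sec, keys in EXPECTED.items() for k, v in keys.items()
            if found.get(sec, {}).get(k) != v]
```

Pointing `audit()` at the real files on a deployed server (read them and pass the text in) gives an empty list when every setting from this PR is in place.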