Fix 963 #1377
Closed
Fix 963 #1377
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Update algo * Update algo
…ts#655) We're already doing it this way for CA_password, and ansible's to_uuid is problematic as it uses uuid v5 under the hood (trailofbits#654)
* add new Frankfurt zones to algo script and ansible docs * backfill ansible docs for recently added GCP zones in London and Sydney
…bits#711) * docs/client-linux.md housekeeping * add fedora-workstation instructions to client-linx.md * add deploy-from-fedora-workstation doc * change client-linux.md to internal link * add deploy-from-fedora-workstation links * correct markup * correct typo
* Update to deploy-to-ubuntu.md A fresh install (Off CD / ISO) doesn't include python-pip or python virtualenv module. The fixes above take care of the additional requirements, as well as updating pip. * Update deploy-to-ubuntu.md Fix Typo
`server_name` should be `gce_server_name` for Google Compute Engine
…ts#736) * Update script to restart the dnsmasq service using systemctl(systemd) command instead of service(Upstart) * Use instead of legacy REF: https://github.com/koalaman/shellcheck/wiki/SC2006 * Replace non-standard egrep(deprecated) for grep -E. REF: https://github.com/koalaman/shellcheck/wiki/SC2196
zesty is no longer available disable ubuntu 17 at all
* Add cleanup step for SSH key. * Two space tabs are hard to see.
build-essential and python-dev are required when compiling pycrypt. Added the necessary packages to the apt-get install line.
* Simplify Apple Profile Configuration Template * enable lstrip_blocks * remove ldashes
…ilofbits-master
Sync branch
Sync branch
|
tc1977 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
…ilofbits-master
Changes Child_SA lifetime to 2 hours, and IKE_SA lifetime to 12 hrs (Apple default is actually 12h for both).
Switching to inline rekeying from reauthentication, and lengthening child_SA and IKE_SA lifetimes.
Not sure why I had it at 120 for this. I'm running fine with both IKE lifetime and CHILD_SA lifetimes at 1440 (Apple default).
|
So, I tried to rebase this and remove the commits by 'tc1977' (no idea why that happened), and it obviously didn't work. Help? |
Changes Child_SA lifetime to 2 hours, and IKE_SA lifetime to 12 hrs (Apple default is actually 12h for both).
Switching to inline rekeying from reauthentication, and lengthening child_SA and IKE_SA lifetimes.
Not sure why I had it at 120 for this. I'm running fine with both IKE lifetime and CHILD_SA lifetimes at 1440 (Apple default).
|
I was able to use force-push to sync my fork with upstream, but have no idea how to preserve these commits (and change the author). So I made a clean branch. See #1379. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Much pain and debugging of #963 over the last several months led me to conclude that the "Connecting..." loop is mainly one of outgoing policies not being deleted properly by strongSwan. It seems to happen most frequently when the client switches between Wi-Fi/LTE, often when there's a poor connection with either. The best way to resolve this may be to make the connection itself longer-lived, by changing settings on both the server and iOS/macOS side.
/etc/ipsec.confchanged tolifetime=3h,ikelifetime=12h./etc/strongswan.d/charon.confchanged toclose_ike_on_child_failure = yes,half_open_timeout = 5,inactivity_close_ike = yes, and (NAT)keep_alive = 25,reuse_ikesa = yes.Motivation and Context
Makes strongSwan connections longer-lived, introduces
charon.confinstallation for future modifications if needed. Read the saga of #963 if you like.How Has This Been Tested?
Ran Algo server since late November with the current configuration. No "unable to install policy...same policy for reqid xxx exists" errors. Today: cloud installed this branch from a Mac onto AWS, no installation errors, mobileconfigs appropriately modified,
/etc/ipsec.confand/etc/strongswan.d/charon.confalso appropriately installed. mobileconfig installed onto iPhone running 12.1.4, no issues, websites load successfully.Types of changes
Checklist: