[Swan] Reconnecting to Libreswan using an iPhone

Paul Wouters paul at nohats.ca
Mon Jan 30 01:42:11 UTC 2017


On Sun, 29 Jan 2017, Dynastic Space wrote:

> I am connecting to a libreswan vpn server using an iPhone. After about an hour the internet
> disconnects, although the vpn icon seems connected.

It seems this might be a result of a different IKE / IPsec lifetime,
which is not negotiated. Usually, initiating clients ensure to rekey
within an hour to avoid this. It seems iOS might be using a longer
lifetime, and so it reaches the server's lifetime. As the server is
usually configured not to rekey, it causes the tunnel to end.

> ipsec.conf:
> 
> config setup
>   protostack=netkey
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
>   uniqueids=no
>   plutostderrlog=/var/log/openswan.log
> 
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.231.247.10-10.231.247.254
>     right=%any
>     cisco-unity=yes
>     modecfgdns1=172.31.35.239
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never

I would add:

    ikelifetime=8h
    salifetime=8h

> I connect just fine, and am able to surf for about an hour, at which point
> the vpn connection seems to be on, but no internet traffic is going through.
> After about 20 minutes internet connection is renewed. This scenario is
> repeatable.

I guess iOS is not using DPD/liveness probes to check on the server.
Maybe that can be configured using a mobileconfig profile?

> http://pastebin.com/aUKEjcGR contains the libreswan log file detailing the activity during the
> internet disconnect and reconnect. The log file has been greatly reduced.
> Disconnection occurred at ~09:12:08, and reconnection at ~09:31:45. The
> obfuscated ip is aaa.bbb.ccc.ddd. The user is 'user1'.

It looks like something set up a new connection and deleted the old one?
So perhaps my above fix does not help?

You could test this on OSX where you would have some more logging to see
what is happening on their end. The iphone and OSX should behave
identically with respect to IKE / IPsec.

Paul
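The lifetime mismatch Paul describes (server configured with rekey=no, so an SA simply expires unless the client rekeys first) can be checked mechanically against an ipsec.conf. The script below is an added example, not part of this thread or of libreswan: it parses the conn quoted above (with the e-mail line wrap joined) and flags any lifetime that, with rekey=no, would expire before the 8h floor Paul suggests. It assumes libreswan's documented defaults of ikelifetime=1h and salifetime=8h when a conn does not set them, handles only the plain `section` / indented `key=value` subset of ipsec.conf syntax seen here (no `include` or `also=`), and the 8h floor is a parameter, not an iOS value the thread establishes.

```python
"""Added example: check a libreswan ipsec.conf conn for the IKE/IPsec
lifetime-vs-rekey mismatch discussed in the thread. Not libreswan code."""
import re

# libreswan's documented defaults from ipsec.conf(5), treated here as
# assumptions; they apply whenever a conn does not set the key itself.
DEFAULTS = {"ikelifetime": "1h", "salifetime": "8h", "rekey": "yes"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'8h' -> 28800, '3600' -> 3600 (a bare number means seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}}.

    Section headers start in column 0; settings are indented key=value
    lines; '#' starts a comment. Only this subset of the syntax is handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            if kind not in ("config", "conn") or not name.strip():
                raise ValueError(f"unexpected section header: {line!r}")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        else:
            if current is None:
                raise ValueError(f"setting outside a section: {line!r}")
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"not a key=value setting: {line!r}")
            current[key.strip()] = value.strip()
    return sections


def check_conn(conn, min_lifetime="8h"):
    """Flag lifetimes that expire before the peer can be expected to rekey.

    With rekey=no the server lets an SA expire instead of replacing it, so
    the remote client's own rekey interval must be shorter than each lifetime.
    min_lifetime is the shortest lifetime treated as safe when that interval
    is unknown; 8h follows the suggestion in the thread (an assumption)."""
    effective = {**DEFAULTS, **conn}
    floor = parse_duration(min_lifetime)
    findings = []
    if effective["rekey"] == "no":
        for key in ("ikelifetime", "salifetime"):
            seconds = parse_duration(effective[key])
            if seconds < floor:
                origin = "explicit" if key in conn else "default"
                findings.append(
                    f"{key}={effective[key]} ({origin}, {seconds}s) with rekey=no: "
                    f"the tunnel drops after {seconds}s unless the client rekeys first")
    return findings


# Constructed sample: the conn quoted in the thread, e-mail line wrap joined.
ORIGINAL_CONF = """\
config setup
  protostack=netkey
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
  uniqueids=no
  plutostderrlog=/var/log/openswan.log

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    cisco-unity=yes
    modecfgdns1=172.31.35.239
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never
"""

# The same conn with the two lines the reply suggests adding.
FIXED_CONF = ORIGINAL_CONF + "    ikelifetime=8h\n    salifetime=8h\n"


def findings_for(conf_text, conn_name="xauth-psk"):
    return check_conn(parse_ipsec_conf(conf_text)[f"conn {conn_name}"])


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label, findings_for(conf) or ["no lifetime/rekey mismatch"])
```

Run as-is, the original conn is flagged only for the defaulted ikelifetime=1h, which matches the roughly one-hour drop reported; salifetime already sits at the 8h default and is not flagged. With the two suggested lines added the check reports nothing. If the peer's actual rekey interval is known, pass it as `min_lifetime` instead of the 8h floor.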
