[strongSwan] StrongSwan - Mac OS X IPsec tunnel stops forwarding traffic

Martin Willi martin at strongswan.org
Thu Mar 5 10:54:53 CET 2015


Hi,

> StrongSwan V5.2.0 is configured to be an IPsec VPN gateway on a Linux
> machine.  A Mac laptop connects to it using the native Mac OS X
> v10.10.2 Cisco IPsec VPN client.  The connection is established and
> works well for roughly 6,516 seconds (1 hour, 48 minutes, 36 seconds;
> or ~108 minutes) at which point the tunnel stops forwarding traffic. 

As your strongSwan log is (too) verbose, your syslogger starts dropping
messages. Please reduce your log verbosity to the default level, and if
your syslogger still drops messages, directly log to a file.

Without looking further at your log, most likely you are seeing the
usual re-authentication issue with the native OS X client. Usually this
happens a little sooner, though, but have a look at the discussion at
[1].

We strictly require an XAuth exchange during ISAKMP re-authentication;
the native OS X client does not support that. We can't/won't support
just skipping XAuth, but think this is a (security) bug in the OS X
client. Unfortunately, Apple seems to think differently.

A work-around is to switch to xauth-noauth, and solely rely on the
client certificate for authentication. If that is not an option, you
should consider a different client.

Regards
Martin

[1] https://lists.strongswan.org/pipermail/users/2013-February/004254.html
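The two changes suggested in the reply above, written out as an added configuration example (not taken from the original message or from the strongSwan project); the connection name `osx-cert`, the certificate and address values, and the log path are placeholders, and the example assumes strongSwan was built with the xauth-noauth plugin enabled.

```ini
# --- ipsec.conf (gateway side) ---
# Work-around for the native OS X client: authenticate the client solely by its
# certificate and run a no-op XAuth round, so that re-authentication no longer
# fails on the XAuth exchange the client does not support.
conn osx-cert
    keyexchange=ikev1
    left=%any
    leftcert=gatewayCert.pem        # placeholder: gateway certificate
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=pubkey                # client must present a valid certificate
    rightauth2=xauth-noauth         # XAuth exchange without credential check
    rightsourceip=10.0.1.0/24       # placeholder: virtual IP pool for clients
    auto=add

# --- strongswan.conf ---
# Log at the default level straight to a file so that a busy syslogger does
# not drop messages when you need to inspect a failing re-authentication.
charon {
    filelog {
        /var/log/charon.log {       # placeholder path
            time_format = %b %e %T
            default = 1             # default verbosity for all subsystems
            flush_line = yes
        }
    }
}
```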
