[strongSwan] iOS 9 & IKEv2: Strange network issues with active vpn connection over 3G

Marcel Müller marcel-mueller at gmx.de
Thu Nov 5 22:42:48 CET 2015


Hello everyone,

for several years I've been using strongSwan to connect a few iOS devices to
our network via IKEv1. After the release of iOS 8 I switched some devices
to the new IKEv2 client and never looked back.

Now with iOS 9 it looks like newer devices, tested with iPhone 6 and iPad
Air 2, are having trouble when using IKEv2 over a cellular connection (most
notably when using 3G). When the VPN connection is established (which works
fine in every case!) and there is no network traffic for a few seconds
(5-10), the next request is unsuccessful – immediately retrying the request
works fine. In case of a failure Safari states "Safari is unable to open the
website as the network connection was interrupted" ("Safari kann die Seite
nicht öffnen, da die Netzwerkverbindung unterbrochen wurde" is the original
message in German).

As the update to iOS 9 was parallel to a complete restructuring of our
network, I tried to track down the problem: I switched our main router,
tried an older version of strongSwan, used other non-virtualized server
hardware, etc., but nothing helped.

Here's what I've found out:

- Only happens on newer iOS devices (iPhone 6 / iPad Air 2); I was unable to reproduce this with an iPad 2.

- Best reproducible on 3G; works fine over a Wifi connection.

- Is independent of the HTTP server (internal / external).

- Is independent of the cellular provider (tested Deutsche Telekom and o2 Germany).

- Reducing the maximum segment size did not help.

- Happens in full-tunnel and split-tunnel mode.

- So far, I've been unable to reproduce this problem with IKEv1!

- Running a ping indicates that the first connection needs between 900-1200ms whereas the consecutive pings are around 100ms.

I think the last one could be a problem for iOS 9, running into a timeout or
something because it did not take the ~1000ms into account.

I've run Wireshark on one of our HTTP servers. In case of a failure the TCP
3-way handshake is completed, but instead of sending an HTTP GET the iOS
device sends a FIN,ACK, closing the connection – the server then responds
with RST,ACK.

Putting it all together, it looks like this problem is unrelated to
strongSwan and is a bug in iOS 9 (tested iOS 9.1 and 9.2 Beta 2). Therefore
I'm wondering if anyone here has experienced similar problems or has an
absolutely stable iOS 9 IKEv2 connection on 3G?! If anyone has a comment or
an idea what this is, or if this could be prevented by changes on my side, I'm
happy to hear them.

For the record:

strongSwan 5.3.3

Auth. via machine certificates

Full-tunnel, e.g. leftsubnet=0.0.0.0/0

Thanks in advance,

Best regards,

Marcel
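As an added example (not part of the post above, and not strongSwan or Apple code), a small Python classifier that walks tshark-style connection summary lines and flags the pattern the capture showed: a completed three-way handshake followed by a client FIN before any request bytes, then a server RST. The line format, the addresses and the sample lines are constructed assumptions; a real capture would be exported into this shape first.

```python
import re

# Constructed tshark-like summary lines, not the post's own capture: flow 52413
# shows the described symptom, flow 52414 is a healthy request.
SAMPLE_LOG = """\
10.0.0.5:52413 > 10.0.0.80:80 SYN len=0
10.0.0.80:80 > 10.0.0.5:52413 SYN,ACK len=0
10.0.0.5:52413 > 10.0.0.80:80 ACK len=0
10.0.0.5:52413 > 10.0.0.80:80 FIN,ACK len=0
10.0.0.80:80 > 10.0.0.5:52413 RST,ACK len=0
10.0.0.5:52414 > 10.0.0.80:80 SYN len=0
10.0.0.80:80 > 10.0.0.5:52414 SYN,ACK len=0
10.0.0.5:52414 > 10.0.0.80:80 ACK len=0
10.0.0.5:52414 > 10.0.0.80:80 PSH,ACK len=120
"""
LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\S+) len=(\d+)$")

def verdict(f):
    """Turn per-flow counters into a one-line classification."""
    if not f["handshake"]:
        return "incomplete handshake"
    if f["data"]:
        return "ok: client sent %d payload bytes" % f["data"]
    suspect = "SUSPECT: client FIN before any request" + (", then server RST" if f["rst"] else "")
    return suspect if f["fin_first"] else "idle: no payload yet"

def classify_flows(text):
    """Map each client-initiated flow (client, server) to a verdict string."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, flags, length = (m[1], int(m[2])), (m[3], int(m[4])), set(m[5].split(",")), int(m[6])
        if flags == {"SYN"}:  # bare SYN identifies the client side of a new flow
            flows[(src, dst)] = dict(synack=False, handshake=False, data=0, fin_first=False, rst=False)
            continue
        key = (src, dst) if (src, dst) in flows else (dst, src)
        if key not in flows:
            continue
        f, from_client = flows[key], key == (src, dst)
        if not from_client:
            f["synack"] |= "SYN" in flags  # server's SYN,ACK
            f["rst"] |= "RST" in flags     # server tore the connection down
            continue
        f["handshake"] |= f["synack"] and "ACK" in flags  # third handshake packet
        f["data"] += length
        if "FIN" in flags and f["data"] == 0:  # closed without ever sending a request
            f["fin_first"] = True
    return {k: verdict(v) for k, v in flows.items()}
```

Run over a whole capture, the ratio of SUSPECT flows to ok flows per client address gives a quick way to confirm whether the failures correlate with idle gaps rather than with a particular server.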