[strongSwan] iOS 9 & IKEv2: Strange network issues with active vpn connection over 3G

Michael Stiller ms at 2scale.net
Fri Nov 6 07:06:12 CET 2015


Hi Marcel,

I tried to establish an IKEv2 connection using iOS 9.1 and strongSwan 5.3.3 but was not able to connect so far.

Could you please share your configuration (especially the iOS config)? If I'm able to connect, I can try to
reproduce your problem.

Best regards,

Michael

> Hello everyone,
>  
> for several years I’ve been using strongSwan to connect a few iOS devices to our network via IKEv1. After the release of iOS 8 I’ve switched some devices to the new IKEv2 client and never looked back.
> Now with iOS 9 it looks like newer devices, tested with iPhone 6 and iPad Air 2, are having trouble when using IKEv2 over a cellular connection (most notably when using 3G). When the VPN connection is established (which works fine in every case!) and there is no network traffic for a few seconds (5-10), the next request is unsuccessful – immediately retrying the request works fine. In case of a failure Safari states “Safari is unable to open the website as the network connection was interrupted” (“Safari kann die Seite nicht öffnen, da die Netzwerkverbindung unterbrochen wurde” is the original message in German).
>  
> As the update to iOS 9 was parallel to a complete restructuring of our network I tried to track down the problem: I’ve switched our main router, tried an older version of strongSwan, used another non-virtualized server hardware, etc. but nothing helped.
>  
> Here’s what I’ve found out:
> - Only happens on newer iOS devices (iPhone 6 / iPad Air 2), was unable to reproduce this with an iPad 2.
> - Best reproducible on 3G, works fine over Wi-Fi connection
> - Is independent of the HTTP server (internal / external)
> - Is independent of the cellular provider (tested Deutsche Telekom and o2 Germany)
> - Reducing the maximum segment size did not help
> - Happens in full-tunnel and split-tunnel mode
> - So far, I’ve been unable to reproduce this problem with IKEv1!
> - Running a ping indicates that the first connection needs between 900-1200ms whereas the consecutive pings are around 100ms.
>  
> I think the last one could be a problem for iOS 9, running into a timeout or something because it did not take the ~1000ms into account.
>  
> I’ve run Wireshark on one of our HTTP servers. In case of a failure the TCP 3-way handshake is completed, but instead of sending an HTTP GET the iOS device sends a FIN,ACK, closing the connection – the server then responds with RST,ACK.
>  
> Putting it all together it looks like this problem is unrelated to strongSwan and is a bug in iOS 9 (tested iOS 9.1 and 9.2 Beta 2). Therefore I’m wondering if anyone here experienced similar problems or has an absolutely stable iOS 9 IKEv2 connection on 3G?! If anyone has a comment or an idea what this is or if this could be prevented by changes on my side I’m happy to hear them.  
>  
> For the record:
> strongSwan 5.3.3
> Auth. via machine certificates
> Full-tunnel, e.g. leftsubnet=0.0.0.0/0
>  
> Thanks in advance,
> Best regards,
> Marcel
>  
>  

-- 
2scale GmbH, Schanzenstr. 20, 40549 Düsseldorf
Amtsgericht: Düsseldorf HRB 50718
Geschäftsführer: Georg von Zezschwitz, Dirk Vleugels
USt-IdNr.: DE 210936505
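The capture pattern Marcel describes (handshake completes, then the client sends FIN before any HTTP request bytes, server answers RST) can be picked out of a tcpdump-style log automatically. The script below is an added example for this thread, not code from either poster or from strongSwan; it runs over constructed sample lines in tcpdump's default TCP output format and flags flows where the client closed an established connection without ever sending payload.

```python
import re

# Constructed tcpdump-style lines (not from the thread): flow 50001 completes the
# handshake and then sends FIN with no payload, flow 50002 is a normal request.
SAMPLE_LINES = """\
10:00:00.000 IP 10.0.1.5.50001 > 10.0.2.10.80: Flags [S], length 0
10:00:00.010 IP 10.0.2.10.80 > 10.0.1.5.50001: Flags [S.], length 0
10:00:00.020 IP 10.0.1.5.50001 > 10.0.2.10.80: Flags [.], length 0
10:00:00.030 IP 10.0.1.5.50001 > 10.0.2.10.80: Flags [F.], length 0
10:00:00.040 IP 10.0.2.10.80 > 10.0.1.5.50001: Flags [R.], length 0
10:00:01.000 IP 10.0.1.5.50002 > 10.0.2.10.80: Flags [S], length 0
10:00:01.010 IP 10.0.2.10.80 > 10.0.1.5.50002: Flags [S.], length 0
10:00:01.020 IP 10.0.1.5.50002 > 10.0.2.10.80: Flags [.], length 0
10:00:01.030 IP 10.0.1.5.50002 > 10.0.2.10.80: Flags [P.], length 120
10:00:01.040 IP 10.0.2.10.80 > 10.0.1.5.50002: Flags [P.], length 600
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], length (?P<length>\d+)$"
)

def find_empty_closes(text):
    """Return (client_ip, client_port) for every flow in which the client
    completed the 3-way handshake and then sent FIN without any payload."""
    flows = {}  # (cip, cport, sip, sport) -> {"state": ..., "client_bytes": int}
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
        flags, length = m["flags"], int(m["length"])
        if "S" in flags and "." not in flags:          # bare SYN: client opens flow
            flows[(src, sport, dst, dport)] = {"state": "syn", "client_bytes": 0}
            continue
        if (src, sport, dst, dport) in flows:          # client -> server
            f = flows[(src, sport, dst, dport)]
            if f["state"] == "synack" and "." in flags and length == 0:
                f["state"] = "established"             # third handshake packet
            elif f["state"] == "established":
                f["client_bytes"] += length
                if "F" in flags and f["client_bytes"] == 0:
                    hits.append((src, sport))          # FIN before any request bytes
                    f["state"] = "closed"
        elif (dst, dport, src, sport) in flows:        # server -> client
            f = flows[(dst, dport, src, sport)]
            if f["state"] == "syn" and "S" in flags and "." in flags:
                f["state"] = "synack"
    return hits
```

Feed it `tcpdump -n -i <iface> tcp port 80` output from the HTTP server to count how often the idle-then-fail pattern occurs versus normal requests.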