[strongSwan] MacOS: IKEv1 fails after wakeup

Tobias Brunner tobias at strongswan.org
Thu Mar 10 09:31:21 CET 2016


Hi Harald,

> 	dpdaction	= hold

This does not make much sense for roadwarrior connections as the installed
trap policy won't allow the gateway to establish a new SA with a
disappeared client.  In particular because virtual IPs are used and the
authentication is asymmetric, that is, it's always the client that has
to initiate the connection.

Use `clear` instead to just remove the state on the server.

> 	dpddelay	= 30s

This together with dpdtimeout (which defaults to 150s) is probably too
low.  The Mac OS X client apparently expects some state to still be
available when it reconnects after waking up (maybe it does not expect
the server to use DPD and remove its state at all).  Since the client
doesn't do a Mode Config exchange when reconnecting (this looks the same
when Mac OS X clients reauthenticate) this only works if the server
still has the previous IKE_SA available (including the previously
assigned virtual IP), which allows it to detect this new connection as
reauthentication and migrate the virtual IP to the new SA.  Since that's
not the case here you'll end up with the following error:

> Mar  7 07:37:47 srvl047 charon: 15[CFG] looking for a child config for 172.19.96.0/19 === 172.19.97.68/32
> Mar  7 07:37:47 srvl047 charon: 15[CFG] proposing traffic selectors for us:
> Mar  7 07:37:47 srvl047 charon: 15[CFG]  172.19.96.0/19
> Mar  7 07:37:47 srvl047 charon: 15[CFG] proposing traffic selectors for other:
> Mar  7 07:37:47 srvl047 charon: 15[CFG]  dynamic
> Mar  7 07:37:47 srvl047 charon: 15[IKE] no matching CHILD_SA config found

As you can see the client proposes its previous virtual IP
172.19.97.68/32 as local traffic selector, but because the server has no
knowledge about that VIP it can't replace the dynamic traffic selector
in its own configuration and there is no match.

I'd try to increase the dpdtimeout and/or dpddelay settings so that
clients may be suspended for longer periods.

Regards,
Tobias
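The two settings discussed in the reply, shown side by side on the gateway as an added example (this is not part of the original thread and not strongSwan's own sample configuration). The subnet and the virtual IP range follow the log excerpt; the conn names, the PSK+XAuth authentication, the pool size and the concrete dpddelay/dpdtimeout values are assumptions and should be tuned to the fleet in question:

```conf
# Added example, not from the original thread or the strongSwan project.
# Two ipsec.conf fragments for the gateway side of an IKEv1 roadwarrior
# connection with Mode Config virtual IPs.  The first reproduces the settings
# discussed in the thread, the second applies the reply's advice.  Subnets
# follow the log excerpt; conn names, auth method, pool and timeout values
# are assumed.

# --- Before: settings discussed in the thread ------------------------------
conn rw-ikev1-before
    keyexchange=ikev1
    left=%any
    leftsubnet=172.19.96.0/19      # from the log: "proposing traffic selectors for us"
    leftauth=psk                   # assumed; the thread does not show the auth method
    right=%any
    rightsourceip=172.19.97.0/24   # assumed VIP pool; 172.19.97.68 in the log came from it
    rightauth=psk                  # assumed
    rightauth2=xauth               # assumed
    dpdaction=hold      # installs a trap policy the gateway can never act on:
                        # the client's VIP is gone and only the client may initiate
    dpddelay=30s        # with the default dpdtimeout (150s, IKEv1 only) a sleeping Mac
                        # is forgotten after ~2.5 minutes; its next reconnect then has
                        # no IKE_SA to migrate the VIP from and fails with
                        # "no matching CHILD_SA config found"
    auto=add

# --- After: the reply's suggestion -----------------------------------------
conn rw-ikev1-after
    keyexchange=ikev1
    left=%any
    leftsubnet=172.19.96.0/19
    leftauth=psk                   # assumed
    right=%any
    rightsourceip=172.19.97.0/24   # assumed
    rightauth=psk                  # assumed
    rightauth2=xauth               # assumed
    dpdaction=clear     # just drop the dead peer's state, no useless trap policy
    dpddelay=120s       # assumed values: keep the IKE_SA (and its VIP) around long
    dpdtimeout=1800s    # enough to cover the suspend periods the clients really have
    auto=add
```

Only one of the two conn sections would be loaded in practice; they are listed together to make the diff visible. Raising dpdtimeout means a dead client's virtual IP is held out of the pool for that long, so the pool must be sized for it.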
