[strongSwan] Trouble switching networks - iOS

Jody Whitesides jody at jodywhitesides.com
Fri May 11 02:35:51 CEST 2018 

I have a VPN set up on a server where it also serves websites and email. I’m having trouble with switching from WiFi to Cellular with an iPhone. If the connection was made for the VPN on WiFi I can access websites & email local to the VPN. Then if I have to switch to cellular, I can no longer access the websites & email on the server. It takes a good deal of time before the VPN will allow the iPhone to "see" local websites and connect to the email server.

Here’s my config:

conn %default
        ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
        esp             =aes256-sha1,3des-sha1!
        fragmentation   =yes
        auto            =add
        dpdaction       =clear
        dpddelay        =60s
        lifetime        =24h
        ikelifetime     =1440m
        keylife         =60m
        rekeymargin     =3m
        keyingtries     =1
        rekey           =no
        aggressive      =no
        left            =%any
        leftid          =138.68.251.157
        leftcert        =/etc/ipsec.d/certs/jwVPNCert.pem
        leftsendcert    =always
        leftsubnet      =0.0.0.0/0
        right           =%any
        rightid         =%any
        rightauth       =eap-mschapv2
        rightdns        =172.98.193.42,198.199.84.126,45.63.54.250
        rightsourceip   =192.168.2.0/24

conn ios
        keyexchange     =ikev1
        dpdtimeout      =5s
        mobike          =yes
        leftallowany    =yes
        leftfirewall    =yes
        leftauth        =pubkey
        rightallowany   =yes
        rightauth       =pubkey
        rightauth2      =xauth
        rightfirewall   =yes
        rightcert       =/etc/ipsec.d/certs/JodyVpnCert.pem

Can anyone explain why switching between networks is killing the access to the local websites & email on the server for the iPhone?

I’ve been adding lines like the lifetime, ikelifetime, key life, rekey, keyingtries, but none of it seems to make a difference in getting it to kick in a new connection to allow the phone to see the local content.

Thank you,

Jody
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180510/fdc5d13b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2354 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180510/fdc5d13b/attachment-0001.bin>

More information about the Users mailing list