[strongSwan] IPSec / IKEv2, IP-(Re)assignment problem
Sven Anders
anders at anduras.de
Thu May 16 16:16:02 CEST 2019
Hello!
We are using strongswan to connect iPhones and iPads via IPSec with IKEv2.
The authentication and connection works fine.
We configured two IP pools: a dynamic and a static pool.
The static pool entries look like:
192.168.220.1=john.doe@domainname.com
The (first) assignment of the static or dynamic IPs worked as expected.
Now we are experiencing an IP (re)assignment problem and hope you can help.
If a mobile device, which is connected with the correctly assigned static
IP address, leaves the reception area of the Wifi or LTE cell, the
device tries to reconnect and now receives a dynamic IP.
This only happens if the time between disconnection and reconnect is
shorter than ~30 seconds.
You can emulate this by disabling and re-enabling the "mobile data" on the
iPhone.
We expected that the devices would get the same IP after reconnection.
We tried to play with the retransmission values
(https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission)
and tried to play with the DPD values (as far as they apply to IKEv2).
Can you help?
Regards
Sven
----------------------------------------------------------------------
Here are the full configs:
ipsec.conf:

config setup
    uniqueids=never

conn rw-base
    fragmentation=yes
    dpdtimeout=90s
    dpddelay=30s
    dpdaction=clear

conn rw-config
    also=rw-base
    reauth=no
    rekey=no
    ike=aes256-sha2_256-prfsha256-modp1024-modp2048,aes256gcm16-prfsha384-modp3072!
    esp=aes256-sha2_256-prfsha256,aes256-sha1,aes256gcm16-modp3072!
    leftsubnet=10.0.0.0/8 # Split tunnel config
    leftid="vpn.domainname.net"
    leftcert=vpn.domainname.net.pem
    leftsendcert=always
    left=217.6.20.66
    lefthostaccess=yes
    rightdns=10.1.3.10, 10.1.3.11
    rightsourceip=%static, %dynamic

conn ikev2-pubkey
    also=rw-config
    keyexchange=ikev2
    auto=route
strongswan.conf:

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }

    # Do not install routes or virtual IPs.
    install_routes = no
    install_virtual_ip = no

    # Test values
    retransmit_jitter = 0
    retransmit_limit = 0
    retransmit_timeout = 4.0
    retransmit_tries = 1

    # Benchmark crypto algorithms and order them by efficiency.
    crypto_test { bench = yes }

    # Configure additional plugins.
    plugins {
        attr-sql { database = sqlite:///var/lib/ipsec/ippool.sqlite3 }
        attr {
            # Split tunnel
            dns = 10.1.3.10, 10.1.3.11
            25 = domain.local
        }
    }
}
The pools were created with:
ipsec pool --add dynamic --start 192.168.3.20 --end 192.168.3.254 --timeout 4h
ipsec pool --add static --addresses static.ippool --timeout 0
--
Sven Anders <anders at anduras.de> () UTF-8 Ribbon Campaign
/\ Support plain text e-mail
ANDURAS intranet security AG
Messestrasse 3 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin
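Added illustration (editor's toy code, not strongSwan's implementation and not part of the post): a small two-pool allocator that models the interplay of the posted settings. It assumes one hypothesis that the post itself does not state: with uniqueids=never the old IKE_SA is not replaced when the same identity reconnects, so its static lease stays in use until DPD (dpddelay plus the retransmit window) clears it, and the pool order "%static, %dynamic" then falls through to the dynamic pool. The static pool file format is the one shown in the post; the sample entries and identities are constructed. The parser also rejects duplicate addresses and identities, which is a check worth running on a real static.ippool before loading it.

```python
"""Toy model of a two-pool virtual-IP allocator (not strongSwan code).

Hypothesis modelled (an assumption, not stated in the post): a stale IKE_SA
keeps its pool lease until DPD clears it, so a fast reconnect by the same
identity cannot get its static address and falls through to %dynamic.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of a static pool file, in the 'address=identity'
# format shown in the post.
STATIC_POOL = """\
# address=identity
192.168.220.1=john.doe@domainname.com
192.168.220.2=jane.roe@domainname.com
"""


def parse_static_pool(text):
    """Parse 'address=identity' lines into {identity: IPv4Address}.

    Rejects malformed addresses and duplicate identities or addresses,
    since either would make static assignment ambiguous.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, sep, ident = line.partition("=")
        if not sep or not ident.strip():
            raise ValueError(f"malformed pool line: {line!r}")
        ip = ipaddress.ip_address(addr.strip())
        ident = ident.strip()
        if ident in table:
            raise ValueError(f"identity {ident} listed twice")
        if ip in table.values():
            raise ValueError(f"address {ip} assigned twice")
        table[ident] = ip
    return table


@dataclass
class Allocator:
    """Pools tried in order: static (per-identity, timeout 0), then dynamic."""
    static: dict                      # identity -> fixed address
    dyn_start: ipaddress.IPv4Address
    dyn_end: ipaddress.IPv4Address
    leases: dict = field(default_factory=dict)  # address -> (identity, sa_id)

    def assign(self, ident, sa_id):
        # Static pool first: the fixed address is usable only if no other
        # (possibly stale) SA still holds the lease.
        addr = self.static.get(ident)
        if addr is not None and addr not in self.leases:
            self.leases[addr] = (ident, sa_id)
            return ("static", addr)
        # Fall through to the first free dynamic address.
        a = self.dyn_start
        while a <= self.dyn_end:
            if a not in self.leases:
                self.leases[a] = (ident, sa_id)
                return ("dynamic", a)
            a += 1
        raise RuntimeError("pools exhausted")

    def release(self, sa_id):
        """Free every lease held by the given IKE_SA (DPD cleared it)."""
        for addr, (_, sid) in list(self.leases.items()):
            if sid == sa_id:
                del self.leases[addr]


def reconnect_scenario(gap_seconds, dpddelay=30, retransmit_timeout=4.0,
                       retransmit_tries=1):
    """Return (first assignment, assignment after reconnecting gap_seconds later).

    The dynamic range and the DPD/retransmit defaults mirror the posted config.
    """
    ident = "john.doe@domainname.com"
    alloc = Allocator(parse_static_pool(STATIC_POOL),
                      ipaddress.ip_address("192.168.3.20"),
                      ipaddress.ip_address("192.168.3.254"))
    first = alloc.assign(ident, sa_id=1)
    # Hypothesis: the stale SA is only cleared once DPD gives up, i.e. after
    # dpddelay of silence plus the retransmit window (test values: 4.0s x 1).
    stale_sa_cleared_after = dpddelay + retransmit_timeout * retransmit_tries
    if gap_seconds >= stale_sa_cleared_after:
        alloc.release(sa_id=1)
    second = alloc.assign(ident, sa_id=2)
    return first, second


if __name__ == "__main__":
    for gap in (10, 60):
        first, second = reconnect_scenario(gap)
        print(f"gap {gap:>3}s: first={first[0]} {first[1]}  "
              f"reconnect={second[0]} {second[1]}")
```

With the posted values the model hands john.doe 192.168.3.20 from the dynamic pool on a 10-second reconnect and the static 192.168.220.1 again on a 60-second one, which is the symptom described above. A practitioner checking the real daemon would compare this against what `ipsec pool --leases` shows for the static pool while the client is offline: if the old lease is still marked online at the moment the device reconnects, the hypothesis holds.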