IPSec connection to strongSwan stalls after 1 hour

Originator:davepeck
Number:rdar://18179160 Date Originated:29-Aug-2014 11:55 AM
Status:Open Resolved:
Product:iOS Product Version:iOS 7.1.2 (11D257)
Classification:Other Bug Reproducible:Always
 
Summary:
iOS <=7 can establish an IKEv1-based IPSec connection to a strongSwan server and use it for 60 minutes. The child SA is rekeyed successfully several minutes in advance of its (iOS-configured) 60m lifetime. When the child SA finally expires on the client, the connection is left in a bad state. DPD fails immediately if present; other control messages will fail over time otherwise.

This is fully reproducible. Moreover, it appears that iOS is responsible for the ultimate failure.

Steps to Reproduce:
1. Set up strongSwan 5.1.2. I recommend Ubuntu 14.04. I've attached some sample configs, although you'll need to customize and bring your own PKI.
2. Configure an iOS 7 device to talk to the server ("Cisco" IPSec).
3. Turn on the VPN and wait for an hour.

Expected Results:
Barring an underlying network interruption, IPSec should remain operational more or less indefinitely.

Actual Results:
After 60 minutes, control messages from the server to the device elicit no response. If DPD is on, it will close the connection. If not, the data still seems to get through for a while, but the control channel remains in a bad state and will eventually cause the whole connection to fail. Additionally, the device will not receive the SA delete messages, the [VPN] icon will remain on indefinitely and the network will not work.

Version:
iOS 7.1.2 (11D257)

Notes:
I can try to produce more of a turnkey repro case if necessary, although I believe this issue has already been reported by others, so I anticipate this being marked duplicate.

Configuration:
iPod Touch ME643LL/A

Attachments:
'strongswan.conf' and 'ipsec.conf' were successfully uploaded.

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!