group.of.nepali.translators team mailing list archive

[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

 

I'm only now reading into details, but in general just taking 5.5.1 can be a backport but not easily an SRU.
We have to check if there is a way to find a minimal amount of changes to SRU them.


** Also affects: strongswan (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: strongswan (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: strongswan (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1687711

Title:
  strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+

Status in strongswan package in Ubuntu:
  Fix Released
Status in strongswan source package in Xenial:
  New
Status in strongswan source package in Yakkety:
  New

Bug description:
  strongSwan is effectively incompatible with iOS 10+ and macOS 10.11+
  devices. Dead peer detection does not work for these devices and they
  continually re-establish security associations (SAs) as a result.
  Please see the issues described in further detail below:

  strongSwan confirmed the issue and patched it in 5.5.1:
  https://wiki.strongswan.org/issues/2126

  strongSwan recommends a workaround that breaks other functionality:
  https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10

  Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I
  would recommend an SRU for strongSwan 5.3.5 to 5.5.1 in Ubuntu 16.04.

  [Impact]
  Ubuntu users are running into this bug in normal usage:
  https://github.com/trailofbits/algo/issues/430

  [Test Case]
  In order to test this issue:
  1. Deploy an Ubuntu 16.04 server with strongSwan via Algo (https://github.com/trailofbits/algo)
  2. Connect an iOS client
  3. Wait a few minutes for the reconnects to start based on broken dead peer detection

  In order to test the fix for this issue:
  1. Deploy an Ubuntu 17.04 server with strongSwan via Algo (modify config.cfg to select 17.04)
  2. Connect an iOS client
  3. Wait the same time period as before and notice that the connection does not drop

  [Regression Potential]
  strongSwan and IPSEC software in general change at a very slow rate. In our tests with Algo, the exact same ipsec.conf and related configuration work for strongSwan 5.5.1 that worked for 5.3.5.
