group.of.nepali.translators team mailing list archive
Message #13495
[Bug 1687711] Re: strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+
This bug was fixed in the package strongswan - 5.3.5-1ubuntu4.2
---------------
strongswan (5.3.5-1ubuntu4.2) yakkety; urgency=medium
* d/p/ikev2-Only-add-NAT-D-notifies-to-DPDs-as-initiator.patch: fix issue
related to DPD vs iOS10 (LP: #1687711)
-- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> Mon, 15 May 2017 07:48:30 +0200
** Changed in: strongswan (Ubuntu Yakkety)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1687711
Title:
strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+
Status in strongswan package in Ubuntu:
Fix Released
Status in strongswan source package in Xenial:
Fix Released
Status in strongswan source package in Yakkety:
Fix Released
Bug description:
[Impact]
* iOS10+/MacOS10+ devices fail at dead peer detection and re-establish
the connection over and over
* Backport of upstream fix.
[Test Case]
* Set up strongswan (the reporter did so via algo, but other preferred
setups are good as well) and prepare iOS10+ devices to dial in.
* check for the reconnects to start based on broken dead peer
detection
[Regression Potential]
* Due to the fact that this is a backport there could be dependencies to
the newer code. The change isn't too big and it looks safe, as well as
compiling and regression testing fine - but if we want to look out for
regressions that certainly is the biggest potential one.
* From the behavior change itself it should be safe, to quote from
upstream "If a responder is natted it will usually be a static NAT
(unless it's a mediated connection) in which case adding these notifies
makes not much sense (if the initiator's NAT mapping had changed the
responder wouldn't be able to reach it anyway)."
[Other Info]
* I can do general regression check, but for the actual issue
verification I lack the apple devices and have to rely on the reporters
(fortunately two active on the bug now, and confirmed on the ppa
already)
---
Original bug asked to backport the full newer release, but given SRU
policy and that it seems to be fixable with much smaller change we
decided for a backported patch - keeping original content below:
---
strongSwan is effectively incompatible with iOS 10+ and macOS 10.11+
devices. Dead peer detection does not work for these devices and they
continually re-establish security associations (SAs) as a result.
Please see the issues described in further detail below:
strongSwan confirmed the issue and patched it in 5.5.1:
https://wiki.strongswan.org/issues/2126
strongSwan recommends a workaround that breaks other functionality:
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10
Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I
would recommend an SRU for strongSwan 5.3.5 to 5.5.1 in Ubuntu 16.04.
[Impact]
Ubuntu users are running into this bug in normal usage:
https://github.com/trailofbits/algo/issues/430
[Test Case]
In order to test this issue:
1. Deploy an Ubuntu 16.04 server with strongSwan via Algo (https://github.com/trailofbits/algo)
2. Connect an iOS client
3. Wait a few minutes for the reconnects to start based on broken dead peer detection
In order to test the fix for this issue:
1. Deploy an Ubuntu 17.04 server with strongSwan via Algo (modify config.cfg to select 17.04)
2. Connect an iOS client
3. Wait the same time period as before and notice that the connection does not drop
[Regression Potential]
strongSwan and IPSEC software in general change at a very slow rate. In our tests with Algo, the exact same ipsec.conf and related configuration work for strongSwan 5.5.1 that worked for 5.3.5.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1687711/+subscriptions