Hello! We are using strongSwan to connect iPhones and iPads via IPsec with IKEv2. Authentication and connection setup work fine.

We configured two IP pools, a dynamic one and a static one. The static pool entries look like:

    192.168.220.1=john....@domainname.com

The (first) assignment of static or dynamic IPs worked as expected. Now we are experiencing an IP (re)assignment problem and hope you can help. If a mobile device that is connected with its correctly assigned static IP address leaves the reception area of the Wi-Fi or LTE cell, the device tries to reconnect and now receives a dynamic IP. This only happens if the time between disconnection and reconnect is shorter than ~30 seconds. You can emulate this by disabling and re-enabling "mobile data" on the iPhone. We expected the devices to get the same IP after reconnection.

We tried playing with the retransmission values (https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission) and with the DPD values (as far as they apply to IKEv2). Can you help?

Regards
Sven

----------------------------------------------------------------------

Here are the full configs:

ipsec.conf:

    config setup
        uniqueids=never

    conn rw-base
        fragmentation=yes
        dpdtimeout=90s
        dpddelay=30s
        dpdaction=clear

    conn rw-config
        also=rw-base
        reauth=no
        rekey=no
        ike=aes256-sha2_256-prfsha256-modp1024-modp2048,aes256gcm16-prfsha384-modp3072!
        esp=aes256-sha2_256-prfsha256,aes256-sha1,aes256gcm16-modp3072!
        leftsubnet=10.0.0.0/8    # Split tunnel config
        leftid="vpn.domainname.net"
        leftcert=vpn.domainname.net.pem
        leftsendcert=always
        left=217.6.20.66
        lefthostaccess=yes
        rightdns=10.1.3.10, 10.1.3.11
        rightsourceip=%static, %dynamic

    conn ikev2-pubkey
        also=rw-config
        keyexchange=ikev2
        auto=route

strongswan.conf:

    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }

        # Do not install routes or virtual IPs.
        install_routes = no
        install_virtual_ip = no

        # Test values
        retransmit_jitter = 0
        retransmit_limit = 0
        retransmit_timeout = 4.0
        retransmit_tries = 1

        # Benchmark crypto algorithms and order them by efficiency.
        crypto_test {
            bench = yes
        }

        # Configure additional plugins.
        plugins {
            attr-sql {
                database = sqlite:///var/lib/ipsec/ippool.sqlite3
            }
            attr {
                # Split tunnel
                dns = 10.1.3.10, 10.1.3.11
                25 = domain.local
            }
        }
    }

The pools were created with:

    ipsec pool --add dynamic --start 192.168.3.20 --end 192.168.3.254 --timeout 4h
    ipsec pool --add static --addresses static.ippool --timeout 0

-- 
Sven Anders <and...@anduras.de>
ANDURAS intranet security AG
Messestrasse 3 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
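A sanity check for the static pool file, added here as an example; it is not part of Sven's post and not a strongSwan tool. Before a file in the `address=identity` format shown above is loaded with `ipsec pool --add static --addresses ...`, it is worth confirming that no static address falls inside the dynamic range, that no address is mapped to two identities and that no identity is mapped to two addresses, since any of those makes the "which address does this peer get" question ambiguous. The file contents, the identities and the dynamic range below are constructed from the values in the post.

```python
import ipaddress
from collections import Counter

# Constructed sample in the page's "address=identity" format. The
# identities are placeholders; the 192.168.220.x and 192.168.3.x ranges
# mirror the static entries and the dynamic pool from the post.
SAMPLE_POOL_FILE = """\
192.168.220.1=john@domainname.com
192.168.220.2=jane@domainname.com
# comments and blank lines are skipped by this checker

192.168.3.25=bob@domainname.com
192.168.220.1=alice@domainname.com
192.168.220.3=jane@domainname.com
not-an-address=eve@domainname.com
"""

# Taken from: ipsec pool --add dynamic --start 192.168.3.20 --end 192.168.3.254
DYNAMIC_START = "192.168.3.20"
DYNAMIC_END = "192.168.3.254"


def parse_static_pool(text):
    """Parse 'address=identity' lines into (ip, identity) pairs.

    Returns (entries, errors); malformed lines are reported in errors
    instead of silently disappearing.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, sep, ident = line.partition("=")
        addr, ident = addr.strip(), ident.strip()
        if not sep or not addr or not ident:
            errors.append(f"line {lineno}: expected address=identity, got {line!r}")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            errors.append(f"line {lineno}: {addr!r} is not an IP address")
            continue
        entries.append((ip, ident))
    return entries, errors


def check_static_pool(text, dynamic_start=DYNAMIC_START, dynamic_end=DYNAMIC_END):
    """Return a list of problems; an empty list means the file looks sane."""
    entries, problems = parse_static_pool(text)
    lo = ipaddress.ip_address(dynamic_start)
    hi = ipaddress.ip_address(dynamic_end)

    # A static address inside the dynamic range can also be leased dynamically.
    for ip, ident in entries:
        if lo <= ip <= hi:
            problems.append(f"{ip} ({ident}) lies inside the dynamic pool {lo}-{hi}")

    # One address for two identities, or two addresses for one identity,
    # makes the static assignment ambiguous.
    for ip, n in Counter(ip for ip, _ in entries).items():
        if n > 1:
            problems.append(f"{ip} is mapped to {n} identities")
    for ident, n in Counter(ident for _, ident in entries).items():
        if n > 1:
            problems.append(f"{ident} is mapped to {n} static addresses")
    return problems


if __name__ == "__main__":
    for problem in check_static_pool(SAMPLE_POOL_FILE):
        print("WARN:", problem)
```

Run it against the real `static.ippool` by reading the file into `check_static_pool()`; the dynamic range defaults match the `ipsec pool --add dynamic` command in the post and can be passed explicitly if the pool is resized.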