I’m using rightsourceip=%dhcp on the server so two clients cannot have the same leftid.
Prior to using rightsourceip=%dhcp, I used uniqueids=never and 10.0.2.0/24 to allow multiple clients with the same leftid, but that doesn’t appear to work with rightsourceip=%dhcp (am I doing something wrong?).
Looks like supervised (always-on) iOS VPN clients establish two associations, one over LTE and one over Wi-Fi... which breaks connectivity to the VPN server. Guess the server doesn’t know to which association the packets have to be sent... and perhaps iOS isn’t listening on both interfaces once Wi-Fi is up.
How can I fix this? Also, what does rekeying disabled mean?
Security Associations (5 up, 0 connecting):
ikev2[7]: ESTABLISHED 65 seconds ago, 159.203.26.109[my-vpn.com]...207.46.13.62[[email protected]]
ikev2[7]: IKEv2 SPIs: 0a53e7fec5e65e2b_i 2d03da3fce35f91c_r*, rekeying disabled
ikev2[7]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_3072
ikev2{7}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c468b92b_i 00006960_o
ikev2{7}: AES_GCM_16_256, 8795 bytes_i (22 pkts, 0s ago), 4983 bytes_o (19 pkts, 41s ago), rekeying disabled
ikev2{7}: 0.0.0.0/0 === 10.0.2.13/32
ikev2[6]: ESTABLISHED 65 seconds ago, 159.203.26.109[my-vpn.com]...157.55.39.61[[email protected]]
ikev2[6]: IKEv2 SPIs: e2a7434252a49075_i fe57e34b97ba086e_r*, rekeying disabled
ikev2[6]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_3072
ikev2{6}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: cdc9dd9c_i 0ec723e6_o
ikev2{6}: AES_GCM_16_256, 8170 bytes_i (122 pkts, 0s ago), 0 bytes_o, rekeying disabled
ikev2{6}: 0.0.0.0/0 === 10.0.2.13/32
If a peer creates multiple IKE_SAs with the same identity, and it isn't prevented via uniqueness policy, this requires multiple virtual IPs per client to work properly (as you noted, the server can only send packets addressed to the virtual IP through one of the two tunnels).
So assigning static leases with backends like DHCP or RADIUS could be tricky as they usually have a 1:1 mapping of identity to IP address. Depending on the DHCP/RADIUS server implementation it might be possible to let them assign multiple IPs to the same identity (e.g. by configuring multiple static leases, or by considering other parameters besides the identity, refer to the respective documentation). Otherwise, you have to change the backend server's configuration (and in case of DHCP the plugin's) so dynamic leases are assigned to the clients.
That active rekeying is disabled in the configuration (e.g. via rekey=no). The IKE daemon will still respond to rekeying requests from the clients.
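As an added example (not code from the question or the answer), a small script that parses ipsec statusall output like the one in the question and flags remote identities holding more than one IKE_SA whose tunnels were assigned the same virtual IP, which is the condition the answer describes. The sample output and the identity user@example.com are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `ipsec statusall` output in the question: two IKE_SAs
# for the same remote identity, both CHILD_SAs assigned the same virtual IP 10.0.2.13.
STATUS_OUTPUT = """\
Security Associations (2 up, 0 connecting):
ikev2[7]: ESTABLISHED 65 seconds ago, 159.203.26.109[my-vpn.com]...207.46.13.62[user@example.com]
ikev2[7]: IKEv2 SPIs: 0a53e7fec5e65e2b_i 2d03da3fce35f91c_r*, rekeying disabled
ikev2{7}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c468b92b_i 00006960_o
ikev2{7}: 0.0.0.0/0 === 10.0.2.13/32
ikev2[6]: ESTABLISHED 65 seconds ago, 159.203.26.109[my-vpn.com]...157.55.39.61[user@example.com]
ikev2[6]: IKEv2 SPIs: e2a7434252a49075_i fe57e34b97ba086e_r*, rekeying disabled
ikev2{6}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: cdc9dd9c_i 0ec723e6_o
ikev2{6}: 0.0.0.0/0 === 10.0.2.13/32
"""

# IKE_SA header: "<conn>[<id>]: ESTABLISHED ..., <local>[<local-id>]...<remote>[<remote-id>]"
IKE_RE = re.compile(r"^(?P<conn>\S+)\[(?P<id>\d+)\]: ESTABLISHED .*?\.\.\."
                    r"(?P<host>[^\[\s]+)\[(?P<rid>[^\]]*)\]$")
# CHILD_SA traffic selectors: "<conn>{<id>}: <local TS> === <remote TS>"
TS_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+(?P<local>\S+) === (?P<remote>\S+)$")

def parse_sas(text):
    """Map remote identity -> list of (ike_sa_id, remote_host, [remote traffic selectors]).
    statusall prints each IKE_SA followed by its CHILD_SAs, so CHILD_SA lines are attached
    to the most recently seen IKE_SA header."""
    peers = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = IKE_RE.match(line.strip())
        if m:
            current = (m["id"], m["host"], [])
            peers[m["rid"]].append(current)
            continue
        m = TS_RE.match(line.strip())
        if m and current is not None:
            # For a road-warrior client the remote TS is its assigned virtual IP (/32).
            current[2].append(m["remote"])
    return dict(peers)

def find_virtual_ip_conflicts(text):
    """Return {remote_identity: {virtual_ip: [ike_sa_ids]}} for identities with more than
    one IKE_SA whose tunnels claim the same virtual IP: the server can only send packets
    for that IP down one of those tunnels, so the other client loses connectivity."""
    conflicts = {}
    for rid, sas in parse_sas(text).items():
        if len(sas) < 2:
            continue
        owners = defaultdict(set)
        for ike_id, _host, vips in sas:
            for vip in vips:
                owners[vip].add(ike_id)
        shared = {vip: sorted(ids) for vip, ids in owners.items() if len(ids) > 1}
        if shared:
            conflicts[rid] = shared
    return conflicts
```

Running it against live ipsec statusall output on the server shows whether the DHCP backend really handed the same lease to both associations, which is the case to fix with per-association dynamic leases as the answer suggests.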