kerberjg / docker-vpn-ikev2-roadwarrior

Docker container with a Strongswan IKEv2 VPN server (for a mobile-optimized Road Warrior setup)
MIT License

[macos] Disconnects every 24 minutes #1

Open kerberjg opened 4 years ago

kerberjg commented 4 years ago

When connected to the VPN on macOS 10.15.1 (on demand mode), the connection drops randomly every 24 minutes (precisely) followed by a brief session (under 2 minutes, TODO: investigate) and another disconnect.

Relevant logs

Strongswan

2020-02-03T21:36:16.580498894Z 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2020-02-03T21:36:16.653532895Z 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
2020-02-03T21:36:16.642162485Z 07[IKE] CHILD_SA rw{5688} established with SPIs c1d1633f_i 073c2bb9_o and TS 0.0.0.0/0 ::/0 === 10.8.0.1/32
2020-02-03T21:36:16.640766356Z 07[CFG] selected proposal: ESP:CHACHA20_POLY1305/NO_EXT_SEQ
2020-02-03T21:36:16.640247812Z 07[IKE] no virtual IP found for %any6 requested by 'REDACTED(client's local IP)'
2020-02-03T21:36:16.639979920Z 07[IKE] peer requested virtual IP %any6
2020-02-03T21:36:16.639568948Z 07[CFG] reassigning offline lease to 'REDACTED(client's local IP)'
2020-02-03T21:36:16.639784683Z 07[IKE] assigning virtual IP 10.8.0.1 to peer 'REDACTED(client's local IP)'
2020-02-03T21:36:16.639315663Z 07[IKE] peer requested virtual IP %any
2020-02-03T21:36:16.638997326Z 07[IKE] IKE_SA rw[4816] established between 172.17.0.2[vpn.mekomi.cloud]...217.210.50.162[192.168.1.6]
2020-02-03T21:36:16.638574633Z 07[IKE] authentication of 'REDACTED($HOST_FQDN)' (myself) with pre-shared key
2020-02-03T21:36:16.638131331Z 07[IKE] peer supports MOBIKE
2020-02-03T21:36:16.637732973Z 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2020-02-03T21:36:16.637336669Z 07[IKE] authentication of '192.168.1.6' with pre-shared key successful
2020-02-03T21:36:16.636872177Z 07[CFG] selected peer config 'rw'
2020-02-03T21:36:16.636479461Z 07[CFG] looking for peer configs matching REDACTED(host's local IP)[REDACTED($HOST_FQDN)]...REDACTED(client's remote IP)[REDACTED(client's local IP)]
2020-02-03T21:36:16.636161554Z 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2020-02-03T21:36:16.635752236Z 07[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2020-02-03T21:36:16.634414305Z 07[NET] received packet: from REDACTED(client's remote IP)[4500] to REDACTED(host's local IP)[4500] (368 bytes)
2020-02-03T21:36:16.581640025Z 15[NET] sending packet: from REDACTED(host's local IP)[500] to REDACTED(client's remote IP)[500] (252 bytes)
2020-02-03T21:36:16.581540859Z 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-02-03T21:36:16.581172017Z 15[IKE] remote host is behind NAT
2020-02-03T21:36:16.580509173Z 15[IKE] REDACTED(client's remote IP) is initiating an IKE_SA
2020-02-03T21:36:16.580514392Z 15[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_256/ECP_256
2020-02-03T21:36:16.581151729Z 15[IKE] local host is behind NAT, sending keep alives

macOS

TODO

Apple configuration profile used

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Read more: https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile -->
<plist version="1.0">
    <dict>
        <!-- Set the name to whatever you like, it is used in the profile list on the device -->
        <key>PayloadDisplayName</key>
        <string>REDACTED Profile</string>
        <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
        <key>PayloadIdentifier</key>
        <string>REDACTED</string>
        <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
        <key>PayloadUUID</key>
        <string>REDACTED</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadContent</key>
        <array>
            <dict>
                <!-- This is an extension of the identifier given above -->
                <key>PayloadIdentifier</key>
                <string>REDACTED.shared-configuration</string>
                <!-- A globally unique identifier for this payload -->
                <key>PayloadUUID</key>
                <string>REDACTED</string>
                <key>PayloadType</key>
                <string>com.apple.vpn.managed</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <!-- This is the name of the VPN connection as seen in the VPN application later -->
                <key>UserDefinedName</key>
                <string>REDACTED</string>
                <key>VPNType</key>
                <string>IKEv2</string>
                <key>IKEv2</key>
                <dict>
                    <!-- Hostname or IP address of the VPN server -->
                    <key>RemoteAddress</key>
                    <string>REDACTED</string>
                    <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
                     IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
                    <key>RemoteIdentifier</key>
                    <string>REDACTED</string>
                    <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
                    <key>LocalIdentifier</key>
                    <string></string>
                    <!-- source: https://developer.apple.com/documentation/devicemanagement/vpn/ikev2 -->
                    <key>NATKeepAliveOffloadEnable</key>
                    <integer>1</integer>
                    <key>DisableMOBIKE</key>
                    <integer>0</integer>
                    <key>DeadPeerDetectionRate</key>
                    <string>Medium</string>
                    <key>DisableRedirect</key>
                    <integer>1</integer>
                    <key>EnableFallback</key>
                    <integer>1</integer>
                    <!--
                    OnDemand references:
                    https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
                    Continue reading:
                    https://github.com/iphoting/ovpnmcgen.rb
                    -->
                    <key>OnDemandEnabled</key>
                    <integer>1</integer>
                    <key>OnDemandRules</key>
                    <array>
                        <dict>
                            <key>Action</key>
                            <string>Connect</string>
                            <key>InterfaceTypeMatch</key>
                            <string>WiFi</string>
                            <key>URLStringProbe</key>
                            <string>http://captive.apple.com/hotspot-detect.html</string>
                        </dict>
                        <dict>
                            <key>Action</key>
                            <string>Connect</string>
                            <key>InterfaceTypeMatch</key>
                            <string>Cellular</string>
                        </dict>
                        <dict>
                            <key>Action</key>
                            <string>Connect</string>
                            <key>InterfaceTypeMatch</key>
                            <string>Ethernet</string>
                        </dict>
                    </array>
                    <!-- Both sides authenticate with a pre-shared key (SharedSecret); no certificate is used in this profile -->
                    <key>AuthenticationMethod</key>
                    <string>SharedSecret</string>
                    <key>SharedSecret</key>
                    <string>REDACTED</string>
                    <!-- Turn off EAP -->
                    <key>ExtendedAuthEnabled</key>
                    <integer>0</integer>
                    <!-- AuthName key is required to dismiss the Enter Username screen on iOS 9, even if ExtendedAuthEnabled is false -->
                    <key>AuthName</key>
                    <string></string>
                    <!-- AuthPassword key is required to dismiss the Enter Password screen on iOS 9, even if ExtendedAuthEnabled is false -->
                    <key>AuthPassword</key>
                    <string></string>
                    <key>IKESecurityAssociationParameters</key>
                    <dict>
                        <key>EncryptionAlgorithm</key>
                        <string>ChaCha20Poly1305</string>
                        <key>IntegrityAlgorithm</key>
                        <string>SHA2-256</string>
                        <key>DiffieHellmanGroup</key>
                        <integer>19</integer>
                    </dict>
                    <key>ChildSecurityAssociationParameters</key>
                    <dict>
                        <key>EncryptionAlgorithm</key>
                        <string>ChaCha20Poly1305</string>
                        <key>IntegrityAlgorithm</key>
                        <string>SHA2-256</string>
                        <key>DiffieHellmanGroup</key>
                        <integer>19</integer>
                    </dict>
                </dict>
                <key>IPv4</key>
                <dict>
                    <key>OverridePrimary</key>
                    <integer>1</integer>
                </dict>
            </dict>
        </array>
    </dict>
</plist>
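Added example (not part of this issue or the project): a small Python check that reads strongswan log lines in the format shown above (docker log output may arrive newest-first with a leading comma), sorts the IKE_SA establishment events chronologically, measures the gap between consecutive establishments and reports whether a cycle close to the reported 24 minutes is present. The log lines embedded below are constructed to mimic that pattern; hostnames and IPs in them are placeholders.

```python
import re
from datetime import datetime

# Matches the strongswan line that marks a new IKE_SA coming up, e.g.
# "2020-02-03T21:36:16.638997326Z 07[IKE] IKE_SA rw[4816] established between ..."
# A leading comma (docker log extraction artefact) is tolerated.
ESTABLISHED_RE = re.compile(
    r"^,?(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z\s+\d+\[IKE\]\s+"
    r"IKE_SA\s+(?P<conn>\S+)\[(?P<id>\d+)\]\s+established"
)

# Constructed sample: four IKE_SA establishments, newest first, matching the
# "24 minutes, brief session, another disconnect" description in the issue.
SAMPLE_LOG = [
    ",2020-02-03T22:25:45.100000000Z 09[IKE] IKE_SA rw[4819] established between 10.0.0.2[vpn.example.test]...198.51.100.7[192.168.1.6]",
    ",2020-02-03T22:25:45.050000000Z 09[IKE] peer supports MOBIKE",
    ",2020-02-03T22:01:45.200000000Z 11[IKE] IKE_SA rw[4818] established between 10.0.0.2[vpn.example.test]...198.51.100.7[192.168.1.6]",
    ",2020-02-03T22:00:16.300000000Z 08[IKE] IKE_SA rw[4817] established between 10.0.0.2[vpn.example.test]...198.51.100.7[192.168.1.6]",
    ",2020-02-03T21:36:16.642162485Z 07[IKE] CHILD_SA rw{5688} established with SPIs c1d1633f_i 073c2bb9_o",
    "2020-02-03T21:36:16.638997326Z 07[IKE] IKE_SA rw[4816] established between 10.0.0.2[vpn.example.test]...198.51.100.7[192.168.1.6]",
]


def establishment_times(lines):
    """Chronologically sorted timestamps of IKE_SA establishment events."""
    found = []
    for line in lines:
        m = ESTABLISHED_RE.match(line.strip())
        if m:
            found.append(datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"))
    return sorted(found)


def reconnect_intervals(lines):
    """Whole seconds between consecutive IKE_SA establishments."""
    ts = establishment_times(lines)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


def periodic_drop(lines, period_s=24 * 60, tolerance_s=30):
    """True when at least two gaps fall within tolerance of the suspected period."""
    hits = [i for i in reconnect_intervals(lines) if abs(i - period_s) <= tolerance_s]
    return len(hits) >= 2


if __name__ == "__main__":
    print("intervals (s):", reconnect_intervals(SAMPLE_LOG))
    print("24-minute cycle present:", periodic_drop(SAMPLE_LOG))
```

Feed it `docker logs <container>` output instead of SAMPLE_LOG to confirm the periodicity before changing profile settings such as DeadPeerDetectionRate.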
kerberjg commented 4 years ago

Experiment: Try setting DeadPeerDetectionRate to High in the Apple profile

Results

Still disconnecting

kerberjg commented 4 years ago

Experiment: Try setting DeadPeerDetectionRate to None in the Apple profile

Results

TBD