Issue #2621

Android: VPN connection stops working, strongSwan shows Connected

Added by Daniel Serodio over 2 years ago. Updated about 2 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: android
Affected version:
Resolution:

Description

I leave my strongSwan VPN connected, and often my phone's internet connection stops working, but the Wifi connection icon in the notification bar doesn't show problems (ie, no exclamation point), and strongSwan shows "Connected". Forcing strongSwan to reconnect fixes my connectivity problems.

This is frustrating because I can't rely on my phone's connectivity while strongSwan is connected.

I'm running strongSwan 1.9.6 on OnePlus 3T, Android 8.0.0 (OxygenOS 5.0.1).

Log file attached.

strongSwan_1.9.6_Log_File.txt (42.2 KB) - Log file, Daniel Serodio, 10.04.2018 00:30

History

#1 Updated by Tobias Brunner over 2 years ago

  • Category set to android
  • Status changed from New to Feedback

The log shows some intermittent connectivity issues (failures to send packets, no connectivity, MOBIKE updates), but it ends with a successful rekeying and DPDs. So the connection should be fine here.

One problem in such scenarios is often a too low DPD interval on the server. In your case it seems to send DPDs quite frequently if there is no other traffic (e.g. one at 17:45:13 and the next already at 17:45:49). If the client is not reachable for a while, the server might close the connection without the client noticing. The Android client does not send DPDs, to save battery power, so it would only learn this when trying to e.g. rekey the SAs (CHILD_SAs are rekeyed once an hour) or do a MOBIKE update (which is not the case if the IP doesn't change when the connectivity is restored or the device wakes up).

My recommendation is to increase the DPD interval on the server to e.g. several hours so abandoned SAs (for which the client was not able to send a proper DELETE) are eventually closed but allowing the client to be offline for a while.

#2 Updated by Indrek k about 2 years ago

Tobias Brunner wrote:

My recommendation is to increase the DPD interval on the server to e.g. several hours so abandoned SAs (for which the client was not able to send a proper DELETE) are eventually closed but allowing the client to be offline for a while.

I also had this issue once in 24h or so, and so far a 1h DPD has helped. Maybe the strongSwan server setup instructions should point out that if the server is targeted towards mobile devices the DPD should be higher?
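The check described in comment #1, measuring how often the server sends DPDs by looking at the client log, can be scripted. The following is an added example, not part of the issue thread or of strongSwan: the log line format, the sample lines (constructed, using the two timestamps quoted above) and the one-hour threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of a strongSwan client log (assumed format:
# syslog-style timestamp, thread[GROUP], message). Not taken from the attachment.
SAMPLE_LOG = """\
Apr  9 17:45:13 11[NET] received packet: from 203.0.113.10[4500] to 10.0.0.5[41234] (76 bytes)
Apr  9 17:45:13 11[ENC] parsed INFORMATIONAL request 7 [ ]
Apr  9 17:45:13 11[ENC] generating INFORMATIONAL response 7 [ ]
Apr  9 17:45:49 12[ENC] parsed INFORMATIONAL request 8 [ ]
Apr  9 17:45:49 12[ENC] generating INFORMATIONAL response 8 [ ]
Apr  9 17:46:02 13[ENC] parsed CREATE_CHILD_SA request 9 [ N(REKEY_SA) SA No TSi TSr ]
Apr  9 17:46:31 14[ENC] parsed INFORMATIONAL request 10 [ ]
"""

# A DPD from the peer arrives as an INFORMATIONAL request with no payloads: "[ ]".
DPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \d+\[ENC\] "
    r"parsed INFORMATIONAL request \d+ \[ \]\s*$"
)

def dpd_times(log_text):
    """Timestamps of DPD requests received from the server."""
    times = []
    for line in log_text.splitlines():
        m = DPD_RE.match(line)
        if m:
            ts = " ".join(m.group("ts").split())  # collapse the padded day field
            # The log carries no year; a fixed leap year is assumed for parsing.
            times.append(datetime.strptime(f"2000 {ts}", "%Y %b %d %H:%M:%S"))
    return times

def dpd_gaps(log_text):
    """Seconds between consecutive DPDs received from the server."""
    t = dpd_times(log_text)
    return [int((b - a).total_seconds()) for a, b in zip(t, t[1:]) if b >= a]

def server_dpd_too_frequent(log_text, min_interval=timedelta(hours=1)):
    """True if the server probes more often than min_interval (assumed threshold)."""
    gaps = dpd_gaps(log_text)
    return bool(gaps) and min(gaps) < min_interval.total_seconds()

if __name__ == "__main__":
    print("DPD gaps (s):", dpd_gaps(SAMPLE_LOG))
    print("too frequent:", server_dpd_too_frequent(SAMPLE_LOG))
```

A DPD is only sent after a period without inbound traffic, so the smallest gap is an upper bound on the server's configured interval. On the server that interval is set with `dpd_delay` in swanctl.conf or `dpddelay` in ipsec.conf.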
