Feature #616

StrongSwan Vpn Client on Android Disconnected?

Added by Alexandre Rico almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: android
Target version: -
Start date: 12.06.2014
Due date:
Estimated time:
Resolution: Fixed

Description

Hello,

I'm trying to understand how the application works.

1 => When I'm "Connected", if I turn down the Wifi or 3G/4G connection the application remains "Connected" until I turn it up.
2 => Same thing if I turn down the ipsec server: the application tries to communicate with the server, and when I turn the server back up the application never tells anything and reconnects the VPN.

I want to know when my VPN is down and tell users that the connection is down. Is there anything I can do? (Server side or client side?)

I use the 5.2.0dr4 version. Cloned from: git clone git://git.strongswan.org/strongswan.git

Thanks.


Related issues

Has duplicate Feature #617: Features for StrongSwan Android VPN -> Improve the GUI (Rejected, 13.06.2014)

Associated revisions

Revision 32109a53
Added by Tobias Brunner over 5 years ago

Merge branch 'android-state-updates'

The GUI reflects the state of the IKE daemon more closely by switching
back to the "connecting" state when the IKE_SA or CHILD_SA is down and
is getting reestablished.

Fixes #616.

History

#1 Updated by Tobias Brunner almost 6 years ago

  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner
  • Priority changed from High to Normal

> 1 => When I'm "Connected", if I turn down the Wifi or 3G/4G connection the application remains "Connected" until I turn it up.
> 2 => Same thing if I turn down the ipsec server: the application tries to communicate with the server, and when I turn the server back up the application never tells anything and reconnects the VPN.
>
> I want to know when my VPN is down and tell users that the connection is down. Is there anything I can do? (Server side or client side?)

This behavior is on purpose, for several reasons:

  1. The app strives for not letting any unencrypted packets leave the device until the connection is manually disconnected by the user. So we can't just disconnect if the server deletes the connection or is not reachable anymore, as the user might not be aware of it. In this context, "disconnect" especially means disabling the TUN device over which traffic is routed; the actual VPN connection (IKE/IPsec SA) may still be down temporarily.
  2. If the app is used on mobile devices, networks may be switched in quick succession, which is handled quite nicely by MOBIKE, often without the user even noticing. The VPN connection may be "down" when there is momentarily no network connection but will be "up" again quickly when the down time is short. MOBIKE will just update the tunnel endpoint address in this case. If the down time is longer and the server already removed the state, retransmissions may delay the VPN setup a bit (but because of that, retransmission timeouts are configured rather short in the app - it takes less than 15 seconds before the app starts reestablishing the SA, compared to the 165 seconds it takes using the default values).
  3. There are currently some limitations to the MOBIKE/DPD/retransmission implementation (see also #455). For instance, if MOBIKE marks the SA as stale when there is no connection available, the current DPD code will still attempt to send packets. So if no network connection is available in time the SA will get closed and has to get reestablished - not really a problem as that could happen anyway, but it has some computational and temporal overhead we may avoid by not closing the SA preemptively. We could probably add a configuration option to prevent DPDs in such a situation, but it's one of the reasons for not enabling DPD at the moment.
  4. DPD is currently also disabled to avoid constant network traffic when there may be no need for it (could save battery power). If the server has DPD disabled (or uses a long enough dpddelay) the SA will be there quite a long time (until e.g. a rekeying is triggered on the server in a moment the client is not reachable), so there is no need to close the SA on the client if the server is only temporarily unreachable.
  5. Another reason for not enabling DPD is that it's rather uncommon that the server is down or unreachable (for reasons other than the client having no network connection).

With that being said, the GUI could probably be improved. For instance, we could show that the connection, while still active, might not be fully functional (e.g. go from "Connected" back to "Connecting...").
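
The 15-second and 165-second figures in comment #1 follow from the exponential back-off of IKE retransmissions. The sketch below is an added example, not code from strongSwan or from this thread: the 4.0/1.8/5 values are strongSwan's documented `charon.retransmit_*` defaults, while the shorter profile is an assumed set of values chosen only to be consistent with "less than 15 seconds".

```python
"""Added example: how long an IKE peer keeps retransmitting before it gives up."""


def retransmit_schedule(timeout, base, tries):
    """Return a list of (relative_wait, elapsed) pairs in seconds.

    After the initial message the peer retransmits `tries` times. The wait
    before retransmit n, and the final wait before giving up, is
    timeout * base ** n for n = 0 .. tries.
    """
    if timeout <= 0 or base < 1 or tries < 0:
        raise ValueError("need timeout > 0, base >= 1, tries >= 0")
    schedule, elapsed = [], 0.0
    for n in range(tries + 1):
        wait = timeout * base ** n
        elapsed += wait
        schedule.append((wait, elapsed))
    return schedule


def give_up_after(timeout, base, tries):
    """Total seconds until the SA is considered dead and gets reestablished."""
    return retransmit_schedule(timeout, base, tries)[-1][1]


# strongSwan defaults: charon.retransmit_timeout / _base / _tries
DEFAULTS = {"timeout": 4.0, "base": 1.8, "tries": 5}
# Assumed short profile (hypothetical values, not taken from this page)
ASSUMED_APP = {"timeout": 2.0, "base": 1.4, "tries": 3}


if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("assumed app", ASSUMED_APP)):
        print(f"{name}: {cfg}")
        sched = retransmit_schedule(**cfg)
        for n, (wait, elapsed) in enumerate(sched):
            last = n == len(sched) - 1
            action = "give up" if last else f"retransmit {n + 1}"
            print(f"  +{wait:6.2f}s  t={elapsed:7.2f}s  {action}")
```

During that window the GUI state is the only signal the user gets, which is why the merged change switches back to "connecting" while the SA is being reestablished.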

#2 Updated by Tobias Brunner over 5 years ago

  • Has duplicate Feature #617: Features for StrongSwan Android VPN -> Improve the GUI added

#3 Updated by Tobias Brunner over 5 years ago

  • Tracker changed from Issue to Feature
  • Subject changed from StrongSwan Vpn Client Android Disconnected ? to StrongSwan Vpn Client on Android Disconnected?
  • Status changed from Feedback to Closed
  • Resolution set to Fixed

GUI changes are introduced with the associated merge. Will be included in the next release of the app.
