Request an SRU from Ubuntu for strongSwan #494
Comments
I'm currently running a 17.04 instance with strongSwan 5.5.1. Upgrading from 16.04 seems to have fixed the issue and I haven't experienced any other bugs or abnormalities. Also, I have the local DNS resolver on. It's been up for around a day now without any issues.
I also upgraded to 17.04 and it seems to work. But do we need to change disabled DPD so the bug is finally resolved? If so, how? Thanks
sgasean: Yes, you can edit the ipsec.conf and set uniqueids to never and dpdaction to clear. I filed a bug in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1687711
@sgasean How to upgrade to 17.04?
They've fixed the problem in the
Fix released!
16.04 comes with strongSwan 5.3.5, which has a bug for iOS and macOS clients that causes them to disconnect frequently. In order to work around the bug, we have to disable dead peer detection. However, with dead peer detection disabled it consumes IPs from the virtual pool until there aren’t any left, then no one can connect.
We can address THAT issue by setting strongSwan to “replace” IPs when they reconnect. However, with "replace" set, any client with the same certificate is considered the same client. So if you gave the same certificate to 3 people, then only 1 of them can use the VPN at a time.
The best fix is to upgrade to strongSwan 5.5.1 which fixes the dead peer detection bug and properly manages the virtual IP pool. But you can’t get 5.5.1 on 16.04. It is, however, available on 17.04.
https://wiki.ubuntu.com/StableReleaseUpdates
Related to #430