Streisand: macOS/iOS loses L2TP VPN on network changes

Created on 13 Feb 2017 · 7 Comments · Source: StreisandEffect/streisand

(Comment from @nopdotcom: this bug has changed from "should we use Connect On Demand" to "keep the VPN up no matter what". I'm keeping it as the same bug because there's useful information here.)


I'm also using Algo, which generates a configuration for macOS and iOS devices that permits Connect on demand (see screenshot). In effect, it forces the VPN to always remain connected. Is this possible with Streisand? If not, how do we make it happen?

It's important that the VPN remain connected. Currently, if Streisand disconnects, traffic goes over non-VPN internet until the user manually reconnects.


Labels: area:l2tp, kind:client, kind:feature


Maybe can try Shimo Application, also include the connect on demand function with L2tp, Cisco Anyconnect or Openvpn

It seems to be an advanced configuration in mobileconfig file. When you use Algo, did it generate an .mobileconfig file for you to install on Mac or iPhone?

#136 Provide .mobileconfig files to autoconfigure iOS devices

@kehao95 Yes, Algo generates .mobileconfig files, and it sets up the "Connect on demand" option. It would be great for Streisand to do this too (I see you linked to #136 where this is discussed).

Here is the mobileconfig file generated by my Algo setup (with keys redacted) as an example of how it should be done: algo.mobileconfig.zip

Actually, I was also waiting for this feature. But the same thing can be accomplished with ocserv and the AnyConnect app for iOS, Android and Mac. With a long enough cookie timeout, it will always reconnect. I tested it with a separate ocserv installation. It works.

Currently, Streisand uses the default cookie-timeout = 300. I would suggest changing it to something longer, e.g. 30000, to guarantee automatic reconnecting. As it is now, if you are driving through a tunnel for more than 5 min, it will not reconnect and you will be unprotected.

We have this stanza in the config:

```xml
<key>IPv4</key>
<dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
</dict>
```

I'm not sure why that doesn't include IPv6. In any case, this should mean that all traffic is routed through the VPN. AlwaysOn seems to primarily be a feature for app-by-app tunneling.

I'm pretty sure L2TP is fine; go to System Preferences:Network:Your VPN Name:Advanced:Options. There's a checkbox there for "Send all traffic over VPN connection", and it's turned on for our mobileconfigs. In minimal testing, IPv6 does not leak.

The problem is that the VPN doesn't stay up across network changes. I'm going to rename/edit this bug to make that clear.

Closing due to deprecated LibreSwan #1266
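As an added example (not code from Streisand, Algo or any commenter in this thread), a Python check that reads a .mobileconfig and reports, per VPN payload, whether the OverridePrimary stanza quoted above and the on-demand keys (OnDemandEnabled, OnDemandRules) that Algo's profile relies on are present. The profile wrapper, identifiers and sample payloads are constructed placeholders.

```python
# Added example, not code from Streisand or Algo: audit a .mobileconfig for the
# two settings this thread discusses. OverridePrimary=1 routes all traffic via
# the VPN; OnDemandEnabled=1 plus a Connect rule tells macOS/iOS to bring the
# VPN back up after a network change instead of leaving traffic unprotected.
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def audit_vpn_profile(profile_bytes):
    """Map each VPN payload's PayloadDisplayName to a list of findings."""
    profile = plistlib.loads(profile_bytes)
    findings = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != VPN_PAYLOAD_TYPE:
            continue
        issues = []
        if payload.get("IPv4", {}).get("OverridePrimary") != 1:
            issues.append("no IPv4 OverridePrimary: traffic can bypass the VPN")
        if payload.get("OnDemandEnabled") != 1:
            issues.append("no OnDemandEnabled: VPN stays down after network changes")
        elif not any(r.get("Action") == "Connect"
                     for r in payload.get("OnDemandRules", [])):
            issues.append("OnDemandRules have no Connect action")
        findings[payload.get("PayloadDisplayName", "<unnamed>")] = issues
    return findings


def build_profile(payloads):
    """Wrap VPN payloads in a minimal top-level profile (constructed sample)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.audit",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadContent": payloads,
    })


# Constructed samples: the first mirrors the Streisand stanza quoted in the
# thread (OverridePrimary only), the second adds the on-demand keys.
OVERRIDE_ONLY = {
    "PayloadType": VPN_PAYLOAD_TYPE, "PayloadDisplayName": "override-only",
    "VPNType": "L2TP", "IPv4": {"OverridePrimary": 1},
}
ON_DEMAND = dict(OVERRIDE_ONLY, PayloadDisplayName="on-demand",
                 OnDemandEnabled=1, OnDemandRules=[{"Action": "Connect"}])

if __name__ == "__main__":
    print(audit_vpn_profile(build_profile([OVERRIDE_ONLY, ON_DEMAND])))
```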
