Hi,

I am having a problem with the virtual IP pool being exhausted when connecting from an iOS device. I have the fix in https://wiki.strongswan.org/issues/764, but I am seeing the issue mentioned by one of the users on the bug.

The leak is because the modecfg defined for the iOS device connection is push, while iOS actually uses modecfg=pull. However, for an actual iOS device, it seems that I have to define modecfg=push, otherwise the iOS device connection fails (or hangs). We disable xauth on the iOS device from the profile, but the iOS device still seems to need a trigger to send its modecfg request message. We cannot use xauth, and using the xauth-noauth plugin also did not work in this case. Moving to IKEv2 is not an option since we already have devices out there with profiles installed and doing IKEv1.

While debugging this problem, I noticed that the build_reply function in mode_config.c clears the ike_sa's virtual IPs before allotting new ones. The function clear_virtual_ips is called on the ike_sa to do so. But this function frees the VIPs and does not release them back to the pool. Is this a bug?

I fixed clear_virtual_ips to release the VIPs to the pool, just like it is done when the ike_sa is destroyed. This fixed my leak when an iOS device connects. Is this a proper fix? And does the clear_virtual_ips function need to be fixed to release the VIPs back to the pool?

Regards,
sk
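A simplified model of the lease accounting described in the post above, added here as an example; it is not strongSwan code and does not come from the post's author. The types and functions (`pool_t`, `sa_t`, `sa_clear_vip`, `simulate_replies`) and the pool size of 4 are hypothetical, chosen only to show how dropping a virtual IP without returning its lease exhausts a pool, while releasing it first does not:

```c
#include <stdbool.h>
#include <stdio.h>

#define POOL_SIZE 4      /* constructed: tiny pool so exhaustion shows quickly */
#define NO_LEASE  (-1)
/* Hypothetical stand-ins, not strongSwan's types or API. */
typedef struct { bool in_use[POOL_SIZE]; } pool_t;
typedef struct { int vip; } sa_t;   /* index of the lease the SA holds */

static int pool_acquire(pool_t *p)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!p->in_use[i]) { p->in_use[i] = true; return i; }
    }
    return NO_LEASE;                /* pool exhausted */
}

static void pool_release(pool_t *p, int idx)
{
    if (idx != NO_LEASE) p->in_use[idx] = false;
}

/* Drop the SA's reference to its VIP; optionally hand the lease back first. */
static void sa_clear_vip(sa_t *sa, pool_t *p, bool release_to_pool)
{
    if (release_to_pool) pool_release(p, sa->vip);
    sa->vip = NO_LEASE;
}

/* Build `replies` config replies on one SA (clear, then assign); return how many got an address. */
int simulate_replies(int replies, bool release_to_pool)
{
    pool_t pool = {{false}};
    sa_t sa = { NO_LEASE };
    int served = 0;
    for (int i = 0; i < replies; i++) {
        sa_clear_vip(&sa, &pool, release_to_pool);
        sa.vip = pool_acquire(&pool);
        if (sa.vip == NO_LEASE) break;   /* nothing left to hand out */
        served++;
    }
    return served;
}

int main(void)
{
    printf("clear without release: %d of 10 served\n", simulate_replies(10, false));
    printf("clear with release:    %d of 10 served\n", simulate_replies(10, true));
    return 0;
}
```

In the model, every clear that skips the release strands one lease, so the number of replies that can be served is bounded by the pool size regardless of how many peers are actually connected.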
