Hi,

I am having a problem with the virtual IP pool being exhausted when
connecting from an iOS device. I have the fix in
https://wiki.strongswan.org/issues/764, but I am seeing the issue
mentioned by one of the users on the bug.

The leak is because the modecfg defined for the iOS device connection is
push, while iOS actually uses modecfg=pull. In my testing with a strongSwan
(or other client), I can reproduce the leak by this mismatch of config, and
the leak goes away when the two configs match.

However, for an actual iOS device, it seems that I have to define
modecfg=push, otherwise the iOS device connection fails (or hangs). We
disable xauth on the iOS device from the profile, but the iOS device still
seems to need a trigger to send its modecfg request message. We cannot use
xauth and using the xauth-noauth plugin also did not work in this case.

Moving to IKEv2 is not an option since we have devices out there already
with profiles installed and doing IKEv1.

Is there any other way to fix this leak, by changes on the strongSwan (5.x)
responder? I noticed that this problem does not occur on 4.x and one reason
could be that the older strongSwan assigns the same IP when it replies to
the modecfg request message. Would that work here?
Is there any other way to fix this leak?

regards,
sk
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users