<div dir="ltr">Hello Tobias,<div><br></div><div>Thank you for you reply. I completely understand that this is an iOS bug and strongswan was doing the right thing. However because we cannot change the client (iOS), we have to handle this in strongswan. I took the fix you mentioned in [3] and ported it to our code base and it fixed the problem. We will try to move to 5.3.0 as soon as we can.</div><div><br></div><div>As regards to the xauth-noauth plugin, when we tested with it, we still ran into the same problem. We do turn off xauth in the iOS profile installed on the phone, but iOS has a bug in 8.x version of their software and they do not honor it. There is a bug against apple for this, but I am not sure if this has been fixed. But we still ran into the same problem with the modecfg when we used the plugin.</div><div><br></div><div>It looks it is expcted that clear_virtual_ips does not release the vips to the pool and is not a bug. Thanx for the clarification.</div><div><br></div><div>regards,</div><div>sk</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 3, 2015 at 1:50 AM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Hi,<br>
<br>
> I am having a problem with the virtual IP pool being exhausted when<br>
> connecting from an iOS device. I have the fix in<br>
> <a href="https://wiki.strongswan.org/issues/764" target="_blank">https://wiki.strongswan.org/issues/764</a> , but I am seeing the issue<br>
> mentioned by one of the users on the bug.<br>
><br>
> The leak is because the modecfg defined for the iOS device connection is<br>
> push, while iOS actually uses modecfg=pull. However, for an actual iOS<br>
> device, it seems that I have to define modecfg=push, otherwise the iOS<br>
> device connection fails (or hangs).<br>
<br>
</span>As discussed in the follow up comments in #764 [1], this looks like a<br>
client bug (the client clearly does ModeCfg in pull mode, and the Apple<br>
docs [2] also don't mention a change to push mode if XAuthEnabled is set<br>
to 0 in the configuration profile).<br>
<br>
Also, you should consider an upgrade to 5.3.0 for iOS devices as you<br>
will run into [3] otherwise. And the fix for that issue (together with<br>
other changes in 5.3.0) might actually help in this case (see below).<br>
<span class=""><br>
> We cannot use xauth and using the<br>
> xauth-noauth plugin also did not work in this case.<br>
<br>
</span>Why not? It was specifically added for iOS devices.<br>
<span class=""><br>
> While debugging this problem, I noticed that the build_reply function in<br>
> mode_config.c clears the ike_sa's virtual IPs before allotting new ones.<br>
> The function clear_virtual_ips is called on the ike_sa to do so. But<br>
> this function frees the VIP but does not release them back to the pool.<br>
> Is this a bug?<br>
<br>
</span>Not really, it is caused by an incorrect config and client behavior<br>
(push mode "needed", while the client then still does pull mode). With<br>
5.3.0 existing VIPs on the IKE_SA are reassigned during ModeCfg, as this<br>
is required during reauthentication. So this might help here too, as<br>
the VIP acquired in push mode will be reassigned in the pull mode<br>
exchange that immediately follows.<br>
<br>
Regards,<br>
Tobias<br>
<br>
[1] <a href="https://wiki.strongswan.org/issues/764#note-12" target="_blank">https://wiki.strongswan.org/issues/764#note-12</a><br>
[2]<br>
<a href="https://developer.apple.com/library/prerelease/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW29" target="_blank">https://developer.apple.com/library/prerelease/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW29</a><br>
[3] <a href="https://wiki.strongswan.org/issues/807" target="_blank">https://wiki.strongswan.org/issues/807</a><br>
<br>
</blockquote></div><br></div>