[strongSwan-dev] virtual IP leak when using iOS devices (related to bug# 764)

[SM K]

Hi,

I am having a problem with the virtual IP pool being exhausted when
connecting from an iOS device. I have the fix in
https://wiki.strongswan.org/issues/764 , but I am seeing the issue
mentioned by one of the users on the bug.

The leak is because the modecfg defined for the iOS device connection is
push, while iOS actually uses modecfg=pull. In my testing with a strongswan
(or other client), i can reproduce the leak by this mismatch of config, and
the leak goes away when the two configs match.

However, for an actual iOS device, it seems that I have to define
modecfg=push, otherwise the iOS device connection fails (or hangs). We
disable xauth on the iOS device from the profile, but the iOS device still
seems to need a trigger to send its modecfg request message. We cannot use
xauth and using the xauth-noauth plugin also did not work in this case.

Moving to ikev2 is not an option since we have devices out there already
with profiles installed and doing ikev1.

Is there any other way to fix this leak, by changes on the strongswan (5.x)
responder? I noticed that this problem does not occur on 4.x and one reason
could be that the older strongswan assigns the same IP when it replies to
the modecfg request message. Would that work here?
Is there any other way to fix this leak?

regards,
sk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150401/c887b1a5/attachment.html>