[strongSwan-dev] Is this a leak in virtual IPs, in ike_sa.c clear_virtual_ips

SM K sacho.polo at gmail.com
Fri Apr 3 02:08:28 CEST 2015


Hi,

I am having a problem with the virtual IP pool being exhausted when
connecting from an iOS device. I have the fix in
https://wiki.strongswan.org/issues/764 , but I am seeing the issue
mentioned by one of the users on the bug.

The leak is because the modecfg defined for the iOS device connection is
push, while iOS actually uses modecfg=pull. However, for an actual iOS
device, it seems that I have to define modecfg=push, otherwise the iOS
device connection fails (or hangs). We disable xauth on the iOS device from
the profile, but the iOS device still seems to need a trigger to send its
modecfg request message. We cannot use xauth and using the xauth-noauth
plugin also did not work in this case.

Moving to ikev2 is not an option since we have devices out there already
with profiles installed and doing ikev1.

While debugging this problem, I noticed that the build_reply function in
mode_config.c clears the ike_sa's virtual IPs before allotting new ones.
The function clear_virtual_ips is called on the ike_sa to do so. But this
function frees the VIPs but does not release them back to the pool. Is this
a bug?

I fixed clear_virtual_ips to release VIPs to the pool, just like how it
is done when the ike_sa is destroyed. This fixed my leak when an iOS device
connects.

Is this a proper fix? And does the clear_virtual_ips function need to be fixed
to release the VIPs back to the pool?

regards,
sk
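
Added example, not part of the original message and not strongSwan code: a toy C model of the leak described above, comparing a clear that only forgets the VIP with one that first releases it to the pool. The pool, the SA struct, all function names and the connection sequence (an SA that already holds a lease when a reply is built) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define POOL_SIZE 4          /* constructed: tiny pool so exhaustion shows fast */
#define NO_VIP    (-1)

typedef struct { bool in_use[POOL_SIZE]; } pool_t;   /* toy lease table */
typedef struct { int vip; } sa_t;                    /* toy SA, one VIP */

static int pool_acquire(pool_t *p)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!p->in_use[i]) { p->in_use[i] = true; return i; }
    return NO_VIP;                                   /* pool exhausted */
}

static void pool_release(pool_t *p, int vip)
{
    if (vip >= 0 && vip < POOL_SIZE) p->in_use[vip] = false;
}

/* Behaviour described in the post: the SA forgets the VIP, the pool is not told. */
static void clear_vips_leaky(sa_t *sa) { sa->vip = NO_VIP; }

/* Behaviour after the poster's change: hand the lease back, then forget it. */
static void clear_vips_releasing(pool_t *p, sa_t *sa)
{
    pool_release(p, sa->vip);
    sa->vip = NO_VIP;
}

/* Runs n connections against one pool; returns how many obtained a VIP. */
int simulate_connections(int n, bool release_on_clear)
{
    pool_t pool = {{false}};
    int completed = 0;
    for (int c = 0; c < n; c++) {
        sa_t sa = { pool_acquire(&pool) };   /* assumed: SA already holds a lease */
        if (sa.vip == NO_VIP) break;
        if (release_on_clear) clear_vips_releasing(&pool, &sa);
        else                  clear_vips_leaky(&sa);
        sa.vip = pool_acquire(&pool);        /* reply allots a new VIP */
        if (sa.vip == NO_VIP) break;
        pool_release(&pool, sa.vip);         /* SA destroyed: current VIP released */
        completed++;
    }
    return completed;
}

int main(void)
{
    printf("leaky clear:     %d of 10\n", simulate_connections(10, false));
    printf("releasing clear: %d of 10\n", simulate_connections(10, true));
    return 0;
}
```

In this model each connection with the leaky clear strands one lease, so the pool is exhausted even though every SA was torn down cleanly.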