[strongSwan-dev] Is this a leak in virtual IPs, in ike_sa.c clear_virtual_ips
tobias at strongswan.org
Fri Apr 3 10:50:51 CEST 2015
> I am having a problem with the virtual IP pool being exhausted when
> connecting from an iOS device. I have the fix in
> https://wiki.strongswan.org/issues/764 , but I am seeing the issue
> mentioned by one of the users on the bug.
> The leak is because the modecfg defined for the iOS device connection is
> push, while iOS actually uses modecfg=pull. However, for an actual iOS
> device, it seems that I have to define modecfg=push, otherwise the iOS
> device connection fails (or hangs).
As discussed in the follow up comments in #764 , this looks like a
client bug (the client clearly does ModeCfg in pull mode, and the Apple
docs  also don't mention a change to push mode if XAuthEnabled is set
to 0 in the configuration profile).
Also, you should consider an upgrade to 5.3.0 for iOS devices as you
will run into  otherwise. And the fix for that issue (together with
other changes in 5.3.0) might actually help in this case (see below).
> We cannot use xauth and using the
> xauth-noauth plugin also did not work in this case.
Why not? It was specifically added for iOS devices.
> While debugging this problem, I noticed that the build_reply function in
> mode_config.c clears the ike_sa's virtual IPs before allotting new ones.
> The function clear_virtual_ips is called on the ike_sa to do so. But
> this function frees the VIP but does not release them back to the pool.
> Is this a bug?
Not really, it is caused by an incorrect config and client behavior
(push mode "needed", while the client then still does pull mode). With
5.3.0 existing VIPs on the IKE_SA are reassigned during ModeCfg, as this
is required during reauthentication. So this might help here too, as
the VIP acquired in push mode will be reassigned in the pull mode
exchange that immediately follows.
More information about the Dev