[strongSwan-dev] Is this a leak in virtual IPs, in ike_sa.c clear_virtual_ips

Martin Willi martin at strongswan.org
Tue Apr 7 09:28:14 CEST 2015


> for an actual iOS device, it seems that I have to define modecfg=push,
> otherwise the iOS device connection fails (or hangs). We disable xauth
> on the iOS device from the profile, but the iOS device still seems to
> need a trigger to send its modecfg request message.

Sending a Mode Config push to satisfy the client's XAuth request is
certainly not advisable. The messages are very similar, but the purpose
is completely different. You really should use Mode Config pull for
Apple devices.

> As regards to the xauth-noauth plugin, when we tested with it, we still ran
> into the same problem. We do turn off xauth in the iOS profile installed on
> the phone, but iOS has a bug in 8.x version of their software and they do
> not honor it. There is a bug against apple for this, but I am not sure if
> this has been fixed. But we still ran into the same problem with the
> modecfg when we used the plugin.

As Tobias suggested, you should use the xauth-noauth plugin. It has been
written exactly for these issues. It allows your client to expect
XAuth authentication, and you won't need that abused Push Mode for that.

After XAuth has completed, the client triggers Mode Config in Pull mode,
and strongSwan should be configured to accept that. This is the much
cleaner approach than abusing Push mode to satisfy the XAuth exchange
required by the client. If xauth-noauth does not work, I recommend
investigating that.
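The approach described in this reply, written out as an ipsec.conf fragment. This is an added illustration, not configuration from the original thread or from the strongSwan project itself; the connection name, the PSK-based authentication, the 10.99.0.0/24 virtual IP pool and the strongswan.conf plugin-loading stanza are assumptions for the example. The strongSwan ipsec.conf keyword is `modeconfig`, which the quoted question abbreviates as `modecfg`.

```ini
# ipsec.conf -- constructed example for an iOS (IKEv1, XAuth) responder.
# The "conn ios_push" block shows the discouraged setup from the thread:
# Mode Config push is used only to unblock a client that is waiting for
# the XAuth exchange it was configured to expect. The "conn ios" block is
# the recommended form: xauth-noauth satisfies the client's XAuth round
# without an actual password check, and the client then pulls its
# virtual IP via Mode Config pull.

# --- discouraged: Push mode abused as an XAuth substitute ---
conn ios_push
    keyexchange=ikev1
    aggressive=yes
    leftauth=psk
    rightauth=psk
    rightsourceip=10.99.0.0/24       # assumed virtual IP pool
    modeconfig=push                  # push is not an XAuth replacement
    auto=add

# --- recommended: xauth-noauth plus Mode Config pull ---
conn ios
    keyexchange=ikev1
    aggressive=yes
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-noauth          # answers the client's XAuth request
    rightsourceip=10.99.0.0/24       # assumed virtual IP pool
    modeconfig=pull                  # client requests its address after XAuth
    auto=add
```

The xauth-noauth plugin is not part of every build or default plugin list; if `charon` logs that `xauth-noauth` is unknown when the connection is loaded, enable it in strongswan.conf under `charon.plugins.xauth-noauth.load = yes` (assumed to be the load switch for this plugin, as for other charon plugins). With the plugin active, the daemon log for a successful iOS connect should show the XAuth round completing immediately, followed by a Mode Config request from the client and the assignment of an address from the `rightsourceip` pool.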

