[strongSwan-dev] Is this a leak in virtual IPs, in ike_sa.c clear_virtual_ips

SM K sacho.polo at gmail.com
Wed Apr 8 10:04:00 CEST 2015


Hi Martin,

It seems that the xauth-noauth plugin works when the iOS device is
configured to use xauth. It did not work for us when the profile installed
on the iOS device has XAuth disabled. Is this the expected behavior?

We have many iOS devices that have xauth disabled in the profile, via an
MDM and we will have to update these devices to enable xauth, if we have to
use the xauth-noauth plugin. These iOS devices also sometimes connect to a
4.6.x strongswan. Will the xauth-noauth plugin work on the 4.6.x
version of strongswan?

When xauth is disabled on the iOS devices, and because the xauth-noauth
plugin did not work, the only way we can get the iOS devices to
successfully connect to strongswan responder seems to be by defining
modecfg=push.

regards,
sk



On Tue, Apr 7, 2015 at 12:28 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > for an actual iOS device, it seems that I have to define modecfg=push,
> > otherwise the iOS device connection fails (or hangs). We disable xauth
> > on the iOS device from the profile, but the iOS device still seems to
> > need a trigger to send its modecfg request message.
>
> Sending a Mode Config push to satisfy the client's XAuth request is
> certainly not advisable. The messages are very similar, but the purpose
> is completely different. You really should use Mode Config pull for
> Apple devices.
>
> > As regards to the xauth-noauth plugin, when we tested with it, we still ran
> > into the same problem. We do turn off xauth in the iOS profile installed on
> > the phone, but iOS has a bug in 8.x version of their software and they do
> > not honor it. There is a bug against apple for this, but I am not sure if
> > this has been fixed. But we still ran into the same problem with the
> > modecfg when we used the plugin.
>
> As Tobias suggested, you should use xauth-noauth plugin. It has been
> written exactly for these issues. It allows your client to expect that
> XAuth authentication, and you won't need that abused Push Mode for that.
>
> After XAuth has completed, the client triggers Mode Config in Pull mode,
> and strongSwan should be configured to accept that. This is the much
> cleaner approach than abusing Push mode to satisfy the XAuth exchange
> required by the client. If xauth-noauth does not work, I recommend
> investigating that.
>
> Regards
> Martin
>
>
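For reference, the responder setup Martin describes (real authentication by certificate, the client's mandatory XAuth round satisfied by xauth-noauth, virtual IP handed out with Mode Config pull rather than push), written out as an added strongSwan 5.x ipsec.conf example that is not from this thread or from the strongSwan project; the connection name, certificate names, identities and address pool are assumptions.

```ini
# /etc/ipsec.conf -- added example (strongSwan 5.x syntax), not from the thread.
# Requires a strongSwan build that includes the xauth-noauth plugin
# (it is not built by default; enable it at configure time).
config setup

conn ios-cert-xauth-noauth
    keyexchange=ikev1
    # Gateway side: authenticates with its own certificate.
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem            # assumed file name
    leftid=@vpn.example.org             # assumed identity
    leftsubnet=0.0.0.0/0
    # Client side: the certificate is the REAL authentication of the
    # iOS device; xauth-noauth below does not verify any credential,
    # so never combine it with a weak or missing phase-1 auth.
    right=%any
    rightauth=pubkey
    # Second authentication round: accept the XAuth exchange the iOS
    # client insists on, without checking username/password.
    rightauth2=xauth-noauth
    # After XAuth the client requests its address itself (pull).
    # Do NOT set modeconfig=push here; the push was only a workaround
    # for the missing XAuth round, not a Mode Config problem.
    modeconfig=pull
    rightsourceip=10.10.10.0/24         # assumed virtual IP pool
    rightdns=10.10.10.1                 # assumed DNS server
    auto=add
```

With this in place the device's phase-1 certificate check is what protects the gateway; xauth-noauth only removes the hang caused by the client expecting an XAuth round that no real credential backs.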