Bug #11539

Mobile IPsec "split_include" value of 0.0.0.0/0 causes some clients to fail

Added by Jim Pingle about 2 months ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/25/2021
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:
Release Notes: Default

Description

Currently for mobile IPsec the code sets up subnet and split_include entries for IPv4/IPv6 pools based on the GUI setting for networks to send to clients.

When split_include has a value of 0.0.0.0/0, some clients will fail to connect. A forum user reported this for the built-in Android IKEv2 client but there may be others.

So we either need to figure out some better logic about what to put in each of subnet and split_include separately or at the very least, do not add 0.0.0.0/0 or ::/0 to split_include.

Also warrants some more research in strongSwan to ensure both of those fields are being used appropriately.

11539-split-fix.diff (1.18 KB) Jim Pingle, 03/04/2021 02:57 PM

History

#1 Updated by Jim Pingle about 1 month ago

I can't find a client that can reproduce this so I can't confirm a fix. Attached is a patch which will omit 0.0.0.0/0 and ::/0 from the split_include line, or omit the line entirely if that is the only value.

Needs some testing before committing.

#2 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Feedback
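The filtering described in note #1, as an added Python sketch that is not the attached patch or the project's own code: it drops any entry with prefix length 0 (however it is spelled) from split_include and omits the line when nothing else remains. The function names and the comma-separated `split_include = ...` line format are assumptions made for illustration.

```python
import ipaddress


def is_default_route(entry: str) -> bool:
    """Return True when the entry covers a whole address family (prefix length 0)."""
    # strict=False so spellings with host bits set, e.g. "10.0.0.1/0", still parse.
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return net.prefixlen == 0


def split_include_line(networks):
    """Build the split_include line, or return None when it should be omitted.

    networks: iterable of CIDR strings from the "networks to send to clients"
    setting. Invalid entries raise ValueError (from ipaddress) rather than
    being written to the config.
    """
    kept = []
    for entry in networks:
        entry = entry.strip()
        if not entry:
            continue
        if is_default_route(entry):
            # 0.0.0.0/0, ::/0 and equivalent spellings are left out entirely.
            continue
        kept.append(entry)
    if not kept:
        # Only default routes were configured: emit no split_include line.
        return None
    # Assumed output format: one key = value line with comma-separated networks.
    return "split_include = " + ",".join(kept)


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ["0.0.0.0/0"],
        ["0.0.0.0/0", "::/0"],
        ["10.0.0.0/8", "0.0.0.0/0", "fd00::/8", "0::/0"],
    ]
    for sample in samples:
        print(sample, "->", split_include_line(sample))
```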
