Project

General

Profile

Actions

Bug #11539

closed

Mobile IPsec ``split_include`` value of ``0.0.0.0/0`` causes some clients to fail

Added by Jim Pingle about 3 years ago. Updated about 1 month ago.

Status:
Rejected
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
-
Start date:
02/25/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

Currently for mobile IPsec the code sets up subnet and split_include entries for IPv4/IPv6 pools based on the GUI setting for networks to send to clients.

When split_include has a value of 0.0.0.0/0, some clients will fail to connect. A forum user reported this for the built-in Android IKEv2 client but there may be others.

So we either need to figure out some better logic about what to put in each of subnet and split_include separately or at the very least, do not add 0.0.0.0/0 or ::/0 to split_include.

Also warrants some more research in strongSwan to ensure both of those fields are being used appropriately.


Files

11539-split-fix.diff (1.18 KB) 11539-split-fix.diff Jim Pingle, 03/04/2021 02:57 PM
Actions #1

Updated by Jim Pingle about 3 years ago

I can't find a client that can reproduce this so I can't confirm a fix. Attached is a patch which will omit 0.0.0.0/0 and ::/0 from the split_include line, or omit the line entirely if that is the only value.

Needs some testing before committing.

Actions #2

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Feedback
Actions #3

Updated by Jim Pingle almost 3 years ago

  • Plus Target Version set to 21.05
Actions #4

Updated by Jim Pingle almost 3 years ago

  • Plus Target Version changed from 21.05 to 21.09

Nothing committed here yet and only one data point on if it's beneficial. Bumping this one up for the moment. I'd like to find a way to reproduce this and check that it doesn't break existing setups first.

Actions #5

Updated by Jim Pingle over 2 years ago

  • Plus Target Version changed from 21.09 to 22.01

There are other changes in 21.09 which may fix this, but leaving it open and moving target for now in case it needs additional work. Can remove target and close it if it works OK on 21.09.

Actions #6

Updated by Jim Pingle over 2 years ago

  • Plus Target Version changed from 22.01 to 22.05
Actions #7

Updated by Jim Pingle almost 2 years ago

  • Plus Target Version changed from 22.05 to 22.09

Still no meaningful feedback here, can keep waiting until someone who can replicate the original problem can confirm if the suggested change helps.

Actions #8

Updated by Marcos M almost 2 years ago

Tested on 22.05 - I couldn't reproduce the original issue using the native (OxygenOS) android 11 IKEv2 MSCHAPv2 client.

Actions #9

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.09 to 22.11
Actions #10

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #11

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Ready To Test
  • Plus Target Version changed from 23.01 to 23.05

Still no feedback on the proposed fix

Actions #12

Updated by Jim Pingle over 1 year ago

  • Subject changed from Mobile IPsec "split_include" value of 0.0.0.0/0 causes some clients to fail to Mobile IPsec ``split_include`` value of ``0.0.0.0/0`` causes some clients to fail

Updating subject for release notes.

Actions #13

Updated by Jim Pingle 10 months ago

  • Plus Target Version changed from 23.05 to 23.09
Actions #14

Updated by Jim Pingle 7 months ago

  • Plus Target Version changed from 23.09 to 24.01

Still waiting on an affected user to test and offer feedback.

Actions #15

Updated by Jim Pingle 6 months ago

  • Plus Target Version changed from 24.01 to 24.03
Actions #16

Updated by Jim Pingle about 1 month ago

  • Status changed from Ready To Test to Rejected
  • Target version deleted (CE-Next)
  • Plus Target Version deleted (24.03)

The original reporter(s) of this issue have long since disappeared and nobody else seems to be able to reproduce the problem or offer feedback on the proposed change.

Closing this out for now but we can reopen this if anyone can offer meaningful feedback or specific instructions to reproduce the problem.

Actions

Also available in: Atom PDF