Issue #261

Split tunnel and CHILD_SA

Added by Kris Jobs almost 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
charon
Affected version:
5.0.1
Resolution:
No feedback

Description

Version: 5.0.2

ipsec pool --statusattr
 type  description           pool        identity              value
    3  INTERNAL_IP4_DNS      ippoolspt                         106.187.34.20
    3  INTERNAL_IP4_DNS      ippoolspt                         106.187.35.20
    3  INTERNAL_IP4_DNS      ippoolspt                         106.187.36.20
28672  UNITY_BANNER          ippoolspt                        "Split" 
28675  UNITY_SPLITDNS_NAME   ippoolspt                        "twitter.com" 
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         106.187.34.20/255.255.255.255
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         106.187.35.20/255.255.255.255
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         106.187.36.20/255.255.255.255
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         199.0.0.0/255.0.0.0

config:

conn spt
        type=tunnel
        auto=start
        installpolicy=yes
        leftfirewall=yes
        forceencaps=yes
        rekey=no
        left=%defaultroute
        leftsourceip=10.18.16.1
        leftsubnet=0.0.0.0/0
        rightsourceip=%ippoolspt
        reauth=no
        dpdaction=clear

The VPN can be connected on iOS; it is expected to tunnel only 199.0.0.0/8 through the VPN. When the VPN is established, I can ping 199.59.148.82, but after a while (about 30s) pings to 199.59.148.82 time out while the VPN remains established.

I can see the CHILD_SA being recreated a lot in the log:

Dec  8 21:17:01 12[IKE] CHILD_SA spt{2} established with SPIs c53996e0_i 0dbef4ec_o and TS 0.0.0.0/0 === 10.18.16.2/32 
Dec  8 21:17:11 14[NET] received packet: from 22.221.177.137[4500] to 106.187.9.209[4500]
Dec  8 21:17:11 14[ENC] parsed QUICK_MODE request 3699407523 [ HASH SA No ID ID ]
Dec  8 21:17:11 14[IKE] received 3600s lifetime, configured 0s
Dec  8 21:17:11 14[ENC] generating QUICK_MODE response 3699407523 [ HASH SA No ID ID ]
Dec  8 21:17:11 14[NET] sending packet: from 106.187.9.209[4500] to 22.221.177.137[4500]
Dec  8 21:17:11 07[NET] received packet: from 22.221.177.137[4500] to 106.187.9.209[4500]
Dec  8 21:17:11 07[ENC] parsed QUICK_MODE request 3699407523 [ HASH ]
Dec  8 21:17:11 07[IKE] CHILD_SA spt{3} established with SPIs c3da7fd3_i 0136e987_o and TS 0.0.0.0/0 === 10.18.16.2/32 
Dec  8 21:18:21 10[NET] received packet: from 22.221.177.137[4500] to 106.187.9.209[4500]
Dec  8 21:18:21 10[ENC] parsed QUICK_MODE request 2938282930 [ HASH SA No ID ID ]
Dec  8 21:18:21 10[IKE] received 3600s lifetime, configured 0s
Dec  8 21:18:21 10[ENC] generating QUICK_MODE response 2938282930 [ HASH SA No ID ID ]
Dec  8 21:18:21 10[NET] sending packet: from 106.187.9.209[4500] to 22.221.177.137[4500]
Dec  8 21:18:21 12[NET] received packet: from 22.221.177.137[4500] to 106.187.9.209[4500]
Dec  8 21:18:21 12[ENC] parsed QUICK_MODE request 2938282930 [ HASH ]
Dec  8 21:18:21 12[IKE] CHILD_SA spt{4} established with SPIs cbbaac60_i 0ae45228_o and TS 0.0.0.0/0 === 10.18.16.2/32

This seems like a weird bug; I tried the same split tunnel scenario in racoon, and it works fine with iOS, but strongSwan doesn't.

log.txt (13.4 KB) log.txt Kris Jobs, 14.12.2012 19:59
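The log excerpt above shows the same CHILD_SA for conn spt being re-established 10 seconds and then 70 seconds after the previous one, each time with the responder noting that the peer proposed a 3600s lifetime while the configured lifetime is 0s (rekey=no). The following Python script is an added example, not part of the ticket or of strongSwan: it parses charon log lines of this shape, groups CHILD_SA establishments per connection, computes the seconds between successive ones, and flags a connection as churning when an interval is shorter than a threshold. It also collects lifetime mismatches. The sample lines are copied from the ticket; the 300s churn threshold and the function names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample: charon log lines copied from the ticket (syslog format, no year).
SAMPLE_LOG = """\
Dec  8 21:17:01 12[IKE] CHILD_SA spt{2} established with SPIs c53996e0_i 0dbef4ec_o and TS 0.0.0.0/0 === 10.18.16.2/32
Dec  8 21:17:11 14[NET] received packet: from 22.221.177.137[4500] to 106.187.9.209[4500]
Dec  8 21:17:11 14[IKE] received 3600s lifetime, configured 0s
Dec  8 21:17:11 07[IKE] CHILD_SA spt{3} established with SPIs c3da7fd3_i 0136e987_o and TS 0.0.0.0/0 === 10.18.16.2/32
Dec  8 21:18:21 10[IKE] received 3600s lifetime, configured 0s
Dec  8 21:18:21 12[IKE] CHILD_SA spt{4} established with SPIs cbbaac60_i 0ae45228_o and TS 0.0.0.0/0 === 10.18.16.2/32
"""

# "CHILD_SA <conn>{<id>} established with SPIs <in>_i <out>_o and TS <local> === <remote>"
ESTABLISHED = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \d+\[IKE\] CHILD_SA "
    r"(?P<conn>[^{\s]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)"
)
# Responder-side note comparing the peer's proposed IPsec SA lifetime with the configured one.
LIFETIME = re.compile(r"received (?P<received>\d+)s lifetime, configured (?P<configured>\d+)s")


def parse_syslog_stamp(stamp):
    """Parse 'Dec  8 21:17:01'. Syslog carries no year, so strptime yields
    1900; that is fine for computing intra-day intervals."""
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")


def analyze_child_sa_churn(log_text, churn_threshold=300):
    """Return (report, mismatches).

    report maps each connection name to the number of CHILD_SA establishments,
    the seconds between successive ones, and a 'churn' flag set when any
    interval is shorter than churn_threshold (assumed 300 s here).
    mismatches lists (received, configured) lifetime pairs that differ."""
    events = {}
    mismatches = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            events.setdefault(m["conn"], []).append(
                (parse_syslog_stamp(m["stamp"]), int(m["id"]), m["spi_i"], m["spi_o"])
            )
            continue
        m = LIFETIME.search(line)
        if m and m["received"] != m["configured"]:
            mismatches.append((int(m["received"]), int(m["configured"])))

    report = {}
    for conn, evs in events.items():
        evs.sort(key=lambda e: e[0])
        intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(evs, evs[1:])]
        report[conn] = {
            "establishments": len(evs),
            "unique_inbound_spis": len({e[2] for e in evs}),
            "intervals": intervals,
            "churn": any(i < churn_threshold for i in intervals),
        }
    return report, mismatches


if __name__ == "__main__":
    report, mismatches = analyze_child_sa_churn(SAMPLE_LOG)
    for conn, info in report.items():
        print(conn, info)
    print("lifetime mismatches:", mismatches)
```

Run against the sample, the script reports three establishments for spt with intervals of 10 and 70 seconds, marks the connection as churning, and lists two (3600, 0) lifetime mismatches; on a full log.txt it would give the timeline Tobias asks for in the replies below without reading the file by hand.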

Related issues

Related to Issue #921: UNITY_SPLITDNS_NAME omits first domain with multiple domains, appends p to end of last or only domain (Closed, 03.04.2015)

History

#1 Updated by Tobias Brunner almost 7 years ago

  • Category set to charon
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

Since you use at least 5.0.1, you should definitely try the unity plugin instead of assigning the UNITY_SPLIT_INCLUDE attributes via the attr or attr-sql plugins.

With the unity plugin you can assign the subnets with

leftsubnet=106.187.34.20/32,106.187.35.20/32,106.187.36.20/32,199.0.0.0/8

I'm not sure, though, if this fixes your exact problem. It seems the iOS client gets stuck in some kind of loop where it recreates the IPsec SA over and over again. A more complete log (with the initial SA setup) might help if it doesn't fix the issue. You could also try to get the iOS device's log via iPhone Configuration Utility.
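Following the suggestion above means restating the address/netmask pairs stored as UNITY_SPLIT_INCLUDE in the pool as CIDR prefixes for leftsubnet. The following Python script is an added example, not part of the ticket or of strongSwan: it parses the "ipsec pool --statusattr" output shown in the ticket, converts each UNITY_SPLIT_INCLUDE value (attribute type 28676) to prefix notation with the standard ipaddress module, and rejects masks that are not contiguous or that leave host bits set instead of silently emitting a subnet that differs from what the attribute meant. The sample rows are copied from the ticket; the pool-name filter and the function name are assumptions.

```python
import ipaddress

# Constructed sample: rows copied from the ticket's 'ipsec pool --statusattr' output.
STATUSATTR = """\
 type  description           pool        identity              value
    3  INTERNAL_IP4_DNS      ippoolspt                         106.187.34.20
28672  UNITY_BANNER          ippoolspt                        "Split"
28675  UNITY_SPLITDNS_NAME   ippoolspt                        "twitter.com"
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         106.187.34.20/255.255.255.255
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         106.187.35.20/255.255.255.255
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         106.187.36.20/255.255.255.255
28676  UNITY_SPLIT_INCLUDE   ippoolspt                         199.0.0.0/255.0.0.0
"""

UNITY_SPLIT_INCLUDE = "28676"  # attribute type as printed by 'ipsec pool --statusattr'


def split_include_to_leftsubnet(statusattr_text, pool=None):
    """Collect UNITY_SPLIT_INCLUDE rows (optionally for one pool) and return
    (leftsubnet_value, errors): the comma-separated CIDR list the unity plugin
    expects in leftsubnet, and a list of (value, reason) for rows that could
    not be converted safely."""
    nets = []
    errors = []
    for line in statusattr_text.splitlines():
        fields = line.split()
        # columns: type, description, pool, [identity], value; identity is usually blank
        if len(fields) < 4 or fields[0] != UNITY_SPLIT_INCLUDE:
            continue
        if pool is not None and fields[2] != pool:
            continue
        value = fields[-1]
        try:
            # IPv4Network accepts both addr/prefixlen and addr/dotted-netmask.
            # With the default strict=True it raises on non-contiguous masks
            # and on addresses with host bits set, rather than guessing.
            net = ipaddress.IPv4Network(value)
        except ValueError as exc:
            errors.append((value, str(exc)))
            continue
        if net not in nets:  # keep order, drop duplicate rows
            nets.append(net)
    return ",".join(net.with_prefixlen for net in nets), errors


if __name__ == "__main__":
    value, errors = split_include_to_leftsubnet(STATUSATTR, pool="ippoolspt")
    print("leftsubnet=" + value)
    for bad, reason in errors:
        print("skipped", bad, "->", reason)
```

On the ticket's rows this prints leftsubnet=106.187.34.20/32,106.187.35.20/32,106.187.36.20/32,199.0.0.0/8, the same line Tobias gives; a row such as 10.1.2.3/255.255.255.0 would be reported rather than converted, since it is ambiguous whether the host or the /24 was intended.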

#2 Updated by Kris Jobs almost 7 years ago

Hi, using leftsubnet doesn't fix the issue, log attached. Another problem I found is the split DNS; it is pushed to iOS like:

SPLITDNS-NAME[1] = twitter.comp.

which should be twitter.com. ?

#3 Updated by Tobias Brunner almost 7 years ago

SPLITDNS-NAME[1] = twitter.comp.

In my quick tests the value is sent correctly. Could be that it is an issue on the client. Unfortunately, the source code of that part of configd seems to be closed source (all VPN*.[ch] files on opensource.apple.com just contain a short header). So I can't verify this.

Did you delete the UNITY_SPLIT_INCLUDE attributes defined in the database before you tried with the unity plugin?

#4 Updated by Kris Jobs almost 7 years ago

Yes, UNITY_SPLIT_INCLUDE deleted, only UNITY_SPLITDNS_NAME UNITY_BANNER INTERNAL_IP4_DNS are there.

#5 Updated by Tobias Brunner almost 7 years ago

Hm, ok. Did you already try the release candidate for 5.0.2? If that doesn't help...

I tried this same split tunnel scenario in racoon, it works fine with iOS, but Strongswan doesn't.

It would be great if you could increase the log levels of both racoon and charon so that they both log raw payload data (for charon increase the log level of the enc log group to 3, see LoggerConfiguration) and then rerun your test and post the two logs (if possible the client logs of the two test runs too). This will allow us to compare the contents of the UNITY_SPLIT_INCLUDE payload (and if necessary other payloads), which might enable us to pinpoint the reason for this issue.

#6 Updated by Tobias Brunner over 6 years ago

  • Tracker changed from Bug to Issue
  • Status changed from Feedback to Closed
  • Resolution set to No feedback

I recently had a discussion on serverfault.com that showed that UNITY_SPLITDNS_NAME (28675) works as expected.

Not sure about the other issues, but I'll close this for now. If there is still a problem please open a new ticket.

#7 Updated by Tobias Brunner over 4 years ago

  • Related to Issue #921: UNITY_SPLITDNS_NAME omits first domain with multiple domains, appends p to end of last or only domain added
