Issue #804

Split tunnelling does not work on MacOSX and iOS

Added by Alexander Ostapchuk almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
libcharon
Affected version:
dr|rc|master
Resolution:
No change required

Description

Split tunnelling does not work on MacOSX and iOS in 5.2.2rc1.

The patch from revision 02df52fd does not work on the native MacOSX clients (10.9.5 and 10.10.1) and iOS clients.

On the strongSwan server the following is set:

leftsubnet=192.168.24.0/24,192.168.26.0/24

After successful authentication and after sending the two subnets (UNITY_SPLIT_INCLUDE) I get on the server side:

Dec 28 17:06:46 router charon: 03[CFG] looking for a child config for 192.168.24.0/24 === 192.158.2.1/32
Dec 28 17:06:46 router charon: 03[CFG] proposing traffic selectors for us:
Dec 28 17:06:46 router charon: 03[CFG]  192.168.24.0/24
Dec 28 17:06:46 router charon: 03[CFG]  192.168.26.0/24
Dec 28 17:06:46 router charon: 03[CFG] proposing traffic selectors for other:
Dec 28 17:06:46 router charon: 03[CFG]  192.168.2.1/32
Dec 28 17:06:46 router charon: 03[CFG]   candidate "IPSEC-APPLE-RA" with prio 5+5
Dec 28 17:06:46 router charon: 03[CFG] found matching child config "IPSEC-APPLE-RA" with prio 10
Dec 28 17:06:46 router charon: 03[CFG] selecting traffic selectors for other:
Dec 28 17:06:46 router charon: 03[CFG]  config: 192.168.2.1/32, received: 192.168.2.1/32 => match: 192.168.2.1/32
Dec 28 17:06:46 router charon: 03[CFG] selecting traffic selectors for us:
Dec 28 17:06:46 router charon: 03[CFG]  config: 192.168.24.0/24, received: 192.168.24.0/24 => match: 192.168.24.0/24
Dec 28 17:06:46 router charon: 03[CFG]  config: 192.168.26.0/24, received: 192.168.24.0/24 => no match

Dec 28 17:06:46 router charon: 08[IKE]    0: 1F E2 91 96 05 DA 29 F7 15 B8 14 F2 77 A1 15 BB  ......).....w...
Dec 28 17:06:46 router charon: 08[IKE] CHILD_SA IPSEC-APPLE-RA{5} established with SPIs c4981663_i 0fc93659_o and TS 192.168.24.0/24 === 192.168.2.1/32

On MacOSX I see:

setkey -D
 <client_ip> <server_ip>
    esp mode=tunnel spi=3307424858(0xc5234c5a) reqid=17057(0x000042a1)
    E: aes-cbc  45f74bb8 3ce5f275 31344522 298612c9
    A: hmac-sha1  d849c152 b192fc5a a7a1b661 a188c161 d1a23ea6
    seq=0x00000000 replay=4 flags=0x00001002 state=mature
    created: Dec 28 16:09:36 2014    current: Dec 28 16:18:59 2014
    diff: 563(s)    hard: 3600(s)    soft: 2880(s)
    last:                         hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=1 pid=9920 refcnt=2
 <server_ip> <client_ip>
    esp mode=tunnel spi=100623561(0x05ff64c9) reqid=17058(0x000042a2)
    E: aes-cbc  efea0c4a c449ff5f a8a66f80 c075a526
    A: hmac-sha1  72ce7622 8d0abf4c 56ef2715 7a6a1532 8cc76c2f
    seq=0x00000000 replay=4 flags=0x00001002 state=mature
    created: Dec 28 16:09:36 2014    current: Dec 28 16:18:59 2014
    diff: 563(s)    hard: 3600(s)    soft: 2880(s)
    last:                         hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=9920 refcnt=2

setkey -DP
192.168.24.0/24[any] 192.168.2.1[any] any
    in ipsec
    esp/tunnel/<server_ip>-<client_ip>/unique#16922
    spid=924 seq=3 pid=8598
    refcnt=2
192.168.26.0/24[any] 192.168.2.1[any] any
    in ipsec
    esp/tunnel/<server_ip>-<client_ip>/unique#16924
    spid=926 seq=2 pid=8598
    refcnt=2
192.168.2.1[any] 192.168.24.0/24[any] any
    out ipsec
    esp/tunnel/<client_ip>-<server_ip>/unique#16921
    spid=923 seq=1 pid=8598
    refcnt=2
192.168.2.1[any] 192.168.26.0/24[any] any
    out ipsec
    esp/tunnel/<client_ip>-<server_ip>/unique#16923
    spid=925 seq=0 pid=8598
    refcnt=2

It seems that strongSwan is trying to create a separate SA for each TS, while MacOS uses only one SA for all TS; this was checked on a connection with a Cisco ASA.
But MacOSX does not send 0.0.0.0/0 as TS; it sends only the first subnet from UNITY_SPLIT_INCLUDE.

I saw the same situation on the server side when connecting from an iOS (8.1.1) device.

Dec 28 18:05:05 router charon: 04[IKE] IKE_SA IPSEC-RA[4] established between 192.168.1.1[192.168.1.1]...192.168.1.118[192.168.1.118]
Dec 28 18:05:05 router charon: 01[CFG] reassigning offline lease to 'xauthuser'
Dec 28 18:05:05 router charon: 01[CFG] proposing traffic selectors for us:
Dec 28 18:05:05 router charon: 01[CFG]  192.168.10.0/24
Dec 28 18:05:05 router charon: 01[CFG]  192.168.11.0/24
Dec 28 18:05:05 router charon: 01[CFG] sending UNITY_SPLIT_INCLUDE: 192.168.10.0/24 192.168.11.0/24
Dec 28 18:05:06 router charon: 04[CFG] looking for a child config for 192.168.10.0/24 === 192.168.2.1/32
Dec 28 18:05:06 router charon: 04[CFG] proposing traffic selectors for us:
Dec 28 18:05:06 router charon: 04[CFG]  192.168.10.0/24
Dec 28 18:05:06 router charon: 04[CFG]  192.168.11.0/24
Dec 28 18:05:06 router charon: 04[CFG] proposing traffic selectors for other:
Dec 28 18:05:06 router charon: 04[CFG]  192.168.2.1/32
Dec 28 18:05:06 router charon: 04[CFG]   candidate "IPSEC-RA" with prio 5+5
Dec 28 18:05:06 router charon: 04[CFG] found matching child config "IPSEC-RA" with prio 10
Dec 28 18:05:06 router charon: 04[CFG] selecting traffic selectors for other:
Dec 28 18:05:06 router charon: 04[CFG]  config: 192.168.2.1/32, received: 192.168.2.1/32 => match: 192.168.2.1/32
Dec 28 18:05:06 router charon: 04[CFG] selecting traffic selectors for us:
Dec 28 18:05:06 router charon: 04[CFG]  config: 192.168.10.0/24, received: 192.168.10.0/24 => match: 192.168.10.0/24
Dec 28 18:05:06 router charon: 04[CFG]  config: 192.168.11.0/24, received: 192.168.10.0/24 => no match

History

#1 Updated by Len Relsson almost 6 years ago

The SA for the second subnet will be established on the first network packet transmitted.

Try to ping some address from the second subnet.

After that you'll see another pair in SAD on MacOSX.

It works that way in my case. (MacOSX 10.10.1)
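As an added example (not code from this issue or from strongSwan), the following Python script parses charon log lines like those quoted above, replays the narrowing step ("config: X, received: Y => match / no match") and lists the split-include subnets for which no CHILD_SA has been established yet. After pinging an address in the second subnet, as comment #1 suggests, a fresh log should show that subnet dropping off the list. The sample log lines are constructed from the ones quoted in this issue.

```python
import ipaddress
import re

# Constructed sample, modelled on the charon log lines quoted in this issue:
# two subnets are proposed for "us", but only one CHILD_SA comes up initially.
SAMPLE_LOG = """\
Dec 28 17:06:46 router charon: 03[CFG] proposing traffic selectors for us:
Dec 28 17:06:46 router charon: 03[CFG]  192.168.24.0/24
Dec 28 17:06:46 router charon: 03[CFG]  192.168.26.0/24
Dec 28 17:06:46 router charon: 03[CFG] proposing traffic selectors for other:
Dec 28 17:06:46 router charon: 03[CFG]  192.168.2.1/32
Dec 28 17:06:46 router charon: 08[IKE] CHILD_SA IPSEC-APPLE-RA{5} established with SPIs c4981663_i 0fc93659_o and TS 192.168.24.0/24 === 192.168.2.1/32
"""

PROPOSE_US = re.compile(r"\[CFG\] proposing traffic selectors for us:$")
TS_LINE = re.compile(r"\[CFG\]\s+(\d+\.\d+\.\d+\.\d+/\d+)$")
ESTABLISHED = re.compile(r"CHILD_SA \S+ established with SPIs .* and TS (\S+) === (\S+)$")


def narrow(config_ts, received_ts):
    """Narrow a configured subnet against a received one, as charon does.

    Returns the common subnet (the 'match:' value) or None for 'no match'.
    """
    c = ipaddress.ip_network(config_ts, strict=False)
    r = ipaddress.ip_network(received_ts, strict=False)
    if r.subnet_of(c):
        return str(r)
    if c.subnet_of(r):
        return str(c)
    return None


def uncovered_subnets(log_text):
    """Proposed 'us' subnets that no established CHILD_SA traffic selector covers yet."""
    proposed, established, in_us = [], [], False
    for line in log_text.splitlines():
        if PROPOSE_US.search(line):
            in_us = True
            continue
        m = TS_LINE.search(line)
        if in_us and m:
            if m.group(1) not in proposed:
                proposed.append(m.group(1))
            continue
        in_us = False  # any other line ends the "for us" selector list
        m = ESTABLISHED.search(line)
        if m:
            established.append(m.group(1))
    return [p for p in proposed if not any(narrow(p, e) for e in established)]


if __name__ == "__main__":
    print("subnets without a CHILD_SA yet:", uncovered_subnets(SAMPLE_LOG))
```

Run it against your own charon log (for example the output of `journalctl -u strongswan` or the syslog file) by replacing SAMPLE_LOG with the file contents; an empty list means every split-include subnet has a CHILD_SA.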

#2 Updated by Alexander Ostapchuk almost 6 years ago

Hello!

Yes, on MacOS 10.9.5 it works too.

This issue must be closed. All works as expected.

#3 Updated by Tobias Brunner almost 6 years ago

  • Status changed from New to Closed
  • Resolution set to No change required
