<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Miroslav,<br>
<br>
Thank you for responding. I believe the second device connecting is
getting the same IP address as the first.<br>
<br>
Here's a log I spit out of the updown scripts; both devices get
10.255.0.1/32, while the intent is to have 10.255.0.0/16 as a pool of
addresses for the connecting devices.<br>
<br>
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'<br>
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 7 --dir in<br>
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478' out '5161' packets in '17' out '14'<br>
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0' out '0' packets in '0' out '0'<br>
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 8 --dir in<br>
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937' out '9212' packets in '28' out '23'<br>
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'<br>
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 9 --dir in<br>
<br>
and the route<br>
ip route list table 220<br>
10.255.0.1 via 10.199.65.193 dev eth0 proto static<br>
<br>
statusall only shows the first device to connect<br>
Status of IKE charon daemon (strongSwan 5.3.0, Linux
3.2.0-54-virtual, x86_64):<br>
 uptime: 18 minutes, since Apr 24 15:04:24 2015<br>
 malloc: sbrk 2555904, mmap 0, used 473168, free 2082736<br>
 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 23<br>
 loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink
resolve socket-default stroke updown xauth-generic<br>
Virtual IP pools (size/online/offline):<br>
 10.255.0.0/16: 65534/1/0<br>
Listening IP addresses:<br>
 10.199.65.236<br>
 10.0.0.116<br>
 10.0.1.10<br>
 10.0.1.12<br>
 10.0.0.242<br>
 10.0.0.120<br>
 10.0.0.122<br>
 10.0.0.238<br>
Connections:<br>
        ios: %any,0.0.0.0/0,::/0...%any IKEv1<br>
        ios:  local: [C=US, ST=California, L=New York, O=Internet
Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
E=support@actmobile.com] uses public key authentication<br>
        ios:   cert: "C=US, ST=California, L=New York, O=Internet
Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
E=support@actmobile.com"<br>
        ios:  remote: uses public key authentication<br>
        ios:  remote: uses XAuth authentication: any<br>
        ios:  child: 0.0.0.0/0 === dynamic TUNNEL<br>
Security Associations (1 up, 0 connecting):<br>
        ios[12]: ESTABLISHED 2 minutes ago, 10.199.65.236[C=US,
ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile,
CN=ipsec.corp.actmobile.com,
E=support@actmobile.com]...166.170.42.208[C=US, O=strongSwan,
CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]<br>
        ios[12]: Remote XAuth identity: actmobile<br>
        ios[12]: IKEv1 SPIs: 387433cc7c4e0cf7_i
b7f0e6ff754ca158_r*, public key reauthentication in 2 hours<br>
        ios[12]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br>
        ios{11}: INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs:
cca21352_i 0ef3c1ab_o<br>
        ios{11}: AES_CBC_128/HMAC_SHA1_96, 1534 bytes_i (18 pkts,
104s ago), 5393 bytes_o (15 pkts, 104s ago), rekeying in 23 hours<br>
        ios{11}:  0.0.0.0/0 === 10.255.0.1/32 <br>
<br>
Here's the conn from ipsec.conf. Do I really need to set up a DHCP
service instead?<br>
<br>
conn ios<br>
   keyexchange=ikev1<br>
   authby=xauthrsasig<br>
   xauth=server<br>
   left=%any<br>
   leftsubnet=0.0.0.0/0<br>
   leftsourceip = %modeconfig<br>
   leftallowany = yes<br>
   lefthostaccess=yes<br>
   leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown<br>
   leftcert=serverCert.pem<br>
   right=%any<br>
   rightsourceip=10.255.0.0/16<br>
   rightfirewall=yes<br>
   righthostaccess=yes<br>
   auto=start<br>
   rekey=yes<br>
   fragmentation=yes<br>
   lifetime=24h<br>
   dpddelay=0<br>
   dpdtimeout=24h<br>
<br>
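An added example, not code from this thread or from strongSwan: a small Python check that replays the updown-script log quoted in this message and reports, per virtual IP, whether the address was handed to a second peer while the first still held it ("overlap") or simply handed straight back out to a different peer after the previous holder's down-client ("reuse"). It assumes the log layout shown above, where the peer-identity line is followed by the address line; the sample log is constructed from the quoted lines.

```python
import re

# Sample log constructed from the updown-script lines quoted in this message.
SAMPLE_LOG = """\
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478' out '5161' packets in '17' out '14'
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 8 --dir in
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937' out '9212' packets in '28' out '23'
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 9 --dir in
"""

# Peer line: "<up|down>-client <peer DN> bytes in '...' out '...' ..."
PEER_RE = re.compile(r"^(?P<action>up|down)-client (?P<peer>.+?) bytes in ")
# Address line: "up-client <iface> <vlan> <virtual IP>/<len> <local addr> ..."
VIP_RE = re.compile(r"^up-client \S+ \d+ (?P<vip>\d+(?:\.\d+){3})/\d+ \S+ ")


def audit_leases(log_text):
    """Replay the log and return (holders, findings).

    holders: virtual IP -> peer DN still holding it when the log ends.
    findings: ("overlap", vip, old, new) if an address is handed out while
    another peer still holds it; ("reuse", vip, old, new) if it goes straight
    back to a different peer after the previous holder's down-client.
    """
    holders, last_holder, findings, pending = {}, {}, [], None
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            if m.group("action") == "up":
                pending = m.group("peer")  # the address line follows
            else:  # down-client: release whatever this peer held
                holders = {v: p for v, p in holders.items() if p != m.group("peer")}
            continue
        m = VIP_RE.match(line)
        if m and pending:
            vip = m.group("vip")
            if holders.get(vip) not in (None, pending):
                findings.append(("overlap", vip, holders[vip], pending))
            elif last_holder.get(vip) not in (None, pending):
                findings.append(("reuse", vip, last_holder[vip], pending))
            holders[vip] = last_holder[vip] = pending
            pending = None
    return holders, findings


if __name__ == "__main__":
    for kind, vip, old, new in audit_leases(SAMPLE_LOG)[1]:
        print(f"{kind}: {vip} moved from {old} to {new}")
```

On the quoted lines it reports two "reuse" findings and no "overlap": each up-client for one identity is preceded by a down-client for the other, so the log shows the sessions replacing each other on 10.255.0.1 rather than holding it at the same time.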
<div class="moz-cite-prefix">On 4/24/15 12:51 AM, Miroslav Svoboda
wrote:<br>
</div>
<blockquote
cite="mid:0115beb0-fc28-4267-a1f0-928711fa7dd5@googlegroups.com"
type="cite">
<div dir="ltr">Please can you provide:
<div>- log with default loglevel set to 2, showing the start of both
iPhones' connections</div>
<div>- output of command "strongswan statusall" at the time both
iPhones are connected</div>
<div>- route table and iptables rules (tables filter, nat,
mangle)</div>
<div><br>
</div>
<div>I believe this question would next time be a better fit for the
users list, and might even get answered quicker there.</div>
<div><br>
</div>
<div>Miroslav</div>
<br>
On Thursday, April 23, 2015 at 4:40:15 PM UTC+2, Andrew Foss
wrote:
<blockquote class="gmail_quote" style="margin: 0;margin-left:
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">I am
bringing up an IPsec server for our iOS users and suspect my "left"
parameters aren't quite right, but so far my changes have made it not
work at all and I am not fully understanding the descriptions. I am
running 5.3.0; our ifupdown scripts open iptables rules to allow access
to DNS and the servers.
<br>
<br>
What I see is: the first device on a network connects and works fine.
The second device connects and neither works; the second device gets
disconnected, as if the routing/NAT handling is sending packets down the
wrong tunnel.
<br>
<br>
Here's my config. I suspect leftsubnet should be 0/0; these are just
devices connecting for themselves, not another VPN gateway connecting a
network. Any pointers?
<br>
<br>
conn ios
<br>
   keyexchange=ikev1
<br>
   #esp=null-sha1!
<br>
   authby=xauthrsasig
<br>
   xauth=server
<br>
   left=%defaultroute
<br>
   leftsubnet=0.0.0.0/0
<br>
   #leftsubnet=10.66.0.0/16
<br>
   #leftfirewall=yes
<br>
   leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
<br>
   leftcert=serverCert.pem
<br>
   right=%any
<br>
   rightsourceip=10.0.0.0/16
<br>
   #rightsourceip=10.100.255.0/28
<br>
   #rightcert=clientCert.pem
<br>
   #pfs=no
<br>
   auto=start
<br>
   rekey=yes
<br>
   fragmentation=yes
<br>
   lifetime=24h
<br>
   dpddelay=0
<br>
   dpdtimeout=24h
<br>
<br>
thanks,
<br>
andrew
<br>
_______________________________________________
<br>
Dev mailing list
<br>
<a href="mailto:Dev@lists.strongswan.org">Dev@lists.strongswan.org</a>
<br>
<a href="https://lists.strongswan.org/mailman/listinfo/dev">https://lists.strongswan.org/mailman/listinfo/dev</a>
<br>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>