<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Miroslav,<br>
<br>
thank you for responding. I believe the second device connecting is
getting the same IP address as the first.<br>
<br>
Here's a log spit out by the updown scripts; both devices get
10.255.0.1/32, while the intent is to have 10.255.0.0/16 as a pool of
addresses for the connecting devices.<br>
<br>
<pre>
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478' out '5161' packets in '17' out '14'
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 8 --dir in
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937' out '9212' packets in '28' out '23'
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 9 --dir in
</pre>
<br>
and the route:<br>
<pre>
ip route list table 220
10.255.0.1 via 10.199.65.193 dev eth0 proto static
</pre>
<br>
statusall only shows the first device to connect:<br>
<pre>
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.2.0-54-virtual, x86_64):
  uptime: 18 minutes, since Apr 24 15:04:24 2015
  malloc: sbrk 2555904, mmap 0, used 473168, free 2082736
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 23
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
  10.255.0.0/16: 65534/1/0
Listening IP addresses:
  10.199.65.236
  10.0.0.116
  10.0.1.10
  10.0.1.12
  10.0.0.242
  10.0.0.120
  10.0.0.122
  10.0.0.238
Connections:
         ios:  %any,0.0.0.0/0,::/0...%any  IKEv1
         ios:   local:  [C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support@actmobile.com] uses public key authentication
         ios:    cert:  "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support@actmobile.com"
         ios:   remote: uses public key authentication
         ios:   remote: uses XAuth authentication: any
         ios:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
     ios[12]: ESTABLISHED 2 minutes ago, 10.199.65.236[C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support@actmobile.com]...166.170.42.208[C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
     ios[12]: Remote XAuth identity: actmobile
     ios[12]: IKEv1 SPIs: 387433cc7c4e0cf7_i b7f0e6ff754ca158_r*, public key reauthentication in 2 hours
     ios[12]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
     ios{11}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: cca21352_i 0ef3c1ab_o
     ios{11}:  AES_CBC_128/HMAC_SHA1_96, 1534 bytes_i (18 pkts, 104s ago), 5393 bytes_o (15 pkts, 104s ago), rekeying in 23 hours
     ios{11}:   0.0.0.0/0 === 10.255.0.1/32
</pre>
<br>
Here's the conn from ipsec.conf. Do I really need to set up a DHCP
service instead?<br>
<pre>
conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%any
        leftsubnet=0.0.0.0/0
        leftsourceip=%modeconfig
        leftallowany=yes
        lefthostaccess=yes
        leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
        leftcert=serverCert.pem
        right=%any
        rightsourceip=10.255.0.0/16
        rightfirewall=yes
        righthostaccess=yes
        auto=start
        rekey=yes
        fragmentation=yes
        lifetime=24h
        dpddelay=0
        dpdtimeout=24h
</pre>
<br>
<div class="moz-cite-prefix">On 4/24/15 12:51 AM, Miroslav Svoboda
wrote:<br>
</div>
<blockquote
cite="mid:0115beb0-fc28-4267-a1f0-928711fa7dd5@googlegroups.com"
type="cite">
<div dir="ltr">Can you please provide:
<div>- a log with the default loglevel set to 2, showing the start of
both iPhones' connections</div>
<div>- the output of the command "strongswan statusall" at the time both
iPhones are connected</div>
<div>- the route table and iptables rules (tables filter, nat,
mangle)</div>
<div><br>
</div>
<div>I believe this question would next time be a better fit for the
users list and might even get answered quicker there.</div>
<div><br>
</div>
<div>Miroslav</div>
<br>
On Thursday, April 23, 2015 at 4:40:15 PM UTC+2, Andrew Foss
wrote:
<blockquote class="gmail_quote" style="margin: 0;margin-left:
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">I am
bringing up an ipsec server for our iOS users and suspect my
"left" parameters aren't quite right, but so far my changes have made
it not work at all, and I am not fully understanding the descriptions.
I am running 5.3.0; our ifupdown scripts open iptables rules to
allow access to DNS and the servers.
<br>
<br>
What I see is: the first device on a network connects and works
fine. The second device connects and neither works; the second device
gets disconnected, as if the routing/NAT handling is sending packets
down the wrong tunnel.
<br>
<br>
Here's my config. I suspect leftsubnet should be 0/0; these are just
devices connecting for themselves, not another VPN gateway connecting a
network. Any pointers?
<br>
<br>
<pre>
conn ios
        keyexchange=ikev1
        #esp=null-sha1!
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        #leftsubnet=10.66.0.0/16
        #leftfirewall=yes
        leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
        leftcert=serverCert.pem
        right=%any
        rightsourceip=10.0.0.0/16
        #rightsourceip=10.100.255.0/28
        #rightcert=clientCert.pem
        #pfs=no
        auto=start
        rekey=yes
        fragmentation=yes
        lifetime=24h
        dpddelay=0
        dpdtimeout=24h
</pre>
<br>
thanks,
<br>
andrew
<br>
_______________________________________________
<br>
Dev mailing list
<br>
<a href="mailto:Dev@lists.strongswan.org">Dev@lists.strongswan.org</a>
<br>
<a href="https://lists.strongswan.org/mailman/listinfo/dev">https://lists.strongswan.org/mailman/listinfo/dev</a>
<br>
</blockquote>
</div>
</blockquote>
<br>
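Editor's note with an added example; this is not code from the thread or from the strongSwan project. The updown lines Andrew posted show 10.255.0.1/32 handed out three times, but every up-client for one CN is preceded by a down-client for the other CN, and statusall lists a single SA with the pool at 1 online. That is a different failure from a pool handing the same address to two clients at once, and it is worth telling the two apart before changing pool settings. The script below parses lines in the format of Andrew's own updown script (the sample input is copied from the post; the second sample is constructed) and reports, per virtual IP, whether the address was ever assigned while another client still held it, or only released by one client and then reassigned to the next. The line format, the CN-based client naming and all function names are this example's assumptions, not strongSwan output or API.<br>
<br>
```python
"""Added example: classify virtual-IP reuse from updown-script output.

Not from the mailing-list post or from strongSwan. The line format is
that of the poster's own updown script, not charon's native log.
"""
import re
from dataclasses import dataclass, field

# Sample input: the eight updown lines from the post, one per line.
SAMPLE_LOG = """\
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478' out '5161' packets in '17' out '14'
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 8 --dir in
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937' out '9212' packets in '28' out '23'
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 9 --dir in
"""

# Constructed input (not from the post): the second client receives the
# address while the first is still up, i.e. a genuine double assignment.
OVERLAP_LOG = """\
up-client C=US, O=strongSwan, CN=client-a bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 1 --dir in
up-client C=US, O=strongSwan, CN=client-b bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 2 --dir in
"""

# First line of each event: action and the peer DN, followed by counters.
ID_LINE = re.compile(r"^(up|down)-client (.+?) bytes in '(\d+)' out '(\d+)'")
# Second line of an up event: interface, flag, virtual IP, local address, reqid.
VIP_LINE = re.compile(r"^up-client \S+ \d+ (\S+/\d+) \S+ .*--reqid (\d+)")


@dataclass
class Lease:
    vip: str
    client: str
    reqid: int


@dataclass
class Report:
    # vip -> ordered list of (client CN, reqid) that were assigned it
    history: dict = field(default_factory=dict)
    # (vip, current holder, newcomer): assigned while still held
    overlaps: list = field(default_factory=list)
    # (vip, previous holder, next holder): released, then reassigned
    handovers: list = field(default_factory=list)


def cn_of(dn: str) -> str:
    """Use the CN as the client name; fall back to the whole DN."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn


def analyse(log: str) -> Report:
    report = Report()
    active = {}         # vip -> Lease currently installed
    last_released = {}  # vip -> CN of the client that just gave it back
    pending = None      # CN from the most recent up-client DN line
    for line in log.splitlines():
        m = ID_LINE.match(line)
        if m:
            action, cn = m.group(1), cn_of(m.group(2))
            if action == "up":
                pending = cn
            else:
                for vip, lease in list(active.items()):
                    if lease.client == cn:
                        del active[vip]
                        last_released[vip] = cn
            continue
        m = VIP_LINE.match(line)
        if m and pending:
            vip, reqid = m.group(1), int(m.group(2))
            previous = last_released.pop(vip, None)
            if vip in active and active[vip].client != pending:
                report.overlaps.append((vip, active[vip].client, pending))
            elif previous and previous != pending:
                report.handovers.append((vip, previous, pending))
            active[vip] = Lease(vip, pending, reqid)
            report.history.setdefault(vip, []).append((pending, reqid))
            pending = None
    return report


def verdict(report: Report) -> str:
    if report.overlaps:
        return "double assignment: pool handed out an address still in use"
    if report.handovers:
        return "sequential reuse: each lease ended before the next began"
    return "no shared addresses"


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed overlap", OVERLAP_LOG)):
        r = analyse(log)
        print(f"{name}: {verdict(r)}")
        for vip, holders in r.history.items():
            print("  " + vip + ": " + " -> ".join(f"{cn} (reqid {q})" for cn, q in holders))
```

On the posted log the script reports sequential reuse, not a double assignment: the pool only ever has one address outstanding, which matches the 65534/1/0 pool line in statusall. When the pattern looks like this, the thing to examine is why the first client's SA goes down the moment the second one comes up, rather than the pool itself; the statusall above shows the remote XAuth identity as "actmobile", so if every device authenticates with the same XAuth username, the uniqueids setting in the config setup section of ipsec.conf (which by default replaces an existing IKE_SA that has the same peer identity) is one candidate to check against a loglevel-2 charon log, as Miroslav asked for.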
</body>
</html>