<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Miroslav,<br>
    <br>
    Thank you for responding. I believe the second device connecting is
    getting the same IP address as the first.<br>
    <br>
    Here's a log I spit out of the updown scripts; both devices get
    10.255.0.1/32. The intent is to have 10.255.0.0/16 as a pool of
    addresses for the connecting devices.<br>
    <br>
    up-client C=US, O=strongSwan,
    CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' 
    packets in '0'  out '0' <br>
    up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec
    --proto esp --reqid 7 --dir in<br>
    down-client C=US, O=strongSwan,
    CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478'  out '5161' 
    packets in '17'  out '14' <br>
    up-client C=US, O=strongSwan,
    CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0'  out '0' 
    packets in '0'  out '0' <br>
    up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec
    --proto esp --reqid 8 --dir in<br>
    down-client C=US, O=strongSwan,
    CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937'  out '9212' 
    packets in '28'  out '23' <br>
    up-client C=US, O=strongSwan,
    CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' 
    packets in '0'  out '0' <br>
    up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec
    --proto esp --reqid 9 --dir in<br>
    <br>
    and the route<br>
    ip route list table 220<br>
    10.255.0.1 via 10.199.65.193 dev eth0  proto static <br>
    <br>
    statusall only shows the first device to connect<br>
    Status of IKE charon daemon (strongSwan 5.3.0, Linux
    3.2.0-54-virtual, x86_64):<br>
      uptime: 18 minutes, since Apr 24 15:04:24 2015<br>
      malloc: sbrk 2555904, mmap 0, used 473168, free 2082736<br>
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
    0/0/0/0, scheduled: 23<br>
      loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
    revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
    sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink
    resolve socket-default stroke updown xauth-generic<br>
    Virtual IP pools (size/online/offline):<br>
      10.255.0.0/16: 65534/1/0<br>
    Listening IP addresses:<br>
      10.199.65.236<br>
      10.0.0.116<br>
      10.0.1.10<br>
      10.0.1.12<br>
      10.0.0.242<br>
      10.0.0.120<br>
      10.0.0.122<br>
      10.0.0.238<br>
    Connections:<br>
             ios:  %any,0.0.0.0/0,::/0...%any  IKEv1<br>
             ios:   local:  [C=US, ST=California, L=New York, O=Internet
    Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
    E=support@actmobile.com] uses public key authentication<br>
             ios:    cert:  "C=US, ST=California, L=New York, O=Internet
    Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
    E=support@actmobile.com"<br>
             ios:   remote: uses public key authentication<br>
             ios:   remote: uses XAuth authentication: any<br>
             ios:   child:  0.0.0.0/0 === dynamic TUNNEL<br>
    Security Associations (1 up, 0 connecting):<br>
             ios[12]: ESTABLISHED 2 minutes ago, 10.199.65.236[C=US,
    ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile,
    CN=ipsec.corp.actmobile.com,
    E=support@actmobile.com]...166.170.42.208[C=US, O=strongSwan,
    CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]<br>
             ios[12]: Remote XAuth identity: actmobile<br>
             ios[12]: IKEv1 SPIs: 387433cc7c4e0cf7_i
    b7f0e6ff754ca158_r*, public key reauthentication in 2 hours<br>
             ios[12]: IKE proposal:
    AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br>
             ios{11}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs:
    cca21352_i 0ef3c1ab_o<br>
             ios{11}:  AES_CBC_128/HMAC_SHA1_96, 1534 bytes_i (18 pkts,
    104s ago), 5393 bytes_o (15 pkts, 104s ago), rekeying in 23 hours<br>
             ios{11}:   0.0.0.0/0 === 10.255.0.1/32 <br>
    <br>
    Here's the conn from ipsec.conf. Do I really need to set up a DHCP
    service instead?<br>
    <br>
    conn ios<br>
         keyexchange=ikev1<br>
         authby=xauthrsasig<br>
         xauth=server<br>
         left=%any<br>
         leftsubnet=0.0.0.0/0<br>
         leftsourceip = %modeconfig<br>
         leftallowany = yes<br>
         lefthostaccess=yes<br>
         leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown<br>
         leftcert=serverCert.pem<br>
         right=%any<br>
         rightsourceip=10.255.0.0/16<br>
         rightfirewall=yes<br>
         righthostaccess=yes<br>
         auto=start<br>
         rekey=yes<br>
         fragmentation=yes<br>
         lifetime=24h<br>
         dpddelay=0<br>
         dpdtimeout=24h<br>
    <br>
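    An added example, not part of the thread: a small checker that pairs the two-line
    records the updown script above logs and reports any virtual IP that was handed to
    more than one client identity, which is exactly what the log shows for 10.255.0.1.
    The log text is embedded as a constructed sample copied from the mail; the line format
    and the pool 10.255.0.0/16 are taken from the mail, everything else is assumed.<br>

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: the updown-script output quoted in the mail, unwrapped to one record per line.
UPDOWN_LOG = """\
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478'  out '5161' packets in '17'  out '14'
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 8 --dir in
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937'  out '9212' packets in '28'  out '23'
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 9 --dir in
"""

# First line of a record: verb plus the peer's certificate DN, followed by byte counters.
ID_LINE = re.compile(r"^(up|down)-client (?P<id>.+?) bytes in ")
# Second line of an up-client record: interface, then the virtual IP the client was given, then the reqid.
VIP_LINE = re.compile(
    r"^up-client \S+ \d+ (?P<vip>\d+(?:\.\d+){3}/\d+)\s+\S+\s+.*--reqid (?P<reqid>\d+)")

def parse_leases(log):
    """Return (peer_dn, virtual_ip, reqid) for every tunnel that came up, in log order."""
    leases, pending = [], None
    for line in log.splitlines():
        m = ID_LINE.match(line)
        if m:
            # A down-client line closes the record; an up-client line opens one.
            pending = m.group("id") if m.group(1) == "up" else None
            continue
        m = VIP_LINE.match(line)
        if m and pending:
            leases.append((pending, m.group("vip"), int(m.group("reqid"))))
            pending = None
    return leases

def shared_virtual_ips(leases, pool):
    """Map each virtual IP to the sorted peer DNs that received it, keeping only
    addresses that went to more than one peer. Raises if a lease is outside the pool,
    which would indicate an address that did not come from rightsourceip at all."""
    net = ipaddress.ip_network(pool)
    peers_by_vip = defaultdict(set)
    for peer, vip, _reqid in leases:
        addr = ipaddress.ip_interface(vip).ip
        if addr not in net:
            raise ValueError(f"{vip} is outside pool {pool}")
        peers_by_vip[str(addr)].add(peer)
    return {vip: sorted(p) for vip, p in peers_by_vip.items() if len(p) > 1}
```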
    <div class="moz-cite-prefix">On 4/24/15 12:51 AM, Miroslav Svoboda
      wrote:<br>
    </div>
    <blockquote
      cite="mid:0115beb0-fc28-4267-a1f0-928711fa7dd5@googlegroups.com"
      type="cite">
      <div dir="ltr">Please can you provide:
        <div>- log with default loglevel set to 2, showing the start of both
          iPhones' connections</div>
        <div>- output of command "strongswan statusall" at the time both
          iPhones are connected</div>
        <div>- route table and iptables rules (tables filter, nat,
          mangle)</div>
        <div><br>
        </div>
        <div>I believe next time this question would be a better fit for the
          users list and might even get answered quicker there.</div>
        <div><br>
        </div>
        <div>Miroslav</div>
        <br>
        On Thursday, April 23, 2015 at 4:40:15 PM UTC+2, Andrew Foss
        wrote:
        <blockquote class="gmail_quote" style="margin: 0;margin-left:
          0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">I am
          bringing up an IPsec server for our iOS users and suspect my
          "left" parameters aren't quite right, but so far my changes have
          made it not work at all and I am not fully understanding the
          descriptions. I am running 5.3.0; our ifupdown scripts open
          iptables rules to allow access to DNS and the servers.
          <br>
          <br>
          What I see is the first device on a network connects and works
          fine. The second device connects and neither works; the second
          device gets disconnected, as if the routing/NAT handling is
          sending packets down the wrong tunnel.
          <br>
          <br>
          Here's my config. I suspect leftsubnet should be 0/0; these are
          just devices connecting for themselves, not another VPN gateway
          connecting a network. Any pointers?
          <br>
          <br>
          conn ios<br>
               keyexchange=ikev1<br>
               #esp=null-sha1!<br>
               authby=xauthrsasig<br>
               xauth=server<br>
               left=%defaultroute<br>
               leftsubnet=0.0.0.0/0<br>
               #leftsubnet=10.66.0.0/16<br>
               #leftfirewall=yes<br>
               leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown<br>
               leftcert=serverCert.pem<br>
               right=%any<br>
               rightsourceip=10.0.0.0/16<br>
               #rightsourceip=10.100.255.0/28<br>
               #rightcert=clientCert.pem<br>
               #pfs=no<br>
               auto=start<br>
               rekey=yes<br>
               fragmentation=yes<br>
               lifetime=24h<br>
               dpddelay=0<br>
               dpdtimeout=24h<br>
          <br>
          thanks,
          <br>
          andrew
          <br>
          _______________________________________________<br>
          Dev mailing list<br>
          <a href="mailto:Dev@lists.strongswan.org">Dev@lists.strongswan.org</a><br>
          <a href="https://lists.strongswan.org/mailman/listinfo/dev">https://lists.strongswan.org/mailman/listinfo/dev</a><br>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>