[strongSwan] Strongswan with iphone

Nicole Hähnel ml at nicole-haehnel.de
Sun Oct 24 19:19:02 CEST 2010


Hi,
I am trying to set up a VPN connection from an iPhone with a cert.
The first connection works, but if I try to connect a second time, I do
not get a virtual IP:
'iphone' already has an online lease, unable to assign address

Tried to use a subnet as rightsourceip, but this does not work at all.

Any experiences with that?

Thanks!
Nicole

strongSwan 4.4.1 on SLES 10 SP2

config setup
     plutodebug=none
     charonstart=yes
     plutostart=yes
     charondebug=no
     nat_traversal=yes
     uniqueids=no
     crlcheckinterval=0
     strictcrlpolicy=no

conn %default
     keyexchange=ikev2
     mobike=no
     compress=no
     authby=rsasig
     left=xxx
     leftid=@vpngw
     leftcert=xxx
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     lefthostaccess=yes
     ike=3des-sha-modp2048
     esp=3des-md5

conn iphone
     auto=add
     dpdaction=clear
     authby=xauthrsasig
     xauth=server
     keyexchange=ikev1
     pfs=no
     leftsubnet=0.0.0.0/0
     right=%any
     rightsourceip=172.27.xx.xx
     rightcert=rw
     ike=aes128-md5-modp1024
     esp=aes128-md5


Oct 24 19:06:29 vpngw pluto[21306]: packet from 46.xx.xx.xx:500: 
received Vendor ID payload [Dead Peer Detection]
Oct 24 19:06:29 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: 
responding to Main Mode from unknown peer 46.xx.xx.xx
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: 
NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: ignoring 
informational payload, type IPSEC_INITIAL_CONTACT
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: Peer ID 
is ID_DER_ASN1_DN: 'C=DE, ST=xx, L=xx, O=xxx, OU=xx, CN=xx, E=xx'
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: deleting 
connection "iphone" instance with peer 46.xx.xx.xx {isakmp=#0/ipsec=#0}
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: we have 
a cert and are sending it upon request
Oct 24 19:06:30 vpngw pluto[21306]: | NAT-T: new mapping 
46.xx.xx.xx:500/4500)
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
sent MR3, ISAKMP SA established
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
sending XAUTH request
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
parsing XAUTH reply
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
extended authentication was successful
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
sending XAUTH status
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
parsing XAUTH ack
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
received XAUTH ack, established
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
parsing ModeCfg request
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
unknown attribute type (28683)
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
peer requested virtual IP %any
Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online 
lease, unable to assign address
Oct 24 19:06:43 vpngw pluto[21306]: acquiring address from pool 'iphone' 
failed
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
sending ModeCfg reply
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
sent ModeCfg reply, established
Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
received Delete SA payload: deleting ISAKMP State #9
Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500: 
deleting connection "iphone" instance with peer 46.xx.xx.xx 
{isakmp=#0/ipsec=#0}
Oct 24 19:07:00 vpngw pluto[21306]: ERROR: asynchronous network error 
report on eth1 for message to 46.xx.xx.xx port 4500, complainant 
46.xx.xx.xx: Connection refused [errno 111, origin ICMP type 3 code 3 
(not authenticated)]
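The failure shown in the log above, as an added example that is not part of the original post or of strongSwan: a small Python parser for pluto's log line format that correlates the per-state lines with the state-less pool messages and flags ISAKMP states that passed XAUTH but were refused a virtual IP. The sample lines and the peer address 198.51.100.7 are constructed.

```python
import re
from collections import defaultdict

# Pluto syslog layout: '<Mon> <DD> <HH:MM:SS> <host> pluto[<pid>]: <rest>', where <rest> is either a
# daemon-global message or '"<conn>"[<inst>] <peer>[:<port>] [#<state>]: <message>'.
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+pluto\[(?P<pid>\d+)\]:\s+(?P<rest>.*)$')
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\]\s+(?P<peer>[^\s:]+)(?::(?P<port>\d+))?'
                      r'(?:\s+#(?P<state>\d+))?:\s+(?P<msg>.*)$')

def parse_line(line):
    """Split one pluto log line into fields; returns None for lines that are not pluto's."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": None, "inst": None, "peer": None, "state": None, "msg": m["rest"]}
    s = STATE_RE.match(m["rest"])
    if s:  # line belongs to a connection instance, possibly to a specific ISAKMP state (#N)
        rec.update(conn=s["conn"], inst=int(s["inst"]), peer=s["peer"],
                   state=int(s["state"]) if s["state"] else None, msg=s["msg"])
    return rec

def find_lease_failures(lines):
    """One finding per ISAKMP state that passed XAUTH, requested a virtual IP and was refused by the
    pool; pool errors carry no state prefix, so each is attributed to the last requesting state."""
    states = defaultdict(lambda: {"conn": None, "peer": None, "xauth_ok": False,
                                  "requested_vip": False, "pool_failed": False})
    last_requesting = None
    for rec in filter(None, map(parse_line, lines)):
        if rec["state"] is not None:
            st = states[rec["state"]]
            st["conn"], st["peer"] = rec["conn"], rec["peer"]
            if "extended authentication was successful" in rec["msg"]:
                st["xauth_ok"] = True
            elif rec["msg"].startswith("peer requested virtual IP"):
                st["requested_vip"] = True
                last_requesting = rec["state"]
        elif last_requesting is not None and ("unable to assign address" in rec["msg"]
                                              or "acquiring address from pool" in rec["msg"]):
            states[last_requesting]["pool_failed"] = True
    return [dict(state=k, **v) for k, v in sorted(states.items())
            if v["xauth_ok"] and v["requested_vip"] and v["pool_failed"]]

# Constructed sample in the shape of the post's log (documentation address 198.51.100.7, not a real peer).
SAMPLE = [
    'Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 198.51.100.7:4500 #9: extended authentication was successful',
    'Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 198.51.100.7:4500 #9: peer requested virtual IP %any',
    "Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online lease, unable to assign address",
    "Oct 24 19:06:43 vpngw pluto[21306]: acquiring address from pool 'iphone' failed",
    'Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 198.51.100.7:4500: deleting connection "iphone" instance',
]
```

Running `find_lease_failures(SAMPLE)` yields one finding for state #9 on connection "iphone", which is the second-connection symptom described in the post.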