[strongSwan] Strongswan with iphone

Andreas Steffen andreas.steffen at strongswan.org
Sun Oct 24 20:01:46 CEST 2010


Hello Nicole,

it might be that the virtual IP does not get released
because the first connection is not shut down properly.
You can check the active leases using the command

  ipsec leases

As a workaround, expand the pool to several addresses, e.g.
by setting

      rightsourceip=172.27.xx.0/24

Regards

Andreas


On 24.10.2010 19:19, Nicole Hähnel wrote:
> Hi,
> I am trying to set up a vpn connection from an iphone with cert.
> The first connection works, but if I try to connect a second time, I do 
> not get a virtual ip.
> 'iphone' already has an online lease, unable to assign address
> 
> Tried to use a subnet as rightsourceip, but this does not work at all.
> 
> Any experiences with that?
> 
> Thanks!
> Nicole
> 
> strongswan 4.4.1 on sles 10 sp2
> 
> config setup
>      plutodebug=none
>      charonstart=yes
>      plutostart=yes
>      charondebug=no
>      nat_traversal=yes
>      uniqueids=no
>      crlcheckinterval=0
>      strictcrlpolicy=no
> 
> conn %default
>      keyexchange=ikev2
>      mobike=no
>      compress=no
>      authby=rsasig
>      left=xxx
>      leftid=@vpngw
>      leftcert=xxx
>      leftrsasigkey=%cert
>      rightrsasigkey=%cert
>      lefthostaccess=yes
>      ike=3des-sha-modp2048
>      esp=3des-md5
> 
> conn iphone
>      auto=add
>      dpdaction=clear
>      authby=xauthrsasig
>      xauth=server
>      keyexchange=ikev1
>      pfs=no
>      leftsubnet=0.0.0.0/0
>      right=%any
>      rightsourceip=172.27.xx.xx
>      rightcert=rw
>      ike=aes128-md5-modp1024
>      esp=aes128-md5
> 
> 
> Oct 24 19:06:29 vpngw pluto[21306]: packet from 46.xx.xx.xx:500: 
> received Vendor ID payload [Dead Peer Detection]
> Oct 24 19:06:29 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: 
> responding to Main Mode from unknown peer 46.xx.xx.xx
> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: 
> NAT-Traversal: Result using RFC 3947: peer is NATed
> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: ignoring 
> informational payload, type IPSEC_INITIAL_CONTACT
> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: Peer ID 
> is ID_DER_ASN1_DN: 'C=DE, ST=xx, L=xx, O=xxx, OU=xx, CN=xx, E=xx'
> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: deleting 
> connection "iphone" instance with peer 46.xx.xx.xx {isakmp=#0/ipsec=#0}
> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: we have 
> a cert and are sending it upon request
> Oct 24 19:06:30 vpngw pluto[21306]: | NAT-T: new mapping 
> 46.xx.xx.xx:500/4500)
> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> sent MR3, ISAKMP SA established
> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> sending XAUTH request
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> parsing XAUTH reply
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> extended authentication was successful
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> sending XAUTH status
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> parsing XAUTH ack
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> received XAUTH ack, established
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> parsing ModeCfg request
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> unknown attribute type (28683)
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> peer requested virtual IP %any
> Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online 
> lease, unable to assign address
> Oct 24 19:06:43 vpngw pluto[21306]: acquiring address from pool 'iphone' 
> failed
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> sending ModeCfg reply
> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> sent ModeCfg reply, established
> Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: 
> received Delete SA payload: deleting ISAKMP State #9
> Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500: 
> deleting connection "iphone" instance with peer 46.xx.xx.xx 
> {isakmp=#0/ipsec=#0}
> Oct 24 19:07:00 vpngw pluto[21306]: ERROR: asynchronous network error 
> report on eth1 for message to 46.xx.xx.xx port 4500, complainant 
> 46.xx.xx.xx: Connection refused [errno 111, origin ICMP type 3 code 3 
> (not authenticated)]

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
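As an added example (not part of the thread above), a small log check that does what Andreas suggests doing by hand: it walks pluto log lines of the format shown in Nicole's mail, records the most recent ISAKMP context, and reports each failed pool acquisition together with whether a clean "Delete SA" teardown was seen for that connection beforehand. The sample lines are constructed from the quoted log; the peer address stays anonymised exactly as in the mail.

```python
import re

# Constructed sample: pluto log lines copied from the thread above.
SAMPLE_LOG = """\
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: deleting connection "iphone" instance with peer 46.xx.xx.xx {isakmp=#0/ipsec=#0}
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sent MR3, ISAKMP SA established
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: peer requested virtual IP %any
Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online lease, unable to assign address
Oct 24 19:06:43 vpngw pluto[21306]: acquiring address from pool 'iphone' failed
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sent ModeCfg reply, established
Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: received Delete SA payload: deleting ISAKMP State #9
"""

# Lines that carry a connection context: "conn"[instance] peer[:port] #sa: message
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\S+?)(?::\d+)? #(?P<sa>\d+): (?P<msg>.*)$'
)
LEASE_FAIL_RE = re.compile(r"acquiring address from pool '(?P<pool>[^']+)' failed")


def find_stale_lease_events(log_text):
    """Return one finding per failed pool acquisition, with the ISAKMP context
    (connection, peer, SA number) that was active when it happened and whether
    that connection had already been torn down cleanly via a Delete SA payload.
    prior_clean_delete == False is the pattern from the thread: the previous
    instance vanished without a Delete SA, so its lease is still 'online'."""
    last_ctx = None          # most recent parsed context line
    last_reason = None       # most recent pool error text (e.g. "already has an online lease")
    clean_deletes = set()    # connection names that received a Delete SA payload earlier
    findings = []
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if m:
            last_ctx = m.groupdict()
            if "received Delete SA payload" in m.group("msg"):
                clean_deletes.add(m.group("conn"))
            continue
        if "already has an online lease" in line:
            last_reason = line.split("]: ", 1)[1]
            continue
        f = LEASE_FAIL_RE.search(line)
        if f:
            conn = last_ctx["conn"] if last_ctx else None
            findings.append({
                "timestamp": line[:15],
                "pool": f.group("pool"),
                "conn": conn,
                "peer": last_ctx["peer"] if last_ctx else None,
                "sa": int(last_ctx["sa"]) if last_ctx else None,
                "reason": last_reason,
                "prior_clean_delete": conn in clean_deletes,
            })
    return findings
```

A finding with `prior_clean_delete` False and an "already has an online lease" reason is the case to confirm with `ipsec leases` before widening `rightsourceip`.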



