[strongSwan] Strongswan with iphone

Nicole Hähnel ml at nicole-haehnel.de
Mon Oct 25 08:11:44 CEST 2010


Hi,

yes, the virtual ip is still in use.
But if I expand the pool, I get a communication error on the iphone:

Oct 25 08:07:30 vpngw pluto[20257]: "iphone"[2] 88.xx.xx.xx:4500 #3: sent MR3, ISAKMP SA established
Oct 25 08:07:30 vpngw pluto[20257]: "iphone"[2] 88.xx.xx.xx:4500 #3: sending XAUTH request
Oct 25 08:07:33 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main Mode message is part of an unknown exchange
Oct 25 08:07:36 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main Mode message is part of an unknown exchange
Oct 25 08:07:39 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main Mode message is part of an unknown exchange
Oct 25 08:07:51 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main Mode message is part of an unknown exchange

Thanks!
Nicole

On 24.10.2010 20:01, Andreas Steffen wrote:
> Hello Nicole,
>
> it might be that the virtual IP does not get released
> because the first connection is not shut down properly.
> You can check the active leases using the command
>
>    ipsec leases
>
> As a workaround expand the pool to several addresses e.g.
> by setting
>
>        rightsourceip=172.27.xx.0/24
>
> Regards
>
> Andreas
>
>
> On 24.10.2010 19:19, Nicole Hähnel wrote:
>> Hi,
>> I am trying to setup a vpn connection from an iphone with cert.
>> The first connection works, but if I try to connect a second time, I do
>> not get a virtual ip.
>> 'iphone' already has an online lease, unable to assign address
>>
>> Tried to use a subnet as rightsourceip, but this does not work at all.
>>
>> Any experiences with that?
>>
>> Thanks!
>> Nicole
>>
>> strongswan 4.4.1 on sles 10 sp2
>>
>> config setup
>>       plutodebug=none
>>       charonstart=yes
>>       plutostart=yes
>>       charondebug=no
>>       nat_traversal=yes
>>       uniqueids=no
>>       crlcheckinterval=0
>>       strictcrlpolicy=no
>>
>> conn %default
>>       keyexchange=ikev2
>>       mobike=no
>>       compress=no
>>       authby=rsasig
>>       left=xxx
>>       leftid=@vpngw
>>       leftcert=xxx
>>       leftrsasigkey=%cert
>>       rightrsasigkey=%cert
>>       lefthostaccess=yes
>>       ike=3des-sha-modp2048
>>       esp=3des-md5
>>
>> conn iphone
>>       auto=add
>>       dpdaction=clear
>>       authby=xauthrsasig
>>       xauth=server
>>       keyexchange=ikev1
>>       pfs=no
>>       leftsubnet=0.0.0.0/0
>>       right=%any
>>       rightsourceip=172.27.xx.xx
>>       rightcert=rw
>>       ike=aes128-md5-modp1024
>>       esp=aes128-md5
>>
>>
>> Oct 24 19:06:29 vpngw pluto[21306]: packet from 46.xx.xx.xx:500: received Vendor ID payload [Dead Peer Detection]
>> Oct 24 19:06:29 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: responding to Main Mode from unknown peer 46.xx.xx.xx
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: NAT-Traversal: Result using RFC 3947: peer is NATed
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=xx, L=xx, O=xxx, OU=xx, CN=xx, E=xx'
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: deleting connection "iphone" instance with peer 46.xx.xx.xx {isakmp=#0/ipsec=#0}
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: we have a cert and are sending it upon request
>> Oct 24 19:06:30 vpngw pluto[21306]: | NAT-T: new mapping 46.xx.xx.xx:500/4500)
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sent MR3, ISAKMP SA established
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sending XAUTH request
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: parsing XAUTH reply
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: extended authentication was successful
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sending XAUTH status
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: parsing XAUTH ack
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: received XAUTH ack, established
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: parsing ModeCfg request
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: unknown attribute type (28683)
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: peer requested virtual IP %any
>> Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online lease, unable to assign address
>> Oct 24 19:06:43 vpngw pluto[21306]: acquiring address from pool 'iphone' failed
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sending ModeCfg reply
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sent ModeCfg reply, established
>> Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: received Delete SA payload: deleting ISAKMP State #9
>> Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500: deleting connection "iphone" instance with peer 46.xx.xx.xx {isakmp=#0/ipsec=#0}
>> Oct 24 19:07:00 vpngw pluto[21306]: ERROR: asynchronous network error report on eth1 for message to 46.xx.xx.xx port 4500, complainant 46.xx.xx.xx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
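Added example, not code from this thread or from the strongSwan project: a small Python triage of pluto log lines in the format quoted above. It groups the events the two excerpts hinge on per peer, attributes the peer-less "already has an online lease" message to the most recently seen peer, and derives a diagnosis; the sample lines are constructed from the thread's excerpts with the e-mail wrapping undone.

```python
import re
from collections import defaultdict
# Prefix of a pluto log line; the '"conn"[inst] peer[:port] [#sa]:' part is optional.
LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: '
                     r'(?:"[^"]+"\[\d+\] (?P<peer>[0-9A-Za-z.]+)(?::\d+)?(?: #\d+)?: )?(?P<msg>.*)$')
PACKET_RE = re.compile(r"packet from ([0-9A-Za-z.]+):\d+: (.*)")
EVENTS = {  # message fragments marking the events the two log excerpts in this thread turn on
    "xauth_request": "sending XAUTH request",
    "xauth_reply": "parsing XAUTH reply",
    "lease_failed": "already has an online lease",
    "unknown_exchange": "Main Mode message is part of an unknown exchange",
}

def parse(lines):
    # Yield (peer, event_key) per line; peer is None when the line names none.
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m: continue
        peer, msg = m.group("peer"), m.group("msg")
        pm = PACKET_RE.match(msg)
        if peer is None and pm:  # 'packet from A.B.C.D:port: ...' lines carry the peer in the message
            peer, msg = pm.groups()
        yield peer, next((k for k, frag in EVENTS.items() if frag in msg), None)

def triage(lines):
    # Group events per peer and derive a diagnosis from which events occurred.
    per_peer, last_peer = defaultdict(list), None
    for peer, key in parse(lines):
        last_peer = peer or last_peer  # the lease message names no peer: attribute it to the last one seen
        if key and last_peer:
            per_peer[last_peer].append(key)
    report = {}
    for peer, keys in per_peer.items():
        diag = "no known failure pattern"
        if "lease_failed" in keys:
            diag = "pool exhausted: an earlier lease is still online (check 'ipsec leases')"
        elif "xauth_request" in keys and "xauth_reply" not in keys and "unknown_exchange" in keys:
            diag = "no XAUTH reply parsed; later packets from the peer rejected as unknown exchange"
        report[peer] = {"events": keys, "diagnosis": diag}
    return report

# Constructed sample modelled on the two pluto excerpts in this thread (wrapped lines joined).
SAMPLE = """\
Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: sending XAUTH request
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9: parsing XAUTH reply
Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online lease, unable to assign address
Oct 25 08:07:30 vpngw pluto[20257]: "iphone"[2] 88.xx.xx.xx:4500 #3: sending XAUTH request
Oct 25 08:07:33 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main Mode message is part of an unknown exchange
""".splitlines()
```

Running `triage(SAMPLE)` yields the pool-exhaustion diagnosis for the Oct 24 peer and the missing-XAUTH-reply diagnosis for the Oct 25 peer.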