[strongSwan] Strongswan with iphone
Nicole Hähnel
ml at nicole-haehnel.de
Mon Oct 25 08:11:44 CEST 2010
Hi,
yes, the virtual ip is still in use.
But if I expand the pool, I get a communication error on the iphone:
Oct 25 08:07:30 vpngw pluto[20257]: "iphone"[2] 88.xx.xx.xx:4500 #3:
sent MR3, ISAKMP SA established
Oct 25 08:07:30 vpngw pluto[20257]: "iphone"[2] 88.xx.xx.xx:4500 #3:
sending XAUTH request
Oct 25 08:07:33 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main
Mode message is part of an unknown exchange
Oct 25 08:07:36 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main
Mode message is part of an unknown exchange
Oct 25 08:07:39 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main
Mode message is part of an unknown exchange
Oct 25 08:07:51 vpngw pluto[20257]: packet from 88.xx.xx.xx:4500: Main
Mode message is part of an unknown exchange
Thanks!
Nicole
On 24.10.2010 20:01, Andreas Steffen wrote:
> Hello Nicole,
>
> it might be that the virtual IP does not get released
> because the first connection is not shut down properly.
> You can check the active leases using the command
>
> ipsec leases
>
> As a workaround expand the pool to several addresses e.g.
> by setting
>
> rightsourceip=172.27.xx.0/24
>
> Regards
>
> Andreas
>
>
> On 24.10.2010 19:19, Nicole Hähnel wrote:
>> Hi,
>> I am trying to setup a vpn connection from an iphone with cert.
>> The first connection works, but if I try to connect a second time, I do
>> not get a virtual ip.
>> 'iphone' already has an online lease, unable to assign address
>>
>> Tried to use a subnet as rightsourceip, but this does not work at all.
>>
>> Any experiences with that?
>>
>> Thanks!
>> Nicole
>>
>> strongswan 4.4.1 on sles 10 sp2
>>
>> config setup
>> plutodebug=none
>> charonstart=yes
>> plutostart=yes
>> charondebug=no
>> nat_traversal=yes
>> uniqueids=no
>> crlcheckinterval=0
>> strictcrlpolicy=no
>>
>> conn %default
>> keyexchange=ikev2
>> mobike=no
>> compress=no
>> authby=rsasig
>> left=xxx
>> leftid=@vpngw
>> leftcert=xxx
>> leftrsasigkey=%cert
>> rightrsasigkey=%cert
>> lefthostaccess=yes
>> ike=3des-sha-modp2048
>> esp=3des-md5
>>
>> conn iphone
>> auto=add
>> dpdaction=clear
>> authby=xauthrsasig
>> xauth=server
>> keyexchange=ikev1
>> pfs=no
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightsourceip=172.27.xx.xx
>> rightcert=rw
>> ike=aes128-md5-modp1024
>> esp=aes128-md5
>>
>>
>> Oct 24 19:06:29 vpngw pluto[21306]: packet from 46.xx.xx.xx:500:
>> received Vendor ID payload [Dead Peer Detection]
>> Oct 24 19:06:29 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9:
>> responding to Main Mode from unknown peer 46.xx.xx.xx
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9:
>> NAT-Traversal: Result using RFC 3947: peer is NATed
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: ignoring
>> informational payload, type IPSEC_INITIAL_CONTACT
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[7] 46.xx.xx.xx #9: Peer ID
>> is ID_DER_ASN1_DN: 'C=DE, ST=xx, L=xx, O=xxx, OU=xx, CN=xx, E=xx'
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: deleting
>> connection "iphone" instance with peer 46.xx.xx.xx {isakmp=#0/ipsec=#0}
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx #9: we have
>> a cert and are sending it upon request
>> Oct 24 19:06:30 vpngw pluto[21306]: | NAT-T: new mapping
>> 46.xx.xx.xx:500/4500)
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> sent MR3, ISAKMP SA established
>> Oct 24 19:06:30 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> sending XAUTH request
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> parsing XAUTH reply
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> extended authentication was successful
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> sending XAUTH status
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> parsing XAUTH ack
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> received XAUTH ack, established
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> parsing ModeCfg request
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> unknown attribute type (28683)
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> peer requested virtual IP %any
>> Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online
>> lease, unable to assign address
>> Oct 24 19:06:43 vpngw pluto[21306]: acquiring address from pool 'iphone'
>> failed
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> sending ModeCfg reply
>> Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> sent ModeCfg reply, established
>> Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500 #9:
>> received Delete SA payload: deleting ISAKMP State #9
>> Oct 24 19:07:00 vpngw pluto[21306]: "iphone"[8] 46.xx.xx.xx:4500:
>> deleting connection "iphone" instance with peer 46.xx.xx.xx
>> {isakmp=#0/ipsec=#0}
>> Oct 24 19:07:00 vpngw pluto[21306]: ERROR: asynchronous network error
>> report on eth1 for message to 46.xx.xx.xx port 4500, complainant
>> 46.xx.xx.xx: Connection refused [errno 111, origin ICMP type 3 code 3
>> (not authenticated)]
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
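The failure in this thread is a one-address rightsourceip pool whose stale lease blocks every reconnect. As an added example (not code from the thread or from strongSwan), the script below reads conn sections from an ipsec.conf-style text, computes each pool's size, and scans pluto log lines for the "already has an online lease" refusal so the exhausted pool and its size are reported together. Config and log are constructed samples modelled on the thread, with the xx octets replaced by 0.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment: the single-address pool from the thread's
# conn plus the /24 workaround suggested in the reply (xx octets set to 0).
IPSEC_CONF = """\
conn iphone
    auto=add
    authby=xauthrsasig
    xauth=server
    keyexchange=ikev1
    right=%any
    rightsourceip=172.27.0.5

conn iphone-wide
    rightsourceip=172.27.0.0/24
"""

# Constructed pluto log lines modelled on the output quoted in the thread.
PLUTO_LOG = """\
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.0.0.1:4500 #9: peer requested virtual IP %any
Oct 24 19:06:43 vpngw pluto[21306]: 'iphone' already has an online lease, unable to assign address
Oct 24 19:06:43 vpngw pluto[21306]: acquiring address from pool 'iphone' failed
Oct 24 19:06:43 vpngw pluto[21306]: "iphone"[8] 46.0.0.1:4500 #9: sending ModeCfg reply
"""

LEASE_FAIL = re.compile(r"'(?P<pool>[^']+)' already has an online lease")


def pool_sizes(conf):
    """Map each conn name to the number of addresses in its rightsourceip."""
    sizes, conn = {}, None
    for line in conf.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"^\s*rightsourceip=(\S+)", line)
        if m and conn:
            # a bare address parses as a /32: a pool of exactly one lease
            sizes[conn] = ipaddress.ip_network(m.group(1), strict=False).num_addresses
    return sizes


def exhausted_pools(log, sizes):
    """Return {pool: size} for every pool the log shows refusing a lease."""
    found = {}
    for line in log.splitlines():
        m = LEASE_FAIL.search(line)
        if m:
            found[m.group("pool")] = sizes.get(m.group("pool"))
    return found


if __name__ == "__main__":
    for pool, size in exhausted_pools(PLUTO_LOG, pool_sizes(IPSEC_CONF)).items():
        hint = ("single-address pool, one stale lease blocks every reconnect"
                if size == 1 else "compare against 'ipsec leases' for stale entries")
        print(f"pool {pool!r} ({size} addresses) refused a lease: {hint}")
```

A pool size of 1 together with the refusal line is exactly the symptom in the first message; the /24 workaround only hides it until the stale leases add up.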