[strongSwan] iOS and fun with double natting.
Doug Davis
dougd at dldavis.com
Sun Dec 18 17:35:54 CET 2011
> I tried in vain to get it working with psk, too.
> I finally gave up as it seems to be impossible via double NAT.
> Try certificates. That is a bit more complicated to configure but at least it works well.
>
> Cheers
> Uli
We basically land in the same place ...
---ipsec.conf----
conn DIPHONE
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    pfs=no
    leftcert=d508Cert.pem
    type=tunnel
    left=192.168.1.50
    leftnexthop=%defaultroute
    leftsubnet={my.static.ip.here}/32
    leftprotoport=udp/1701
    right=%any
    rightprotoport=udp/%any
    rightsubnetwithin=10.0.0.0/8
    rightcert=diphoneCert.pem
    auto=add
In the logs:
Dec 18 10:26:28 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: responding to Main Mode from unknown peer 166.205.10.212:39904
Dec 18 10:26:29 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: Peer ID is ID_DER_ASN1_DN: 'C=US, O=DNET, CN=508.dldavis.com'
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: crl not found
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: certificate status unknown
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: we have a cert and are sending it upon request
Dec 18 10:26:31 dwall508 pluto[8628]: | NAT-T: new mapping 166.205.10.212:39904/39987)
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: sent MR3, ISAKMP SA established
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: sending XAUTH request
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: parsing XAUTH reply
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: extended authentication was successful
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: sending XAUTH status
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: parsing XAUTH ack
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: received XAUTH ack, established
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: received ModeCfg message when in state STATE_XAUTH_R3, and we aren't mode config client
Dec 18 10:27:02 dwall508 pluto[8628]: last message repeated 9 times
Dec 18 10:27:02 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 18 10:27:02 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987: deleting connection "DIPHONE" instance with peer 166.205.10.212 {isakmp=#0/ipsec=#0}
Dec 18 10:27:02 dwall508 pluto[8628]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.212 port 39987, complainant 166.205.10.212: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
I found the iPhone Configuration Utility will let you see into the console on the iDevice, so I have more information (it appears to be running racoon):
Dec 18 10:26:03 Doug-iPhone configd[14] <Notice>: IPSec connecting to server [my.static.ip.was.here]
Dec 18 10:26:03 Doug-iPhone configd[14] <Notice>: SCNC: start, triggered by Preferences, type IPSec, status 0
Dec 18 10:26:03 Doug-iPhone configd[14] <Notice>: IPSec Phase1 starting.
Dec 18 10:26:03 Doug-iPhone racoon[246] <Notice>: IPSec connecting to server [my.static.ip.was.here]
Dec 18 10:26:03 Doug-iPhone racoon[246] <Notice>: IPSec Phase1 started (Initiated by me).
Dec 18 10:26:04 Doug-iPhone kernel[0] <Debug>: launchd[246] Builtin profile: racoon (sandbox)
Dec 18 10:26:09 Doug-iPhone racoon[246] <Notice>: IPSec Phase1 established (Initiated by me).
Dec 18 10:26:09 Doug-iPhone racoon[246] <Notice>: IPSec Extended Authentication requested.
Dec 18 10:26:09 Doug-iPhone configd[14] <Notice>: IPSec requesting Extended Authentication.
Dec 18 10:26:09 Doug-iPhone configd[14] <Notice>: IPSec sending Extended Authentication.
Dec 18 10:26:09 Doug-iPhone racoon[246] <Notice>: IPSec Extended Authentication sent.
Dec 18 10:26:10 Doug-iPhone racoon[246] <Notice>: IPSec Extended Authentication Passed.
Dec 18 10:26:10 Doug-iPhone racoon[246] <Notice>: IPSec Network Configuration requested.
Dec 18 10:26:39 Doug-iPhone configd[14] <Notice>: IPSec disconnecting from server [my.static.ip.was.here]
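As an added example that is not part of this thread, a small Python triage script that walks pluto lines like the ones above, records how far the responder got (NAT-T result, ISAKMP SA, XAUTH, ModeCfg) and checks the conn for rightsourceip, the setting pluto needs to act as ModeCfg server. The sample log and conn are constructed from the post, and the reading that a missing rightsourceip is why pluto cannot answer the iPhone's network configuration request is this example's assumption about the usual cause, not a conclusion drawn in the thread.

```python
import re

# Constructed sample: four of the pluto lines from this post (one peer, one ISAKMP SA #1).
PLUTO_LOG = """\
Dec 18 10:26:29 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39904 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 18 10:26:31 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: sent MR3, ISAKMP SA established
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: extended authentication was successful
Dec 18 10:26:32 dwall508 pluto[8628]: "DIPHONE"[1] 166.205.10.212:39987 #1: received ModeCfg message when in state STATE_XAUTH_R3, and we aren't mode config client
"""
# Constructed: the posted conn, reduced to the keys this check cares about (no rightsourceip).
IPSEC_CONF = """\
conn DIPHONE
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    rightsubnetwithin=10.0.0.0/8
"""
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+):(?P<port>\d+) #\d+: (?P<msg>.*)')
# Phrases pluto logs as the responder moves through Main Mode, XAUTH and ModeCfg.
MILESTONES = {"nat_both": "both are NATed", "isakmp_up": "ISAKMP SA established",
              "xauth_ok": "extended authentication was successful",
              "modecfg_rejected": "received ModeCfg message"}

def parse_conn(conf, name):
    """Return the key=value settings of one conn section of ipsec.conf."""
    settings, inside = {}, False
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def triage(log, conf):
    """Say how far the IKEv1 exchange got and whether the conn can answer ModeCfg."""
    seen = {key: False for key in MILESTONES}
    ports, conn = [], None
    for m in filter(None, map(LINE_RE.search, log.splitlines())):
        conn = m.group("conn")
        if m.group("port") not in ports:
            ports.append(m.group("port"))      # a second port here is the NAT remapping
        for key, needle in MILESTONES.items():
            seen[key] = seen[key] or needle in m.group("msg")
    settings = parse_conn(conf, conn) if conn else {}
    seen["ports"], seen["diagnosis"] = ports, "no known failure pattern matched"
    if seen["xauth_ok"] and seen["modecfg_rejected"] and "rightsourceip" not in settings:
        seen["diagnosis"] = ("peer sent a ModeCfg request after XAUTH, but the conn has no "
                             "rightsourceip, so pluto never acts as mode config server")
    return seen
```

Run against the constructed sample it reports both peers NATed, the 39904 to 39987 port remap, XAUTH passed and the ModeCfg rejection, and points at the missing rightsourceip.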