[strongSwan] Apple cisco connect issue

Hafeez Rehman hafeezr at hotmail.com
Thu Jun 9 18:03:07 CEST 2011





Hi,

I am using strongSwan on openwrt 10.03.1-rc4.

I am tryting to connect using using iphone and snow leopard using built in cisco client, but I get the same error. 

iphone and osx is behind nat, but the router is connected directly to the internet.

I am able to connect using ipsec/l2tp on both the devices. I am also able to connect using cisco client using windows os.

I followed the direction on the following page which allowed me to connect using cisco client using windows.

http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29

root at OpenWrt:~# ipsec version
Linux strongSwan U4.3.7/K2.6.32.25
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.


config setup
        nat_traversal=yes
        charonstart=no
        plutostart=yes

conn L2TP
        authby=psk
        pfs=no
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add

conn cisco
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=192.168.168.0/24
        rightsourceip=192.168.168.2
        rightcert=clientCert.pem
        pfs=no
        auto=add



Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: received Vendor ID payload [RFC 3947]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:6720: received Vendor ID payload [XAUTH]
Jun  9 09:44:21 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:6720 #2: NAT-Traversal: Result using RFC 3947: peer is NATed
Jun  9 09:44:25 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:6720 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun  9 09:44:25 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:6720 #2: Peer ID is ID_DER_ASN1_DN: 'C=US, O=strongSwan, CN=client'
Jun  9 09:44:25 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:6720 #2: crl not found
Jun  9 09:44:25 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:6720 #2: certificate status unknown
Jun  9 09:44:25 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:6720 #2: we have a cert and are sending it upon request
Jun  9 09:44:26 OpenWrt authpriv.debug pluto[1538]: | NAT-T: new mapping 208.54.35.143:6720/32850)
Jun  9 09:44:26 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:32850 #2: sent MR3, ISAKMP SA established
Jun  9 09:44:26 OpenWrt authpriv.warn pluto[1538]: "cisco"[2] 208.54.35.143:32850 #2: sending XAUTH request
Jun  9 09:44:26 OpenWrt authpriv.warn pluto[1538]: packet from 208.54.35.143:32850: Informational Exchange is for an unknown (expired?) SA

 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110609/03fa1eff/attachment.html>


More information about the Users mailing list