[strongSwan] Help Connecting Strongswan to iPhone
Dan Deming
dan24678 at gmail.com
Mon Mar 28 23:10:35 CEST 2011
Andreas/Martin/Uli,
Thanks for the suggestions. Unfortunately, after playing around with the
settings, I'm still unable to advance past that same error.
Martin's suggestion to check the ports I'm using did help me spot that I had
xl2tpd configured wrong, but once I got that fixed, it still showed that
same error in strongswan itself.
I actually started using openswan initially and had no luck with that, so I
figured I'd try strongswan. Maybe I'll give openswan another try now that I
am slightly less clueless about what I'm doing. Maybe what Uli said is true
and it's more compatible with double NATting?
The double NAT thing that Andreas and Uli mention sounds like a reasonable
explanation, except that when I try to VPN in from my work's wireless
instead of using 3G, it still doesn't work (not sure yet if the error is the
same or not). Of course, my work's wireless might be NAT'ed also.
I'm close to giving up on this. It's proving very difficult and if it
weren't for the few people online who claim to have gotten it working, I'd
almost say it can't be done.
If I get the time/inclination I'll try and post some more debugging details
and specifics on what all I've tried. But as of now, I ran through all the
suggestions that folks have posted so far without any luck.
Thanks for trying though and if anyone has any ideas on other stuff to try,
I'm all ears.
Actually... Andreas, when you say to try IPSec tunnel mode on my iPhone, do
you mean to use the IPSec VPN type? Cuz the instructions I'm using say to
use the L2TP mode... IPSec mode doesn't seem to work either, for what it's
worth.
On Sun, Mar 27, 2011 at 12:01 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Dan,
>
> what is missing is
>
> leftsubnet=53.74.66.108/32
>
> as you have a double NAT situation. Can you configure
> the iPhone to use IPsec Tunnel Mode so that the
> internal destination IP would be 192.168.1.10, too?
>
> Regards
>
> Andreas
>
> On 03/26/2011 09:06 PM, Dan Deming wrote:
> > Hello,
> >
> > I'm trying to get a strongswan VPN set up so I can connect my iPhone
> > to my Ubuntu Lucid Lynx desktop, but I can't seem to get it
> > working and would appreciate any help anyone can give me.
> >
> > I feel like I'm close, but networking is not one of my
> > strong suits, so the whole leftnexthop, rightprotoport
> > thing is pretty confusing to me.
> >
> > I've been generally following the directions on these 3
> > pages:
> >
> > http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
> > https://lists.strongswan.org/pipermail/users/2009-March/003291.html
> > http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html
> >
> > Currently, I'm getting the following error:
> >
> > cannot respond to IPsec SA request because no connection is known for
> > 53.74.66.108/32===192.168.1.10:17/%any...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32
> >
> > Here are the stats on what I'm running:
> >
> > Ubuntu Desktop:
> > * Internal IP address is 192.168.1.10
> > * Running custom compiled version of strongswan-4.3.2 with
> > --enable-nat-transport option enabled
> > * Running xl2tpd
> > * Both were set up by following
> >   http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
> > * Firewall was off while I was trying to get this working
> >
> > Linksys E3000 router:
> > * Internal IP address is 192.168.1.1
> > * Comcast IP address is 53.74.66.108 (not my actual IP, but you get the
> > idea)
> > * NAT Enabled
> > * VPN Passthrough Enabled
> > * Ports 4500 and 1701 forwarded to 192.168.1.10
> >
> > iPhone 3GS:
> > * I guess the IP for this device is 166.121.15.14? (Again, I changed it
> > in the log below)
> >
> > Here is my ipsec.conf:
> >
> > config setup
> >     nat_traversal=yes
> >     charonstart=yes
> >     plutostart=yes
> >
> > conn L2TP
> >     authby=psk
> >     pfs=no
> >     rekey=no
> >     type=tunnel
> >     esp=aes128-sha1
> >     ike=aes128-sha-modp1024
> >     left=192.168.1.10
> >     leftnexthop=%defaultroute
> >     #leftprotoport=17/%any
> >     leftprotoport=17/1701
> >     right=%any
> >     rightprotoport=17/%any
> >     #rightsubnetwithin=10.0.0.0/8
> >     auto=add
> >
> >
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
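
Added example, not part of the original thread and not strongSwan code: a small Python parser for the selector string in the quoted error, compared against the local side of `conn L2TP` as posted and again with the `leftsubnet` line from the reply. It assumes IPv4, models only `left`/`leftsubnet` (protoport matching is not modelled), and the function and dict names are hypothetical.

```python
import ipaddress
import re

# Error line quoted in the thread (the poster had already altered the addresses).
ERROR = ("cannot respond to IPsec SA request because no connection is known for "
         "53.74.66.108/32===192.168.1.10:17/%any...192.168.1.1[192.168.1.12]:17/%any"
         "===192.168.1.12/32")

# One end as pluto prints it: host, optional [id], optional :proto/port (IPv4 only).
END = re.compile(r"(?P<host>[\d.]+)(?:\[(?P<id>[^\]]+)\])?(?::(?P<proto>\d+)/(?P<port>\S+))?$")

def parse_request(line):
    """Split 'subnet===host[id]:proto/port...host[id]:proto/port===subnet'."""
    spec = line.rsplit(" for ", 1)[-1].strip()
    local, remote = spec.split("...", 1)
    local_net, _, local_end = local.rpartition("===")
    remote_end, _, remote_net = remote.partition("===")
    out = {}
    for side, end, net in (("local", local_end, local_net),
                           ("remote", remote_end, remote_net)):
        m = END.match(end)
        if m is None:
            raise ValueError(f"unrecognised {side} end: {end!r}")
        host = m.group("host")
        # With no '===subnet' part the selector is the host itself.
        out[side] = dict(m.groupdict(), subnet=ipaddress.ip_network(net or host + "/32"))
    return out

def local_mismatches(line, conn):
    """Compare the request's local side with a conn (dict of ipsec.conf keys)."""
    req = parse_request(line)["local"]
    # ipsec.conf(5): an omitted leftsubnet is treated as left/32.
    configured = ipaddress.ip_network(conn.get("leftsubnet") or conn["left"] + "/32")
    problems = []
    if req["host"] != conn["left"]:
        problems.append(f"host: peer asked for {req['host']}, left={conn['left']}")
    if req["subnet"] != configured:
        problems.append(f"subnet: peer asked for {req['subnet']}, conn offers {configured}")
    return problems

# 'conn L2TP' as posted, then with the leftsubnet line suggested in the reply.
POSTED = {"left": "192.168.1.10"}
SUGGESTED = dict(POSTED, leftsubnet="53.74.66.108/32")

if __name__ == "__main__":
    for name, conn in (("posted", POSTED), ("with leftsubnet", SUGGESTED)):
        print(name, "->", local_mismatches(ERROR, conn) or "local side matches")
```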