[strongSwan] Cisco iOS VPN questions

Klaus Darilion klaus.mailinglists at pernau.at
Sat Nov 26 12:13:18 CET 2011


Thanks for the nice tutorial at 
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I 
followed it and it works, but with some problems:

I have configured it identical to the WIKI page except:

The subnet is natted to the public IP address

Question 1: Connection setup works only on the first time. When I 
disable the VPN on iPhone and enable it again it fails to connect. If I 
restart strongSwan it works again. (Strangly I have the same issue with 
Openwan in L2TP mode but not with strongSwan in L2TP mode).

This is a known problem? Any ideas how to fix it?

Question 2: Using tcpdump (-i any) I see the packets (all on eth0):

iPhone IP -> any website:
12:07:14.177791 IP >

NAT-IP address -> any website:
12:07:14.177884 IP >

any website -> NAT-IP address:
12:07:14.208331 IP >

I miss the de-NATed packet "any website -> iPhone IP". Is it possible to 
see all packets or is it just a limitation of the kernel (Debian 
2.6.32-5-686) that the packets is internally de-NATed and immediately 
encoded into the tunnel?

Further, I wonder how the routing to works as there is no 
interface into this subnet and also no entry in the routing table.

Question 3: The IP address of the client is hardcoded into ipsec.conf: 
rightsourceip= How can I support multiple clients, e.g. 
some kind of address pool? Can I assign fixed IP address e.g. based on 
client-certificate or XAUTH username?


More information about the Users mailing list