[strongSwan] Cisco iOS VPN questions

Klaus Darilion klaus.mailinglists at pernau.at
Sat Nov 26 12:13:18 CET 2011


Hi!

Thanks for the nice tutorial at 
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I 
followed it and it works, but with some problems:

I have configured it identical to the WIKI page except:
         rightsubnet=192.168.102.0/24
         rightsourceip=192.168.102.2

The subnet 192.168.102.0/24 is natted to the public IP address 
88.198.163.203.

Question 1: Connection setup works only on the first time. When I 
disable the VPN on iPhone and enable it again it fails to connect. If I 
restart strongSwan it works again. (Strangely I have the same issue with 
Openswan in L2TP mode but not with strongSwan in L2TP mode).

Is this a known problem? Any ideas how to fix it?

Question 2: Using tcpdump (-i any) I see the packets (all on eth0):

iPhone IP -> any website:
12:07:14.177791 IP 192.168.102.2.62574 > 194.232.104.77.80:

NAT-IP address -> any website:
12:07:14.177884 IP 88.198.163.203.62574 > 194.232.104.77.80:

any website -> NAT-IP address:
12:07:14.208331 IP 194.232.104.77.80 > 88.198.163.203.62574:

I miss the de-NATed packet "any website -> iPhone IP". Is it possible to 
see all packets or is it just a limitation of the kernel (Debian 
2.6.32-5-686) that the packets are internally de-NATed and immediately 
encoded into the tunnel?

Further, I wonder how the routing to 192.168.102.2 works as there is no 
interface into this subnet and also no entry in the routing table.

Question 3: The IP address of the client is hardcoded into ipsec.conf: 
rightsourceip=192.168.102.2. How can I support multiple clients, e.g. 
some kind of address pool? Can I assign fixed IP addresses e.g. based on 
client certificate or XAUTH username?

Thanks
Klaus
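The two options asked about in Question 3 side by side, as an added ipsec.conf illustration that is not part of the original post or of the strongSwan wiki page. The conn names, the pool range and the certificate subject are placeholders; the authentication settings from the wiki setup are assumed to live unchanged in "conn ios-base".

```conf
# Added illustration, not from the original post or the strongSwan wiki.
# Assumed: conn names, pool range and the DN below are placeholders; the
# left*/leftcert/IKEv1-XAUTH settings from the wiki page are kept in
# ios-base exactly as configured there (omitted here).

conn ios-base
        leftsubnet=0.0.0.0/0
        auto=add

# Option A: hand out addresses from a pool instead of one fixed
# rightsourceip. A subnet given here becomes an in-memory pool and each
# connecting client gets the next free address from it.
conn ios-pool
        also=ios-base
        rightsourceip=192.168.102.128/25

# Option B: a fixed address per client, selected by the identity the
# client authenticates with (for certificate authentication, the subject
# DN of its certificate). A conn whose rightid matches the peer is chosen
# over the wildcard (%any) pool conn above. The fixed address is kept
# outside the pool range so the two cannot collide.
conn ios-alice
        also=ios-base
        rightid="C=CH, O=Example, CN=alice@example.com"   # placeholder DN
        rightsourceip=192.168.102.2
```

Both the pool and the fixed addresses fall inside 192.168.102.0/24, so the existing NAT rule to the public address covers them without change.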