[strongSwan] Cisco iOS VPN questions

Klaus Darilion klaus.mailinglists at pernau.at
Sat Nov 26 15:09:14 CET 2011


Trying to answer myself...

On 26.11.2011 12:13, Klaus Darilion wrote:
> Hi!
>
> Thanks for the nice tutorial at
> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I
> followed it and it works, but with some problems:
>
> I have configured it identical to the WIKI page except:
>           rightsubnet=192.168.102.0/24
>           rightsourceip=192.168.102.2
>
> The subnet 192.168.102.0/24 is natted to the public IP address
> 88.198.163.203.
>
> Question 1: Connection setup works only on the first time. When I
> disable the VPN on iPhone and enable it again it fails to connect. If I
> restart strongSwan it works again. (Strangely I have the same issue with
> Openswan in L2TP mode but not with strongSwan in L2TP mode).
>
> Is this a known problem? Any ideas how to fix it?

It seems that it is a known problem: 
https://lists.strongswan.org/pipermail/users/2010-October/005462.html

I have the same problem: the connection is not properly released. I
guess that as the client reconnects from the same IP:port, somehow the old
connection settings are used instead of creating a new one. Thus, even
expanding the pool does not work.

I added
         dpdaction=clear
         dpddelay=60
         dpdtimeout=60
but after some minutes "ipsec leases" still shows the IP address as 
assigned and re-login does not work.

> Question 2: Using tcpdump (-i any) I see the packets (all on eth0):
>
> iPhone IP ->  any website:
> 12:07:14.177791 IP 192.168.102.2.62574>  194.232.104.77.80:
>
> NAT-IP address ->  any website:
> 12:07:14.177884 IP 88.198.163.203.62574>  194.232.104.77.80:
>
> any website ->  NAT-IP address:
> 12:07:14.208331 IP 194.232.104.77.80>  88.198.163.203.62574:
>
> I am missing the de-NATed packet "any website ->  iPhone IP". Is it possible to
> see all packets or is it just a limitation of the kernel (Debian
> 2.6.32-5-686) that the packet is internally de-NATed and immediately
> encoded into the tunnel?
>
> Further, I wonder how the routing to 192.168.102.2 works as there is no
> interface into this subnet and also no entry in the routing table.
>
> Question 3: The IP address of the client is hardcoded into ipsec.conf:
> rightsourceip=192.168.102.2. How can I support multiple clients, e.g.
> some kind of address pool? Can I assign fixed IP address e.g. based on
> client-certificate or XAUTH username?

OK. It seems that rightsourceip=192.168.102.0/24 would make a range. Still
trying to figure out how I can assign IP addresses based on XAUTH
username or certificate...

Thanks
Klaus
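
A worked ipsec.conf fragment, added here by the editor and not part of Klaus's post or of the strongSwan wiki page he followed: it combines the pool form of rightsourceip that the post arrives at with the DPD settings the post tried, and adds uniqueids in the setup section, which the post does not mention and which is my assumption for the stale-lease symptom (a client reconnecting with the same identity replaces its old IKE SA instead of colliding with it). The conn name, certificate file name and the 192.168.102.0/24 pool are placeholders taken from the thread; nothing here is verified against the poster's setup.

```ini
# /etc/ipsec.conf  (added example; conn name, cert name and pool are placeholders)
config setup
    # Assumption: with uniqueids=yes a peer that re-authenticates with the
    # same identity replaces its previous, not yet torn down, IKE SA.
    uniqueids=yes

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    # A CIDR here defines an in-memory address pool: every connecting
    # client is leased one address out of it, and "ipsec leases" lists
    # the allocations. A single address (rightsourceip=192.168.102.2)
    # can only ever serve one client at a time.
    rightsourceip=192.168.102.0/24
    # Dead peer detection: probe after 60 s of silence and clear the SAs
    # (and release the lease) if nothing answers within dpdtimeout.
    dpdaction=clear
    dpddelay=60
    dpdtimeout=60
    forceencaps=yes
    auto=add
```

After a client drops, the check is "ipsec leases": a lease that stays "online" long past dpddelay+dpdtimeout means the peer's delete or the DPD timeout never reached the pool, which is the symptom the post describes; a lease shown as "offline" is free to be handed out again (and, as far as I know, the in-memory pool prefers to hand a returning identity its previous address, which is the closest thing to a fixed per-identity address without an external pool).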