[strongSwan] Cisco iOS VPN questions

Klaus Darilion klaus.mailinglists at pernau.at
Sat Nov 26 15:09:14 CET 2011

Trying to answer myself...

On 26.11.2011 12:13, Klaus Darilion wrote:
> Hi!
> Thanks for the nice tutorial at
> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I
> followed it and it works, but with some problems:
> I have configured it identical to the WIKI page except:
>           rightsubnet=
>           rightsourceip=
> The subnet is natted to the public IP address
> Question 1: Connection setup works only on the first time. When I
> disable the VPN on iPhone and enable it again it fails to connect. If I
> restart strongSwan it works again. (Strangly I have the same issue with
> Openwan in L2TP mode but not with strongSwan in L2TP mode).
> This is a known problem? Any ideas how to fix it?

It seems that it is a known problem: 

I have the same problem, the connection is not properly released. I 
guess as the client reconnects from the same IP:port, somehow the old 
connection settings are used instead of creating a new one. Thus, even 
expanding the pool does not work.

I added
but after some minutes "ipsec leases" still shows the IP address as 
assigned and re-login does not work.

> Question 2: Using tcpdump (-i any) I see the packets (all on eth0):
> iPhone IP ->  any website:
> 12:07:14.177791 IP>
> NAT-IP address ->  any website:
> 12:07:14.177884 IP>
> any website ->  NAT-IP address:
> 12:07:14.208331 IP>
> I miss the de-NATed packet "any website ->  iPhone IP". Is it possible to
> see all packets or is it just a limitation of the kernel (Debian
> 2.6.32-5-686) that the packets is internally de-NATed and immediately
> encoded into the tunnel?
> Further, I wonder how the routing to works as there is no
> interface into this subnet and also no entry in the routing table.
> Question 3: The IP address of the client is hardcoded into ipsec.conf:
> rightsourceip= How can I support multiple clients, e.g.
> some kind of address pool? Can I assign fixed IP address e.g. based on
> client-certificate or XAUTH username?

Ok. Seems like rightsourceip= would make a range. Still 
trying to figure out how I can assign IP addresses based on xauth 
username or certificate.....


More information about the Users mailing list