[strongSwan] Cisco iOS VPN questions

Klaus Darilion klaus.mailinglists at pernau.at
Sat Nov 26 15:18:08 CET 2011


On 26.11.2011 15:09, Klaus Darilion wrote:
> Trying to answer myself...
>
> On 26.11.2011 12:13, Klaus Darilion wrote:
>> Hi!
>>
>> Thanks for the nice tutorial at
>> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I
>> followed it and it works, but with some problems:
>>
>> I have configured it identical to the WIKI page except:
>>            rightsubnet=192.168.102.0/24
>>            rightsourceip=192.168.102.2
>>
>> The subnet 192.168.102.0/24 is natted to the public IP address
>> 88.198.163.203.
>>
>> Question 1: Connection setup works only on the first time. When I
>> disable the VPN on iPhone and enable it again it fails to connect. If I
>> restart strongSwan it works again. (Strangely I have the same issue with
>> Openswan in L2TP mode but not with strongSwan in L2TP mode).
>>
>> Is this a known problem? Any ideas how to fix it?
>
> It seems that it is a known problem:
> https://lists.strongswan.org/pipermail/users/2010-October/005462.html
>
> I have the same problem, the connection is not properly released. I
> guess as the client reconnects from the same IP:port, somehow the old
> connection settings are used instead of creating a new one. Thus, even
> expanding the pool does not work.
>
> I added
>           dpdaction=clear
>           dpddelay=60
>           dpdtimeout=60
> but after some minutes "ipsec leases" still shows the IP address as
> assigned and re-login does not work.

Weird. It seems that the connection is actually shut down:

Turning on VPN on the iPhone:
# ipsec status
000 "RoadWarrior-CiscoIPsec": 0.0.0.0/0===88.198.53.113[C=CH, O=pernau.at strongSwan VPN, CN=pernau.at]---88.198.53.97...%any[%any]===%RoadWarrior-CiscoIPsec; unrouted; eroute owner: #0
000 "RoadWarrior-CiscoIPsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "RoadWarrior-CiscoIPsec"[2]: 0.0.0.0/0===88.198.53.113:4500[C=CH, O=pernau.at strongSwan VPN, CN=pernau.at]---88.198.53.97...84.112.137.170:4500[C=US, O=pernau.at strongSwan VPN, CN=client klaus]===192.168.102.3/32; erouted; eroute owner: #2
000 "RoadWarrior-CiscoIPsec"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "RoadWarrior-CiscoIPsec"[2] 84.112.137.170:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3320s; newest IPSEC; eroute owner
000 #2: "RoadWarrior-CiscoIPsec"[2] 84.112.137.170:4500 esp.2a25998@84.112.137.170 (0 bytes) esp.7c44720b@88.198.53.113 (0 bytes); tunnel
000 #1: "RoadWarrior-CiscoIPsec"[2] 84.112.137.170:4500 STATE_MODE_CFG_R1 (sent ModeCfg reply, established); EVENT_SA_REPLACE in 3319s; newest ISAKMP
000


Turning off VPN on the iPhone:

# ipsec status
000 "RoadWarrior-CiscoIPsec": 0.0.0.0/0===88.198.53.113[C=CH, O=pernau.at strongSwan VPN, CN=pernau.at]---88.198.53.97...%any[%any]===%RoadWarrior-CiscoIPsec; unrouted; eroute owner: #0
000 "RoadWarrior-CiscoIPsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000


Thus it seems that the connection is closed. Anyway, the IP address is 
not released and reconnecting does not work :-(

regards
Klaus
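The check Klaus is doing by hand above (comparing what "ipsec status" shows against what "ipsec leases" still reports as assigned) can be scripted, so that a stale lease shows up as soon as the tunnel is gone. The following is an added example and not code from the post or from strongSwan: it parses pluto-style "ipsec status" output (the two snapshots from the post, with the e-mail line wrapping rejoined) and flags virtual IPs that are still leased but no longer backed by an erouted connection instance with an established IPsec SA. The lease list LEASES is a constructed dict, since the post does not show the actual "ipsec leases" output; a real run would fill it from that command.

```python
import re
from dataclasses import dataclass

# Constructed sample: 'ipsec status' while the iPhone tunnel is up (copied from
# the post, with the mail client's line wrapping rejoined).
STATUS_CONNECTED = """\
000 "RoadWarrior-CiscoIPsec": 0.0.0.0/0===88.198.53.113[C=CH, O=pernau.at strongSwan VPN, CN=pernau.at]---88.198.53.97...%any[%any]===%RoadWarrior-CiscoIPsec; unrouted; eroute owner: #0
000 "RoadWarrior-CiscoIPsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "RoadWarrior-CiscoIPsec"[2]: 0.0.0.0/0===88.198.53.113:4500[C=CH, O=pernau.at strongSwan VPN, CN=pernau.at]---88.198.53.97...84.112.137.170:4500[C=US, O=pernau.at strongSwan VPN, CN=client klaus]===192.168.102.3/32; erouted; eroute owner: #2
000 "RoadWarrior-CiscoIPsec"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "RoadWarrior-CiscoIPsec"[2] 84.112.137.170:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3320s; newest IPSEC; eroute owner
000 #2: "RoadWarrior-CiscoIPsec"[2] 84.112.137.170:4500 esp.2a25998@84.112.137.170 (0 bytes) esp.7c44720b@88.198.53.113 (0 bytes); tunnel
000 #1: "RoadWarrior-CiscoIPsec"[2] 84.112.137.170:4500 STATE_MODE_CFG_R1 (sent ModeCfg reply, established); EVENT_SA_REPLACE in 3319s; newest ISAKMP
000
"""

# Constructed sample: 'ipsec status' after the iPhone switched the VPN off.
STATUS_AFTER_DISCONNECT = """\
000 "RoadWarrior-CiscoIPsec": 0.0.0.0/0===88.198.53.113[C=CH, O=pernau.at strongSwan VPN, CN=pernau.at]---88.198.53.97...%any[%any]===%RoadWarrior-CiscoIPsec; unrouted; eroute owner: #0
000 "RoadWarrior-CiscoIPsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
"""

# Constructed (hypothetical) lease table: virtual IP -> client identity, as one
# would fill it in from 'ipsec leases'. The post says the lease stays assigned.
LEASES = {'192.168.102.3': 'client klaus'}

# One instantiated road-warrior connection, e.g. "RoadWarrior-CiscoIPsec"[2].
INSTANCE_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)"\[(?P<inst>\d+)\]: '
    r'(?P<local>\S+?)===(?P<gw>[^\[\s]+)\[(?P<gw_id>[^\]]*)\]'
    r'---(?P<nexthop>\S+?)\.\.\.(?P<peer>[\d.]+)(?::(?P<port>\d+))?\[(?P<peer_id>[^\]]*)\]'
    r'===(?P<vip>[\d.]+)/(?P<prefix>\d+); (?P<route>erouted|unrouted); eroute owner: #(?P<owner>\d+)'
)

# One SA state line, e.g. "000 #2: ... STATE_QUICK_R2 (IPsec SA established); ...".
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) '
    r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\)'
)


@dataclass
class Instance:
    conn: str
    inst: int
    peer: str
    peer_id: str
    vip: str
    erouted: bool
    owner_sa: int   # the IPsec SA that owns the eroute (#0 = none)


def parse_instances(status_text):
    """Return the instantiated connections (those with a [N] suffix) in order."""
    out = []
    for line in status_text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            out.append(Instance(m['conn'], int(m['inst']), m['peer'], m['peer_id'],
                                m['vip'], m['route'] == 'erouted', int(m['owner'])))
    return out


def parse_sa_states(status_text):
    """Return {sa_number: STATE_*} for every SA state line in the output."""
    return {int(m['sa']): m['state']
            for m in map(STATE_RE.match, status_text.splitlines()) if m}


def established_ipsec_sas(status_text):
    """SA numbers whose state line says the IPsec SA is established."""
    return {int(m['sa'])
            for m in map(STATE_RE.match, status_text.splitlines())
            if m and m['desc'] == 'IPsec SA established'}


def stale_leases(status_text, leases):
    """Virtual IPs that are still leased but have no erouted instance backed by
    an established IPsec SA, i.e. leases the daemon should have released."""
    live = established_ipsec_sas(status_text)
    active_vips = {i.vip for i in parse_instances(status_text)
                   if i.erouted and i.owner_sa in live}
    return sorted(ip for ip in leases if ip not in active_vips)


if __name__ == '__main__':
    for label, text in (('tunnel up', STATUS_CONNECTED),
                        ('after disconnect', STATUS_AFTER_DISCONNECT)):
        print(f'{label}: active instances={len(parse_instances(text))}, '
              f'stale leases={stale_leases(text, LEASES)}')
```

Run against the second snapshot it reports 192.168.102.3 as stale, which is exactly the symptom in the post: the SAs are gone but the pool entry is not. The "IPsec SA established" check on the eroute owner matters because an instance can sit in STATE_QUICK_R1 or still be listed while its SA is being replaced; only an established SA counts as really using the address.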



