[strongSwan] iphone/ipad get connection but no internet

holli at holli.at holli at holli.at
Sun Nov 27 23:54:24 CET 2011


Hello,

I'm new to strongSwan and try to use it for my iPad and iPhone to access my LAN (I have OpenVPN running on my Windows boxes (client) and the OpenVPN server on the same box as the IPsec). With IPsec I can connect, but only to this box where IPsec is on, so it looks like the config from the wiki http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) works for connecting but not for accessing any other box on my LAN than the box where IPsec is on.

iPhone ---> xx.dyndns.org (router IP: 192.168.1.254) --> ports 500/4500 are routed to 192.168.1.51, where strongSwan is running.

My config looks like this:

ipsec.conf:

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        # charonstart=yes
        plutostart=yes

# Add connections here.

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        # left=hohaso.dyndns.org
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        # rightsubnet=10.8.0.0/24
        # rightsourceip=10.8.0.5
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.11
        rightcert=clientCert.pem
        pfs=no
        auto=add

I tried the LAN IPs here as well, but got the same result; no difference for the 10 or 192 network.

strongswan.conf:

charon {

        # number of worker threads in charon
        threads = 16

        # plugins to load in charon
        load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke

        # plugins {

        #       sql {
                        # loglevel to log into sql database
        #               loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
        #       }
        # }

        # ...
}

pluto {

        # plugins to load in pluto
        # load = aes des sha1 md5 sha2 hmac gmp random pubkey
        dns1 = 192.168.1.254
}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}

So within the log file all looks OK, I guess?

Nov 27 23:52:02 holli-nas-2 pluto[31618]: | NAT-T: new mapping 46.207.255.74:22256/5848)
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sent MR3, ISAKMP SA established
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sending XAUTH request
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: parsing XAUTH reply
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: extended authentication was successful
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sending XAUTH status
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: parsing XAUTH ack
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: received XAUTH ack, established
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: parsing ModeCfg request
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: unknown attribute type (28683)
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: peer requested virtual IP %any
Nov 27 23:52:02 holli-nas-2 pluto[31618]: reassigning offline lease to 'holli'
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: assigning virtual IP 10.8.0.5 to peer
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sending ModeCfg reply
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sent ModeCfg reply, established
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #4: responding to Quick Mode
Nov 27 23:52:03 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #4: IPsec SA established {ESP=>0x0174e0da <0xccf7980d NATOA=0.0.0.0}

And on the iPhone I get a welcome with success, but I can only access the box where IPsec is on. So what is the trick to access all boxes on the LAN and also have access to the internet?

Thanks
holli
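A small diagnostic added here (not part of the original post or of strongSwan): it parses the posted conn section and the pluto log lines, compares the configured rightsourceip with the virtual IP pluto actually leased, and flags the reused offline lease. The config and log excerpts embedded below are constructed from the post above.

```python
import ipaddress
import re

# Constructed excerpts of the ipsec.conf and pluto log from the post.
IPSEC_CONF = """\
conn ios
        keyexchange=ikev1
        leftsubnet=0.0.0.0/0
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.11
"""

PLUTO_LOG = """\
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: peer requested virtual IP %any
Nov 27 23:52:02 holli-nas-2 pluto[31618]: reassigning offline lease to 'holli'
Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: assigning virtual IP 10.8.0.5 to peer
"""

def conn_settings(conf, conn):
    """Return the key=value pairs of one conn section as a dict."""
    settings, active = {}, False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            active = stripped.split(None, 1)[1] == conn
            continue
        if active and "=" in stripped and not stripped.startswith("#"):
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def assigned_virtual_ips(log):
    """Virtual IPs pluto reports leasing, plus whether an offline lease was reused."""
    ips = re.findall(r"assigning virtual IP (\S+) to peer", log)
    reused = "reassigning offline lease" in log
    return ips, reused

def check_pool(conf, log, conn="ios"):
    """Compare the configured rightsourceip pool with the address actually leased."""
    s = conn_settings(conf, conn)
    pool = ipaddress.ip_network(s["rightsourceip"], strict=False)
    lan = ipaddress.ip_network(s["rightsubnet"], strict=False)
    ips, reused = assigned_virtual_ips(log)
    findings = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr not in pool:
            findings.append(f"leased {ip} is outside the configured pool {pool}")
        if addr not in lan:
            findings.append(f"leased {ip} is outside rightsubnet {lan}; LAN hosts have no route back to it unless one is added or NAT is used")
    if reused:
        findings.append("pluto reused an offline lease from an earlier pool; clear stale leases and reload the conn")
    return findings
```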