[strongSwan] iphone/ipad get connection but no internet

Ulrich Joergens uli.joergens at orange.fr
Mon Nov 28 12:51:37 CET 2011


Hello

You may need to set a route on your default gateway (192.168.1.254) to your strongSwan gateway (192.168.1.51) for the iPad network (10.8.0.0/24) so received packets can be routed to your iPad.

Cheers
Uli

> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 27 Nov 2011 23:54:24 +0100 (CET)
> From: holli at holli.at
> Subject: [strongSwan] iphone/ipad get connection but no internet
> To: users at lists.strongswan.org
> Message-ID: <20111127225425.0F2CFDBC086 at dd24106.kasserver.com>
> Content-Type: text/plain; charset="utf-8"
> 
> hello,
> 
> I'm new to strongSwan and try to use it for my iPad and iPhone to access my LAN (I have OpenVPN running on my Windows boxes (client) and the OpenVPN server on the same box as the IPsec), but with IPsec I can connect only to this box where IPsec is on - so it looks like the config from the wiki http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) works for connecting but not for accessing any other box on my LAN than the box where IPsec is on.
> 
> iPhone ---> xx.dyndns.org (router IP: 192.168.1.254) --> ports 500/4500 are routed to 192.168.1.51 where strongSwan is running
> 
> my config looks like this:
> 
> ipsec.conf:
> 
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         nat_traversal=yes
>         # charonstart=yes
>         plutostart=yes
> 
> # Add connections here.
> 
> conn ios
>         keyexchange=ikev1
>         authby=xauthrsasig
>         xauth=server
>         left=%defaultroute
>         leftsubnet=0.0.0.0/0
>         # left=hohaso.dyndns.org
>         leftfirewall=yes
>         leftcert=serverCert.pem
>         right=%any
>         # rightsubnet=10.8.0.0/24
>         # rightsourceip=10.8.0.5
>         rightsubnet=192.168.1.0/24
>         rightsourceip=192.168.1.11
>         rightcert=clientCert.pem
>         pfs=no
>         auto=add
> 
> I tried here to use the LAN IPs as well, but same result, no difference for the 10 or 192 network.
> 
> strongswan.conf
> 
> charon {
> 
>         # number of worker threads in charon
>         threads = 16
> 
>         # plugins to load in charon
>         load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke
> 
>         # plugins {
> 
>         #     sql {
>         #         # loglevel to log into sql database
>         #         # loglevel = -1
> 
>         #         # URI to the database
>         #         # database = sqlite:///path/to/file.db
>         #         # database = mysql://user:password@localhost/database
>         #     }
>         # }
> 
>         # ...
> }
> 
> pluto {
> 
>         # plugins to load in pluto
>         # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>         dns1 = 192.168.1.254
> }
> 
> libstrongswan {
> 
>         # set to no, the DH exponent size is optimized
>         # dh_exponent_ansi_x9_42 = no
> }
> 
> So within the log file all looks OK, I guess?
> 
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: | NAT-T: new mapping 46.207.255.74:22256/5848)
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sent MR3, ISAKMP SA established
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sending XAUTH request
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: parsing XAUTH reply
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: extended authentication was successful
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sending XAUTH status
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: parsing XAUTH ack
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: received XAUTH ack, established
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: parsing ModeCfg request
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: unknown attribute type (28683)
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: peer requested virtual IP %any
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: reassigning offline lease to 'holli'
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: assigning virtual IP 10.8.0.5 to peer
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sending ModeCfg reply
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #3: sent ModeCfg reply, established
> Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #4: responding to Quick Mode
> Nov 27 23:52:03 holli-nas-2 pluto[31618]: "ios"[2] 46.207.255.74:5848 #4: IPsec SA established {ESP=>0x0174e0da <0xccf7980d NATOA=0.0.0.0}
> 
> And on the iPhone I get a welcome with success, but I can only access the box where IPsec is on, so what is the trick to access all boxes on the LAN and also have access to the internet?
> 
> thanks
> holli
> 
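As an added illustration of Uli's point (this is not code from the thread or from strongSwan): a small Python model of the return path. A LAN host replying to the iPad's virtual IP 10.8.0.5 hands the packet to its default gateway 192.168.1.254, which without a route for 10.8.0.0/24 forwards it to the uplink, while with the route towards 192.168.1.51 it reaches the strongSwan box and the tunnel. The node names, the "local"/"tunnel" markers and the sample pluto line are constructed for this example.

```python
import ipaddress
import re

# Topology from the thread: iPad virtual IP 10.8.0.5, strongSwan gateway
# 192.168.1.51, default gateway 192.168.1.254 (constructed example data).
VPN_POOL = "10.8.0.0/24"
NODE_BY_ADDR = {"192.168.1.254": "default-gw", "192.168.1.51": "strongswan-gw"}
PLUTO_LINE = ('Nov 27 23:52:02 holli-nas-2 pluto[31618]: "ios"[2] '
              '46.207.255.74:5848 #3: assigning virtual IP 10.8.0.5 to peer')

def assigned_vip(line):
    """Pull the virtual IP pluto handed to the peer out of a ModeCfg log line."""
    m = re.search(r"assigning virtual IP (\S+) to peer", line)
    return m.group(1) if m else None

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace_reply(dst, tables, start="lan-host", max_hops=8):
    """Follow a LAN host's reply to dst hop by hop through the node tables.
    Ends in 'delivered', 'internet' (leaked to the uplink) or 'unroutable'."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh in ("local", "tunnel"):      # directly connected or via IPsec
            return path + ["delivered"]
        if nh is None:
            return path + ["unroutable"]
        node = NODE_BY_ADDR.get(nh, "internet")
        path.append(node)
        if node == "internet":              # left the LAN, reply is lost
            return path
    return path + ["loop"]

def build_tables(route_on_default_gw):
    """Routing tables of the three nodes, with or without Uli's extra route."""
    gw = [("192.168.1.0/24", "local"), ("0.0.0.0/0", "isp-uplink")]
    if route_on_default_gw:
        gw.append((VPN_POOL, "192.168.1.51"))
    return {
        "lan-host": [("192.168.1.0/24", "local"), ("0.0.0.0/0", "192.168.1.254")],
        "default-gw": gw,
        "strongswan-gw": [("192.168.1.0/24", "local"), (VPN_POOL, "tunnel"),
                          ("0.0.0.0/0", "192.168.1.254")],
    }
```

Tracing from "strongswan-gw" instead of "lan-host" delivers even without the extra route, which matches the symptom that only the IPsec box itself is reachable.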