[strongSwan] Can't have more then one connection

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 2 07:01:35 CEST 2012


If you have different client IDs and corresponding distinct client
certificates why do you locally load a fixed client certificate with

rightcert=clientCert.pem ?

Andreas

On 07/02/2012 12:15 AM, Sharon Sahar wrote:
> Hi,
> 
> I'm using SS v4.6.3 configured to support iPhone devices.
> After successfully connecting an iPhone, when I try to connect another
> iPhone or Racoon (with different username and certificate from same CA)
> the first connection is disconnected. As a result, I can only have one
> active connection at a time.
> 
> This is what I see in the log (164.40.134.185 initiates new connection
> and 109.64.217.197 is being disconnected):
> 
> "ios"[3] 164.40.134.185 #4: we have a cert and are sending it upon request
> Jul  1 16:56:08 02104-8-1222487 pluto[12915]: "ios"[3] 164.40.134.185
> #4: deleting connection "ios" instance with peer 109.64.217.197
> {isakmp=#2/ipsec=#3}
> Jul  1 16:56:08 02104-8-1222487 pluto[12915]: "ios" #3: deleting state
> (STATE_QUICK_R2)
> Jul  1 16:56:08 02104-8-1222487 pluto[12915]: "ios" #2: deleting state
> (STATE_MODE_CFG_R1)
> Jul  1 16:56:08 02104-8-1222487 pluto[12915]: | unref key: 0x174acb0
> 0x174ab10 cnt 1 'C=CH, O=LacoonSecurity, CN=client'
> Jul  1 16:56:08 02104-8-1222487 pluto[12915]: "ios"[3] 164.40.134.185
> #4: unroute-client output: /usr/libexec/ipsec/_updown: doroute `ip route
> delete 10.0.0.3/32 via 109.64.217.197 dev eth0  src
> 10.0.0.15 table 220' failed (RTNETLINK answers: No such process)
> 
> Any idea what's causing this behavior?
> 
> Thanks!
> 
> ipsec.conf is below:
> 
> config setup
>         plutodebug=controlmore
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         nat_traversal=yes
>         charonstart=no
>         plutostart=yes
>         # plutostderrlog=/var/log/plutolog.log
>         uniqueids=yes
> 
> conn ios
>         type=tunnel
>         # modeconfig=pull
>         # installpolicy=yes
>         keyexchange=ikev1
>         authby=xauthrsasig
>         xauth=server
>         left=164.40.134.181
>         leftsourceip=10.0.0.15
>         leftsubnet=0.0.0.0/0
>         leftfirewall=yes
>         leftcert=serverCert.pem
>         leftprotoport=%any
>         right=%any
>         rightsourceip=10.0.0.1/24
>         rightsubnet=0.0.0.0/0
>         rightprotoport=%any
>         rightnexthop=%defaultroute
>         rightid=%any
>         rightcert=clientCert.pem
>         pfs=no
>         auto=add
>         dpdaction=clear
>         dpddelay=10
>         dpdtimeout=150
>         rekey=no
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
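As an added example, not part of the thread and not strongSwan's own code: a small Python check that parses an ipsec.conf in the mixed-indentation form quoted above and flags the combination Andreas points at, a road-warrior conn (right=%any) that loads one fixed client certificate via rightcert= while uniqueids is in effect, so that every client presents as the same peer identity and a new client replaces the previous SA. The corrected variant, with rightcert removed and the issuing CA pinned via rightca= (placeholder DN, not from the thread), passes the check. The parser is an assumption about the file layout for this demonstration, not strongSwan's parser, and the "uniqueids defaults to yes" rule is taken from the ipsec.conf documentation.

```python
"""Lint a strongSwan ipsec.conf for the shared road-warrior identity trap.

Constructed example (not strongSwan code): models the thread's situation,
where a single client certificate loaded with rightcert= pins the peer
identity for every road warrior, so uniqueids=yes tears down the previous
client's SA whenever a new client connects.
"""
from typing import Dict, List, Optional

# Constructed: trimmed copy of the ipsec.conf quoted in the thread,
# keeping its mixed indentation and trailing whitespace on purpose.
THREAD_CONF = """\
config setup
plutodebug=controlmore
nat_traversal=yes
uniqueids=yes

conn ios
keyexchange=ikev1
        authby=xauthrsasig         
xauth=server
        left=164.40.134.181
        leftcert=serverCert.pem
        right=%any
        rightsourceip=10.0.0.1/24
rightid=%any
        rightcert=clientCert.pem
        auto=add
"""

# Constructed: same conn without a fixed client certificate. Each client is
# identified by its own certificate, constrained to the issuing CA
# (placeholder DN, not taken from the thread).
FIXED_CONF = """\
config setup
        uniqueids=yes

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=164.40.134.181
        leftcert=serverCert.pem
        right=%any
        rightid=%any
        rightca="C=XX, O=Example CA, CN=PLACEHOLDER-CA"
        rightsourceip=10.0.0.1/24
        auto=add
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf text into {section: {key: value}}.

    A line at column 0 starting with 'config' or 'conn' opens a section;
    any other line containing '=' is a key=value pair of the current
    section regardless of indentation. '#' comments and blanks are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.split(None, 1)[0] in ("config", "conn"):
            current = line.strip()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def find_shared_identity(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per road-warrior conn that pins a client cert."""
    setup = sections.get("config setup", {})
    uniqueids = setup.get("uniqueids", "yes")  # documented default is yes
    findings: List[str] = []
    for name, conn in sections.items():
        if not name.startswith("conn ") or conn.get("right") != "%any":
            continue  # only road-warrior conns can hit this
        if "rightcert" in conn:
            msg = (f"{name}: rightcert={conn['rightcert']} pins one peer identity "
                   f"for every road warrior")
            if uniqueids != "no":
                msg += f"; with uniqueids={uniqueids} a new client replaces the previous SA"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        results = find_shared_identity(parse_ipsec_conf(conf))
        for line in results or ["no shared-identity finding"]:
            print(f"[{label}] {line}")
```

Run it as a script to see the thread's conn flagged and the corrected conn pass; the check deliberately ignores rightid=%any, since that setting alone does not undo a certificate loaded with rightcert.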