[strongSwan] strongswan on centos and ios client
Sashka
sashka at mail.ru
Fri Jun 29 15:37:55 CEST 2012
Hi,

I'm new to strongswan and ran into issues setting up my IPsec VPN
for roaming iOS clients. They need to have access to systems on the LAN
while traveling, and here is what I've got:
LAN 192.168.10.0/24 ---- eth0 192.168.10.231 SERVER 64.xxx.xxx.200 eth1 ---- internet ---- client (iPhone)
I have a LAN with the 192.168.10.0/24 range. There is a CentOS 6 server which
has two interfaces: LAN and WAN. It is not a router; it is a dedicated
system for VPN. I've followed the guide
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple), but
after completing the configuration I am unable to ping anything. iOS reports
that the VPN connection is established, but I can't ping the LAN IP of the VPN
server, nor the phone's IP from the VPN server.

Here is my ipsec.conf:
config setup
    plutostart=yes
    nat_traversal=yes

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=192.168.200.0/24
    rightsourceip=192.168.200.2
    rightcert=user1.pem
    pfs=no
    auto=add
I have iptables enabled on the system. The INPUT policy is DROP by default
and the OUTPUT policy is ACCEPT by default.

I've added the following rules to my iptables:
-A FIREWALL -i eth1 -p esp -j ACCEPT
-A FIREWALL -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A FIREWALL -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-t nat -A POSTROUTING -o eth1 -s 192.168.200.0/24 -j MASQUERADE
So here are my questions:

1. What did I miss in order to set up this VPN connection?
2. When I disconnect the iOS device, I am not able to reconnect
unless I restart strongswan.
3. How can I modify this configuration to allow multiple clients to connect?
Regards,
Sasha
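A firewall lint for the setup described in the post, added here as an example and not code from the post, from strongSwan, or from the wiki guide. It reads an iptables-save dump and reports which of the rules a road-warrior gateway needs are absent: ESP and IKE/NAT-T (UDP 500/4500) accepted on the WAN interface, FORWARD rules for the client pool in both directions, and source NAT for the pool on egress. It also warns when a FORWARD rule matches the pool by address alone, because such a rule also forwards cleartext packets that merely claim a pool source; binding it to the IPsec policy (-m policy --dir in --pol ipsec) limits forwarding to decrypted traffic. The interface names (eth1 for WAN, eth0 for LAN), the pool 192.168.200.0/24, the FIREWALL chain and the DROP policy on FORWARD are assumptions taken from or constructed around the post; the sample dumps are constructed. With leftfirewall=yes strongSwan's _updown script inserts per-client FORWARD rules only while a tunnel is up, so run the check against a dump taken while a client is connected.

```shell
#!/bin/sh
# Added example (not from the original post): lint an iptables-save dump for
# the rules an IKEv1/XAuth road-warrior gateway needs.
# Assumptions: WAN on eth1, client pool 192.168.200.0/24 (both from the post);
# override with environment variables if the layout differs.

WAN_IF="${WAN_IF:-eth1}"
POOL="${POOL:-192.168.200.0/24}"
POOL_PREFIX="${POOL%.*}"      # 192.168.200.0/24 -> 192.168.200

# check_ipsec_rules FILE
#   FILE is an iptables-save dump. Prints one line per finding and returns
#   the number of findings (0 = every required rule present and policy-bound).
check_ipsec_rules() {
    dump="$1"
    findings=0
    # "regex;description" pairs, one per line; $WAN_IF etc. expand in the heredoc
    while IFS=';' read -r pattern desc; do
        if ! grep -Eq -- "$pattern" "$dump"; then
            echo "MISSING: $desc"
            findings=$((findings + 1))
        fi
    done <<EOF
-A [A-Za-z_]+ -i $WAN_IF -p esp -j ACCEPT;ESP accepted on $WAN_IF
-A [A-Za-z_]+ -i $WAN_IF -p udp -m udp --dport 500 -j ACCEPT;IKE (UDP 500) accepted on $WAN_IF
-A [A-Za-z_]+ -i $WAN_IF -p udp -m udp --dport 4500 -j ACCEPT;NAT-T (UDP 4500) accepted on $WAN_IF
-A FORWARD .*-s $POOL_PREFIX\..*-j ACCEPT;FORWARD rule for traffic from the $POOL pool
-A FORWARD .*-d $POOL_PREFIX\..*-j ACCEPT;FORWARD rule for traffic back to the $POOL pool
-A POSTROUTING .*-s $POOL .*-j MASQUERADE;NAT for the $POOL pool on egress
EOF
    # A FORWARD rule that matches the pool by address alone also forwards
    # cleartext packets spoofing a pool address; it should be bound to the
    # IPsec policy so only decrypted traffic is forwarded.
    if grep -E -- "-A FORWARD .*-s $POOL_PREFIX\..*-j ACCEPT" "$dump" \
        | grep -Evq -- '--pol ipsec'; then
        echo "WARN: FORWARD rule for $POOL is not bound to the IPsec policy (-m policy --pol ipsec)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# build_dump [FORWARD-LINES]
#   Prints a constructed iptables-save dump with the post's INPUT and NAT
#   rules (FORWARD policy DROP is an assumption) plus the FORWARD lines given.
build_dump() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':FIREWALL - [0:0]' \
        '-A INPUT -j FIREWALL' \
        '-A FIREWALL -i eth1 -p esp -j ACCEPT' \
        '-A FIREWALL -i eth1 -p udp -m udp --dport 500 -j ACCEPT' \
        '-A FIREWALL -i eth1 -p udp -m udp --dport 4500 -j ACCEPT'
    [ -n "$1" ] && printf '%s\n' "$1"
    printf '%s\n' 'COMMIT' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 192.168.200.0/24 -o eth1 -j MASQUERADE' 'COMMIT'
}

# Constructed FORWARD rule sets: address-only (flagged) and policy-bound (clean).
FORWARD_LOOSE='-A FORWARD -s 192.168.200.0/24 -j ACCEPT
-A FORWARD -d 192.168.200.0/24 -j ACCEPT'
FORWARD_BOUND='-A FORWARD -s 192.168.200.0/24 -i eth1 -o eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -d 192.168.200.0/24 -i eth0 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT'

# demo: lint the three constructed rule sets in turn.
# On a real gateway: iptables-save > /tmp/rules.txt; check_ipsec_rules /tmp/rules.txt
demo() {
    tmp=$(mktemp)
    for rules in "" "$FORWARD_LOOSE" "$FORWARD_BOUND"; do
        build_dump "$rules" > "$tmp"
        check_ipsec_rules "$tmp" && echo "OK: all required rules present"
        echo "---"
    done
    rm -f "$tmp"
}
```

The exit status of check_ipsec_rules is the number of findings, so it can gate a deployment script directly; the per-rule regexes match the layout iptables-save writes (for example `-p udp -m udp --dport 500`), not the argument order typed on the command line, so feed it the dump rather than a hand-written rule list.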