[strongSwan] unity_split_include prevents VPN from connecting.

Michael Gorbach michael at mgorbach.name
Fri Mar 9 19:03:51 CET 2012


And one more thing …

- In ipsec.conf:

 conn ansible-threshold-pki
	left=%defaultroute
	leftsubnet=172.16.1.0/24

~ M.

On Mar 9, 2012, at 1:00 PM, Michael Gorbach wrote:

> I've got this working as follows:
> 
> - Removed the UNITY_SPLIT_INCLUDE attribute from the SQL DB.
> - In strongswan.conf:
> 
> pluto {
>        plugins {
>                attr {
>                        dns = 172.16.1.1
>                        28675 = mgorbach.home
>                        28676 = 172.16.1.0/24
>                }
>        }
> }
> 
> The 28676 and 28675 are the SPLIT_INCLUDE and DOMAIN attributes.makes a 
> - Switched strongSwan to running as root, though I don't know if that made a difference.
> 
> ~ M.
> 
> On Mar 7, 2012, at 11:13 PM, Michael Gorbach wrote:
> 
>> (Don't know if this email will get threaded correctly. I can't reply to the original email, since I just joined the list when I saw this thread) …
>> 
>> I'm seeing the same problem, also with the iOS Cisco Client. Interestingly, it's happening even though the pool isn't actually set (yet) for that strongSwan connection. The presence of a pool is fine, but the presence of a pool with this UNITY_SPLIT_INCLUDE attribute set appears to cause the connection to fail with the following:
>> 
>> "ansible-threshold-pki"[2] <client IP>:3047 #1: cannot respond to IPsec SA request because no connection is known for 172.16.1.0/24===172.16.1.102:4500[C=US, O=AnsibleThreshold strongSwan, CN=<server ip>]...174.252.36.126:3047[C=US, O=AnsibleThreshold strongSwan, CN=<My iPhone>]===10.0.8.1/32
>> 
>> Some help would be very much appreciated,
>> ~ Michael Gorbach
> 
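
The working setup in this message pairs `28676 = 172.16.1.0/24` in strongswan.conf with `leftsubnet=172.16.1.0/24` in ipsec.conf. The following Python check is an added example, not part of the original emails or of strongSwan: it flags split-include networks that no conn declares as its leftsubnet. The function names, the exact-match rule and the comma-separated parsing are assumptions, and the config text is constructed from the fragments quoted above.

```python
import re
from ipaddress import ip_network

# Constructed sample input mirroring the fragments quoted in the thread.
STRONGSWAN_CONF = """
pluto {
    plugins {
        attr {
            dns = 172.16.1.1
            28675 = mgorbach.home
            28676 = 172.16.1.0/24
        }
    }
}
"""
IPSEC_CONF = """
conn ansible-threshold-pki
    left=%defaultroute
    leftsubnet=172.16.1.0/24
"""

def split_include_nets(conf):
    """Networks under attribute 28676 (assumes comma-separated values)."""
    values = re.findall(r"^\s*28676\s*=\s*(.+)$", conf, re.M)
    return [ip_network(i.strip(), strict=False) for v in values for i in v.split(",")]

def left_subnets(conf):
    """Map each conn name to the networks on its leftsubnet= line."""
    conns, current = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            conns[current] = []
        elif current and (m := re.match(r"\s+leftsubnet\s*=\s*(.+)", line)):
            conns[current] += [ip_network(s.strip(), strict=False)
                               for s in m.group(1).split(",")]
    return conns

def uncovered(strongswan_conf, ipsec_conf):
    """Split-include networks that no conn lists as its leftsubnet (exact match)."""
    lefts = {n for nets in left_subnets(ipsec_conf).values() for n in nets}
    return [n for n in split_include_nets(strongswan_conf) if n not in lefts]

if __name__ == "__main__":
    for net in uncovered(STRONGSWAN_CONF, IPSEC_CONF):
        print(f"split-include {net} has no conn with a matching leftsubnet")
```
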
