[strongSwan] IKEv2 IpPool and Traffic Selectors

joshua fish grossjo2 at hotmail.com
Wed Dec 9 14:46:11 CET 2015


I am trying to configure an IKEv2 connection against an iPhone iOS 9 device. I am able to get the VPN to come up, but I cannot get more than one client able to push traffic through the VPN to the internet if connected to the same wifi network (i.e. same public IP). Both have valid VPN connections.
I have a very similar setup to my IKEv1 configuration, but it would assign individual IPs as traffic selectors, whereas IKEv2 seems to put the whole subnet in ipsec statusall per connection, i.e.:
ikev1: 0.0.0.0/0 === 10.252.0.2/32
ikev2: 0.0.0.0/0 === 10.252.0.0/16
Below is my conn entry:
conn iphone-ios8-ikev2
  ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
  esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
  keyexchange=ikev2
  rightauth=pubkey
  left=%defaultroute
  #leftsourceip=%config
  leftid=@*.domain.com
  leftsubnet=0.0.0.0/0
  leftfirewall=no
  leftcert=validCert.pem
  leftsendcert=always
  right=%any
  rightsubnet=10.252.0.0/16
  #rightsourceip=%config
  rightsourceip=10.252.0.0/16
  type=transport
  #rightsendcert=always
  eap_identity=%any
  forceencaps=yes
  fragmentation=yes
  auto=add


Below is the output of ipsec statusall:
iphone-ios8-ikev2-singlecert[2]: ESTABLISHED 3 minutes ago, 107.170.72.232[domain.com]...96.45.197.22[0B0F98DB052278DC4665135C7EC97A4E31991A74]
iphone-ios8-ikev2-singlecert[2]: IKEv2 SPIs: 52ff6b0aaa621567_i b852c16ab1f05f10_r*, public key reauthentication in 51 minutes
iphone-ios8-ikev2-singlecert[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
iphone-ios8-ikev2-singlecert{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: caa83fc0_i 09edb239_o
iphone-ios8-ikev2-singlecert{2}:  3DES_CBC/HMAC_SHA1_96, 60104 bytes_i (384 pkts, 51s ago), 92776 bytes_o (312 pkts, 54s ago), rekeying in 11 minutes
iphone-ios8-ikev2-singlecert{2}:   0.0.0.0/0 === 10.252.0.0/16 
iphone-ios8-ikev2-singlecert[1]: ESTABLISHED 3 minutes ago, 107.170.72.232[domain.com]...96.45.197.22[93C7AACB6BEDE86EB4FDBDC35C520C15205B9714]
iphone-ios8-ikev2-singlecert[1]: IKEv2 SPIs: 62497d4b160b041e_i 819b74662f867de9_r*, public key reauthentication in 50 minutes
iphone-ios8-ikev2-singlecert[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
iphone-ios8-ikev2-singlecert{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6c41add_i 0af27f57_o
iphone-ios8-ikev2-singlecert{1}:  3DES_CBC/HMAC_SHA1_96, 8870 bytes_i (74 pkts, 51s ago), 11537 bytes_o (46 pkts, 54s ago), rekeying in 11 minutes
iphone-ios8-ikev2-singlecert{1}:   0.0.0.0/0 === 10.252.0.0/16 

Any help would be appreciated.
Thanks,
Josh




Joshua J. Gross
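The following conn entry is an added example, not Josh's configuration: it leaves rightsubnet unset so that the per-client virtual IP handed out from rightsourceip becomes the remote traffic selector (a /32, like the IKEv1 output above) instead of the whole pool, and it states type=tunnel, which is what is actually negotiated here anyway (the posted statusall reports TUNNEL despite type=transport). It assumes the same proposals, certificate and pool as the post; note that in the posted statusall both CHILD_SAs share reqid 1 precisely because their selectors are identical.

```conf
conn iphone-ios-ikev2
  # same proposals as in the posted conn
  ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes256-sha256,aes256-sha1,3des-sha1!
  keyexchange=ikev2
  # responder side: offer 0.0.0.0/0, the client narrows it as it likes
  left=%defaultroute
  leftid=@*.domain.com
  leftsubnet=0.0.0.0/0
  leftcert=validCert.pem
  leftsendcert=always
  leftfirewall=no
  # client side: no rightsubnet, so the default (%dynamic) is replaced by the
  # virtual IP assigned from the pool and each client gets its own /32 selector
  right=%any
  rightauth=pubkey
  rightsourceip=10.252.0.0/16
  # virtual IPs are carried in tunnel mode; say so instead of type=transport
  type=tunnel
  eap_identity=%any
  forceencaps=yes
  fragmentation=yes
  auto=add
```

After reconnecting, ipsec statusall should list a distinct 10.252.0.x/32 selector and a distinct reqid per client rather than 10.252.0.0/16 for all of them.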