Miroslav,
thank you for responding, I believe the second device connecting is
getting the same IP address as the first;
Here's a log I spit out of updown scripts, both devices get
10.255.0.1/32, the intent it to have 10.255.0.0/16 as a pool of
addresses for the connecting devices.
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292
bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec
--proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292
bytes in '1478' out '5161' packets in '17' out '14'
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E
bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec
--proto esp --reqid 8 --dir in
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E
bytes in '3937' out '9212' packets in '28' out '23'
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292
bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec
--proto esp --reqid 9 --dir in
and the route
ip route list table 220
10.255.0.1 via 10.199.65.193 dev eth0 proto static
statusall only shows the first device to connect
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.2.0-54-virtual,
x86_64):
uptime: 18 minutes, since Apr 24 15:04:24 2015
malloc: sbrk 2555904, mmap 0, used 473168, free 2082736
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 23
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve
socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
10.255.0.0/16: 65534/1/0
Listening IP addresses:
10.199.65.236
10.0.0.116
10.0.1.10
10.0.1.12
10.0.0.242
10.0.0.120
10.0.0.122
10.0.0.238
Connections:
ios: %any,0.0.0.0/0,::/0...%any IKEv1
ios: local: [C=US, ST=California, L=New York, O=Internet
Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
[email protected]] uses public key authentication
ios: cert: "C=US, ST=California, L=New York, O=Internet
Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
[email protected]"
ios: remote: uses public key authentication
ios: remote: uses XAuth authentication: any
ios: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
ios[12]: ESTABLISHED 2 minutes ago, 10.199.65.236[C=US,
ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile,
CN=ipsec.corp.actmobile.com,
[email protected]]...166.170.42.208[C=US, O=strongSwan,
CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
ios[12]: Remote XAuth identity: actmobile
ios[12]: IKEv1 SPIs: 387433cc7c4e0cf7_i b7f0e6ff754ca158_r*,
public key reauthentication in 2 hours
ios[12]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
ios{11}: INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs:
cca21352_i 0ef3c1ab_o
ios{11}: AES_CBC_128/HMAC_SHA1_96, 1534 bytes_i (18 pkts,
104s ago), 5393 bytes_o (15 pkts, 104s ago), rekeying in 23 hours
ios{11}: 0.0.0.0/0 === 10.255.0.1/32
Here's the conn from ipsec.conf, do I really need to setup a dhcp
service instead?
conn ios
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%any
leftsubnet=0.0.0.0/0
leftsourceip = %modeconfig
leftallowany = yes
lefthostaccess=yes
leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
leftcert=serverCert.pem
right=%any
rightsourceip=10.255.0.0/16
rightfirewall=yes
righthostaccess=yes
auto=start
rekey=yes
fragmentation=yes
lifetime=24h
dpddelay=0
dpdtimeout=24h
On 4/24/15 12:51 AM, Miroslav Svoboda wrote:
Please can you provide:
- log with default loglevel set to 2, showing start of both iPhones
connection
- output of command "strongswan statusall" at the time both iphone are
connected
- route table and iptables rules (tables filter, nat, mangle)
I believe this question would be next time better fit for users list
and even might get answered quicker there.
Miroslav
On Thursday, April 23, 2015 at 4:40:15 PM UTC+2, Andrew Foss wrote:
I am bringing up an ipsec server for our ios users and suspect my
"left"
parameters aren't quite right, but so far my changes have made it not
work at all and I am not fully understanding the descriptions. I am
running 5.3.0, our ifupdown scripts open iptables rules to allow
access
to dns and the servers.
What is see is first device on a network connects and works fine.
Second
device connects and neither works, second device gets
disconnected, as
if the routing/nat handling is sending packets down the wrong tunnel.
Here's my config, I suspect leftsubnet should be 0/0, these are just
devices connecting for themselves, not another vpn gateway
connecting a
network. Any pointers?
conn ios
keyexchange=ikev1
#esp=null-sha1!
authby=xauthrsasig
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
#leftsubnet=10.66.0.0/16 <http://10.66.0.0/16>
#leftfirewall=yes
leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
leftcert=serverCert.pem
right=%any
rightsourceip=10.0.0.0/16 <http://10.0.0.0/16>
#rightsourceip=10.100.255.0/28 <http://10.100.255.0/28>
#rightcert=clientCert.pem
#pfs=no
auto=start
rekey=yes
fragmentation=yes
lifetime=24h
dpddelay=0
dpdtimeout=24h
actmobile@accel:~-u
thanks,
andrew
_______________________________________________
Dev mailing list
[email protected] <mailto:[email protected]>
https://lists.strongswan.org/mailman/listinfo/dev
<https://lists.strongswan.org/mailman/listinfo/dev>
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
