Re: [strongSwan] strongswan ipsec XAUTH+PSK and iphone Problem !

2009-09-08 Thread Alok Thaker
Hi Techies,

   I have a severe problem. With the help of Andreas and my grey
cells we got the iPhone working with IPsec too, but I am not
able to browse when I connect to the IPsec VPN from the iPhone with XAUTH + PSK. I
have masquerading enabled, and this rule works fine for L2TP + IPsec.

When I look on the iPhone and MacBook, I don't get a DNS IP from strongSwan
IPsec. Is there any parameter to manually push the DNS from ipsec.conf?

Please help me ASAP, I am stuck because of this.

Thanks,
Alok

On Tue, Sep 8, 2009 at 8:36 PM, Alok Thaker alok.a...@gmail.com wrote:

 What could the possible resolutions be? I checked: the command comes from ipsec,
 which is /usr/local/sbin/ipsec, and it reads the
 /usr/local/etc/ipsec.conf created by strongSwan. I am awaiting your
 answer on the DNS and internet browsing.

 And if strongswan-4.3.5 is introduced, how would we define it? It is
 very urgent for me to at least get the internet running.

 Thanks,
 Alok




 On Tue, Sep 8, 2009 at 11:01 AM, Andreas Steffen 
 andreas.stef...@strongswan.org wrote:

 Hi Alok,

 strongSwan doesn't have an ipsec verify command and does not
 enable opportunistic encryption by default. I think you
 got that from an earlier Openswan installation.

 Currently the IKEv1 pluto daemon does not support virtual
 IP pools yet. This feature will be introduced with the
 4.3.5 release in November. Currently you have to define
 one connection for each iphone client.

 Best regards

 Andreas

 Alok Thaker wrote:
  Hi Andreas,
 
  I ran the command ipsec verify and it shows that opportunistic encryption
  checks are on. Might that be the reason for not allowing the client to browse
  the internet? And if I have kept rightsourceip=some ip, it would be used for all
  iPhone clients simultaneously. Can I give a range of IPs to it or not?
 
  Please help on this issue.
 
  Thanks,
  Alok
 
  On Tue, Sep 8, 2009 at 7:43 AM, Alok Thaker alok.a...@gmail.com
 wrote:
 
  Hi Andreas,
 
  No, iPhone clients can still connect to strongSwan but can't browse. I also
  added that rule but it isn't working.
 
  Thanks,
  Alok
 
 
  On Mon, Sep 7, 2009 at 8:39 AM, Alok Thaker alok.a...@gmail.com
 wrote:
 
  I will test and let you know, Andreas. At present there is an internet
  downtime at my office. I am sending this message from my BlackBerry.
 
  I will let you know whether this works in some time.
 
  Thanks,
  Alok
 
 
  On Mon, Sep 7, 2009 at 8:23 AM, andi andreas.stef...@strongswan.org
 wrote:
 
  Could you try to exempt traffic to be tunneled from masquerading by
  inserting the following rule:
 
  iptables -t nat -I POSTROUTING 1 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
 
  Andreas
 
  On Mon, 7 Sep 2009 08:18:51 -0400, Alok Thaker alok.a...@gmail.com
  wrote:
  Here it is, Andreas.
 
  iptables -v -n -t nat -L POSTROUTING
  Chain POSTROUTING (policy ACCEPT 188 packets, 13511 bytes)
   pkts bytes target     prot opt in     out     source               destination
    122 15835 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   113K 8162K MASQUERADE  all  --

 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!    www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
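
The rule suggested in the thread is inserted at position 1 because the nat table stops at the first matching rule: an ACCEPT for traffic with an outbound IPsec policy only exempts it from NAT if it sits above MASQUERADE. The following check is an added example, not part of the original thread; the function name and the rule listings are constructed for illustration and assume the `iptables -S` listing format.

```shell
# Added example (not from the thread). Reads `iptables -t nat -S POSTROUTING`
# output on stdin and prints one of:
#   exempt         an IPsec policy ACCEPT rule precedes the first MASQUERADE
#   masqueraded    MASQUERADE matches first, so tunnel traffic gets NATed
#   no-masquerade  the chain has no MASQUERADE rule at all
nat_exempt_status() {
    awk '
        /-m policy/ && /--dir out/ && /--pol ipsec/ && /-j ACCEPT/ {
            if (!accept) accept = NR
        }
        /-j MASQUERADE/ { if (!masq) masq = NR }
        END {
            if (!masq)                        print "no-masquerade"
            else if (accept && accept < masq) print "exempt"
            else                              print "masqueraded"
        }
    '
}

# Constructed listings: before the rule, after inserting it at position 1,
# and the failure mode where it was appended (-A) instead of inserted (-I).
RULES_BEFORE='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

RULES_INSERTED='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

RULES_APPENDED='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT'

printf '%s\n' "$RULES_BEFORE"   | nat_exempt_status
printf '%s\n' "$RULES_INSERTED" | nat_exempt_status
printf '%s\n' "$RULES_APPENDED" | nat_exempt_status

# On a live gateway: iptables -t nat -S POSTROUTING | nat_exempt_status
```

The check looks only at rule order, not at whether both rules name the same outgoing interface.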


Re: [strongSwan] strongswan ipsec XAUTH+PSK and iphone Problem !

2009-09-06 Thread Andreas Steffen
Hi Alok,

besides some unexpected packets everything seems ok. Both XAUTH
and ModeConfig are established successfully but somehow
the negotiation does not go on to the IKE Quick Mode.
Could you remove the modeconfig=push line, since strange effects
might occur if Mode Config is used in conjunction with XAUTH?

Regards

Andreas

Alok Thaker wrote:
 Hi Friends,
 
  I am a fan of strongSwan and I have L2TP with IPsec running
 successfully with iPhone and strongSwan. The only problem I am facing is to
 make IPsec alone with XAUTH+PSK run with the iPhone.
 
 I have also enabled --enable-cisco-quirks=yes, as the iPhone works as a Cisco VPN
 client, as I read in the strongSwan answers, but I have had no luck in
 establishing the connection.
 I get the following errors while connecting strongSwan IPsec (XAUTH+PSK)
 with iPhone IPsec.
  packet from 82.132.139.25:44759: ignoring Vendor ID payload [Cisco-Unity]
 Sep  6 14:48:43 uk_server3 pluto[24769]: packet from 82.132.139.25:44759:
 received Vendor ID payload [Dead Peer Detection]
 Sep  6 14:48:43 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1:
 responding to Main Mode from unknown peer 82.132.139.25:44759
 Sep  6 14:48:45 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1:
 NAT-Traversal: Result using RFC 3947: peer is NATed
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1:
 Peer ID is ID_IPV4_ADDR: '10.38.42.53'
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44759 #1:
 deleting connection win instance with peer 82.132.139.25
 {isakmp=#0/ipsec=#0}
 Sep  6 14:48:46 uk_server3 pluto[24769]: | NAT-T: new mapping
 82.132.139.25:44759/44760)
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sent MR3, ISAKMP SA established
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sending XAUTH request
 Sep  6 14:48:46 uk_server3 pluto[24769]: packet from 82.132.139.25:44760:
 Informational Exchange is for an unknown (expired?) SA
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 parsing XAUTH reply
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 extended authentication was successful
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sending XAUTH status:
 Sep  6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 parsing XAUTH ack
 Sep  6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 received XAUTH ack, established
 Sep  6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sending ModeCfg set
 Sep  6 14:48:47 uk_server3 pluto[24769]: packet from 82.132.139.25:44760:
 ModeCfg message is for a non-existent (expired?) ISAKMP SA
 Sep  6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 parsing ModeCfg ack
 Sep  6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 received ModeCfg ack, established
 Sep  6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 unsupported ModeCfg attribute 28683?? received.
 
 My ipsec.conf for PSK + XAUTH has this entry:
 
 config setup
     # crlcheckinterval=600
     # strictcrlpolicy=yes
     # cachecrls=yesA
     nat_traversal=yes

 conn win
     authby=xauthpsk
     xauth=server
     left=94.76.194.32
     leftnexthop=%direct
     rightsourceip=%modeconfig
     modeconfig=push
     auto=start
 
 My ipsec.secrets has
 94.76.194.32 %any : PSK alok
 : XAUTH alok alok
 
 Please, it is urgent for me. Can someone help me out? It would be a great
 achievement to get strongSwan IPsec (XAUTH+PSK) running with the iPhone.
 
 Thanks,
 Alok

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!    www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
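
The reading of the log given in this reply (XAUTH and ModeConfig complete, Quick Mode never reached, some stray packets) can be reproduced mechanically. The following is an added example, not part of the original thread: the function names are hypothetical, the sample lines are constructed after the pluto messages quoted above, and the `IPsec SA established` text for a completed Quick Mode is an assumption, since the thread shows no such line.

```shell
# Added example (not from the thread). Reads pluto log lines on stdin and
# prints the furthest IKEv1 stage reached:
#   none, main_mode, xauth, modecfg or quick_mode
ike_stage() {
    awk '
        /ISAKMP SA established/                  { if (s < 1) s = 1 }
        /extended authentication was successful/ { if (s < 2) s = 2 }
        /received ModeCfg ack/                   { if (s < 3) s = 3 }
        # Assumption: pluto reports a completed Quick Mode with this text.
        /IPsec SA established/                   { s = 4 }
        END {
            split("none main_mode xauth modecfg quick_mode", name, " ")
            print name[s + 1]
        }
    '
}

# Counts packets pluto could not match to a live SA ("unexpected packets").
stray_packets() {
    grep -c -F '(expired?)' || true
}

# Constructed sample: one log entry per line, documentation address 192.0.2.10.
SAMPLE_LOG='Sep  6 14:48:46 gw pluto[100]: win[2] 192.0.2.10:44760 #1: sent MR3, ISAKMP SA established
Sep  6 14:48:46 gw pluto[100]: win[2] 192.0.2.10:44760 #1: sending XAUTH request
Sep  6 14:48:46 gw pluto[100]: packet from 192.0.2.10:44760: Informational Exchange is for an unknown (expired?) SA
Sep  6 14:48:46 gw pluto[100]: win[2] 192.0.2.10:44760 #1: extended authentication was successful
Sep  6 14:48:47 gw pluto[100]: win[2] 192.0.2.10:44760 #1: sending ModeCfg set
Sep  6 14:48:47 gw pluto[100]: packet from 192.0.2.10:44760: ModeCfg message is for a non-existent (expired?) ISAKMP SA
Sep  6 14:48:48 gw pluto[100]: win[2] 192.0.2.10:44760 #1: received ModeCfg ack, established'

printf '%s\n' "$SAMPLE_LOG" | ike_stage
printf '%s\n' "$SAMPLE_LOG" | stray_packets
```

A result of `modecfg` means phase 1 and both post-authentication exchanges finished but no IPsec SA was negotiated, which is the state described in the reply.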

