Re: [strongSwan] strongswan ipsec XAUTH+PSK and iphone Problem !
Hi Techies,

I am in a severe problem. With the help of Andreas and my grey cells we made the iPhone working for IPsec too, but the thing is I am not able to browse when I connect to the IPsec VPN from the iPhone with XAUTH + PSK. I have masquerading enabled and this rule works fine for L2TP + IPsec. When I look on the iPhone and MacBook I don't get a DNS IP from strongSwan IPsec. Is there any parameter to manually push the DNS from ipsec.conf? Please help me ASAP, I am stuck due to this.

Thanks,
Alok

On Tue, Sep 8, 2009 at 8:36 PM, Alok Thaker alok.a...@gmail.com wrote:

What could the possible resolutions be? I checked: the command comes from ipsec, which is from /usr/local/sbin/ipsec, and it reads the /usr/local/etc/ipsec.conf created by strongSwan. I am awaiting your answer for the DNS and internet browsing. And if strongswan-4.3.5 is introduced, how would we define it? It is very urgent for me to at least make the internet running.

Thanks,
Alok

On Tue, Sep 8, 2009 at 11:01 AM, Andreas Steffen andreas.stef...@strongswan.org wrote:

Hi Alok,

strongSwan doesn't have an ipsec verify command and does not enable opportunistic encryption by default. I think you got that from an earlier Openswan installation.

Currently the IKEv1 pluto daemon does not support virtual IP pools yet. This feature will be introduced with the 4.3.5 release in November. Currently you have to define one connection for each iPhone client.

Best regards
Andreas

Alok Thaker wrote:

Hi Andreas,

I fired the command ipsec verify and it shows opportunistic encryption checks on. Might that be the reason for not allowing the client to browse the internet? And if I have kept rightsourceip=some ip, it would be used for all iPhone clients simultaneously; can I give a range of IPs to it or not? Please help on this issue.

Thanks,
Alok

On Tue, Sep 8, 2009 at 7:43 AM, Alok Thaker alok.a...@gmail.com wrote:

Hi Andreas,

No, still iPhone clients can connect to strongSwan but can't browse. I also added that rule but it isn't working.

Thanks,
Alok

On Mon, Sep 7, 2009 at 8:39 AM, Alok Thaker alok.a...@gmail.com wrote:

Would test and let you know, Andreas; at present there is an internet downtime at my office. I am sending this message from my BlackBerry. Would let you know if this works or not in some time.

Thanks,
Alok

On Mon, Sep 7, 2009 at 8:23 AM, andi andreas.stef...@strongswan.org wrote:

Could you try to exempt traffic to be tunneled from masquerading by inserting the following rule:

iptables -t nat -I POSTROUTING 1 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT

Andreas

On Mon, 7 Sep 2009 08:18:51 -0400, Alok Thaker alok.a...@gmail.com wrote:

Here it is, Andreas.

iptables -v -n -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT 188 packets, 13511 bytes)
 pkts bytes target     prot opt in     out     source               destination
  122 15835 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 113K 8162K MASQUERADE all  --

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
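The ordering problem Andreas's iptables rule addresses (an IPsec policy-match ACCEPT must sit ahead of the MASQUERADE rule in the nat POSTROUTING chain, otherwise packets get their source rewritten before the tunnel sees them) can be checked mechanically from the listing Alok posted. The following is an added example, not code from the thread or from the strongSwan project: it parses the text that `iptables -v -n -t nat -L POSTROUTING` prints and reports whether masquerading can still fire first on the given interface. The three listings are constructed samples; the ACCEPT line's trailing match text ("policy match dir out pol ipsec proto esp") is an assumption about how iptables renders the xt_policy match.

```python
"""Audit the nat POSTROUTING chain for the masquerade-before-IPsec ordering
problem discussed in the thread. Added example; not strongSwan code."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class NatRule:
    index: int        # 1-based position in the chain (what -I / -D use)
    target: str
    proto: str
    in_iface: str
    out_iface: str
    source: str
    dest: str
    extra: str        # trailing match text, e.g. "policy match dir out pol ipsec"

    def is_ipsec_exempt(self) -> bool:
        """ACCEPT rule carrying '-m policy --dir out --pol ipsec'."""
        return (self.target == "ACCEPT"
                and "policy match" in self.extra
                and "dir out" in self.extra
                and "pol ipsec" in self.extra)

    def covers(self, iface: str) -> bool:
        """Rule applies to packets leaving via iface ('*' matches any)."""
        return self.out_iface in ("*", iface)


def parse_postrouting(listing: str) -> List[NatRule]:
    """Parse `iptables -v -n -t nat -L POSTROUTING` output into rules."""
    rules: List[NatRule] = []
    for line in listing.splitlines():
        fields = line.split()
        # skip the "Chain ..." banner, the column header, and blank lines
        if len(fields) < 3 or fields[0] in ("Chain", "pkts"):
            continue
        fields += [""] * (9 - len(fields))      # tolerate truncated lines
        rules.append(NatRule(index=len(rules) + 1, target=fields[2],
                             proto=fields[3], in_iface=fields[5],
                             out_iface=fields[6], source=fields[7],
                             dest=fields[8], extra=" ".join(fields[9:])))
    return rules


def first_index(rules: List[NatRule],
                pred: Callable[[NatRule], bool]) -> Optional[int]:
    for rule in rules:
        if pred(rule):
            return rule.index
    return None


def masquerade_precedes_ipsec(listing: str, out_iface: str = "eth0") -> bool:
    """True when a MASQUERADE rule on out_iface can fire before the IPsec
    exemption, i.e. the chain still has the problem from the thread."""
    rules = parse_postrouting(listing)
    exempt = first_index(rules, lambda r: r.is_ipsec_exempt() and r.covers(out_iface))
    masq = first_index(rules, lambda r: r.target == "MASQUERADE" and r.covers(out_iface))
    if masq is None:
        return False                             # nothing masquerades here
    return exempt is None or exempt > masq


# Constructed sample: the chain as posted (masquerading only, no exemption).
BEFORE = """\
Chain POSTROUTING (policy ACCEPT 188 packets, 13511 bytes)
 pkts bytes target     prot opt in     out     source               destination
  122 15835 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample after the suggested `iptables -t nat -I POSTROUTING 1 ...`.
AFTER = """\
Chain POSTROUTING (policy ACCEPT 188 packets, 13511 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec proto esp
  122 15835 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample: same rule appended with -A instead of inserted at 1.
WRONG_ORDER = """\
Chain POSTROUTING (policy ACCEPT 188 packets, 13511 bytes)
 pkts bytes target     prot opt in     out     source               destination
  122 15835 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec proto esp
"""

if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} masquerade wins: {masquerade_precedes_ipsec(listing)}")
```

On a live box the same check runs over `subprocess.run(["iptables", "-v", "-n", "-t", "nat", "-L", "POSTROUTING"], capture_output=True, text=True).stdout`; the point of the index field is that `-I POSTROUTING 1` and an appended `-A` both show up as present, and only the position tells them apart.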
Re: [strongSwan] strongswan ipsec XAUTH+PSK and iphone Problem !
Hi Alok,

besides some unexpected packets everything seems ok. Both XAUTH and ModeConfig are established successfully, but somehow the negotiation does not go on to IKE Quick Mode. Could you remove the modeconfig=push line, since strange effects might occur if Mode Config is used in conjunction with XAUTH.

Regards
Andreas

Alok Thaker wrote:

Hi Friends,

I am a fan of strongSwan and I have made L2TP with IPsec running successfully with the iPhone and strongSwan. The only problem I am facing is to make IPsec only with XAUTH+PSK running with the iPhone. I have also enabled --enable-cisco-quirks=yes, as the iPhone works as a Cisco VPN client as I read in the strongSwan answers, but I have got no luck in establishment. I get the following errors while connecting strongSwan IPsec (XAUTH+PSK) with iPhone IPsec.

packet from 82.132.139.25:44759: ignoring Vendor ID payload [Cisco-Unity]
Sep 6 14:48:43 uk_server3 pluto[24769]: packet from 82.132.139.25:44759: received Vendor ID payload [Dead Peer Detection]
Sep 6 14:48:43 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1: responding to Main Mode from unknown peer 82.132.139.25:44759
Sep 6 14:48:45 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Sep 6 14:48:46 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1: Peer ID is ID_IPV4_ADDR: '10.38.42.53'
Sep 6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44759 #1: deleting connection win instance with peer 82.132.139.25 {isakmp=#0/ipsec=#0}
Sep 6 14:48:46 uk_server3 pluto[24769]: | NAT-T: new mapping 82.132.139.25:44759/44760)
Sep 6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: sent MR3, ISAKMP SA established
Sep 6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: sending XAUTH request
Sep 6 14:48:46 uk_server3 pluto[24769]: packet from 82.132.139.25:44760: Informational Exchange is for an unknown (expired?) SA
Sep 6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: parsing XAUTH reply
Sep 6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: extended authentication was successful
Sep 6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: sending XAUTH status:
Sep 6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: parsing XAUTH ack
Sep 6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: received XAUTH ack, established
Sep 6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: sending ModeCfg set
Sep 6 14:48:47 uk_server3 pluto[24769]: packet from 82.132.139.25:44760: ModeCfg message is for a non-existent (expired?) ISAKMP SA
Sep 6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: parsing ModeCfg ack
Sep 6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: received ModeCfg ack, established
Sep 6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1: unsupported ModeCfg attribute 28683?? received.

My ipsec.conf for PSK + XAUTH has this entry:

config setup
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	nat_traversal=yes

conn win
	authby=xauthpsk
	xauth=server
	left=94.76.194.32
	leftnexthop=%direct
	rightsourceip=%modeconfig
	modeconfig=push
	auto=start

My ipsec.secrets has:

94.76.194.32 %any : PSK alok
: XAUTH alok alok

Please, it is urgent for me; can someone help me out, so that it would be a great achievement making strongSwan IPsec (XAUTH+PSK) run with the iPhone.

Thanks,
Alok
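Andreas's advice above (drop modeconfig=push when the conn also does XAUTH) is the kind of thing worth catching before a phone is asked to dial in. The following is an added example, not code from the thread or from the strongSwan project: a small parser for the ipsec.conf layout Alok posted (section headers at column 0, indented key=value lines, `#` comments) plus a lint that flags a conn acting as XAUTH server (xauth=server, or an authby value starting with "xauth") that also sets modeconfig=push, and a helper that returns the file with that line removed. The sample config is the one from the post, re-typed as a constructed string; `also=` includes and `conn %default` inheritance are assumed absent, and the conn-name/key matching is the example's own, not strongSwan's parser.

```python
"""Lint a strongSwan 4.x ipsec.conf for modeconfig=push on an XAUTH server
conn, as Andreas recommends against above. Added example; not strongSwan code."""
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]


def parse_ipsec_conf(text: str) -> Sections:
    """Return {"config setup": {...}, "conn <name>": {...}} from ipsec.conf text.
    Assumes the posted layout: headers unindented, options indented."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # "config setup" / "conn win"
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name}".strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"option outside any section: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line.strip()}")
        sections[current][key.strip()] = value.strip()
    return sections


def lint_xauth_modeconfig(sections: Sections) -> List[Tuple[str, str]]:
    """(conn name, message) for every conn that is an XAUTH server and
    also sets modeconfig=push."""
    findings: List[Tuple[str, str]] = []
    for name, opts in sections.items():
        if not name.startswith("conn "):
            continue
        xauth_server = (opts.get("xauth") == "server"
                        or opts.get("authby", "").startswith("xauth"))
        if xauth_server and opts.get("modeconfig") == "push":
            findings.append((name[len("conn "):],
                             "modeconfig=push combined with XAUTH; remove the line"))
    return findings


def drop_modeconfig_push(text: str) -> str:
    """Return the config with modeconfig=push removed from flagged conns only;
    every other line (comments and spacing included) is kept verbatim."""
    flagged = {conn for conn, _ in lint_xauth_modeconfig(parse_ipsec_conf(text))}
    out: List[str] = []
    current = None
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if stripped and not raw[0].isspace():
            kind, _, name = stripped.partition(" ")
            current = name if kind == "conn" else None
        elif current in flagged and stripped.replace(" ", "") == "modeconfig=push":
            continue                                # the offending line
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: the conn from the post, re-typed.
SAMPLE = """\
config setup
\t# crlcheckinterval=600
\tnat_traversal=yes

conn win
\tauthby=xauthpsk
\txauth=server
\tleft=94.76.194.32
\tleftnexthop=%direct
\trightsourceip=%modeconfig
\tmodeconfig=push
\tauto=start
"""

if __name__ == "__main__":
    for conn, msg in lint_xauth_modeconfig(parse_ipsec_conf(SAMPLE)):
        print(f"conn {conn}: {msg}")
    print(drop_modeconfig_push(SAMPLE))
```

The parser is deliberately strict about stray lines (a key outside a section, a line without `=`) because a silently ignored option is exactly how a config ends up doing something other than what the file suggests.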