Trying to answer myself...

On 26.11.2011 12:13, Klaus Darilion wrote:
> Hi!
>
> Thanks for the nice tutorial at
> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I
> followed it and it works, but with some problems:
>
> I have configured it identical to the WIKI page except:
> rightsubnet=192.168.102.0/24
> rightsourceip=192.168.102.2
>
> The subnet 192.168.102.0/24 is natted to the public IP address
> 88.198.163.203.
>
> Question 1: Connection setup works only on the first time. When I
> disable the VPN on iPhone and enable it again it fails to connect. If I
> restart strongSwan it works again. (Strangely I have the same issue with
> Openswan in L2TP mode but not with strongSwan in L2TP mode).
>
> Is this a known problem? Any ideas how to fix it?

It seems that it is a known problem:
https://lists.strongswan.org/pipermail/users/2010-October/005462.html

I have the same problem, the connection is not properly released. I guess
as the client reconnects from the same IP:port, somehow the old connection
settings are used instead of creating a new one. Thus, even expanding the
pool does not work.

I added
  dpdaction=clear
  dpddelay=60
  dpdtimeout=60
but after some minutes "ipsec leases" still shows the IP address as
assigned and re-login does not work.

> Question 2: Using tcpdump (-i any) I see the packets (all on eth0):
>
> iPhone IP -> any website:
> 12:07:14.177791 IP 192.168.102.2.62574 > 194.232.104.77.80:
>
> NAT-IP address -> any website:
> 12:07:14.177884 IP 88.198.163.203.62574 > 194.232.104.77.80:
>
> any website -> NAT-IP address:
> 12:07:14.208331 IP 194.232.104.77.80 > 88.198.163.203.62574:
>
> I miss the de-NATed packet "any website -> iPhone IP". Is it possible to
> see all packets or is it just a limitation of the kernel (Debian
> 2.6.32-5-686) that the packet is internally de-NATed and immediately
> encoded into the tunnel?
>
> Further, I wonder how the routing to 192.168.102.2 works as there is no
> interface into this subnet and also no entry in the routing table.
>
> Question 3: The IP address of the client is hardcoded into ipsec.conf:
> rightsourceip=192.168.102.2. How can I support multiple clients, e.g.
> some kind of address pool? Can I assign fixed IP address e.g. based on
> client-certificate or XAUTH username?

Ok. Seems like rightsourceip=192.168.102.0/24 would make a range. Still
trying to figure out how I can assign IP addresses based on xauth username
or certificate.....

Thanks
Klaus

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
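The two address-assignment forms touched on above (a pool via a subnet in rightsourceip, and a fixed address per client), as an added ipsec.conf sketch that is not part of the list post or of the strongSwan wiki page. It assumes the authentication and left-side settings from the wiki conn are kept in "conn %default" (not repeated here), that strongSwan selects the conn by the peer certificate identity given in rightid, and that the DNs and conn names are placeholders.

```conf
# Added example, not from the mailing list post or the strongSwan wiki.
# Placeholder DNs; the keyexchange/auth/left* settings from the wiki conn
# are assumed to live in "conn %default" together with the DPD values
# quoted in the post, so every conn below inherits them.

conn %default
    # DPD values from the post; "clear" drops the SA and releases the
    # lease when the client disappears instead of reconnecting cleanly
    dpdaction=clear
    dpddelay=60
    dpdtimeout=60

# Form 1: one in-memory pool, each client gets the next free address.
# Giving a whole subnet instead of a single host makes it a pool.
conn ios-pool
    rightsourceip=192.168.102.0/24
    auto=add

# Form 2: one conn per client, distinguished by certificate identity,
# each handing out a single fixed address. Assumption: the peer's
# certificate subject must match rightid exactly for the conn to be chosen.
conn ios-alice
    rightid="C=XX, O=Example, CN=alice"    # placeholder DN
    rightsourceip=192.168.102.10
    auto=add

conn ios-bob
    rightid="C=XX, O=Example, CN=bob"      # placeholder DN
    rightsourceip=192.168.102.11
    auto=add
```

"ipsec leases" (already mentioned in the post) shows which pool addresses are currently handed out, which is the quickest check that a stale lease, rather than the pool size, is what blocks a reconnect.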
