Hi Noel,
I have two users set up in ipsec.secrets. iPad uses "user1", the
Android phone uses "user2". But the same problem still persists.
Everything is fine with just iPad. Connect with the Android phone and
iPad gets kicked off. As I am using only the sample files from the
Wiki, I am surprised no one else has experienced this issue? Thank you
for your suggestion.
=== [ /etc/ipsec.secrets ] ===
: RSA vpnKey.pem
user1 : XAUTH "somepass1"
user2 : XAUTH "somepass2"
=== [ EOF ] ===
=== [ /var/log/auth.log ] === (This log from the moment the Android
phone starts connection).
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: received Vendor ID payload [RFC 3947]
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: received Vendor ID payload [XAUTH]
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: ignoring Vendor ID payload [Cisco-Unity]
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov 5 12:16:18 vmware-u003 pluto[27166]: packet from
166.147.65.85:28107: received Vendor ID payload [Dead Peer Detection]
Nov 5 12:16:18 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
#3: responding to Main Mode from unknown peer 166.147.65.85:28107
Nov 5 12:16:18 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
#3: NAT-Traversal: Result using RFC 3947: both are NATed
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
#3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
#3: crl not found
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
#3: certificate status unknown
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107
#3: deleting connection "ios" instance with peer 166.147.65.85
{isakmp=#0/ipsec=#0}
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107
#3: we have a cert and are sending it upon request
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107
#3: deleting connection "ios" instance with peer 70.139.113.210
{isakmp=#1/ipsec=#2}
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios" #2: deleting state
(STATE_QUICK_R2)
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios" #1: deleting state
(STATE_MODE_CFG_R1)
Nov 5 12:16:19 vmware-u003 pluto[27166]: lease 10.0.0.1 by 'vmware1'
went offline
Nov 5 12:16:19 vmware-u003 pluto[27166]: | NAT-T: new mapping
166.147.65.85:28107/7005)
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: sent MR3, ISAKMP SA established
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: sending XAUTH request
Nov 5 12:16:19 vmware-u003 pluto[27166]: packet from
166.147.65.85:7005: Informational Exchange is for an unknown (expired?) SA
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: parsing XAUTH reply
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: extended authentication was successful
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: sending XAUTH status
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: parsing XAUTH ack
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: received XAUTH ack, established
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: parsing ModeCfg request
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: peer requested virtual IP %any
Nov 5 12:16:19 vmware-u003 pluto[27166]: assigning new lease to 'vmware2'
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: assigning virtual IP 10.0.0.2 to peer
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: sending ModeCfg reply
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005
#3: sent ModeCfg reply, established
On 11/5/2013 9:35 AM, Noel Kuntze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Lawrence,
>
> I think to make this work, you have to specify two different pars of XAUTH
> credentials in ipsec.secrets.
> One for your iPad and one for your Android phone.
>
> Regards
> Noel Kuntze
>
> On 05.11.2013 14:35, Lawrence Chiu wrote:
>> I originally sent this email on 10/4/2013 but I got no replies, and after a
>> month, I still have this problem. Can anyone help?
>>
>> I followed the configuration shown in the wiki for Apple IOS clients.
>> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>> <http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29>
>>
>> It works on one remote client (iPad). When I connect a second remote client
>> (Android phone) to the VPN, the iPad is disconnected immediately. The
>> ipsec.conf, ipsec.secrets, and strongswan.conf files are same as the wiki
>> example with two changes to support multiple clients (change rightsourceip
>> and removed rightcert).
>>
>> $ diff ipsec.conf ipsec.conf.template
>> < rightsourceip=10.0.0.0/24
>> ---
>>> rightsourceip=10.0.0.2
>>> rightcert=clientCert.pem
>> The /var/log/auth.log is attached starting from when USER #2 connects to the
>> VPN (at this time USER #1 is already connected and everything is working).
>> Thank you.
>>
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> received Vendor ID payload [RFC 3947]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> received Vendor ID payload [XAUTH]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> ignoring Vendor ID payload [Cisco-Unity]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> ignoring Vendor ID payload [FRAGMENTATION 80000000]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500:
>> received Vendor ID payload [Dead Peer Detection]
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: responding
>> to Main Mode from unknown peer 192.168.0.3
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4:
>> NAT-Traversal: Result using RFC 3947: both are NATed
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: Peer ID is
>> ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: crl not
>> found
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4:
>> certificate status unknown
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3 #4: deleting
>> connection "ios" instance with peer 192.168.0.3 {isakmp=#0/ipsec=#0}
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3 #4: we have a
>> cert and are sending it upon request
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3 #4: deleting
>> connection "ios" instance with peer 70.139.113.210 {isakmp=#2/ipsec=#3}
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios" #3: deleting state
>> (STATE_QUICK_R2)
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios" #2: deleting state
>> (STATE_MODE_CFG_R1)
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: lease 10.10.4.1 by 'vmware' went
>> offline
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: | NAT-T: new mapping
>> 192.168.0.3:500/4500)
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: sent
>> MR3, ISAKMP SA established
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> sending XAUTH request
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:4500:
>> Informational Exchange is for an unknown (expired?) SA
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> parsing XAUTH reply
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> extended authentication was successful
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> sending XAUTH status
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> parsing XAUTH ack
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> received XAUTH ack, established
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> parsing ModeCfg request
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: peer
>> requested virtual IP %any
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: reassigning offline lease to
>> 'vmware'
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> assigning virtual IP 10.10.4.1 to peer
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4:
>> sending ModeCfg reply
>> Oct 4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: sent
>> ModeCfg reply, established
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJSeRBEAAoJEDg5KY9j7GZYRncP/2j79MpIhNHCOlmxO/4dF6qt
> F19yyvYMXfWzBo1tCEnPP0SCTmVYSppxC2JPt9MFobEmvY/MJJwZBrA559wF+B9U
> R4FeyKAfCgwtMkpuhCdVf4CuOrikkF7HRihnGuBF4FyyDlSNghB77D30BDtU88SP
> L8YcZEn3Vx5i/RHin0xCFvIBcX17rq+iqWkh1ewbYEgvsQXc9aftFRcAIfZyh6NW
> oOWwsIWymdawbUpdMLBzfe+1z/fnP26OCFcAI/2n6Y48WNY2tMhIzo+3Y8CcPV8P
> jK59nAz7YhbgAoL8TjVb5pvw+DiXzmZ9Ap5VawH9fzJjUe++wcJU9CxENaNoqWhU
> 9Jp2MXECxaHNTKs+t7eL4roleOut38sUwcxW/WiAqlS807yzDC22E/DDafsVRhOc
> tvsh60MqERSHWGD38CS1tz4pqtcoB+1Kkulotc9dDTnq2aD+C9L291wswwrLk9lJ
> Alpas+ytP8lAH87NaJMG5Xzjb0RGdtgV+i0U5AAmWeEZ8ShqXM1mod3RDKZniwvp
> WkGZ0rmlBU+jdzNvaGbnBArZ9kjZzoUSL9vtGgqLWvqhEmYtPkqc1lVn3D5p3CSJ
> MczKf9qce2on2Kb0yWJUi5i0/eeL3emReAfclXJiDsgeSSMKEm7wBJGkq2iaeG6B
> cIMhtYg6qF0O2LtT+88D
> =FD1A
> -----END PGP SIGNATURE-----
>
>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
