[Openswan Users] Problem with PSK - Certificate and iphone

Denis Beltramo denis.beltramo at gmail.com
Thu Jan 29 12:01:21 EST 2009


Hello,

I have many problems with Openswan.

I now have an iPhone, so I have made the connection for it (see below).
When I connect with the mobile card (my iPhone has a public IP) it works;
when I connect over wireless behind NAT it does NOT work;
when I connect with a Windows XP machine behind NAT to roadwarrior-iphone it works.
The error is:

Jan 23 20:14:05 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Jan 23 20:14:05 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT
Jan 23 20:14:05 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: received and ignored informational message
Jan 23 20:14:06 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: cannot respond to IPsec SA request because no
connection is known for
123.123.123.124:17/1701...11.22.33.44[192.168.2.13]:17/49156===192.168.2.13/32
Jan 23 20:14:06 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: sending encrypted notification INVALID_ID_INFORMATION
to 11.22.33.44:36071

The old connection (roadwarrior) with certificate doesn't work and says:

Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#36: Dead Peer Detection (RFC 3706): not enabled because peer did not
advertise it
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#36: retransmitting in response to duplicate packet; already
STATE_MAIN_R3
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: responding to Quick Mode {msgid:6a15fc54}
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
QI2
Jan 29 17:05:28 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: Dead Peer Detection (RFC 3706): not enabled because peer did not
advertise it
Jan 29 17:05:28 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 29 17:05:28 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x00f59a30
<0x3e0da257 xfrm=3DES_0-HMAC_SHA1 NATD=22.43.21.44:4500 DPD=none}

Can you tell me how to resolve my problem?

The conf file:


version 2.0

config setup
       interfaces=%defaultroute
       virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.31.1.0/24
       nat_traversal=yes

conn %default
       keyingtries=3
       compress=no
       disablearrivalcheck=no
       authby=rsasig
       keyexchange=ike
       ikelifetime=240m
       keylife=60m

conn roadwarrior
       left=123.123.123.123
       leftcert=/etc/ipsec.d/certs/server2Cert.pem
       leftid=123.123.123.123
       leftrsasigkey=%cert
       leftnexthop=%defaultroute
       rightrsasigkey=%cert
       leftprotoport=17/1701
       rightprotoport=17/%any
       rightsubnet=vhost:%priv,%no
       forceencaps=yes
       rightca=%same
       right=%any
       dpddelay=30
       dpdtimeout=120
       dpdaction=hold
       type=transport
       auto=add
       pfs=no

conn roadwarrior-iphone
       authby=secret
       rekey=no
       keyingtries=3
       left=123.123.123.124
       leftnexthop=%defaultroute
       leftprotoport=17/1701
       right=%any
       rightprotoport=17/%any
       pfs=no
       auto=add

conn block
       auto=ignore

conn private
       auto=ignore

conn private-or-clear
       auto=ignore

conn clear-or-private
       auto=ignore

conn clear
       auto=ignore

conn packetdefault
       auto=ignore

-- 
Denis Beltramo
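Added example, not part of the original post and not Openswan project code: a roadwarrior-iphone conn that carries over the three settings the working certificate conn (roadwarrior) on this page already has and the PSK conn lacks. The assumption behind it is that pluto's "cannot respond to IPsec SA request because no connection is known for ...11.22.33.44[192.168.2.13]:17/49156===192.168.2.13/32" is the NAT case: the iPhone behind NAT proposes its private address 192.168.2.13/32 as its side of the Quick Mode selector, and no conn with right=%any and no rightsubnet matches it. rightsubnet=vhost:%priv,%no, together with the virtual_private list in config setup, accepts a private address (or no subnet at all, which is what the iPhone on a public IP proposes). type=transport is added because L2TP/IPsec uses transport mode and the original iphone conn inherits the tunnel default; forceencaps=yes keeps UDP encapsulation on behind NAT. Everything else is copied from the original conn.

```ini
# Added example: a NAT-capable version of the PSK conn from the post above.
# Assumption: the "no connection is known for ...===192.168.2.13/32" error is
# pluto rejecting the client's private (NAT-ed) address as its Quick Mode
# subnet; rightsubnet=vhost:%priv,%no plus virtual_private in config setup
# is what lets a road warrior propose an RFC1918 address.
conn roadwarrior-iphone
       authby=secret
       rekey=no
       keyingtries=3
       left=123.123.123.124
       leftnexthop=%defaultroute
       leftprotoport=17/1701
       right=%any
       rightprotoport=17/%any
       # L2TP/IPsec is transport mode; without this the conn inherits
       # the tunnel-mode default and the client's proposal does not match
       type=transport
       # accept the client's private address behind NAT as its "subnet",
       # or no subnet at all when the client has a public IP
       rightsubnet=vhost:%priv,%no
       # keep UDP encapsulation on even when NAT detection disagrees
       forceencaps=yes
       pfs=no
       auto=add
```

Two checks after applying it: `ipsec auto --replace roadwarrior-iphone` (or a restart) is needed for pluto to pick up the new conn, and the iPhone's public address must not fall inside a virtual_private range, otherwise %priv will still not match. The Phase 1 line in the log (auth=OAKLEY_PRESHARED_KEY, 3DES, modp1024) shows the ISAKMP SA was established, so the PSK and the Phase 1 proposal are not what fails here; that proposal is weak by current standards, but it is what the 2009-era client offers and is a separate matter from the selector mismatch.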

