[Openswan Users] Problem with PSK - Certificate and iphone

Denis Beltramo denis.beltramo at gmail.com
Thu Jan 29 11:58:07 EST 2009


Hello,

I have many problems with openswan.

I now have the iPhone, so I have made the connection for it (see below).
When I connect with the mobile card (my iPhone has a public IP) it works;
when I connect over wireless behind NAT it does NOT work;
when I connect with a Windows XP behind NAT to roadwarrior-iphone it works.
The error is:

Jan 23 20:14:05 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Jan 23 20:14:05 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT
Jan 23 20:14:05 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: received and ignored informational message
Jan 23 20:14:06 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: cannot respond to IPsec SA request because no
connection is known for
123.123.123.124:17/1701...11.22.33.44[192.168.2.13]:17/49156===192.168.2.13/32
Jan 23 20:14:06 vpnserver pluto[10098]: "roadwarrior-iphone"[2]
11.22.33.44 #1: sending encrypted notification INVALID_ID_INFORMATION
to 11.22.33.44:36071

The old connection (roadwarrior) with certificate doesn't work and says:

Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#36: Dead Peer Detection (RFC 3706): not enabled because peer did not
advertise it
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#36: retransmitting in response to duplicate packet; already
STATE_MAIN_R3
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: responding to Quick Mode {msgid:6a15fc54}
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 29 17:05:27 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
QI2
Jan 29 17:05:28 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: Dead Peer Detection (RFC 3706): not enabled because peer did not
advertise it
Jan 29 17:05:28 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 29 17:05:28 vpnserver pluto[6105]: "roadwarrior"[26] 22.43.21.44
#37: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x00f59a30
<0x3e0da257 xfrm=3DES_0-HMAC_SHA1 NATD=22.43.21.44:4500 DPD=none}

Can you tell me how to resolve my problem?

The conf file:


version 2.0

config setup
        interfaces=%defaultroute
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.31.1.0/24
        nat_traversal=yes

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior
        left=123.123.123.123
        leftcert=/etc/ipsec.d/certs/server2Cert.pem
        leftid=123.123.123.123
        leftrsasigkey=%cert
        leftnexthop=%defaultroute
        rightrsasigkey=%cert
        leftprotoport=17/1701
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        forceencaps=yes
        rightca=%same
        right=%any
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        type=transport
        auto=add
        pfs=no

conn roadwarrior-iphone
        authby=secret
        rekey=no
        keyingtries=3
        left=123.123.123.124
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        pfs=no
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


-- 
Denis Beltramo

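As an added example (not code from Denis's post or from Openswan): a small Python triage helper for the "cannot respond to IPsec SA request because no connection is known for" line pluto logged above. It parses the selector pluto prints, recognises that the right side carries a bracketed inner ID (192.168.2.13, a private address the NAT'd iPhone proposes as its /32 right subnet), and checks that address against the virtual_private= value from the posted config, honouring the `!` exclusion. The suggestion it prints, that the matching conn needs the `rightsubnet=vhost:%priv,%no` line the posted `roadwarrior` conn already has and `roadwarrior-iphone` lacks, is an inference from the log, not something the thread confirms; the diagnosis strings are this example's own wording, not pluto output. The failing log line and the virtual_private value are the ones from the post; the other test inputs are constructed.

```python
"""Triage helper for Openswan pluto "no connection is known for" log lines.

Added example, not code from the original post or from Openswan. When pluto
cannot match a Quick Mode proposal it logs the selector it was offered as

    <left>:<proto>/<port>...<right>[<inner-id>]:<proto>/<port>===<right-subnet>

A client behind NAT sends its private address as the inner ID and proposes
that address as a /32 right subnet. Pluto can only honour that if a conn
allows a virtual IP there (rightsubnet=vhost:%priv) and the address falls
inside virtual_private minus its "!" exclusions (assumption drawn from the
working 'roadwarrior' conn in the post, not confirmed by the thread).
"""
import ipaddress
import re

# Selector format as printed in the posted log; '\s+' tolerates the line wrap
# introduced by the mail client.
SELECTOR_RE = re.compile(
    r"no connection is known for\s+"
    r"(?P<left>[\d.]+):(?P<lproto>\d+)/(?P<lport>\d+)"
    r"\.\.\."
    r"(?P<right>[\d.]+)(?:\[(?P<inner>[\d.]+)\])?:(?P<rproto>\d+)/(?P<rport>\d+)"
    r"(?:===(?P<rsubnet>[\d.]+/\d+))?"
)

# Values taken from the post: the failing log line and the virtual_private setting.
POSTED_LINE = (
    'Jan 23 20:14:06 vpnserver pluto[10098]: "roadwarrior-iphone"[2] '
    "11.22.33.44 #1: cannot respond to IPsec SA request because no "
    "connection is known for "
    "123.123.123.124:17/1701...11.22.33.44[192.168.2.13]:17/49156===192.168.2.13/32"
)
POSTED_VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.31.1.0/24"
)


def parse_virtual_private(value):
    """Split an ipsec.conf virtual_private= value into (allowed, excluded) nets.

    Entries are '%v4:<net>'; a '!' right after the prefix marks an exclusion.
    Only %v4 entries are handled in this example.
    """
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        body = item[len("%v4:"):]
        target = excluded if body.startswith("!") else allowed
        target.append(ipaddress.ip_network(body.lstrip("!"), strict=False))
    return allowed, excluded


def parse_selector(line):
    """Return the fields of the unmatched selector, or None if the line is not one."""
    m = SELECTOR_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "left": d["left"],
        "left_port": f'{d["lproto"]}/{d["lport"]}',
        "right": d["right"],
        "inner": d["inner"],
        "right_port": f'{d["rproto"]}/{d["rport"]}',
        "right_subnet": d["rsubnet"],
    }


def diagnose(line, virtual_private):
    """Explain why pluto rejected the proposal, using the virtual_private policy."""
    sel = parse_selector(line)
    if sel is None:
        return None
    inner = sel["inner"]
    if inner is None or inner == sel["right"]:
        return ("peer proposes its public address, so NAT is not the issue; "
                "compare leftprotoport/rightprotoport and type with the proposal")
    addr = ipaddress.ip_address(inner)
    allowed, excluded = parse_virtual_private(virtual_private)
    if any(addr in net for net in excluded):
        return f"{inner} is excluded by virtual_private, pluto will never accept it"
    if not any(addr in net for net in allowed):
        return f"{inner} is outside virtual_private, add its range or fix the client"
    return (f"peer behind NAT proposes private {inner} as its right subnet; "
            "the conn it matched needs rightsubnet=vhost:%priv,%no")


if __name__ == "__main__":
    print(diagnose(POSTED_LINE, POSTED_VIRTUAL_PRIVATE))
```

Run against the posted line it reports that 192.168.2.13 is a NAT'd private address inside virtual_private, so only the missing vhost:%priv rule stands between the proposal and a match; swap in an address under the `!172.31.1.0/24` exclusion and it reports that no conn will ever accept it, which is the check to run before touching the conn.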
