[Openswan Users] OpenSwan and iPhone
Helmut Manck
helmut.manck at eonas.de
Tue Nov 24 14:02:39 EST 2009
Hi,
when trying to establish an IPsec tunnel between a roadwarrior iPhone OS
3.1 and an openswan server running 2.6.21, I get some trouble regarding
modecfg settings.
Cisco clients (aka iPhone) seem to "pull" modecfg settings, although
this does not seem to be intended by openswan. The manpage offers an option
modecfgpull=yes
which leads to the following (shortened):
Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2]
<iphone-ip> #1: the peer proposed: 0.0.0.0/0:0/0 -> <iphone-ip>/32:0/0
Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2]
<iphone-ip> #1: cannot respond to IPsec SA request because no connection
is known for 0.0.0.0/0===<openswan box ip> [C=DE, ST=Berlin, L=Berlin,
O=eonas, OU=VPN Endpoint,
CN=server011.office.eonas.de,MS+XS+S=C]...<iphone-ip> [C=DE, ST=Berlin,
L=Berlin, O=eonas, CN=Testiphone,+MC+S=C]
When setting the leftsubnet (aka the openswan side) from
"leftsubnet=10.2.0.0/24" to "leftsubnet=0.0.0.0/0", the tunnel is
established but is not usable (the openswan box is not reachable
anymore, with or without the tunnel).
Nov 24 19:46:29 server011 pluto[1265]: "vpngateway-intranet"[2]
<iphone-ip> #2: responding to Quick Mode proposal {msgid:d0bc5cfd}
Nov 24 19:46:29 server011 pluto[1265]: "vpngateway-intranet"[2]
<iphone-ip> #2: us: 0.0.0.0/0===<openswan box ip>[C=DE, ST=Berlin,
L=Berlin, O=eonas, OU=VPN Endpoint, CN=server011.office.eonas.de,MS+XS+S=C]
Nov 24 19:46:29 server011 pluto[1265]: "vpngateway-intranet"[2]
<iphone-ip> #2: them: <iphone-ip> [C=DE, ST=Berlin, L=Berlin, O=eonas,
CN=Testiphone,+MC+S=C]
When setting
modecfgpull=no
the following happens:
Nov 24 19:59:37 server011 pluto[3323]: "vpngateway-intranet"[4]
<iphone-ip> #2: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Nov 24 19:59:37 server011 pluto[3323]: "vpngateway-intranet"[4]
<iphone-ip> #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 24 19:59:37 server011 pluto[3323]: "vpngateway-intranet"[4]
<iphone-ip> #2: Sending MODE CONFIG set
Nov 24 19:59:37 server011 pluto[3323]: "vpngateway-intranet"[4]
<iphone-ip> #2: received MODECFG message when in state
STATE_MODE_CFG_R1, and we aren't xauth client
Any ideas?
Regards, Helmut Manck
iphone.conf:
left=%defaultroute
leftsubnet=10.2.0.0/24
leftrsasigkey=%cert
leftcert="server011.office.eonas.de - TestCA"
leftxauthserver=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
modecfgdns1=10.2.0.128
right=%any
auto=add
pfs=no
openswan-2.6.21-5.el5 running on CentOS 5.4 i386.
--
Dipl. Ing. Helmut Manck
Senior Consultant
eonas IT-Beratung und Entwicklung GmbH
Gleimstr. 29
10437 Berlin
Germany
helmut.manck at eonas.de
Mobile +49-173 602 7102
Fax +49-30-692 010 089
Amtsgericht Charlottenburg, HRB 80613
Managing director: Helmut Manck
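Added example, not code from the post or from Openswan: a small Python checker that parses pluto's Quick Mode "the peer proposed" lines like the ones quoted above and relates the gateway-side selector the client asked for to the configured leftsubnet, so a roadwarrior asking for 0.0.0.0/0 against a 10.2.0.0/24 connection shows up at a glance. The addresses 192.0.2.10 and 198.51.100.1 are placeholders standing in for <iphone-ip> and <openswan box ip>.

```python
import ipaddress
import re

# Constructed sample in the shape of the pluto lines quoted in the post;
# 192.0.2.10 stands in for <iphone-ip>, 198.51.100.1 for <openswan box ip>.
SAMPLE_LOG = """\
Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2] 192.0.2.10 #1: the peer proposed: 0.0.0.0/0:0/0 -> 192.0.2.10/32:0/0
Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2] 192.0.2.10 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===198.51.100.1...192.0.2.10
"""

# pluto logs the proposal as "<our side>:<proto>/<port> -> <their side>:<proto>/<port>"
PROPOSAL_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: the peer proposed: '
    r'(?P<ours>[0-9./]+):\d+/\d+ -> (?P<theirs>[0-9./]+):\d+/\d+'
)


def parse_proposals(log_text):
    """Extract (conn, peer, our_selector, their_selector) from Quick Mode log lines."""
    found = []
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            found.append((m["conn"], m["peer"],
                          ipaddress.ip_network(m["ours"]),
                          ipaddress.ip_network(m["theirs"])))
    return found


def classify(proposed_ours, leftsubnet):
    """Relate the gateway-side selector the client asked for to the configured leftsubnet."""
    proposed_ours = ipaddress.ip_network(proposed_ours)
    leftsubnet = ipaddress.ip_network(leftsubnet)
    if proposed_ours == leftsubnet:
        return "match"
    if leftsubnet.subnet_of(proposed_ours):
        return "peer_wider"      # the iPhone case: 0.0.0.0/0 (full tunnel) vs 10.2.0.0/24
    if proposed_ours.subnet_of(leftsubnet):
        return "peer_narrower"   # client asks for only part of what is configured
    return "disjoint"


def diagnose(log_text, leftsubnet):
    """One finding per proposal: (conn, peer, requested gateway-side selector, verdict)."""
    return [(conn, peer, str(ours), classify(ours, leftsubnet))
            for conn, peer, ours, _theirs in parse_proposals(log_text)]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "10.2.0.0/24"):
        print(finding)
```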