[Openswan Users] OpenSwan and iPhone

Helmut Manck helmut.manck at eonas.de
Wed Nov 25 04:14:27 EST 2009

Paul Wouters wrote:
> On Tue, 24 Nov 2009, Helmut Manck wrote:
>> when trying to establish an IPsec tunnel between a roadwarrior iphone OS 
>> 3.1 and an openswan server running 2.6.21 I get some trouble regarding 
>> modecfg settings.
> Why not use L2TP? People are using that on their iphones to Openswan without
> problems.
The L2TP-support of the iPhone cannot use certificates to authenticate 
the server side (just preshared key). Thus it is basically vulnerable to 
man-in-the-middle attacks. The IPsec client _can_ use certificates to 
authenticate. IPsec is better ;-)
>> Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2] 
>> <iphone-ip> #1: the peer proposed: -> <iphone-ip>/32:0/0
>> Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2] 
>> <iphone-ip> #1: cannot respond to IPsec SA request because no connection 
>> is known for<openswan box ip> [C=DE, ST=Berlin, L=Berlin, 
>> O=eonas, OU=VPN Endpoint, 
> The peer claims to want ? Beter not give it to them.
>> When setting the leftsubnet (aka the openswan side) from 
>> "leftsubnet=" to "leftsubnet=" the tunnel is 
>> established but is not usable ( The openswan box is not reachable 
>> anymore, with or without the tunnel ).
> Yes because it now "lives" at the iphone.
>> STATE_MODE_CFG_R1, and we aren't xauth client
> You would need to use the xauthclient= and xauthserver= options. See man ipsec.conf.
doesn't change behaviour:

Nov 25 09:49:03 server011 pluto[6470]: "vpngateway-intranet"[2] 
<iphone-ip> #1: received MODECFG message when in state 
STATE_MODE_CFG_R1, and we aren't xauth client

Actually, it cannot change anything because receiving a modecfg message 
is ok in this condition and openswan is not supposed to be xauth client.
When just having a look at the source:

       else {
        /* XXX check if we are being a mode config server here */
        openswan_log("received MODECFG message when in state %s, and we 
aren't xauth client"
             , enum_name(&state_names, st->st_state));

I suppose openswan should reject the inbound MODECFG message and create 
an own proposal?

> Paul

Dipl. Ing. Helmut Manck
Senior Consultant

eonas IT-Beratung und Entwicklung GmbH
Gleimstr. 29
10437 Berlin

helmut.manck at eonas.de

Mobil +49-173 602 7102
Fax +49-30-692 010 089

Amtsgericht Charlottenburg, HRB 80613
Geschäftsführer: Helmut Manck

More information about the Users mailing list