[Openswan Users] OpenSwan and iPhone

Wed Nov 25 04:14:27 EST 2009

Paul Wouters wrote:
> On Tue, 24 Nov 2009, Helmut Manck wrote:
>
>   
>> when trying to establish an IPsec tunnel between a roadwarrior iphone OS 
>> 3.1 and an openswan server running 2.6.21 I get some trouble regarding 
>> modecfg settings.
>>     
>
> Why not use L2TP? People are using that on their iphones to Openswan without
> problems.
>   
The L2TP-support of the iPhone cannot use certificates to authenticate 
the server side (just preshared key). Thus it is basically vulnerable to 
man-in-the-middle attacks. The IPsec client _can_ use certificates to 
authenticate. IPsec is better ;-)

>   
>> Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2] 
>> <iphone-ip> #1: the peer proposed: 0.0.0.0/0:0/0 -> <iphone-ip>/32:0/0
>> Nov 24 19:35:30 server011 pluto[894]: "vpngateway-intranet"[2] 
>> <iphone-ip> #1: cannot respond to IPsec SA request because no connection 
>> is known for 0.0.0.0/0===<openswan box ip> [C=DE, ST=Berlin, L=Berlin, 
>> O=eonas, OU=VPN Endpoint, 
>>     
>
> The peer claims to want 0.0.0.0/0 ? Beter not give it to them.
>   
Sure.
>   
>> When setting the leftsubnet (aka the openswan side) from 
>> "leftsubnet=10.2.0.0/24" to "leftsubnet=0.0.0.0/0" the tunnel is 
>> established but is not usable ( The openswan box is not reachable 
>> anymore, with or without the tunnel ).
>>     
>
> Yes because it now "lives" at the iphone.
>
>   
>> STATE_MODE_CFG_R1, and we aren't xauth client
>>     
>
> You would need to use the xauthclient= and xauthserver= options. See man ipsec.conf.
>   
Setting
    leftxauthserver=yes
    rightxauthclient=yes
doesn't change behaviour:

Nov 25 09:49:03 server011 pluto[6470]: "vpngateway-intranet"[2] 
<iphone-ip> #1: received MODECFG message when in state 
STATE_MODE_CFG_R1, and we aren't xauth client

Actually, it cannot change anything because receiving a modecfg message 
is ok in this condition and openswan is not supposed to be xauth client.
When just having a look at the source:

programs/pluto/ikev1.c:
       else {
        /* XXX check if we are being a mode config server here */
        openswan_log("received MODECFG message when in state %s, and we 
aren't xauth client"
             , enum_name(&state_names, st->st_state));
        return;
        }

I suppose openswan should reject the inbound MODECFG message and create 
an own proposal?

Helmut
> Paul
>   

-- 
Dipl. Ing. Helmut Manck
Senior Consultant

eonas IT-Beratung und Entwicklung GmbH
Gleimstr. 29
10437 Berlin
Germany

helmut.manck at eonas.de

Mobil +49-173 602 7102
Fax +49-30-692 010 089

Amtsgericht Charlottenburg, HRB 80613
Geschäftsführer: Helmut Manck