[Openswan Users] OpenSwan and iPhone

Paul Wouters paul at xelerance.com
Wed Nov 25 09:49:21 EST 2009

On Wed, 25 Nov 2009, Helmut Manck wrote:

>> Why not use L2TP? People are using that on their iphones to Openswan without
>> problems.
> The L2TP-support of the iPhone cannot use certificates to authenticate
> the server side (just preshared key). Thus it is basically vulnerable to
> man-in-the-middle attacks. The IPsec client _can_ use certificates to
> authenticate. IPsec is better ;-)

Fair enough.

> Setting
>    leftxauthserver=yes
>    rightxauthclient=yes
> doesn't change behaviour:
> Nov 25 09:49:03 server011 pluto[6470]: "vpngateway-intranet"[2]
> <iphone-ip> #1: received MODECFG message when in state
> STATE_MODE_CFG_R1, and we aren't xauth client

There are also modeconfig option you can try and enable.
    #modecfgpull=yes (dangerous on a server)

Our modeconfig stuff is very limited though.


More information about the Users mailing list