[Openswan Users] OpenSwan and iPhone
Paul Wouters
paul at xelerance.com
Wed Nov 25 09:49:21 EST 2009
On Wed, 25 Nov 2009, Helmut Manck wrote:
>> Why not use L2TP? People are using that on their iphones to Openswan without
>> problems.
>>
> The L2TP-support of the iPhone cannot use certificates to authenticate
> the server side (just preshared key). Thus it is basically vulnerable to
> man-in-the-middle attacks. The IPsec client _can_ use certificates to
> authenticate. IPsec is better ;-)

Fair enough.

> Setting
> leftxauthserver=yes
> rightxauthclient=yes
> doesn't change behaviour:
>
> Nov 25 09:49:03 server011 pluto[6470]: "vpngateway-intranet"[2]
> <iphone-ip> #1: received MODECFG message when in state
> STATE_MODE_CFG_R1, and we aren't xauth client

There are also modeconfig options you can try and enable.

rightmodecfgclient=yes
leftmodecfgserver=yes
#modecfgpull=yes (dangerous on a server)

Our modeconfig stuff is very limited though.

Paul