[Openswan Users] OpenSwan and iPhone
Helmut Manck
helmut.manck at eonas.de
Wed Nov 25 11:48:28 EST 2009
Paul Wouters wrote:
> On Wed, 25 Nov 2009, Helmut Manck wrote:
>
>>> Why not use L2TP? People are using that on their iPhones to Openswan
>>> without problems.
>>>
>> The L2TP-support of the iPhone cannot use certificates to authenticate
>> the server side (just preshared key). Thus it is basically vulnerable to
>> man-in-the-middle attacks. The IPsec client _can_ use certificates to
>> authenticate. IPsec is better ;-)
>
> Fair enough.
>
>> Setting
>> leftxauthserver=yes
>> rightxauthclient=yes
>> doesn't change behaviour:
>>
>> Nov 25 09:49:03 server011 pluto[6470]: "vpngateway-intranet"[2]
>> <iphone-ip> #1: received MODECFG message when in state
>> STATE_MODE_CFG_R1, and we aren't xauth client
>
> There are also modeconfig options you can try and enable.
> rightmodecfgclient=yes
> leftmodecfgserver=yes
> #modecfgpull=yes (dangerous on a server)
I tried these settings in the first place, but they don't help either.
Does anyone know how this Cisco modecfg stuff works? Maybe it's worth
adding a few lines of code.
conn vpngateway-intranet
    left=%defaultroute
    leftsubnet=10.2.0.0/24
    # the gateway authenticates with its X.509 certificate, not a PSK
    leftrsasigkey=%cert
    leftcert="server011.office.eonas.de - TestCA"
    # XAUTH roles: this side is the server, the iPhone is the client
    leftxauthserver=yes
    rightxauthclient=yes
    # ModeConfig roles: this side hands out client settings (DNS below)
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=no
    modecfgdns1=10.2.0.128
    # accept road-warrior peers from any address
    right=%any
    auto=add
    pfs=no
Helmut
>
> Our modeconfig stuff is very limited though.
>
> Paul
--
Dipl. Ing. Helmut Manck
Senior Consultant
eonas IT-Beratung und Entwicklung GmbH
Gleimstr. 29
10437 Berlin
Germany
helmut.manck at eonas.de
Mobil +49-173 602 7102
Fax +49-30-692 010 089
Amtsgericht Charlottenburg, HRB 80613
Geschäftsführer: Helmut Manck
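The thread turns on three things in that conn: certificate authentication of the gateway (versus the PSK-only L2TP setup), the paired XAUTH/ModeConfig role keywords, and Paul's note that modecfgpull=yes is dangerous on a server. The following is an added example, not Openswan code and not Helmut's, that reads ipsec.conf conn sections and flags those settings. It assumes a second, hypothetical PSK-only conn named roadwarrior-psk (constructed here, using the real Openswan keyword authby=secret), treats the left side as the gateway as in the posted configuration, and uses its own finding codes; the parser is deliberately minimal (no include, %default inheritance or "config setup" handling).

```python
"""Added example (not Openswan code): parse ipsec.conf 'conn' sections and
flag the authentication and XAUTH/ModeConfig settings discussed in the thread.
The configuration text below is constructed for this example."""
import re
from typing import Dict, List

# Constructed sample: the conn posted in the thread, plus a hypothetical
# PSK-only road-warrior conn of the kind an L2TP/IPsec setup would use.
SAMPLE_CONF = """\
conn vpngateway-intranet
    left=%defaultroute
    leftsubnet=10.2.0.0/24
    leftrsasigkey=%cert
    leftcert="server011.office.eonas.de - TestCA"
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=no
    modecfgdns1=10.2.0.128
    right=%any
    auto=add
    pfs=no

# hypothetical PSK-only conn (constructed, not from the thread)
conn roadwarrior-psk
    authby=secret
    left=%defaultroute
    right=%any
    modecfgpull=yes
    auto=add
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: a 'conn NAME' line opens a section and the
    key=value lines that follow belong to it.  Comment and blank lines are
    skipped; surrounding double quotes are stripped from values."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip().lower()] = value.strip().strip('"')
    return conns


def audit_conn(opts: Dict[str, str]) -> List[str]:
    """Return finding codes (our own labels) for one conn.  'left' is taken
    to be the gateway side, as in the thread's configuration."""
    findings: List[str] = []
    uses_cert = opts.get("leftrsasigkey") == "%cert" or "leftcert" in opts
    # A conn accepting peers from anywhere, or acting as XAUTH server,
    # is the gateway side of a road-warrior setup.
    is_server = opts.get("right") == "%any" or opts.get("leftxauthserver") == "yes"

    # Thread's point: with only a preshared key the client cannot verify
    # the gateway's identity, which leaves it open to a man-in-the-middle.
    if opts.get("authby") == "secret" and not uses_cert:
        findings.append("PSK_ONLY")
    # XAUTH and ModeConfig roles are set as a pair: server on one side,
    # client on the other, as in the posted configuration.
    if opts.get("leftxauthserver") == "yes" and opts.get("rightxauthclient") != "yes":
        findings.append("XAUTH_ROLES_UNPAIRED")
    if opts.get("leftmodecfgserver") == "yes" and opts.get("rightmodecfgclient") != "yes":
        findings.append("MODECFG_ROLES_UNPAIRED")
    # Paul's note in the thread: modecfgpull=yes is dangerous on a server.
    if is_server and opts.get("modecfgpull") == "yes":
        findings.append("MODECFGPULL_ON_SERVER")
    # pfs=no switches off perfect forward secrecy for the IPsec SA.
    if opts.get("pfs") == "no":
        findings.append("NO_PFS")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Audit every conn in an ipsec.conf text; returns {conn name: codes}."""
    return {name: audit_conn(opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for name, codes in audit(SAMPLE_CONF).items():
        print(f"{name}: {', '.join(codes) or 'no findings'}")
```

Run against the sample, the posted conn yields only NO_PFS, while the hypothetical PSK conn yields PSK_ONLY and MODECFGPULL_ON_SERVER. The check only covers keywords that appear in this thread; it says nothing about whether a given Openswan version actually negotiates ModeConfig with the iPhone client.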