[Openswan Users] need help with ipsec tunnel to iphone
Richard Pagotto
richard at vspec.net
Tue May 24 08:49:07 EDT 2011
I have created certificates and emailed them to myself; they installed fine on the iPhone.
Not sure which account name and password to set on the phone; I had to put in the password I used for the cert to install it.
/etc/ipsec.secrets
: RSA /etc/ipsec.d/private/hostKey.pem "keytoloadcirt"
@username : XAUTH "password"
/etc/ipsec.conf
config setup
    plutoopts="--perpeerlog"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25/8
    oe=off
    protostack=netkey
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=1
    keylife=20m
    ikelifetime=240m
conn iphone
    auto=add
    dpdaction=clear
    dpdtimeout=15
    dpddelay=10
    authby=rsasig
    pfs=no
    leftcert=/etc/ipsec.d/certs/strongswanCert.pem
    left=192.168.0.1
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgclient=yes
    right=%any
    rightsourceip=192.168.0.2
    rightcert=/etc/ipsec.d/certs/hostCert.pem
    rightnexthop=%defaultroute
    rightxauthserver=yes
    rightmodecfgclient=yes
Output messages from when I try to connect are below; I have tried many different usernames, all with the password "password".
This is on my Slackware SMP box; I have installed the same version of Openswan on Debian Squeeze i386 and the same thing happens.
Am I missing anything?
May 24 21:27:56 linuxserver ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.21.5-smp...
May 24 21:27:56 linuxserver ipsec_setup: Using NETKEY(XFRM) stack
May 24 21:28:01 linuxserver ipsec_setup: defaulting rightsubnet to 192.168.0.2
May 24 21:28:01 linuxserver ipsec_setup: ...Openswan IPsec started
May 24 21:28:01 linuxserver pluto: adjusting ipsec.d to /etc/ipsec.d
May 24 21:28:01 linuxserver ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
May 24 21:28:01 linuxserver ipsec__plutorun: defaulting rightsubnet to 192.168.0.2
May 24 21:28:04 linuxserver ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/strongswanCert.pem
May 24 21:28:04 linuxserver ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/strongswanCert.pem' (1330 bytes)
May 24 21:28:04 linuxserver ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/hostCert.pem
May 24 21:28:04 linuxserver ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/hostCert.pem' (1086 bytes)
May 24 21:28:04 linuxserver ipsec__plutorun: 002 added connection description "iphone"
+ _________________________ plog
+ sed -n '5037731,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
May 24 21:28:01 linuxserver ipsec__plutorun: Starting Pluto subsystem...
May 24 21:28:01 linuxserver pluto[3517]: Starting Pluto (Openswan Version 2.6.33; Vendor ID XXXXXXXXXX) pid:3517
May 24 21:28:01 linuxserver pluto[3517]: LEAK_DETECTIVE support [disabled]
May 24 21:28:01 linuxserver pluto[3517]: OCF support for IKE [disabled]
May 24 21:28:01 linuxserver pluto[3517]: SAref support [disabled]: Protocol not available
May 24 21:28:01 linuxserver pluto[3517]: SAbind support [disabled]: Protocol not available
May 24 21:28:01 linuxserver pluto[3517]: NSS support [disabled]
May 24 21:28:01 linuxserver pluto[3517]: HAVE_STATSD notification support not compiled in
May 24 21:28:01 linuxserver pluto[3517]: Setting NAT-Traversal port-4500 floating to on
May 24 21:28:01 linuxserver pluto[3517]: port floating activation criteria nat_t=1/port_float=1
May 24 21:28:01 linuxserver pluto[3517]: NAT-Traversal support [enabled]
May 24 21:28:01 linuxserver pluto[3517]: using /dev/urandom as source of random entropy
May 24 21:28:02 linuxserver pluto[3517]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 24 21:28:02 linuxserver pluto[3517]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 24 21:28:02 linuxserver pluto[3517]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 24 21:28:02 linuxserver pluto[3517]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 24 21:28:02 linuxserver pluto[3517]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 24 21:28:02 linuxserver pluto[3517]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 24 21:28:02 linuxserver pluto[3517]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 24 21:28:02 linuxserver pluto[3517]: starting up 1 cryptographic helpers
May 24 21:28:02 linuxserver pluto[3524]: using /dev/urandom as source of random entropy
May 24 21:28:02 linuxserver pluto[3517]: started helper pid=3524 (fd:7)
May 24 21:28:02 linuxserver pluto[3517]: Using Linux 2.6 IPsec interface code on 2.6.21.5-smp (experimental code)
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_add(): ERROR: Algorithm already exists
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_add(): ERROR: Algorithm already exists
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_add(): ERROR: Algorithm already exists
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_add(): ERROR: Algorithm already exists
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_add(): ERROR: Algorithm already exists
May 24 21:28:03 linuxserver pluto[3517]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 24 21:28:04 linuxserver pluto[3517]: Changed path to directory '/etc/ipsec.d/cacerts'
May 24 21:28:04 linuxserver pluto[3517]: loaded CA cert file 'strongswanCert.pem' (1330 bytes)
May 24 21:28:04 linuxserver pluto[3517]: Changed path to directory '/etc/ipsec.d/aacerts'
May 24 21:28:04 linuxserver pluto[3517]: Changed path to directory '/etc/ipsec.d/ocspcerts'
May 24 21:28:04 linuxserver pluto[3517]: Changing to directory '/etc/ipsec.d/crls'
May 24 21:28:04 linuxserver pluto[3517]: loaded crl file 'crl.pem' (434 bytes)
May 24 21:28:04 linuxserver pluto[3517]: loading certificate from /etc/ipsec.d/certs/strongswanCert.pem
May 24 21:28:04 linuxserver pluto[3517]: loaded host cert file '/etc/ipsec.d/certs/strongswanCert.pem' (1330 bytes)
May 24 21:28:04 linuxserver pluto[3517]: loading certificate from /etc/ipsec.d/certs/hostCert.pem
May 24 21:28:04 linuxserver pluto[3517]: loaded host cert file '/etc/ipsec.d/certs/hostCert.pem' (1086 bytes)
May 24 21:28:04 linuxserver pluto[3517]: added connection description "iphone"
May 24 21:28:04 linuxserver pluto[3517]: listening for IKE messages
May 24 21:28:04 linuxserver pluto[3517]: adding interface eth0/eth0 192.168.0.2:500
May 24 21:28:04 linuxserver pluto[3517]: adding interface eth0/eth0 192.168.0.2:4500
May 24 21:28:04 linuxserver pluto[3517]: adding interface lo/lo 127.0.0.1:500
May 24 21:28:04 linuxserver pluto[3517]: adding interface lo/lo 127.0.0.1:4500
May 24 21:28:04 linuxserver pluto[3517]: adding interface lo/lo ::1:500
May 24 21:28:04 linuxserver pluto[3517]: loading secrets from "/etc/ipsec.secrets"
May 24 21:28:04 linuxserver pluto[3517]: loaded private key file '/etc/ipsec.d/private/hostKey.pem' (963 bytes)
May 24 21:28:04 linuxserver pluto[3517]: loaded private key for keyid: PPK_RSA:XXXXXXXXX
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [RFC 3947] method set to=109
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [XAUTH]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [Cisco-Unity]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [Dead Peer Detection]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: initial Main Mode message received on 192.168.0.2:500 but no connection has been authorized with policy=RSASIG
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [RFC 3947] method set to=109
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [XAUTH]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [Cisco-Unity]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [Dead Peer Detection]
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: initial Main Mode message received on 192.168.0.2:500 but no connection has been authorized with policy=RSASIG
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [RFC 3947] method set to=109
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [XAUTH]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [Cisco-Unity]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [Dead Peer Detection]
May 24 21:28:58 linuxserver pluto[3517]: packet from 203.20.35.28:33009: initial Main Mode message received on 192.168.0.2:500 but no connection has been authorized with policy=RSASIG
+ _________________________ date
+ date
Tue May 24 21:30:13 EST 2011
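As an added illustration (not part of Richard's post and not Openswan code), the script below cross-checks the posted "conn iphone" against what pluto logged: which addresses pluto is listening on, which Vendor IDs the client at 203.20.35.28 advertised, and how often the "no connection has been authorized with policy=" rejection fired. The config and log lines embedded in it are copied from the post above (indentation restored so a parser can see the sections). The finding names, the assumption that a road-warrior conn's left= must be one of the listening addresses (or %defaultroute) for pluto to orient it, and the assumption that authby= should include an xauth variant when the client sends the XAUTH Vendor ID, are mine and are not something the thread confirms.

```python
import re
from collections import defaultdict

# Config fragment as posted above; only the parameters the checks look at are kept.
IPSEC_CONF = """\
config setup
    plutoopts="--perpeerlog"
    nat_traversal=yes
    protostack=netkey
conn %default
    authby=rsasig
    keyingtries=1
conn iphone
    auto=add
    authby=rsasig
    left=192.168.0.1
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgclient=yes
    right=%any
    rightsourceip=192.168.0.2
    rightxauthserver=yes
    rightmodecfgclient=yes
"""

# A handful of pluto lines copied from the output above (host/pid prefix kept).
PLUTO_LOG = """\
May 24 21:28:04 linuxserver pluto[3517]: adding interface eth0/eth0 192.168.0.2:500
May 24 21:28:04 linuxserver pluto[3517]: adding interface eth0/eth0 192.168.0.2:4500
May 24 21:28:04 linuxserver pluto[3517]: adding interface lo/lo 127.0.0.1:500
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [XAUTH]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: received Vendor ID payload [Cisco-Unity]
May 24 21:28:48 linuxserver pluto[3517]: packet from 203.20.35.28:33009: initial Main Mode message received on 192.168.0.2:500 but no connection has been authorized with policy=RSASIG
May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: initial Main Mode message received on 192.168.0.2:500 but no connection has been authorized with policy=RSASIG
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}} with 'conn %default' values folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # 'config setup' / 'conn NAME' open a section
            kind, name = line.split(None, 1)
            current = f"{kind} {name}"
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    default = sections.get("conn %default", {})
    for name, params in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**default, **params}
    return sections

IFACE_RE = re.compile(r"adding interface \S+ (\S+):\d+$")
PEER_RE = re.compile(r"packet from ([\d.]+):\d+: (.*)$")
VID_RE = re.compile(r"received Vendor ID payload \[([^\]]+)\]")
POLICY_RE = re.compile(r"no connection has been authorized with policy=(\S+)")

def parse_pluto_log(text):
    """Collect listening addresses, per-peer Vendor IDs and per-peer rejected policies."""
    interfaces, vids, rejected = set(), defaultdict(set), defaultdict(list)
    for line in text.splitlines():
        if m := IFACE_RE.search(line):
            interfaces.add(m.group(1))
        elif m := PEER_RE.search(line):
            peer, rest = m.groups()
            if v := VID_RE.search(rest):
                vids[peer].add(v.group(1))
            if p := POLICY_RE.search(rest):
                rejected[peer].append(p.group(1))
    return interfaces, vids, rejected

def triage(conf_text, log_text, conn="conn iphone"):
    """Cross-check one conn against what pluto logged; returns a list of finding strings."""
    c = parse_ipsec_conf(conf_text)[conn]
    interfaces, vids, rejected = parse_pluto_log(log_text)
    findings = []
    # Assumption: a road-warrior conn is only orientable if left= is a local address.
    if c.get("right") == "%any" and c.get("left") not in interfaces | {"%defaultroute"}:
        findings.append(f"LEFT_NOT_LOCAL left={c.get('left')} listening={sorted(interfaces)}")
    # Handing the client the gateway's own address cannot work.
    if c.get("rightsourceip") in interfaces:
        findings.append(f"SOURCEIP_IS_LOCAL rightsourceip={c['rightsourceip']}")
    # Only one side can be the XAUTH server / ModeCfg client.
    for role in ("xauthserver", "modecfgclient"):
        if c.get(f"left{role}") == "yes" and c.get(f"right{role}") == "yes":
            findings.append(f"BOTH_SIDES_{role.upper()}")
    for peer, policies in rejected.items():
        findings.append(f"REJECTED peer={peer} policy={policies[0]} count={len(policies)}")
        # Assumption: a client sending the XAUTH VID expects an authby= with xauth in it.
        if "XAUTH" in vids[peer] and "xauth" not in c.get("authby", ""):
            findings.append(f"CLIENT_WANTS_XAUTH peer={peer} authby={c.get('authby')}")
    return findings

if __name__ == "__main__":
    for finding in triage(IPSEC_CONF, PLUTO_LOG):
        print(finding)
```

Run against the post's own config and log it reports the left= address not matching the 192.168.0.2 interface pluto bound, rightsourceip= colliding with that interface, both ends marked as XAUTH server and ModeCfg client, and two RSASIG rejections from a peer that advertised XAUTH; any of those is worth looking at before changing usernames or passwords again.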