[Openswan Users] OpenSwan and iPhone again

Shinji Ikari bombayvdmo at yahoo.com.mx
Tue Sep 13 16:11:56 EDT 2011


Hi,

I'm trying to configure a pure RSA+XAUTH IPsec VPN with Openswan and iPhone, but during negotiation this message appears in the log:

Sep 13 14:55:39 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: responding to Main Mode from unknown peer 172.23.254.126
Sep 13 14:55:39 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 13 14:55:39 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 13 14:55:40 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Sep 13 14:55:40 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 13 14:55:40 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=host'
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: no crl from issuer "CN=cacert" found (strict=no)
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[1] 172.23.254.126 #1: switched from "iphone" to "iphone"
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: deleting connection "iphone" instance with peer 172.23.254.126 {isakmp=#0/ipsec=#0}
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: I am sending my cert
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: new NAT mapping for #1, was 172.23.254.126:500, now 172.23.254.126:4500
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: XAUTH: Sending XAUTH Login/Password Request
Sep 13 14:55:41 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Sep 13 14:55:44 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: discarding duplicate packet; already STATE_XAUTH_R0
Sep 13 14:55:47 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: discarding duplicate packet; already STATE_XAUTH_R0
Sep 13 14:55:50 hefesto pluto[14933]: "iphone"[2] 172.23.254.126 #1: discarding duplicate packet; already STATE_XAUTH_R0


My ipsec.conf file:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        plutoopts="--perpeerlog"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25/8
        oe=off
        protostack=netkey

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyingtries=1
        keylife=20m
        ikelifetime=240m

conn iphone
        auto=add
        authby=rsasig
        left=172.23.253.2
        right=%any
        leftxauthserver=yes
        leftca=cacert
        leftcert=hefesto
        leftrsasigkey=%cert

ipsec.secrets
: RSA hefesto
@host : XAUTH "redhat"

passwd
host:lxMEQMBDRiWN6:*


RHEL6
openswan-2.6.32-4.el6_1.1.x86_64


Thanks for your help.

Best regards.