<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
hi guys,<br><br>I have two roadwarriors: an iPad and an Android phone using PSK.<br><br>I used 4.3.6, and both clients work great. I recently upgraded to 4.5.0 and manually set the ike to version 1 per the changelog, as ikev2 is the new default. (I did try it with and without specifying the ike version.) But now... 4.5.0 does not respond to my isakmp requests from either device. I can reliably switch back to 4.3.6 and it works fine. I made sure to reinstall xl2tpd 1.2.6 after the 4.5.0 install. Arch Linux, on a 2.6.36 kernel. Port 500 is allowed on the firewall. The firewall is also the ipsec server. Watching daemon.log, there are no entries for these connections. 4.3.6 connections show up just fine in this log.<br><br>[user@machine ipsec]# tcpdump -i eth1 port 500<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes<br>12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident<br>12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident<br>12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident<br>12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident<br><br>134.x.x.x is my Android client. 137.x.x.x is my server. 
eth1 is the outside public interface.<br><br>[user@machine ~]# iptables -L -n<br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination<br>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 <br>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 <br>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 <br><br><br>ipsec.conf<br><br>config setup<br> # crlcheckinterval=600<br> # strictcrlpolicy=yes<br> # cachecrls=yes<br> nat_traversal=no<br> charonstart=yes<br> plutostart=yes<br>conn L2TP<br> authby=psk<br> pfs=no<br> keyexchange=ikev1<br> rekey=no<br> type=tunnel<br> esp=aes128-sha1<br> ike=aes128-sha-modp1024<br> left=137.x.x.x<br> leftnexthop=%defaultroute<br> leftprotoport=17/1701<br> right=%any<br> rightprotoport=17/%any<br> rightsubnetwithin=0.0.0.0/0<br> auto=add<br><br><br>Any ideas? I dug through the archives and the 4.5.0 changelog, yet could not find anything other than the ikev1 requirement.<br>Would it be any big deal for me just to switch back to 4.3.6? Any additional security risks?<br><br>Thank you,<br>Mark<br><br><br> </body>
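As an added example (not part of Mark's message), a small Python script that reads tcpdump output in the format quoted above and lists peers whose IKEv1 phase 1 initiations never got a responder packet back from the server, which is the symptom shown in the capture: repeated "phase 1 I ident" packets, nothing answered on the wire, nothing in daemon.log. The sample lines reuse the quoted capture; the answered peer 198.51.100.7 is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the tcpdump output quoted in the message:
# four unanswered IKEv1 phase 1 initiations from the Android client, plus one
# initiation from a made-up peer (198.51.100.7) that the server did answer.
SAMPLE_TCPDUMP = """\
12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:40:01.000000 IP 198.51.100.7.500 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:40:01.004200 IP 137.x.x.x.isakmp > 198.51.100.7.500: isakmp: phase 1 R ident
"""

# One tcpdump summary line: timestamp, src.port > dst.port, then the isakmp decode.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"isakmp: phase (?P<phase>\d) (?P<role>[IR]) (?P<exch>\w+)"
)

def split_endpoint(ep):
    """'134.x.x.x.16529' -> ('134.x.x.x', '16529'); tcpdump puts the port after the last dot."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse(text):
    """Return one dict per isakmp line; lines that do not match (banner lines) are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["src_host"], d["src_port"] = split_endpoint(d["src"])
            d["dst_host"], d["dst_port"] = split_endpoint(d["dst"])
            out.append(d)
    return out

def unanswered_initiations(text, server):
    """Map initiator host -> count of phase 1 'I' packets sent to `server` for
    peers that never received a phase 1 'R' packet from `server` in the capture."""
    sent = defaultdict(int)
    answered = set()
    for p in parse(text):
        if p["phase"] != "1":
            continue
        if p["role"] == "I" and p["dst_host"] == server:
            sent[p["src_host"]] += 1
        elif p["role"] == "R" and p["src_host"] == server:
            answered.add(p["dst_host"])
    return {peer: n for peer, n in sent.items() if peer not in answered}

if __name__ == "__main__":
    for peer, n in unanswered_initiations(SAMPLE_TCPDUMP, "137.x.x.x").items():
        print(f"{peer}: {n} phase 1 initiations, no responder packet from the server")
```

An empty wire reply combined with an empty daemon.log points at the server side (the daemon not bound to UDP 500 or not handling the packets) rather than at the clients or the firewall rules shown.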
</html>