[strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
Mark S.
aikikid at hotmail.com
Sun Dec 19 20:06:45 CET 2010
hi guys,
I have two roadwarriors: iPad and Android Phone using PSK.
I used 4.3.6, and both clients worked great. I recently upgraded to 4.5.0 and manually set the ike to version 1 per the changelog, as ikev2 is the new default. (I did try it with and without specifying the ike version.) But now... 4.5.0 does not respond to my isakmp requests from either device. I can reliably switch back to 4.3.6 and it works fine. I made sure to reinstall xl2tpd 1.2.6 after the 4.5.0 install. Arch Linux, on 2.6.36 kernel. Port 500 is allowed on the firewall. The firewall is also the ipsec server. Watching daemon.log, there are no entries for these connections. 4.3.6 connections show up just fine in this log.
[user at machine ipsec]# tcpdump -i eth1 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
134.x.x.x is my Android client. 137.x.x.x is my server. Eth1 is the outside public interface.
[user at machine ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
ipsec.conf:

config setup
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=no
        charonstart=yes
        plutostart=yes

conn L2TP
        authby=psk
        pfs=no
        keyexchange=ikev1
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=137.x.x.x
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add
Any ideas? I dug through the archives and the 4.5.0 changelog, yet could not find anything other than the ikev1 requirement.
Would it be any big deal for me just to switch back to 4.3.6? Any additional security risks?
Thank you,
Mark
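The capture above shows the diagnostic pattern worth automating when a gateway goes silent: a client sends repeated IKEv1 phase 1 initiator ("I ident") packets and the server never emits a responder ("R ident") packet, while daemon.log stays empty. The script below is an added example, not code from the post or from the strongSwan project; it parses tcpdump's ISAKMP summary lines, counts unanswered phase 1 initiations per peer, and notes when a client's source port is not 500, which is a common (not conclusive) hint that the phone sits behind a NAT that rewrote the port. The capture text, IP addresses and the second answered peer are constructed to mirror the symptom in the post and are not taken from it.

```python
"""Flag IKEv1 phase 1 initiations in tcpdump output that never got a reply.

Added example for diagnosing a gateway that ignores ISAKMP; the sample
capture is constructed (documentation-range addresses), not the poster's.
"""
import re
from collections import defaultdict

# Constructed sample: four initiator retransmits from one peer with no
# response (the symptom in the post), plus one answered peer for contrast.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:35:36.470254 IP 203.0.113.5.16529 > 198.51.100.1.isakmp: isakmp: phase 1 I ident
12:35:47.129753 IP 203.0.113.5.16529 > 198.51.100.1.isakmp: isakmp: phase 1 I ident
12:35:56.544619 IP 203.0.113.5.16529 > 198.51.100.1.isakmp: isakmp: phase 1 I ident
12:36:06.497248 IP 203.0.113.5.16529 > 198.51.100.1.isakmp: isakmp: phase 1 I ident
12:40:01.000000 IP 192.0.2.9.isakmp > 198.51.100.1.isakmp: isakmp: phase 1 I ident
12:40:01.050000 IP 198.51.100.1.isakmp > 192.0.2.9.isakmp: isakmp: phase 1 R ident
"""

# tcpdump prints endpoints as host.port, with the port as a number or a
# service name ("isakmp" for 500).  Banner lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[^\s:]+) > (?P<dst>[^\s:]+): "
    r"isakmp: phase (?P<phase>\d) (?P<role>[IR]) (?P<exch>\w+)$"
)


def split_endpoint(endpoint):
    """'203.0.113.5.16529' -> ('203.0.113.5', '16529'); works for names too."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_capture(text):
    """Return one dict per ISAKMP summary line; non-matching lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        records.append({
            "ts": m["ts"], "phase": int(m["phase"]), "role": m["role"],
            "exchange": m["exch"],
            "src_host": src_host, "src_port": src_port,
            "dst_host": dst_host, "dst_port": dst_port,
        })
    return records


def summarize(text, server_ip):
    """Count phase 1 initiations sent to the server and responses it sent back,
    keyed by the remote peer's (host, port) as seen on the wire."""
    peers = defaultdict(lambda: {"initiations": 0, "responses": 0})
    for r in parse_capture(text):
        if r["phase"] != 1:
            continue
        if r["dst_host"] == server_ip and r["role"] == "I":
            peers[(r["src_host"], r["src_port"])]["initiations"] += 1
        elif r["src_host"] == server_ip and r["role"] == "R":
            peers[(r["dst_host"], r["dst_port"])]["responses"] += 1
    return dict(peers)


def unanswered_peers(text, server_ip, min_retries=2):
    """Peers that retransmitted phase 1 at least min_retries times and never
    received a responder packet: the gateway is dropping or ignoring them."""
    summary = summarize(text, server_ip)
    return sorted(
        peer for peer, c in summary.items()
        if c["initiations"] >= min_retries and c["responses"] == 0
    )


def behind_nat_hint(src_port):
    """IKEv1 normally runs 500 -> 500; a rewritten client source port is a
    heuristic (not proof) that a NAT device sits between client and gateway."""
    return src_port not in ("isakmp", "500")


if __name__ == "__main__":
    server = "198.51.100.1"
    for host, port in unanswered_peers(SAMPLE_CAPTURE, server):
        nat = " (non-500 source port: possible NAT, check nat_traversal)" \
            if behind_nat_hint(port) else ""
        print(f"no phase 1 reply to {host}:{port}{nat}")
```

Run against a real capture by feeding the output of `tcpdump -i eth1 port 500` into `summarize` with the gateway's public address; a peer listed by `unanswered_peers` while the daemon log shows nothing for it narrows the problem to the packet never reaching, or being silently discarded by, the IKE daemon rather than to a failed negotiation.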