[strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem

Mark S. aikikid at hotmail.com
Sun Dec 19 20:06:45 CET 2010


hi guys,

I have two roadwarriors: iPad and Android Phone using PSK.

I used 4.3.6, and both clients worked great. I recently upgraded to 4.5.0 and manually set the ike to version 1 per the changelog, as ikev2 is the new default. (I did try it with and without specifying the ike version.) But now...4.5.0 does not respond to my isakmp requests from either device. I can reliably switch back to 4.3.6 and it works fine. I made sure to reinstall xl2tpd 1.2.6 after the 4.5.0 install. Arch Linux, on a 2.6.36 kernel. Port 500 is allowed on the firewall. The firewall is also the ipsec server. Watching daemon.log, there are no entries for these connections. 4.3.6 connections show up just fine in this log.

[user at machine ipsec]# tcpdump -i eth1 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident

134.x.x.x is my Android client. 137.x.x.x is my server. Eth1 is the outside public interface.

[user at machine ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1701 


ipsec.conf

config setup
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=no
        charonstart=yes
        plutostart=yes
conn L2TP
        authby=psk
        pfs=no
        keyexchange=ikev1
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=137.x.x.x
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add


any ideas? I dug through the archives and the 4.5.0 changelog, yet could not find anything other than the ikev1 requirement.
Would it be any big deal for me just to switch back to 4.3.6? Any additional security risks?

Thank you,
Mark
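The diagnostic in the post is "ISAKMP phase 1 initiations arrive on the outside interface, but the daemon never answers and never logs them". The following script is an added example, not code from the post or from the strongSwan project: it parses tcpdump lines of the same shape as the ones above and reports which peers sent phase 1 initiator packets that the server never responded to. The capture text is constructed for the example (placeholder addresses 134.0.0.10, 10.0.0.7 and 137.0.0.5 stand in for the redacted ones in the post), and the line format assumed is tcpdump's default one-line isakmp summary as shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample capture modelled on the tcpdump output in the post.
# The first four lines reproduce the symptom: one client retries phase 1
# and never gets a response. The last two lines show a healthy exchange
# (initiator packet followed by a responder packet from the server).
SAMPLE_CAPTURE = """\
12:35:36.470254 IP 134.0.0.10.16529 > 137.0.0.5.isakmp: isakmp: phase 1 I ident
12:35:47.129753 IP 134.0.0.10.16529 > 137.0.0.5.isakmp: isakmp: phase 1 I ident
12:35:56.544619 IP 134.0.0.10.16529 > 137.0.0.5.isakmp: isakmp: phase 1 I ident
12:36:06.497248 IP 134.0.0.10.16529 > 137.0.0.5.isakmp: isakmp: phase 1 I ident
12:40:01.000000 IP 10.0.0.7.500 > 137.0.0.5.isakmp: isakmp: phase 1 I ident
12:40:01.050000 IP 137.0.0.5.isakmp > 10.0.0.7.500: isakmp: phase 1 R ident
"""

# Matches tcpdump's default isakmp summary line:
#   <time> IP <src>.<port> > <dst>.<port>: isakmp: phase <n> <I|R> <exchange>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"isakmp: phase (?P<phase>\d) (?P<role>[IR]) (?P<exch>\w+)$"
)


def parse_line(line):
    """Return a dict for one isakmp summary line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # tcpdump appends the port (or service name such as 'isakmp') after a dot;
    # split on the last dot to separate host from port.
    src_host, _src_port = m.group("src").rsplit(".", 1)
    dst_host, _dst_port = m.group("dst").rsplit(".", 1)
    return {
        "ts": m.group("ts"),
        "src": src_host,
        "dst": dst_host,
        "phase": int(m.group("phase")),
        "role": m.group("role"),
        "exch": m.group("exch"),
    }


def unanswered_initiators(capture_text, server_ip):
    """Map client IP -> number of phase 1 initiator packets sent to server_ip
    for which the server never sent a phase 1 responder packet back."""
    sent = defaultdict(int)
    answered = set()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["phase"] != 1:
            continue
        if pkt["dst"] == server_ip and pkt["role"] == "I":
            sent[pkt["src"]] += 1
        elif pkt["src"] == server_ip and pkt["role"] == "R":
            answered.add(pkt["dst"])
    return {client: n for client, n in sent.items() if client not in answered}


def main():
    server = "137.0.0.5"  # placeholder for the redacted server address
    silent = unanswered_initiators(SAMPLE_CAPTURE, server)
    if not silent:
        print("every phase 1 initiation received a response")
    for client, count in silent.items():
        print(f"{client}: {count} phase 1 initiations, no response from {server}")


if __name__ == "__main__":
    main()
```

Run it against a real capture with `tcpdump -i eth1 -n port 500 > cap.txt` (the `-n` keeps addresses numeric) and feed the file contents to `unanswered_initiators`. A client that shows up here while daemon.log stays empty points at the packets never reaching the IKE daemon (wrong daemon listening, or none listening, on UDP 500) rather than at a negotiation failure, which is the distinction the post is trying to make.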

