[strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
Andreas Steffen
andreas.steffen at strongswan.org
Sun Dec 19 20:59:56 CET 2010
Hi Mark,
does the problem still occur if you disable the IKEv2 charon daemon:
charonstart=no
It might be that charon loads the socket-default plugin and
binds to UDP port 500. If you want to run both pluto and charon,
make sure that charon loads the socket-raw plugin only.
The plugin list can be listed using
ipsec statusall
Regards
Andreas
On 19.12.2010 20:06, Mark S. wrote:
> hi guys,
>
> I have two roadwarriors: iPad and Android Phone using PSK.
>
> I used 4.3.6, both clients work great. I recently upgraded to 4.5.0 and
> manually set the ike to version 1 per the changelog, as ikev2 is the new
> default. (I did try it with and without specifying the ike version.) But
> now...4.5.0 does not respond to my isakmp requests from either device. I
> can reliably switch back to 4.3.6 and it works fine. I made sure to
> reinstall xl2tpd 1.2.6 after 4.5.0 install. Arch Linux, on 2.6.36
> kernel. Port 500 is allowed on the firewall. The firewall is also the
> ipsec server. Watching daemon.log, there are no entries for these
> connections. 4.3.6 connections show up just fine in this log.
>
> [user at machine ipsec]# tcpdump -i eth1 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
>
> 134.x.x.x is my Android client. 137.x.x.x is my server. Eth1 is the
> outside public interface.
>
> [user at machine ~]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
>
>
> ipsec.conf
>
> config setup
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         nat_traversal=no
>         charonstart=yes
>         plutostart=yes
>
> conn L2TP
>         authby=psk
>         pfs=no
>         keyexchange=ikev1
>         rekey=no
>         type=tunnel
>         esp=aes128-sha1
>         ike=aes128-sha-modp1024
>         left=137.x.x.x
>         leftnexthop=%defaultroute
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>         rightsubnetwithin=0.0.0.0/0
>         auto=add
>
>
> any ideas? I dug through the archives and the 4.5.0 changelog, yet could
> not find anything other than the ikev1 requirement.
> Would it be any big deal for me just to switch back to 4.3.6? Any
> additional security risks?
>
> Thank you,
> Mark
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
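The two checks the reply above suggests (which process actually owns UDP/500 and UDP/4500, and whether charon loaded socket-default or socket-raw), written up as a small diagnostic script. This is an added example, not part of the thread and not strongSwan code. The netstat and ipsec statusall text it parses is constructed sample output (the PIDs and the plugin list are made up); it assumes the column layout of `netstat -lunp` and the "loaded plugins:" line that charon prints in `ipsec statusall`, and the socket-default versus socket-raw interpretation is the one given in the reply.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not part of strongSwan or of either
# poster's message. It checks the two things the reply says to look at:
#   1. which process holds the UDP/500 and UDP/4500 sockets
#      (parsed from `netstat -lunp` output)
#   2. whether charon loaded socket-default (binds UDP/500 itself) or
#      socket-raw (leaves UDP/500 to pluto), parsed from the "loaded plugins:"
#      line of `ipsec statusall`
# Both parsers take the tool output as text, so a saved copy can be fed in.
# The samples below are constructed, not captured from a real host.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:500             0.0.0.0:*                           2231/charon
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           2231/charon
udp        0      0 0.0.0.0:1701            0.0.0.0:*                           2290/xl2tpd'

# Constructed plugin line; the names are illustrative, not a real 4.5.0 list.
SAMPLE_PLUGINS='loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pem gmp hmac stroke kernel-netlink socket-default updown'

# Print "<port> <process>" for every listening UDP socket on 500 or 4500.
# Reads `netstat -lunp` output on stdin. The PID/Program column is "-" when
# netstat is not run as root; that is reported as "unknown".
ike_socket_owners() {
    while read -r proto rq sq laddr rest; do
        case "$proto" in udp|udp6) ;; *) continue ;; esac
        port=${laddr##*:}                 # works for 0.0.0.0:500 and :::500
        case "$port" in 500|4500) ;; *) continue ;; esac
        last=${rest##* }                  # last column: PID/Program name
        proc=${last#*/}
        [ "$proc" = "$last" ] && proc=unknown
        echo "$port $proc"
    done
}

# Classify charon's socket plugin from the "loaded plugins:" line.
# Echoes one of: socket-default, socket-raw, none.
charon_socket_plugin() {
    case " $1 " in
        *" socket-default "*) echo socket-default ;;
        *" socket-raw "*)     echo socket-raw ;;
        *)                    echo none ;;
    esac
}

# Combine both checks. Arguments: netstat output, plugin line.
# Returns 0 when nothing stops pluto from receiving IKEv1, 1 otherwise.
diagnose() {
    owners=$(printf '%s\n' "$1" | ike_socket_owners)
    plugin=$(charon_socket_plugin "$2")
    status=0
    case "$owners" in
        *charon*) echo "UDP/500 or UDP/4500 is bound by charon, not pluto"; status=1 ;;
    esac
    if [ "$plugin" = socket-default ]; then
        echo "charon loaded socket-default; load socket-raw instead, or set charonstart=no"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: charon is not holding UDP/500 and does not load socket-default"
    return "$status"
}

echo "--- owners of IKE ports (constructed sample) ---"
printf '%s\n' "$SAMPLE_NETSTAT" | ike_socket_owners
echo "--- verdict ---"
diagnose "$SAMPLE_NETSTAT" "$SAMPLE_PLUGINS" || echo "verdict: conflict, pluto will not see ISAKMP on UDP/500"
```

To use it on a live box, replace the two samples with `netstat -lunp` (as root, otherwise the process column is "-") and the "loaded plugins:" line from `ipsec statusall`; a conflict verdict matches the symptom in the original post, where packets arrive on UDP/500 but pluto logs nothing.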