[strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
Mark S.
aikikid at hotmail.com
Sun Dec 19 21:19:46 CET 2010
Thank you for the reply. I set charonstart=no and it failed on both my Android over 3g and iPad over wifi.
I think I should now try the socket-raw option?
This is using my local wifi and iPad. Identical setup/problem as my public config below.
No entries in daemon.log
iPad via wifi
[user at machine ipsec]# tcpdump -i eth3 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.079719 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.132013 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.134725 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.188516 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident[E]
13:57:09.189188 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident[E]
13:57:10.197248 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:57:10.210796 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 2/others R oakley-quick[E]
13:57:10.220899 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
iPad fails to connect.
And via my Android over 3g.
Android via 3g
[user at machine ipsec]# tcpdump -i eth1 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:07:00.700072 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
14:07:11.507131 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
14:07:21.696309 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
14:07:31.133663 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
[user at machine ipsec]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.0):
000 interface foo/foo aaaa::1:500
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.2.1:500
000 interface eth0/eth0 192.168.2.0:500
000 interface eth1/eth1 137.x.x.x:500
000 interface eth3/eth3 10.5.5.1:500
000 interface eth2/eth2 192.168.4.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP": 137.x.x.x[137.x.x.x]:17/1701---137.x.x.x...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "L2TP": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: eth1;
000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP_Wireless": 10.5.5.1[10.5.5.1]:17/1701---137.x.x.x...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "L2TP_Wireless": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP_Wireless": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: eth3;
000 "L2TP_Wireless": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP_Wireless"[2]: 10.5.5.1[10.5.5.1]:17/1701---137.x.x.x...10.5.5.2[192.168.50.138]:17/59512===192.168.50.138/32; erouted; eroute owner: #2
000 "L2TP_Wireless"[2]: ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP_Wireless"[2]: policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: eth3;
000 "L2TP_Wireless"[2]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "L2TP_Wireless"[2]: IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000 "L2TP_Wireless"[2]: ESP proposal: AES_CBC_256/HMAC_SHA1/<N/A>
000
000 #2: "L2TP_Wireless"[2] 10.5.5.2 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3302s; newest IPSEC; eroute owner
000 #2: "L2TP_Wireless"[2] 10.5.5.2 esp.53ae617 at 10.5.5.2 (0 bytes) esp.c809ae1c at 10.5.5.1 (0 bytes); transport
000 #1: "L2TP_Wireless"[2] 10.5.5.2 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3301s; newest ISAKMP
I really appreciate the help!
Thank you!
Mark
> Subject: Re: [strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
>
> Hi Mark,
>
> does the problem still occur if you disable the IKEv2 charon daemon:
>
> charonstart=no
>
> It might be that charon loads the socket-default plugin and
> binds to UDP port 500. If you want to run both pluto and charon,
> make sure that charon loads the socket-raw plugin only.
> The plugin list can be listed using
>
> ipsec statusall
>
> Regards
>
> Andreas
>
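The two tcpdump runs above show two different failure shapes: on wifi the iPad completes all six main-mode messages and the quick-mode exchange, while over 3g the Android phone retransmits its first phase-1 message every ten seconds and never gets an answer on UDP 500. The script below is an added illustration, not code from this thread or from the strongSwan project: it parses tcpdump's one-line ISAKMP summaries (the format printed without -v), groups them by initiator/responder pair and reports how far each negotiation got. The wifi sample reproduces the lines from the mail; the 3g sample is constructed with RFC 5737 documentation addresses in place of the redacted ones. Verdict names and thresholds are this example's own.

```python
"""Classify IKEv1 handshake progress from tcpdump's one-line ISAKMP summaries.

Added illustration (not from the strongSwan thread or project); the sample
captures below are constructed or copied from the mail, see comments.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# tcpdump without -v prints ISAKMP as:
#   <ts> IP <src>.<port> > <dst>.<port>: isakmp: phase <1|2/others> <I|R> <exchange>[E]
# "[E]" marks an encrypted payload, i.e. the peers already share keying material.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>[\w-]+)(?P<enc>\[E\])?$"
)


@dataclass
class FlowStats:
    """Counters for one initiator -> responder pair."""
    phase1: dict = field(default_factory=lambda: {"I": 0, "R": 0})
    phase2: dict = field(default_factory=lambda: {"I": 0, "R": 0})
    p1_exch: str = ""      # "ident" = main mode, "agg" = aggressive mode
    first_ts: str = ""
    last_ts: str = ""


def parse_isakmp(lines):
    """Group ISAKMP lines by (initiator, responder); non-matching lines are skipped."""
    flows = defaultdict(FlowStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines and anything not in the summary shape
        role = m["role"]
        # The initiator is the side that sends 'I' messages.
        key = (m["src"], m["dst"]) if role == "I" else (m["dst"], m["src"])
        st = flows[key]
        if m["phase"] == "1":
            st.phase1[role] += 1
            st.p1_exch = st.p1_exch or m["exch"]
        else:
            st.phase2[role] += 1
        st.first_ts = st.first_ts or m["ts"]
        st.last_ts = m["ts"]
    return dict(flows)


def diagnose(st):
    """Map counters to a verdict on how far the IKEv1 negotiation got."""
    p1i, p1r = st.phase1["I"], st.phase1["R"]
    p2i, p2r = st.phase2["I"], st.phase2["R"]
    if p1r == 0:
        # Initiator keeps retransmitting, nothing ever answers on UDP 500.
        return "phase-1 unanswered"
    # Main mode is 6 messages (3 I / 3 R); aggressive mode is 3 (2 I / 1 R).
    if st.p1_exch == "agg":
        p1_done = p1i >= 2 and p1r >= 1
    else:
        p1_done = p1i >= 3 and p1r >= 3
    if not p1_done:
        return "phase-1 incomplete"
    if p2r == 0:
        return "quick-mode unanswered"
    # Quick mode is 3 messages (I, R, I); once all three are seen the IKE side
    # is done and any remaining failure lies above it (e.g. L2TP/PPP).
    if p2i >= 2 and p2r >= 1:
        return "ike-complete"
    return "quick-mode incomplete"


def report(lines):
    """Return {"initiator -> responder": {verdict, phase1, phase2, window}}."""
    out = {}
    for (ini, rsp), st in parse_isakmp(lines).items():
        out[f"{ini} -> {rsp}"] = {
            "verdict": diagnose(st),
            "phase1": dict(st.phase1),
            "phase2": dict(st.phase2),
            "window": f"{st.first_ts}..{st.last_ts}",
        }
    return out


# Wifi sample: the lines from the mail, banner included to show it is skipped.
SAMPLE_WIFI = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.079719 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.132013 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.134725 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.188516 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident[E]
13:57:09.189188 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident[E]
13:57:10.197248 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:57:10.210796 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 2/others R oakley-quick[E]
13:57:10.220899 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
""".splitlines()

# 3g sample: constructed, RFC 5737 addresses stand in for the redacted ones.
SAMPLE_3G = """\
14:07:00.700072 IP 203.0.113.44.16534 > 198.51.100.7.isakmp: isakmp: phase 1 I ident
14:07:11.507131 IP 203.0.113.44.16534 > 198.51.100.7.isakmp: isakmp: phase 1 I ident
14:07:21.696309 IP 203.0.113.44.16534 > 198.51.100.7.isakmp: isakmp: phase 1 I ident
14:07:31.133663 IP 203.0.113.44.16534 > 198.51.100.7.isakmp: isakmp: phase 1 I ident
""".splitlines()

if __name__ == "__main__":
    for flow, info in report(SAMPLE_WIFI + SAMPLE_3G).items():
        print(f"{flow}: {info['verdict']}  p1={info['phase1']} p2={info['phase2']} {info['window']}")
```

Run against the two captures it reports "ike-complete" for the wifi pair and "phase-1 unanswered" for the 3g pair. The second verdict is the one that matches Andreas' question: when the responder never sends a single phase-1 reply, the first thing to check is whether pluto actually owns UDP 500 on that interface (ipsec statusall lists the bound interfaces) or whether another process, such as charon with the socket-default plugin, has taken the socket.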