[strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem

Andreas Steffen andreas.steffen at strongswan.org
Sun Dec 19 21:48:37 CET 2010


Since you have a NAT situation over 3g, you must activate NAT Traversal
with

   nat_traversal=yes

Over WIFI the tunnel is successfully established.

Regards

Andreas

On 19.12.2010 21:19, Mark S. wrote:
> thank you for the reply. I set charonstart=no and it failed on both my
> Android over 3g and iPad over wifi.
> 
> I think I should now try the socket-raw option?
> 
> This is using my local wifi and iPad. Identical setup/problem as my
> public config below.
> 
> No entries in daemon.log
> 
> iPad via wifi
> [user at machine ipsec]# tcpdump -i eth3 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
> 13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
> 13:57:09.079719 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
> 13:57:09.132013 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
> 13:57:09.134725 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
> 13:57:09.188516 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident[E]
> 13:57:09.189188 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident[E]
> 13:57:10.197248 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 13:57:10.210796 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 2/others R oakley-quick[E]
> 13:57:10.220899 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 
> iPad fails to connect.
> 
> And via my Android over 3g.
> Android via 3g
> [user at machine ipsec]# tcpdump -i eth1 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:07:00.700072 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 14:07:11.507131 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 14:07:21.696309 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 14:07:31.133663 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 
> 
> [user at machine ipsec]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.0):
> 000 interface foo/foo aaaa::1:500
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 192.168.2.1:500
> 000 interface eth0/eth0 192.168.2.0:500
> 000 interface eth1/eth1 137.x.x.x:500
> 000 interface eth3/eth3 10.5.5.1:500
> 000 interface eth2/eth2 192.168.4.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey
> pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> 000 "L2TP":
> 137.x.x.x.[137.x.x.x.]:17/1701---137.x.x.x....%any[%any]:17/%any==={0.0.0.0/0};
> unrouted; eroute owner: #0
> 000 "L2TP":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0;
> interface: eth1;
> 000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "L2TP_Wireless":
> 10.5.5.1[10.5.5.1]:17/1701---137.xx.x.x...%any[%any]:17/%any==={0.0.0.0/0};
> unrouted; eroute owner: #0
> 000 "L2TP_Wireless":   ike_life: 10800s; ipsec_life: 3600s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP_Wireless":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0;
> interface: eth3;
> 000 "L2TP_Wireless":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "L2TP_Wireless"[2]:
> 10.5.5.1[10.5.5.1]:17/1701---137.x.x.x.x...10.5.5.2[192.168.50.138]:17/59512===192.168.50.138/32;
> erouted; eroute owner: #2
> 000 "L2TP_Wireless"[2]:   ike_life: 10800s; ipsec_life: 3600s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP_Wireless"[2]:   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio:
> 32,0; interface: eth3;
> 000 "L2TP_Wireless"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "L2TP_Wireless"[2]:   IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
> 000 "L2TP_Wireless"[2]:   ESP proposal: AES_CBC_256/HMAC_SHA1/<N/A>
> 000
> 000 #2: "L2TP_Wireless"[2] 10.5.5.2 STATE_QUICK_R2 (IPsec SA
> established); EVENT_SA_EXPIRE in 3302s; newest IPSEC; eroute owner
> 000 #2: "L2TP_Wireless"[2] 10.5.5.2 esp.53ae617 at 10.5.5.2 (0 bytes)
> esp.c809ae1c at 10.5.5.1 (0 bytes); transport
> 000 #1: "L2TP_Wireless"[2] 10.5.5.2 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_EXPIRE in 3301s; newest ISAKMP
> 
> I really appreciate the help!
> Thank you!
> Mark
> 
>> Subject: Re: [strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
>>
>> Hi Mark,
>>
>> does the problem still occur if you disable the IKEv2 charon daemon:
>>
>> charonstart=no
>>
>> It might be that charon loads the socket-default plugin and
>> binds to UDP port 500. If you want to run both pluto and charon,
>> make sure that charon loads the socket-raw plugin only.
>> The plugin list can be listed using
>>
>> ipsec statusall
>>
>> Regards
>>
>> Andreas
>>


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
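The two tcpdump captures quoted above tell the story by themselves: over 3g the client's IKE packets arrive from UDP port 16534 rather than 500 (a NAT on the path rewrote the source port) and the gateway never answers, while over wifi all six Main Mode messages and all three Quick Mode messages are exchanged, so the IPsec SA comes up and the failure must lie above IKE (L2TP/PPP). The following script is an added example for this thread, not strongSwan code and not from either poster; it parses `tcpdump -i ethX port 500` summary lines of the kind quoted (rejoining lines that a mail client wrapped) and reports those three observations: whether the responder replied, whether the initiator's source port was rewritten, and how far the exchange got. The embedded captures are constructed to match the quoted ones, with the poster's anonymised public addresses replaced by documentation-range addresses.

```python
"""Classify an IKEv1 exchange from tcpdump's one-line ISAKMP summaries.

Added example (not strongSwan code). Answers the questions a defender asks
first when a client "fails to connect": did the responder ever answer, did
the initiator's packets arrive from a port other than UDP 500 (a NAT on the
path rewrote it, which is why pluto needs nat_traversal=yes), and did the
exchange complete Quick Mode, i.e. was an IPsec SA actually negotiated.
"""
import re
from dataclasses import dataclass

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# e.g. "13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident"
# Ports are printed either as the service name "isakmp" or as a number.
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>isakmp|\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>isakmp|\d+): isakmp: "
    r"phase (?P<phase>\S+) (?P<role>[IR]) (?P<exch>.+)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    phase: str   # "1" or "2/others", as tcpdump prints it
    role: str    # "I" = initiator, "R" = responder
    exch: str    # "ident", "ident[E]", "oakley-quick[E]", ...


def _port(token: str) -> int:
    return 500 if token == "isakmp" else int(token)


def parse(capture: str) -> list:
    """Rejoin mail-wrapped lines, skip tcpdump's banner, parse each packet."""
    joined = []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line or line.startswith(("tcpdump:", "listening on")):
            continue
        if TS_RE.match(line):
            joined.append(line)
        elif joined:                      # continuation of a wrapped line
            joined[-1] += " " + line
    packets = []
    for line in joined:
        m = PKT_RE.match(line)
        if m is None:
            continue                      # not an ISAKMP summary line
        packets.append(Packet(m["ts"], m["src"], _port(m["sport"]),
                              m["dst"], _port(m["dport"]),
                              m["phase"], m["role"], m["exch"]))
    return packets


def diagnose(capture: str) -> dict:
    pkts = parse(capture)
    if not pkts:
        raise ValueError("no ISAKMP packets in capture")
    sent = [p for p in pkts if p.role == "I"]
    replies = [p for p in pkts if p.role == "R"]
    quick = [p for p in pkts if p.phase.startswith("2") and "quick" in p.exch]
    # The client sends IKE from UDP 500; any other source port at the
    # gateway means a NAT device on the path rewrote it.
    nat_suspected = any(p.sport != 500 for p in sent)
    if not replies:
        verdict = "responder_silent"
    elif len(quick) >= 3:                 # QM1, QM2, QM3 seen: IPsec SA negotiated
        verdict = "ipsec_established"
    else:
        verdict = "phase1_only"
    return {"verdict": verdict,
            "initiator_sent": len(sent),
            "responder_replied": len(replies),
            "quick_mode_messages": len(quick),
            "nat_suspected": nat_suspected}


# Constructed captures shaped like the two quoted in the thread. The public
# addresses are documentation ranges (RFC 5737), not the poster's.
IPAD_WIFI = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.079719 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.132013 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.134725 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.188516 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident[E]
13:57:09.189188 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident[E]
13:57:10.197248 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase
2/others I oakley-quick[E]
13:57:10.210796 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase
2/others R oakley-quick[E]
13:57:10.220899 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase
2/others I oakley-quick[E]
"""

ANDROID_3G = """\
14:07:00.700072 IP 198.51.100.2.16534 > 203.0.113.1.isakmp: isakmp: phase 1 I ident
14:07:11.507131 IP 198.51.100.2.16534 > 203.0.113.1.isakmp: isakmp: phase 1
I ident
14:07:21.696309 IP 198.51.100.2.16534 > 203.0.113.1.isakmp: isakmp: phase 1
I ident
14:07:31.133663 IP 198.51.100.2.16534 > 203.0.113.1.isakmp: isakmp: phase
1 I ident
"""

if __name__ == "__main__":
    for name, cap in (("iPad via wifi", IPAD_WIFI), ("Android via 3g", ANDROID_3G)):
        print(name, diagnose(cap))
```

For the 3g capture the script reports `responder_silent` with `nat_suspected` set, which is exactly the situation the reply above addresses with `nat_traversal=yes`; for the wifi capture it reports `ipsec_established`, matching the `STATE_QUICK_R2 (IPsec SA established)` line in `ipsec statusall`, so the iPad's remaining failure has to be looked for in the L2TP/PPP layer rather than in IKE.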