[strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem

Mark S. aikikid at hotmail.com
Sun Dec 19 22:30:35 CET 2010


I concur, thank you Mr Steffen. IPsec shows good.
I believe the issue may be with xl2tpd. 

I am getting these errors upon trying to connect with the Android. The iPad doesn't even seem to make it past the ipsec toward xl2tpd, as there are no entries when it tries to connect. I tried swapping between nat_traversal yes and no. Same results.

Dec 19 15:09:13 localhost xl2tpd[13458]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Dec 19 15:09:13 localhost xl2tpd[13458]: handle_packet: bad control packet!
Dec 19 15:09:13 localhost xl2tpd[13458]: network_thread: bad packet
Dec 19 15:09:13 localhost xl2tpd[13458]: build_fdset: closing down tunnel 33169
Dec 19 15:09:14 localhost xl2tpd[13458]: network_thread: select timeout
Dec 19 15:09:15 localhost xl2tpd[13458]: network_thread: select timeout
Dec 19 15:09:16 localhost xl2tpd[13458]: network_thread: select timeout
Dec 19 15:09:17 localhost xl2tpd[13458]: network_thread: select timeout
Dec 19 15:09:18 localhost xl2tpd[13458]: network_thread: select timeout
Dec 19 15:09:18 localhost xl2tpd[13458]: Maximum retries exceeded for tunnel 12086.  Closing.
Dec 19 15:09:18 localhost xl2tpd[13458]: Unable to deliver closing message for tunnel 19313. Destroying anyway.


[user at machine etc]# cat xl2tpd/xl2tpd.conf
[global]
debug network = yes
debug tunnel = yes
[lns default]
ip range = 192.168.2.220-192.168.2.222
local ip = 192.168.2.219
require chap = yes
refuse pap = yes
require authentication = yes
name = 137.x.x.x
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


[user at machine etc]# cat /etc/ppp/options.xl2tpd 
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.2.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
lcp-echo-interval 60
lcp-echo-failure 10


Anything weird stand out? All of this stuff worked with 4.3.6 with no modifications to these configs...

I think I might peel out xl2tpd and rebuild it from scratch.

Thanks,
Mark
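The log excerpt above shows the pattern that matters when splitting an L2TP/IPsec failure: pluto reports an IPsec SA established, yet xl2tpd rejects the first control packet and tears the tunnel down. The following triage script is an added example, not code from this thread or from strongSwan/xl2tpd. It parses the xl2tpd syslog lines and the `ipsec statusall` output quoted further down (both embedded below as constructed samples, with the wrapped status lines re-joined and `@` restored where the list archive printed ` at `) and reports which layer to look at first. The regexes are assumptions fitted to the line shapes visible in this thread, not a specification of either tool's log format.

```python
"""Triage helper for a pluto + xl2tpd (L2TP/IPsec) road-warrior gateway.

Added example, not code from this thread or from strongSwan/xl2tpd.  It reads
the xl2tpd syslog lines and the output of `ipsec statusall` and says whether a
failed client died in the IPsec layer (no phase 2 SA) or in the L2TP layer
(SA up, xl2tpd tearing tunnels down).  Regexes are assumptions fitted to the
line shapes seen in the thread.
"""
import re

# Constructed samples copied from the thread (status lines re-joined, ' at ' -> '@').
XL2TPD_LOG = """\
Dec 19 15:09:13 localhost xl2tpd[13458]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Dec 19 15:09:13 localhost xl2tpd[13458]: handle_packet: bad control packet!
Dec 19 15:09:13 localhost xl2tpd[13458]: network_thread: bad packet
Dec 19 15:09:13 localhost xl2tpd[13458]: build_fdset: closing down tunnel 33169
Dec 19 15:09:18 localhost xl2tpd[13458]: Maximum retries exceeded for tunnel 12086.  Closing.
Dec 19 15:09:18 localhost xl2tpd[13458]: Unable to deliver closing message for tunnel 19313. Destroying anyway.
"""

STATUSALL = """\
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP_Wireless":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP_Wireless"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "L2TP_Wireless"[2] 10.5.5.2 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3302s; newest IPSEC; eroute owner
000 #2: "L2TP_Wireless"[2] 10.5.5.2 esp.53ae617@10.5.5.2 (0 bytes) esp.c809ae1c@10.5.5.1 (0 bytes); transport
000 #1: "L2TP_Wireless"[2] 10.5.5.2 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3301s; newest ISAKMP
"""

XL2TPD_RE = re.compile(r"xl2tpd\[\d+\]: (?:\w+: )?(?P<msg>.*)$")
OOO_RE = re.compile(r"out of order control packet on tunnel (?P<tid>-?\d+) \(got (?P<got>\d+), expected (?P<exp>\d+)\)")
TUNNEL_RE = re.compile(r"tunnel (?P<tid>\d+)\b")
SA_RE = re.compile(r'^000 (?P<conn>"[^"]+"(?:\[\d+\])?):\s+newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<esp>\d+);')
STATE_RE = re.compile(r'^000 #(?P<num>\d+): (?P<conn>"[^"]+"(?:\[\d+\])?) (?P<peer>\S+) (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')
BYTES_RE = re.compile(r"esp\.[0-9a-f]+(?:@| at )\S+ \((\d+) bytes\)")


def parse_xl2tpd(text):
    """Summarise xl2tpd control-channel trouble: sequence errors, bad packets, closed tunnels."""
    out = {"out_of_order": [], "bad_packets": 0, "tunnels_closed": set()}
    for line in text.splitlines():
        m = XL2TPD_RE.search(line)
        if not m:
            continue
        msg = m["msg"]
        o = OOO_RE.search(msg)
        if o:  # control message whose sequence number (Ns) did not match the expected one
            out["out_of_order"].append((int(o["tid"]), int(o["got"]), int(o["exp"])))
        elif "bad packet" in msg or "bad control packet" in msg:
            out["bad_packets"] += 1
        elif "closing" in msg.lower():
            t = TUNNEL_RE.search(msg)
            if t:
                out["tunnels_closed"].add(int(t["tid"]))
    return out


def parse_statusall(text):
    """Return {conn: {ike_sa, ipsec_sa}} and {sa_number: {conn, peer, state, desc, bytes}}."""
    conns, sas = {}, {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            conns[m["conn"]] = {"ike_sa": int(m["ike"]), "ipsec_sa": int(m["esp"])}
            continue
        m = STATE_RE.match(line)
        if m:
            sas[int(m["num"])] = {"conn": m["conn"], "peer": m["peer"],
                                  "state": m["state"], "desc": m["desc"], "bytes": None}
            continue
        head = re.match(r"^000 #(\d+): ", line)
        counts = BYTES_RE.findall(line)
        if head and counts:  # per-direction ESP byte counters of an established SA
            sas.setdefault(int(head.group(1)), {})["bytes"] = [int(n) for n in counts]
    return conns, sas


def diagnose(xl2tpd_text, statusall_text):
    """Combine both views into a report; 'verdict' names the layer to look at first."""
    l2tp = parse_xl2tpd(xl2tpd_text)
    conns, sas = parse_statusall(statusall_text)
    report = {
        "ipsec_phase2_up": [(sa["conn"], sa["peer"]) for sa in sas.values()
                            if "IPsec SA established" in sa.get("desc", "")],
        "idle_conns": sorted(c for c, v in conns.items() if v["ike_sa"] == 0 and v["ipsec_sa"] == 0),
        "esp_zero_bytes": sorted(n for n, sa in sas.items() if sa.get("bytes") and not any(sa["bytes"])),
        "l2tp_sequence_errors": l2tp["out_of_order"],
        "l2tp_tunnels_closed": sorted(l2tp["tunnels_closed"]),
    }
    if not report["ipsec_phase2_up"]:
        report["verdict"] = ("IPsec layer: no phase 2 SA; for NATed clients check nat_traversal=yes, "
                             "and make sure only one daemon owns UDP 500")
    elif report["l2tp_sequence_errors"] or report["l2tp_tunnels_closed"]:
        report["verdict"] = "L2TP layer: IPsec SAs come up but xl2tpd rejects the control channel"
    else:
        report["verdict"] = "no failure visible in these excerpts"
    return report


if __name__ == "__main__":
    for key, value in diagnose(XL2TPD_LOG, STATUSALL).items():
        print(f"{key}: {value}")
```

On the samples from this thread the report lists one peer with phase 2 up, two idle connections, an ESP SA that has carried 0 bytes in both directions, one out-of-order control packet on tunnel -1 (got 1, expected 0) and three closed tunnels, and the verdict points at the L2TP layer; fed only status output with no established SA it points at the IPsec layer instead, which is where the NAT-traversal and UDP-500 checks discussed in the thread belong.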



> Date: Sun, 19 Dec 2010 21:48:37 +0100
> From: andreas.steffen at strongswan.org
> To: aikikid at hotmail.com
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
> 
> Since you have a NAT situation over 3g you must activate NAT Traversal
> with
> 
>    nat_traversal=yes
> 
> Over WIFI the tunnel is successfully established.
> 
> Regards
> 
> Andreas
> 
> On 19.12.2010 21:19, Mark S. wrote:
> > thank you for the reply. I set charonstart=no and it failed on both my
> > Android over 3g and iPad over wifi.
> > 
> > I think I should now try the socket-raw option?
> > 
> > This is using my local wifi and iPad. Identical setup/problem as my
> > public config below.
> > 
> > No entries in daemon.log
> > 
> > iPad via wifi
> > [user at machine ipsec]# tcpdump -i eth3 port 500
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I
> > ident
> > 13:57:09.079719 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R
> > ident
> > 13:57:09.132013 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I
> > ident
> > 13:57:09.134725 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R
> > ident
> > 13:57:09.188516 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I
> > ident[E]
> > 13:57:09.189188 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R
> > ident[E]
> > 13:57:10.197248 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase
> > 2/others I oakley-quick[E]
> > 13:57:10.210796 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase
> > 2/others R oakley-quick[E]
> > 13:57:10.220899 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase
> > 2/others I oakley-quick[E]
> > 
> > iPad fails to connect.
> > 
> > And via my Android over 3g.
> > Android via 3g
> > [user at machine ipsec]# tcpdump -i eth1 port 500
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 14:07:00.700072 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I
> > ident
> > 14:07:11.507131 IP 134.x.x.x..16534 > 137.x.x.x.isakmp: isakmp: phase 1
> > I ident
> > 14:07:21.696309 IP 134.x.x.x..16534 > 137.x.x.x.isakmp: isakmp: phase 1
> > I ident
> > 14:07:31.133663 IP 134..x.x.x..16534 > 137.x.x.x..isakmp: isakmp: phase
> > 1 I ident
> > 
> > 
> > [user at machine ipsec]# ipsec statusall
> > 000 Status of IKEv1 pluto daemon (strongSwan 4.5.0):
> > 000 interface foo/foo aaaa::1:500
> > 000 interface lo/lo ::1:500
> > 000 interface lo/lo 127.0.0.1:500
> > 000 interface eth0/eth0 192.168.2.1:500
> > 000 interface eth0/eth0 192.168.2.0:500
> > 000 interface eth1/eth1 137.x.x.x:500
> > 000 interface eth3/eth3 10.5.5.1:500
> > 000 interface eth2/eth2 192.168.4.1:500
> > 000 %myid = '%any'
> > 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey
> > pem gmp hmac xauth attr kernel-netlink resolve
> > 000 debug options: none
> > 000
> > 000 "L2TP":
> > 137.x.x.x.[137.x.x.x.]:17/1701---137.x.x.x....%any[%any]:17/%any==={0.0.0.0/0};
> > unrouted; eroute owner: #0
> > 000 "L2TP":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
> > rekey_fuzz: 100%; keyingtries: 3
> > 000 "L2TP":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0;
> > interface: eth1;
> > 000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> > 000 "L2TP_Wireless":
> > 10.5.5.1[10.5.5.1]:17/1701---137.xx.x.x...%any[%any]:17/%any==={0.0.0.0/0};
> > unrouted; eroute owner: #0
> > 000 "L2TP_Wireless":   ike_life: 10800s; ipsec_life: 3600s;
> > rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> > 000 "L2TP_Wireless":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0;
> > interface: eth3;
> > 000 "L2TP_Wireless":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> > 000 "L2TP_Wireless"[2]:
> > 10.5.5.1[10.5.5.1]:17/1701---137.x.x.x.x...10.5.5.2[192.168.50.138]:17/59512===192.168.50.138/32;
> > erouted; eroute owner: #2
> > 000 "L2TP_Wireless"[2]:   ike_life: 10800s; ipsec_life: 3600s;
> > rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> > 000 "L2TP_Wireless"[2]:   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio:
> > 32,0; interface: eth3;
> > 000 "L2TP_Wireless"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
> > 000 "L2TP_Wireless"[2]:   IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
> > 000 "L2TP_Wireless"[2]:   ESP proposal: AES_CBC_256/HMAC_SHA1/<N/A>
> > 000
> > 000 #2: "L2TP_Wireless"[2] 10.5.5.2 STATE_QUICK_R2 (IPsec SA
> > established); EVENT_SA_EXPIRE in 3302s; newest IPSEC; eroute owner
> > 000 #2: "L2TP_Wireless"[2] 10.5.5.2 esp.53ae617 at 10.5.5.2 (0 bytes)
> > esp.c809ae1c at 10.5.5.1 (0 bytes); transport
> > 000 #1: "L2TP_Wireless"[2] 10.5.5.2 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> > established); EVENT_SA_EXPIRE in 3301s; newest ISAKMP
> > 
> > I really appreciate the help!
> > Thank you!
> > Mark
> > 
> >> Subject: Re: [strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
> >>
> >> Hi Mark,
> >>
> >> does the problem still occur if you disable the IKEv2 charon daemon:
> >>
> >> charonstart=no
> >>
> >> It might be that charon loads the socket-default plugin and
> >> binds to UDP port 500. If you want to run both pluto and charon
> >> make sure that charon loads the socket-raw plugin only.
> >> The plugin list can be listed using
> >>
> >> ipsec statusall
> >>
> >> Regards
> >>
> >> Andreas
> >>
> 
> 
> -- 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==