Hi guys,

I have two roadwarriors: iPad and Android Phone using PSK.

I used 4.3.6, and both clients worked great. I recently upgraded to 4.5.0 and 
manually set the ike to version 1 per the changelog, as ikev2 is the new 
default. (I did try it with and without specifying the ike version.) But 
now... 4.5.0 does not respond to my isakmp requests from either device. I can 
reliably switch back to 4.3.6 and it works fine. I made sure to reinstall 
xl2tpd 1.2.6 after the 4.5.0 install. Arch Linux, on a 2.6.36 kernel. Port 500 is 
allowed on the firewall. The firewall is also the ipsec server. Watching 
daemon.log, there are no entries for these connections. 4.3.6 connections show 
up just fine in this log.

[u...@machine ipsec]# tcpdump -i eth1 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident

134.x.x.x is my Android client. 137.x.x.x is my server. eth1 is the outside 
public interface.

[u...@machine ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1701 


ipsec.conf

config setup
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=no
        charonstart=yes
        plutostart=yes
conn L2TP
        authby=psk
        pfs=no
        keyexchange=ikev1
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=137.x.x.x
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add


Any ideas? I dug through the archives and the 4.5.0 changelog, yet could not 
find anything other than the ikev1 requirement.
Would it be any big deal for me to just switch back to 4.3.6? Any additional 
security risks?

Thank you,
Mark


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
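The capture in the post shows the diagnostic signature of this failure: the client's "phase 1 I ident" (IKEv1 Main Mode initiator) packets arrive on port 500 about every ten seconds, and the server never sends a "phase 1 R ident" back, even though the INPUT chain accepts udp/500. The script below is an added example, not part of Mark's post or of strongSwan, that turns that eyeball check into a repeatable one: it reads saved `tcpdump port 500` output and lists every client whose IKEv1 phase 1 initiations got no responder packet from the server. The sample capture is constructed; it contains the four unanswered Android attempts quoted above plus a made-up client (198.51.100.7) that does get an answer, to show the contrast. The server address 137.x.x.x is taken from the post as-is.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan): flag IKEv1
# phase 1 initiators that never received a responder packet, using the text
# output of `tcpdump -i eth1 port 500` (with or without -n).

SERVER="137.x.x.x"   # assumption: the VPN server's public address, as in the post

# Constructed sample capture: the four unanswered Android attempts from the post
# plus a constructed, successfully answered client (198.51.100.7) for contrast.
SAMPLE_CAPTURE=$(cat <<'EOF'
12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:40:01.000000 IP 198.51.100.7.500 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
12:40:01.013000 IP 137.x.x.x.isakmp > 198.51.100.7.500: isakmp: phase 1 R ident
EOF
)

# unanswered_initiators SERVER_IP < capture
# Prints "<client_ip> <attempts>" for every client whose "phase 1 I" packets to
# SERVER_IP drew no "phase 1 R" packet from SERVER_IP. Output is sorted so it
# is stable across awk implementations.
unanswered_initiators() {
    awk -v server="$1" '
        # tcpdump prints "host.port" (port as a number with -n, or as a service
        # name such as "isakmp" without it); strip the trailing ":" and port.
        function host(f) { sub(/:$/, "", f); sub(/\.[^.]+$/, "", f); return f }

        # initiator -> server: count one attempt for the source host
        $2 == "IP" && /isakmp: phase 1 I/ && host($5) == server { init[host($3)]++ }

        # server -> initiator: record that this client got a responder packet
        $2 == "IP" && /isakmp: phase 1 R/ && host($3) == server { resp[host($5)]++ }

        END {
            for (c in init) if (!(c in resp)) print c, init[c]
        }' | sort
}

# Stand-alone run against the constructed sample; prints "134.x.x.x 4".
printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_initiators "$SERVER"
```

Against a live box, save a capture first (`tcpdump -n -i eth1 port 500 > ike.txt`, wait through a few client attempts, then `unanswered_initiators 137.x.x.x < ike.txt`). A client listed here with several attempts and zero replies, combined with an accepting INPUT chain and nothing in daemon.log, points at the IKE daemon rather than the network: the next thing to check is whether a daemon is actually bound to udp/500 on that interface (`netstat -ulnp` or `ss -ulnp`) and which daemon it is, since on strongSwan 4.x IKEv1 is handled by pluto and IKEv2 by charon.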
