Hi Mark, does the problem still occur if you disable the IKEv2 charon daemon:
  charonstart=no

It might be that charon loads the socket-default plugin and binds to UDP port 500. If you want to run both pluto and charon make sure that charon loads the socket-raw plugin only. The plugin list can be listed using

  ipsec statusall

Regards

Andreas

On 19.12.2010 20:06, Mark S. wrote
> hi guys,
>
> I have two roadwarriors: iPad and Android Phone using PSK.
>
> I used 4.3.6, both clients work great. I recently upgraded to 4.5.0 and
> manually set the ike to version 1 per the changelog, as ikev2 is the new
> default. (I did try it with and without specifying the ike version.) But
> now...4.5.0 does not respond to my isakmp requests from either device. I
> can reliably switch back to 4.3.6 and it works fine. I made sure to
> reinstall xl2tpd 1.2.6 after 4.5.0 install. Arch Linux, on 2.6.36
> kernel. Port 500 is allowed on the firewall. The firewall is also the
> ipsec server. Watching daemon.log, there are no entries for these
> connections. 4.3.6 connections show up just fine in this log.
>
> [u...@machine ipsec]# tcpdump -i eth1 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 12:35:36.470254 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 12:35:47.129753 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 12:35:56.544619 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
> 12:36:06.497248 IP 134.x.x.x.16529 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
>
> 134.x.x.x is my Android client. 137.x.x.x is my server. Eth1 is the
> outside public interface.
>
> [u...@machine ~]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701
>
>
> ipsec.conf
>
> config setup
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     nat_traversal=no
>     charonstart=yes
>     plutostart=yes
>
> conn L2TP
>     authby=psk
>     pfs=no
>     keyexchange=ikev1
>     rekey=no
>     type=tunnel
>     esp=aes128-sha1
>     ike=aes128-sha-modp1024
>     left=137.x.x.x
>     leftnexthop=%defaultroute
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/%any
>     rightsubnetwithin=0.0.0.0/0
>     auto=add
>
>
> any ideas? I dug through the archives and the 4.5.0 changelog, yet could
> not find anything other than the ikev1 requirement.
> Would it be any big deal for me just to switch back to 4.3.6? Any
> additional security risks?
>
> Thank you,
> Mark

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
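A quick offline check for the UDP 500 contention Andreas describes, added here as an example that is not part of the thread or of strongSwan itself: it reads charonstart/plutostart from ipsec.conf and the "loaded plugins:" line from saved "ipsec statusall" output (the exact wording of that line is an assumption) and flags the case where both daemons start but charon loads socket-default instead of socket-raw.

```shell
#!/bin/sh
# Added example (not from the thread). Flags the strongSwan 4.x situation
# Andreas describes: charonstart=yes and plutostart=yes while charon loads
# socket-default, so charon owns UDP 500 and pluto never sees IKEv1 traffic.

# conf_value CONF KEY -> value of "KEY=value" in ipsec.conf (last match wins,
# commented-out lines ignored). Assumes the plain key=value layout in the thread.
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'=\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# loaded_plugins STATUS -> plugin list from saved "ipsec statusall" output.
# Assumes a line of the form "  loaded plugins: aes des ... socket-default".
loaded_plugins() {
    sed -n 's/^.*loaded plugins:[[:space:]]*//p' "$1"
}

# check_port500 CONF STATUS -> 0 = pluto can bind UDP 500, 1 = charon takes it.
check_port500() {
    charon=$(conf_value "$1" charonstart)
    pluto=$(conf_value "$1" plutostart)
    plugins=$(loaded_plugins "$2")
    # strongSwan 4.x starts both daemons unless the config says otherwise.
    [ "${charon:-yes}" = yes ] || return 0
    [ "${pluto:-yes}" = yes ] || return 0
    case " $plugins " in
        *" socket-default "*) return 1 ;;
    esac
    return 0
}

# Constructed sample inputs mirroring Mark's config and two possible plugin sets.
tmp=$(mktemp -d)
printf 'config setup\n\tnat_traversal=no\n\tcharonstart=yes\n\tplutostart=yes\n' > "$tmp/ipsec.conf"
printf '  loaded plugins: aes sha1 random x509 kernel-netlink socket-default stroke\n' > "$tmp/status-default.txt"
printf '  loaded plugins: aes sha1 random x509 kernel-netlink socket-raw stroke\n' > "$tmp/status-raw.txt"

for status in status-default.txt status-raw.txt; do
    if check_port500 "$tmp/ipsec.conf" "$tmp/$status"; then
        echo "$status: ok, pluto can own UDP 500"
    else
        echo "$status: conflict, set charonstart=no or load socket-raw instead of socket-default"
    fi
done
```

On a live host, point the function at /etc/ipsec.conf and a file captured with "ipsec statusall > status.txt".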
