Thank you for the reply. I set charonstart=no and it failed on both my Android
over 3G and iPad over Wi-Fi.
I think I should now try the socket-raw option?
This is using my local wifi and iPad. Identical setup/problem as my public
config below.
No entries in daemon.log
iPad via wifi
[u...@machine ipsec]# tcpdump -i eth3 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.079719 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.132013 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.134725 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.188516 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident[E]
13:57:09.189188 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident[E]
13:57:10.197248 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:57:10.210796 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 2/others R oakley-quick[E]
13:57:10.220899 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
iPad fails to connect.
And via my Android over 3G.
Android via 3G
[u...@machine ipsec]# tcpdump -i eth1 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:07:00.700072 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
14:07:11.507131 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
14:07:21.696309 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
14:07:31.133663 IP 134.x.x.x.16534 > 137.x.x.x.isakmp: isakmp: phase 1 I ident
[u...@machine ipsec]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.0):
000 interface foo/foo aaaa::1:500
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.2.1:500
000 interface eth0/eth0 192.168.2.0:500
000 interface eth1/eth1 137.x.x.x:500
000 interface eth3/eth3 10.5.5.1:500
000 interface eth2/eth2 192.168.4.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp
hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP": 137.x.x.x[137.x.x.x]:17/1701---137.x.x.x...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "L2TP": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: eth1;
000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP_Wireless": 10.5.5.1[10.5.5.1]:17/1701---137.x.x.x...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "L2TP_Wireless": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP_Wireless": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: eth3;
000 "L2TP_Wireless": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP_Wireless"[2]: 10.5.5.1[10.5.5.1]:17/1701---137.x.x.x...10.5.5.2[192.168.50.138]:17/59512===192.168.50.138/32; erouted; eroute owner: #2
000 "L2TP_Wireless"[2]: ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP_Wireless"[2]: policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: eth3;
000 "L2TP_Wireless"[2]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "L2TP_Wireless"[2]: IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000 "L2TP_Wireless"[2]: ESP proposal: AES_CBC_256/HMAC_SHA1/<N/A>
000
000 #2: "L2TP_Wireless"[2] 10.5.5.2 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3302s; newest IPSEC; eroute owner
000 #2: "L2TP_Wireless"[2] 10.5.5.2 [email protected] (0 bytes) [email protected] (0 bytes); transport
000 #1: "L2TP_Wireless"[2] 10.5.5.2 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3301s; newest ISAKMP
I really appreciate the help!
Thank you!
Mark
> Subject: Re: [strongSwan] ikev1 on 4.5.0 vs 4.3.6 iPad/Android problem
>
> Hi Mark,
>
> does the problem still occur if you disable the IKEv2 charon daemon:
>
> charonstart=no
>
> It might be that charon loads the socket-default plugin and does
> binds to UDP port 500. If you want to run both pluto and charon
> make sure that charon loads the socket-raw plugin only.
> The plugin list can be listed using
>
> ipsec statusall
>
> Regards
>
> Andreas
>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
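The two captures in this message show different failure points: the iPad's trace on eth3 reaches the third Quick Mode message and pluto reports an established IPsec SA, while the Android's trace on eth1 is four unanswered Main Mode initiations. The script below is an added example, not code from the thread or from strongSwan, that turns a `tcpdump -i <if> port 500` capture into a stage token with a hint about where to look next, and reads `ss -lunp` (or `netstat -lunp`) output to list which processes hold UDP 500/4500, which is the check behind Andreas's charon/socket-default remark. The stage names, hint text and the sample inputs are mine; the sample captures are constructed to match the ones quoted above, and the `ss` sample is invented to show the charon/pluto clash.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): classify an IKEv1
# capture by how far the exchange got, and list the owners of UDP 500/4500.
# Stage names, hint text and all sample data below are constructed.

# Read unwrapped tcpdump lines on stdin, print one stage token.
ike_stage() {
    awk '
    /isakmp: phase 1 I ident/   { p1i++ }   # Main Mode, initiator -> responder
    /isakmp: phase 1 R ident/   { p1r++ }   # Main Mode, responder -> initiator
    /isakmp: phase 2\/others I/ { qmi++ }   # Quick Mode, initiator
    /isakmp: phase 2\/others R/ { qmr++ }   # Quick Mode, responder
    END {
        if (p1i == 0 && p1r == 0)      print "no-ike-traffic"
        else if (p1r == 0)             print "phase1-no-response"
        else if (p1i < 3 || p1r < 3)   print "phase1-incomplete"   # full Main Mode is 3 + 3 messages
        else if (qmi == 0)             print "phase1-complete-no-quick-mode"
        else if (qmi >= 2 && qmr >= 1) print "quick-mode-complete"  # QM1, QM2 and QM3 all seen
        else                           print "quick-mode-incomplete"
    }'
}

# Map a stage token to the next thing worth checking.
ike_advice() {
    case "$1" in
        no-ike-traffic)       echo "nothing reached this interface on UDP 500: wrong interface, NAT or firewall" ;;
        phase1-no-response)   echo "client retransmits, server silent: check which daemon owns UDP 500 here, then the firewall" ;;
        phase1-incomplete)    echo "Main Mode stalled: proposal or PSK mismatch, read pluto's log" ;;
        phase1-complete-no-quick-mode) echo "ISAKMP SA up, client never started Quick Mode" ;;
        quick-mode-complete)  echo "IPsec SA established: the failure is above IKE, capture UDP 1701 (L2TP) next" ;;
        quick-mode-incomplete) echo "Quick Mode stalled: ESP proposal or traffic selector mismatch" ;;
        *)                    echo "unknown stage $1" ;;
    esac
}

# Read `ss -lunp` or `netstat -lunp` output on stdin; print "port process"
# for every socket bound to UDP 500 or 4500, one per line, deduplicated.
udp_ike_owners() {
    awk '
    {
        port = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /:(500|4500)$/) { port = $i; sub(/.*:/, "", port) }
        if (port == "") next
        proc = "?"
        if (match($0, /\("[^"]+"/))                 # ss: users:(("pluto",pid=..,fd=..))
            proc = substr($0, RSTART + 2, RLENGTH - 3)
        else if (match($0, /[0-9]+\/[^ \t]+/)) {    # netstat: 1234/pluto
            proc = substr($0, RSTART, RLENGTH); sub(/.*\//, "", proc)
        }
        print port, proc
    }' | LC_ALL=C sort -u
}

# Succeed (exit 0) when more than one distinct process holds UDP 500.
udp500_conflict() {
    n=$(udp_ike_owners | awk '$1 == 500 { print $2 }' | LC_ALL=C sort -u | wc -l | tr -d ' ')
    [ "$n" -gt 1 ]
}

# Constructed samples, modelled on the two captures quoted in the thread.
IPAD_CAPTURE='13:57:09.052952 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.079719 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.132013 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident
13:57:09.134725 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident
13:57:09.188516 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 1 I ident[E]
13:57:09.189188 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 1 R ident[E]
13:57:10.197248 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:57:10.210796 IP 10.5.5.1.isakmp > 10.5.5.2.isakmp: isakmp: phase 2/others R oakley-quick[E]
13:57:10.220899 IP 10.5.5.2.isakmp > 10.5.5.1.isakmp: isakmp: phase 2/others I oakley-quick[E]'
ANDROID_CAPTURE='14:07:00.700072 IP 134.0.0.1.16534 > 137.0.0.1.isakmp: isakmp: phase 1 I ident
14:07:11.507131 IP 134.0.0.1.16534 > 137.0.0.1.isakmp: isakmp: phase 1 I ident
14:07:21.696309 IP 134.0.0.1.16534 > 137.0.0.1.isakmp: isakmp: phase 1 I ident
14:07:31.133663 IP 134.0.0.1.16534 > 137.0.0.1.isakmp: isakmp: phase 1 I ident'
# Invented `ss -lunp` output in which charon and pluto both hold UDP 500.
SS_SAMPLE='UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon",pid=2222,fd=12))
UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("pluto",pid=1111,fd=9))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon",pid=2222,fd=13))
UNCONN 0 0 0.0.0.0:1701 0.0.0.0:* users:(("xl2tpd",pid=3333,fd=5))'

s=$(printf '%s\n' "$IPAD_CAPTURE" | ike_stage);    echo "iPad:    $s: $(ike_advice "$s")"
s=$(printf '%s\n' "$ANDROID_CAPTURE" | ike_stage); echo "Android: $s: $(ike_advice "$s")"
printf '%s\n' "$SS_SAMPLE" | udp_ike_owners
if printf '%s\n' "$SS_SAMPLE" | udp500_conflict; then echo "UDP 500 is held by more than one daemon"; fi
```

On a live box replace the samples with `tcpdump -i eth1 port 500 | ike_stage` and `ss -lunp | udp_ike_owners`; the capture must not be line-wrapped by a mail client or the Quick Mode lines are not matched.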