[Swan] PSK+AGGRESSIVE+IKEV1_ALLOW

Chuck Wolber chuckwolber at gmail.com
Tue Jun 9 05:50:32 EEST 2015


I am running Libreswan 3.14rc1 on CentOS 7.1.1503 with all updates applied.
This environment is only being used as a dev/test/proof-of-concept
environment, and is not being exposed to the Internet. SELinux and iptables
have been turned off.

My goal is to start using the Apple provided Personal VPN API to
programmatically control the VPN from within an application running on iOS
8.3. It should be noted that this is a different VPN client than the built-in
Cisco VPN IPSEC client. For Xcode developers, this is part of the
NetworkExtension bundle.

I am able to connect to the VPN server with a variety of methods, but when
I attempt to connect from within my application with the Personal VPN API,
I get the following message on the server side:

initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW


This is my server side configuration:

conn RoadWarriors-ikev1-aggr-psk
        authby=secret
        aggrmode=yes
        auto=add
        rekey=no
        pfs=no
        left=10.1.0.1
        leftid=@10.1.0.1
        leftsubnet=0.0.0.0/0
        rightaddresspool=10.1.0.10-10.1.0.254
        right=%any
        modecfgdns1=10.1.0.1
        leftxauthserver=yes
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
        xauthby=alwaysok
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        ike-frag=yes
        ikev2=never



When I check ipsec status, it seems like the policy should handle this:

000 "RoadWarriors-ikev1-aggr-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;

For reference, the full set of connection logs is:

Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: received Vendor ID payload [FRAGMENTATION 80000000]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: received Vendor ID payload [RFC 3947]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: received Vendor ID payload [Dead Peer Detection]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW


Google does not seem to have any answers, nor does the man page for
ipsec.conf. A look in the source code does not turn up anything obvious
either. Is there something I am missing in the configuration?

..Ch:W..
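A small triage helper for the situation described in this post, added here as an example and not code from the post or from the Libreswan project: it parses the pluto "packet from" log lines (vendor IDs received or ignored, and the policy pluto says it could not find a connection for) together with the policy line from `ipsec status`, and for each conn reports which required flags are missing and which conn flags are not in pluto's required set. The sample log and status lines are the ones quoted above, re-joined onto single lines. The treatment of XAUTH as a flag that only matches when the peer announces it is an assumption of this script, not something the post states; the script merely makes the difference visible so it can be checked against the Libreswan source or the iOS client settings.

```python
import re
from collections import OrderedDict

# Constructed sample input: the pluto log lines quoted in the post, re-joined.
PLUTO_LOG = """\
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: received Vendor ID payload [FRAGMENTATION 80000000]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: received Vendor ID payload [RFC 3947]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: received Vendor ID payload [Dead Peer Detection]
Jun  9 02:41:43 vpnserver pluto[4733]: packet from 10.1.0.4:500: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
"""

# Constructed sample input: the `ipsec status` policy line quoted in the post.
IPSEC_STATUS = (
    '000 "RoadWarriors-ikev1-aggr-psk":   policy: '
    'PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;'
)

PACKET_RE = re.compile(r'pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<port>\d+): (?P<msg>.*)$')
VID_RE = re.compile(r'^(?P<action>received|ignoring) Vendor ID payload \[(?P<vid>[^\]]+)\]$')
NOCONN_RE = re.compile(r'no \(wildcard\) connection has been configured with policy (?P<policy>[A-Z0-9_+]+)$')
STATUS_RE = re.compile(r'^\d+ "(?P<name>[^"]+)":\s+policy: (?P<policy>[A-Z0-9_+]+);')

# Assumption (not stated in the post): flags that pluto only considers a match
# when the peer itself announced them. The peer announces XAUTH via a vendor ID,
# which pluto logs as "received Vendor ID payload [XAUTH]".
PEER_ANNOUNCED = {'XAUTH': 'XAUTH'}  # policy flag -> vendor ID name


def parse_pluto_log(text):
    """Group 'packet from' lines by peer: vendor IDs seen and the policy pluto looked for."""
    peers = OrderedDict()
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        info = peers.setdefault(m['peer'], {'received': [], 'ignored': [], 'required_policy': None})
        v = VID_RE.match(m['msg'])
        if v:
            info['received' if v['action'] == 'received' else 'ignored'].append(v['vid'])
            continue
        n = NOCONN_RE.search(m['msg'])
        if n:
            info['required_policy'] = set(n['policy'].split('+'))
    return peers


def parse_ipsec_status(text):
    """Map each conn name in `ipsec status` output to its set of policy flags."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            conns[m['name']] = set(m['policy'].split('+'))
    return conns


def diagnose(peers, conns):
    """For every (peer, conn) pair explain why the conn could or could not be the wildcard match."""
    report = OrderedDict()
    for peer, info in peers.items():
        required = info['required_policy']
        if required is None:
            continue  # this peer never hit the "no (wildcard) connection" failure
        for name, policy in conns.items():
            missing = sorted(required - policy)
            # Conn flags the peer must announce but that pluto did not put in its required set.
            unannounced = sorted(
                flag for flag, vid in PEER_ANNOUNCED.items()
                if flag in policy and flag not in required and vid not in info['received']
            )
            report[(peer, name)] = {
                'missing': missing,
                'unannounced': unannounced,
                'candidate': not missing and not unannounced,
            }
    return report


if __name__ == '__main__':
    peers = parse_pluto_log(PLUTO_LOG)
    conns = parse_ipsec_status(IPSEC_STATUS)
    for (peer, name), r in diagnose(peers, conns).items():
        print(f'{peer} vs "{name}": candidate={r["candidate"]} '
              f'missing={r["missing"]} unannounced={r["unannounced"]}')
```

Run against a real `/var/log/secure` (or journal) extract and the output of `ipsec status`, the script lists, per peer, every conn that lacks a required flag and every conn that carries a peer-announced flag the peer never sent; a conn that passes both checks is the one pluto should have picked, so an empty candidate list narrows the search to the flags it names.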