[Swan] PSK+AGGRESSIVE+IKEV1_ALLOW

Paul Wouters paul at nohats.ca
Tue Jun 9 06:55:45 EEST 2015


On Mon, 8 Jun 2015, Chuck Wolber wrote:

> My goal is to start using the Apple provided Personal VPN API to programmatically control the VPN from within an application running on
> iOS 8.3. It should be noted that this is a different VPN client than the built in Cisco VPN IPSEC client. For Xcode developers, this is
> part of the NetworkExtension bundle.

I'm not sure what this means in practice....

> I am able to connect to the VPN server with a variety of methods, but when I attempt to connect from within my application with the
> Personal VPN API, I get the following message on the server side:
>
>       initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy
>       PSK+AGGRESSIVE+IKEV1_ALLOW

> When I check ipsec status, it seems like the policy should handle this:
> 
> 000 "RoadWarriors-ikev1-aggr-psk":   policy:
> PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;

Note that the error message is a little misleading. While it does check
some policy bits for the display, it does not tell you everything, so
even if another important policy bit does not match, you will get the
misleading "with policy PSK+AGGRESSIVE+IKEV1_ALLOW".

For instance, this could be a pfs=yes/no mismatch. Or a subnet mismatch
or ID mismatch.


>       conn RoadWarriors-ikev1-aggr-psk
>               authby=secret
>               aggrmode=yes
>               auto=add
>               rekey=no
>               pfs=no  
>               left=10.1.0.1
>               leftid=@10.1.0.1
>               leftsubnet=0.0.0.0/0
>               rightaddresspool=10.1.0.10-10.1.0.254
>               right=%any
>               modecfgdns1=10.1.0.1
>               leftxauthserver=yes
>               rightxauthclient=yes
>               leftmodecfgserver=yes
>               rightmodecfgclient=yes
>               modecfgpull=yes
>               xauthby=alwaysok
>               dpddelay=30
>               dpdtimeout=120
>               dpdaction=clear
>               ike-frag=yes
>               ikev2=never

It would help to see the matching plutodebug=all log so we can compare
what you receive with what you configured.

Paul
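As an added troubleshooting aid, not code from the thread or from libreswan, the helper below parses the `ipsec status` policy line and the pluto error quoted above, confirms that the bits the error displays do match the connection, and then lists the settings the reply names (pfs, subnet, ID) as the values to compare against the plutodebug=all log. The sample strings are constructed from the thread, and the regular expressions assume the 2015-era output format shown there.

```python
import re

# Constructed samples shaped like the thread's status line, pluto error and conn block.
STATUS_LINE = ('000 "RoadWarriors-ikev1-aggr-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH'
               '+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;')
ERROR_LINE = ('initial Aggressive Mode message from 10.1.0.4 but no (wildcard) '
              'connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW')
CONN_BLOCK = """conn RoadWarriors-ikev1-aggr-psk
        pfs=no
        leftid=@10.1.0.1
        leftsubnet=0.0.0.0/0
"""
STATUS_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)":\s+policy:\s+(?P<bits>[A-Z0-9_+]+);')
ERROR_RE = re.compile(r'configured with policy (?P<bits>[A-Z0-9_+]+)')
HIDDEN_CHECKS = ('pfs', 'leftsubnet', 'rightsubnet', 'leftid', 'rightid')  # never shown in the error

def parse_status_policy(line):
    """Return (conn name, set of policy bits) from an 'ipsec status' policy line."""
    m = STATUS_RE.match(line)
    if not m:
        raise ValueError('not a policy line: %r' % line)
    return m.group('conn'), set(m.group('bits').split('+'))

def parse_error_policy(line):
    """Return the policy bits pluto printed in the 'no connection' error."""
    m = ERROR_RE.search(line)
    if not m:
        raise ValueError('no policy in error line: %r' % line)
    return set(m.group('bits').split('+'))

def parse_conn(block):
    """Return the key=value settings of one ipsec.conf conn block."""
    settings = {}
    for raw in block.strip().splitlines()[1:]:  # skip the 'conn NAME' header
        key, _, value = raw.strip().partition('=')
        settings[key] = value
    return settings

def triage(status_line, error_line, conn_block):
    """Check the displayed bits and list what the error message leaves out."""
    conn, have = parse_status_policy(status_line)
    want = parse_error_policy(error_line)
    settings = parse_conn(conn_block)
    return {
        'conn': conn,
        'displayed_bits_match': want <= have,  # True here, as in the thread
        'missing_bits': sorted(want - have),
        'bits_not_in_error': sorted(have - want),
        'compare_in_debug_log': {k: settings[k] for k in HIDDEN_CHECKS if k in settings},
    }
```

When `displayed_bits_match` is true and `missing_bits` is empty, the policy bits in the error are not the problem, and the `compare_in_debug_log` values are the ones to check against what the peer actually sent.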

