[Swan] PSK+AGGRESSIVE+IKEV1_ALLOW
Chuck Wolber
chuckwolber at gmail.com
Tue Jun 9 21:31:00 EEST 2015
On Mon, Jun 8, 2015 at 8:55 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 8 Jun 2015, Chuck Wolber wrote:
>
>
>> I am able to connect to the VPN server with a variety of methods, but
>> when I attempt to connect from within my application with the
>> Personal VPN API, I get the following message on the server side:
>>
>> initial Aggressive Mode message from 10.1.0.4 but no (wildcard)
>> connection has been configured with policy
>> PSK+AGGRESSIVE+IKEV1_ALLOW
>>
>> When I check ipsec status, it seems like the policy should handle this:
>>
>> 000 "RoadWarriors-ikev1-aggr-psk": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>>
>
> Note that the error message is a little misleading. While it does check
> some policy bits for the display, it does not tell you everything, so
> even if another important policy bit does not match, you will get the
> misleading "with policy PSK+AGGRESSIVE+IKEV1_ALLOW".
>
> For instance, this could be a pfs=yes/no mismatch. Or a subnet mismatch
> or ID mismatch.
>
>> conn RoadWarriors-ikev1-aggr-psk
>>     authby=secret
>>     aggrmode=yes
>>     auto=add
>>     rekey=no
>>     pfs=no
>>     left=10.1.0.1
>>     leftid=@10.1.0.1
>>     leftsubnet=0.0.0.0/0
>>     rightaddresspool=10.1.0.10-10.1.0.254
>>     right=%any
>>     modecfgdns1=10.1.0.1
>>     leftxauthserver=yes
>>     rightxauthclient=yes
>>     leftmodecfgserver=yes
>>     rightmodecfgclient=yes
>>     modecfgpull=yes
>>     xauthby=alwaysok
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=clear
>>     ike-frag=yes
>>     ikev2=never
>>
>
> It would help to see the matching plutodebug=all log so we can compare
> what you receive with what you configured.
>
I have attached the log file with plutodebug=all added to the setup
section. The log includes the IPSec daemon startup sequence. You can jump
directly to time index 18:13:01 for the connection attempt.
..Ch:W..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.log.gz
Type: application/x-gzip
Size: 11777 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150609/b298a824/attachment.gz>
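
A triage helper for the point made in the quoted reply, as an added example that is not part of the original message or of libreswan: it takes the pluto log message and the `ipsec status` policy line as pasted in the mail (quote markers and line wraps included) and lists, per connection, which policy bits named in the error are absent. An empty list means every displayed bit is present, so the mismatch lies in something the message does not show. All function names are hypothetical.

```python
import re

# Excerpt copied from the quoted message above, mail quote markers and
# line wraps left in place.
MAIL_EXCERPT = """\
>> initial Aggressive Mode message from 10.1.0.4 but no (wildcard)
>> connection has been configured with policy
>> PSK+AGGRESSIVE+IKEV1_ALLOW
>>
>> 000 "RoadWarriors-ikev1-aggr-psk": policy:
>>
>> PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
"""

BITS = r"([A-Z0-9_]+(?:\+[A-Z0-9_]+)*)"
REQUESTED_RE = re.compile(r"configured with policy\s+" + BITS)
STATUS_RE = re.compile(r'^\d{3}\s+"([^"]+)":\s+policy:\s*' + BITS + r"\s*;", re.M)


def unquote(text):
    """Strip leading '>' quote markers so wrapped lines can be rejoined."""
    return "\n".join(re.sub(r"^[>\s]+", "", line) for line in text.splitlines())


def requested_bits(text):
    """Policy bits named in pluto's 'no connection configured' message."""
    m = REQUESTED_RE.search(text)
    return set(m.group(1).split("+")) if m else set()


def configured_bits(text):
    """Map connection name -> policy bits from 'ipsec status' policy lines."""
    return {m.group(1): set(m.group(2).split("+")) for m in STATUS_RE.finditer(text)}


def triage(pasted):
    """Per connection, the requested bits that its policy line lacks."""
    text = unquote(pasted)
    want = requested_bits(text)
    return {name: sorted(want - have) for name, have in configured_bits(text).items()}


if __name__ == "__main__":
    for name, missing in triage(MAIL_EXCERPT).items():
        if missing:
            print(f"{name}: policy lacks {'+'.join(missing)}")
        else:
            # Every displayed bit is present, so the mismatch is in something
            # the message does not show (the reply suggests pfs, subnet or ID).
            print(f"{name}: displayed bits all present; compare pfs, subnets and IDs")
```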