[Swan] PSK+AGGRESSIVE+IKEV1_ALLOW

Chuck Wolber chuckwolber at gmail.com
Tue Jun 9 21:31:00 EEST 2015


On Mon, Jun 8, 2015 at 8:55 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 8 Jun 2015, Chuck Wolber wrote:
>
>
>>  I am able to connect to the VPN server with a variety of methods, but
>> when I attempt to connect from within my application with the
>> Personal VPN API, I get the following message on the server side:
>>
>>       initial Aggressive Mode message from 10.1.0.4 but no (wildcard)
>> connection has been configured with policy
>>       PSK+AGGRESSIVE+IKEV1_ALLOW
>>
>
>>  When I check ipsec status, it seems like the policy should handle this:
>>
>> 000 "RoadWarriors-ikev1-aggr-psk":   policy:
>>
>> PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>>
>
> Note that the error message is a little misleading. While it does check
> some policy bits for the display, it does not tell you everything, so
> even if another important policy bit does not match, you will get the
> misleading "with policy PSK+AGGRESSIVE+IKEV1_ALLOW".
>
> For instance, this could be a pfs=yes/no mismatch. Or a subnet mismatch
> or ID mismatch.
>
>>       conn RoadWarriors-ikev1-aggr-psk
>>               authby=secret
>>               aggrmode=yes
>>               auto=add
>>               rekey=no
>>               pfs=no
>>               left=10.1.0.1
>>               leftid=@10.1.0.1
>>               leftsubnet=0.0.0.0/0
>>               rightaddresspool=10.1.0.10-10.1.0.254
>>               right=%any
>>               modecfgdns1=10.1.0.1
>>               leftxauthserver=yes
>>               rightxauthclient=yes
>>               leftmodecfgserver=yes
>>               rightmodecfgclient=yes
>>               modecfgpull=yes
>>               xauthby=alwaysok
>>               dpddelay=30
>>               dpdtimeout=120
>>               dpdaction=clear
>>               ike-frag=yes
>>               ikev2=never
>>
>
> It would help to see the matching plutodebug=all log so we can compare
> what you receive with what you configured.
>

I have attached the log file with plutodebug=all added to the setup
section. The log includes the IPSec daemon startup sequence. You can jump
directly to time index 18:13:01 for the connection attempt.

..Ch:W..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.log.gz
Type: application/x-gzip
Size: 11777 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150609/b298a824/attachment.gz>
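The point Paul makes in the quoted reply, that the "with policy PSK+AGGRESSIVE+IKEV1_ALLOW" message only shows a few of the bits pluto compares, can be turned into a small triage helper. The script below is an added example, not libreswan code and not something from the thread: it reads the pluto error line and `ipsec status` output, finds the conns whose displayed policy bits cover the request, and for those lists the settings that must also agree with the client but are absent from the error (pfs, a wildcard `right`, `leftid`/`leftsubnet`). The sample lines are constructed from the thread (the status line re-joined onto one line, the conn block trimmed); the second "Office" conn and all function names are assumptions.

```python
"""Triage helper for the pluto message
'initial Aggressive Mode message from X but no (wildcard) connection has been
configured with policy ...'. Constructed sample data modelled on the thread;
this is not libreswan's own connection-matching code."""
import re

LOG_LINE = ("initial Aggressive Mode message from 10.1.0.4 but no (wildcard) "
            "connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW")

# `ipsec status` prints each policy on one line; the mailing list wrapped it.
STATUS_OUTPUT = [
    '000 "RoadWarriors-ikev1-aggr-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY'
    '+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;',
    # Constructed second conn (not from the thread) that lacks AGGRESSIVE.
    '000 "Office-ikev1-main-psk":   policy: PSK+ENCRYPT+TUNNEL+IKEV1_ALLOW;',
]

# Trimmed copy of the conn block from the thread, in ipsec.conf syntax.
CONN_CONFIG = """\
conn RoadWarriors-ikev1-aggr-psk
    authby=secret
    aggrmode=yes
    pfs=no
    left=10.1.0.1
    leftid=@10.1.0.1
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=10.1.0.10-10.1.0.254
    ikev2=never
"""

LOG_RE = re.compile(r"message from (\S+) but no .*?with policy (\S+)$")
STATUS_RE = re.compile(r'^000 "([^"]+)":\s+policy:\s+([A-Z0-9_+]+);')


def parse_log_line(line):
    """Return (peer_ip, set of policy bits pluto says it was looking for)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 'no connection has been configured' log line")
    return m.group(1), set(m.group(2).split("+"))


def parse_status(lines):
    """Map conn name -> set of policy bits, from `ipsec status` output."""
    conns = {}
    for line in lines:
        m = STATUS_RE.match(line)
        if m:
            conns[m.group(1)] = set(m.group(2).split("+"))
    return conns


def parse_conn_blocks(text):
    """Parse ipsec.conf 'conn NAME' blocks into {name: {key: value}}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            blocks[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            blocks[current][key.strip()] = value.strip()
    return blocks


def review_candidates(log_line, status_lines, conn_text):
    """For each conn whose displayed policy bits cover the request, list the
    settings that must ALSO agree with the peer but never appear in the error."""
    peer, required = parse_log_line(log_line)
    configs = parse_conn_blocks(conn_text)
    report = []
    for name, bits in parse_status(status_lines).items():
        entry = {"conn": name, "peer": peer, "bits_match": required <= bits,
                 "missing_bits": sorted(required - bits), "also_check": []}
        if entry["bits_match"]:
            cfg = configs.get(name, {})
            entry["also_check"].append(
                f"pfs={cfg.get('pfs', '<unset>')} must match the client's proposal")
            if cfg.get("right", "") != "%any":
                entry["also_check"].append(
                    f"right={cfg.get('right', '<unset>')} is not a wildcard; peer is {peer}")
            entry["also_check"].append(
                f"leftid={cfg.get('leftid', '<unset>')} / leftsubnet="
                f"{cfg.get('leftsubnet', '<unset>')} must match what the client sends")
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in review_candidates(LOG_LINE, STATUS_OUTPUT, CONN_CONFIG):
        print(entry)
```

Run against real data, the inputs would be the pluto log line, `ipsec status` output and the live ipsec.conf; a conn that reports `bits_match` True and still fails is exactly the case Paul describes, and the `also_check` items are where to look next in the plutodebug=all log.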