[Swan] PSK+AGGRESSIVE+IKEV1_ALLOW

Paul Wouters paul at nohats.ca
Tue Jun 9 22:02:19 EEST 2015


On Tue, 9 Jun 2015, Chuck Wolber wrote:

>             PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;

Jun  9 18:13:01 vpnserver pluto[6728]: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW (RoadWarriors-ikev1-aggr-psk)

Jun  9 18:13:01 vpnserver pluto[6728]: | find_next_host_connection returns empty
Jun  9 18:13:01 vpnserver pluto[6728]: packet from 10.1.0.4:500: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

>                   conn RoadWarriors-ikev1-aggr-psk
>                           authby=secret
>                           aggrmode=yes
>                           auto=add
>                           rekey=no
>                           pfs=no  
>                           left=10.1.0.1
>                           leftid=@10.1.0.1
>                           leftsubnet=0.0.0.0/0
>                           rightaddresspool=10.1.0.10-10.1.0.254
>                           right=%any
>                           modecfgdns1=10.1.0.1
>                           leftxauthserver=yes
>                           rightxauthclient=yes
>                           leftmodecfgserver=yes
>                           rightmodecfgclient=yes
>                           modecfgpull=yes
>                           xauthby=alwaysok
>                           dpddelay=30
>                           dpdtimeout=120
>                           dpdaction=clear
>                           ike-frag=yes
>                           ikev2=never

So it seems to match up. Odd. Can you show "ipsec status |grep RoadWarriors-ikev1-aggr-psk"?

Paul
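
The flag-by-flag comparison behind "it seems to match up", as an added example that is not part of the original message and is not Libreswan code. The function names are hypothetical, and the rule that a conn is eligible when the requested flags are a subset of its policy is an assumption of this example.

```python
import re

# Log lines taken from the message above; the first entry is left wrapped
# across three lines, the way a mail client folds long pluto debug output.
SAMPLE_LOG = """\
Jun  9 18:13:01 vpnserver pluto[6728]: | found policy =
PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
(RoadWarriors-ikev1-aggr-psk)
Jun  9 18:13:01 vpnserver pluto[6728]: | find_next_host_connection returns empty
Jun  9 18:13:01 vpnserver pluto[6728]: packet from 10.1.0.4:500: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
FOUND = re.compile(r"\| found policy = (\S+) \((\S+)\)")
WANTED = re.compile(r"no \(wildcard\) connection has been configured with policy (\S+)")

def unwrap(text):
    """Re-join folded entries: a line without a syslog timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def compare_policies(text):
    """For each rejected initial message, list the requested flags each candidate conn lacks.
    Assumption of this example: a conn is eligible when the requested flags are a subset of its policy."""
    candidates, results = {}, []
    for entry in unwrap(text):
        found = FOUND.search(entry)
        wanted = WANTED.search(entry)
        if found:
            candidates[found.group(2)] = set(found.group(1).split("+"))
        elif wanted:
            need = set(wanted.group(1).split("+"))
            missing = {conn: sorted(need - have) for conn, have in candidates.items()}
            results.append((sorted(need), missing))
            candidates = {}
    return results

if __name__ == "__main__":
    for need, missing in compare_policies(SAMPLE_LOG):
        print("requested:", "+".join(need))
        for conn, lacks in missing.items():
            print(f"  {conn}: {'lacks ' + '+'.join(lacks) if lacks else 'all requested flags present'}")
```

For the quoted log this reports no missing flags for RoadWarriors-ikev1-aggr-psk, so the policy bits alone do not account for the rejection.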

