[Swan] PSK+AGGRESSIVE+IKEV1_ALLOW
Chuck Wolber
chuckwolber at gmail.com
Tue Jun 9 22:19:05 EEST 2015
On Tue, Jun 9, 2015 at 12:02 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 9 Jun 2015, Chuck Wolber wrote:
>
>
>> PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>>
>
> Jun 9 18:13:01 vpnserver pluto[6728]: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW (RoadWarriors-ikev1-aggr-psk)
>
> Jun 9 18:13:01 vpnserver pluto[6728]: | find_next_host_connection returns empty
> Jun 9 18:13:01 vpnserver pluto[6728]: packet from 10.1.0.4:500: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
>
> conn RoadWarriors-ikev1-aggr-psk
>> authby=secret
>> aggrmode=yes
>> auto=add
>> rekey=no
>> pfs=no
>> left=10.1.0.1
>> leftid=@10.1.0.1
>> leftsubnet=0.0.0.0/0
>> rightaddresspool=10.1.0.10-10.1.0.254
>> right=%any
>> modecfgdns1=10.1.0.1
>> leftxauthserver=yes
>> rightxauthclient=yes
>> leftmodecfgserver=yes
>> rightmodecfgclient=yes
>> modecfgpull=yes
>> xauthby=alwaysok
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=clear
>> ike-frag=yes
>> ikev2=never
>>
>
> So it seems to match up. Odd. Can you show "ipsec status |grep
> RoadWarriors-ikev1-aggr-psk" ?

000 "RoadWarriors-ikev1-aggr-psk": 0.0.0.0/24===10.1.0.1<10.1.0.1>[@10.1.0.1,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "RoadWarriors-ikev1-aggr-psk": oriented; my_ip=unset; their_ip=unset
000 "RoadWarriors-ikev1-aggr-psk": xauth info: us:server, them:client, method:alwaysok; my_xauthuser=[any]; their_xauthuser=[any]
000 "RoadWarriors-ikev1-aggr-psk": modecfg info: us:server, them:client, modecfg policy:pull, dns1:10.1.0.1, dns2:unset, domain:unset, banner:unset;
000 "RoadWarriors-ikev1-aggr-psk": labeled_ipsec:no;
000 "RoadWarriors-ikev1-aggr-psk": policy_label:unset;
000 "RoadWarriors-ikev1-aggr-psk": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "RoadWarriors-ikev1-aggr-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "RoadWarriors-ikev1-aggr-psk": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "RoadWarriors-ikev1-aggr-psk": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "RoadWarriors-ikev1-aggr-psk": conn_prio: 24,32; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "RoadWarriors-ikev1-aggr-psk": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "RoadWarriors-ikev1-aggr-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;

..Ch:W..