[Swan] PSK+AGGRESSIVE+IKEV1_ALLOW

Chuck Wolber chuckwolber at gmail.com
Tue Jun 9 22:19:05 EEST 2015


On Tue, Jun 9, 2015 at 12:02 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 9 Jun 2015, Chuck Wolber wrote:
>
>
>> PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>>
>
> Jun  9 18:13:01 vpnserver pluto[6728]: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW (RoadWarriors-ikev1-aggr-psk)
> Jun  9 18:13:01 vpnserver pluto[6728]: | find_next_host_connection returns empty
> Jun  9 18:13:01 vpnserver pluto[6728]: packet from 10.1.0.4:500: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
>
>>                    conn RoadWarriors-ikev1-aggr-psk
>>                           authby=secret
>>                           aggrmode=yes
>>                           auto=add
>>                           rekey=no
>>                           pfs=no
>>                           left=10.1.0.1
>>                           leftid=@10.1.0.1
>>                           leftsubnet=0.0.0.0/0
>>                           rightaddresspool=10.1.0.10-10.1.0.254
>>                           right=%any
>>                           modecfgdns1=10.1.0.1
>>                           leftxauthserver=yes
>>                           rightxauthclient=yes
>>                           leftmodecfgserver=yes
>>                           rightmodecfgclient=yes
>>                           modecfgpull=yes
>>                           xauthby=alwaysok
>>                           dpddelay=30
>>                           dpdtimeout=120
>>                           dpdaction=clear
>>                           ike-frag=yes
>>                           ikev2=never
>>
>
> So it seems to match up. Odd. Can you show "ipsec status |grep RoadWarriors-ikev1-aggr-psk" ?


000 "RoadWarriors-ikev1-aggr-psk": 0.0.0.0/24===10.1.0.1<10.1.0.1>[@10.1.0.1,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "RoadWarriors-ikev1-aggr-psk":     oriented; my_ip=unset; their_ip=unset
000 "RoadWarriors-ikev1-aggr-psk":   xauth info: us:server, them:client, method:alwaysok; my_xauthuser=[any]; their_xauthuser=[any]
000 "RoadWarriors-ikev1-aggr-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns1:10.1.0.1, dns2:unset, domain:unset, banner:unset;
000 "RoadWarriors-ikev1-aggr-psk":   labeled_ipsec:no;
000 "RoadWarriors-ikev1-aggr-psk":    policy_label:unset;
000 "RoadWarriors-ikev1-aggr-psk":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "RoadWarriors-ikev1-aggr-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "RoadWarriors-ikev1-aggr-psk":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "RoadWarriors-ikev1-aggr-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "RoadWarriors-ikev1-aggr-psk":   conn_prio: 24,32; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "RoadWarriors-ikev1-aggr-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "RoadWarriors-ikev1-aggr-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;


..Ch:W..
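Added example, not part of this thread and not libreswan code: the diagnostic step Paul is doing by eye above (comparing the policy flags of the connection pluto found against the policy the rejection line demands) as a small Python script run over pluto log lines. The sample log is constructed: its "found policy", "find_next_host_connection" and "packet from" lines are copied in shape from the lines quoted in this thread, and a second connection named "office-rsa" with an RSASIG policy is invented so the comparison has something to exclude. The regexes assume the log wording shown in this thread; other libreswan versions may phrase these debug lines differently. The last helper lists every connection whose policy allows PSK in Aggressive Mode, which is useful to keep an eye on because that exchange lets any initiating peer obtain a hash derived from the PSK.

```python
import re
from dataclasses import dataclass

# Constructed sample log, shaped after the pluto debug lines quoted in the thread.
# The "office-rsa" connection is invented so that the policy comparison has a
# connection to reject; the other lines mirror the thread's output.
PLUTO_LOG = """\
Jun  9 18:13:01 vpnserver pluto[6728]: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW (RoadWarriors-ikev1-aggr-psk)
Jun  9 18:13:01 vpnserver pluto[6728]: | found policy = RSASIG+ENCRYPT+TUNNEL+IKEV1_ALLOW (office-rsa)
Jun  9 18:13:01 vpnserver pluto[6728]: | find_next_host_connection returns empty
Jun  9 18:13:01 vpnserver pluto[6728]: packet from 10.1.0.4:500: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
"""

# Assumed line shapes, taken from the thread; adjust if your pluto logs differ.
FOUND_RE = re.compile(r"\| found policy = (?P<policy>[A-Z0-9_+]+) \((?P<conn>[^)]+)\)")
REJECT_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial (?P<mode>\w+) Mode message from [\d.]+ "
    r"but no \(wildcard\) connection has been configured with policy (?P<policy>[A-Z0-9_+]+)"
)


def parse_policy(text: str) -> frozenset:
    """Split a pluto policy string such as PSK+AGGRESSIVE+IKEV1_ALLOW into its flags."""
    return frozenset(flag for flag in text.split("+") if flag)


@dataclass(frozen=True)
class Rejection:
    peer: str            # source address of the rejected IKE packet
    mode: str            # "Aggressive" in the thread's case
    required: frozenset  # policy flags pluto says no connection provides


def found_policies(log: str) -> dict:
    """Map each connection named in a 'found policy = ... (name)' line to its flag set."""
    return {m["conn"]: parse_policy(m["policy"]) for m in FOUND_RE.finditer(log)}


def rejections(log: str) -> list:
    """Extract every 'no (wildcard) connection ... configured with policy' rejection."""
    return [Rejection(m["peer"], m["mode"], parse_policy(m["policy"]))
            for m in REJECT_RE.finditer(log)]


def explain(log: str) -> dict:
    """For each rejected peer, list the connections whose policy already covers
    every required flag. A non-empty list means the policy flags are not the
    reason for the rejection, so the mismatch is in another selection criterion
    (host address, peer ID, IKE version, ...) rather than in the policy."""
    found = found_policies(log)
    return {
        r.peer: sorted(name for name, flags in found.items() if r.required <= flags)
        for r in rejections(log)
    }


def psk_aggressive_connections(log: str) -> list:
    """Audit helper: connections whose policy permits pre-shared-key
    authentication in IKEv1 Aggressive Mode."""
    return sorted(name for name, flags in found_policies(log).items()
                  if {"PSK", "AGGRESSIVE"} <= flags)


if __name__ == "__main__":
    for peer, names in explain(PLUTO_LOG).items():
        print(f"{peer}: connections whose policy covers the request: {names or 'none'}")
    print("PSK+AGGRESSIVE connections:", psk_aggressive_connections(PLUTO_LOG))
```

Run against the constructed log it reports that RoadWarriors-ikev1-aggr-psk covers PSK+AGGRESSIVE+IKEV1_ALLOW while office-rsa does not, which is the same conclusion Paul reaches above: the policy is not what is failing to match. Feeding it a real `ipsec pluto` debug log (plutodebug=control or similar) gives the same comparison without reading the flag lists by hand.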