[Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW"
Hugh Sparks
hugh at csparks.com
Fri Sep 20 21:05:02 UTC 2019
I tried adding "ikev2=no" and got this error:
Failed to add connection "L2TP-PSK": ike string error: IKE encryption algorithm 'aes_gcm256' is not supported by IKEv1
Perhaps closer...
Thanks again.
On 9/20/2019 3:39 PM, Paul Wouters wrote:
> Add ikev2=no
>
> The default changed from v1 to v2
>
> Paul
>
> Sent from my iPhone
>
>> On Sep 20, 2019, at 15:39, Hugh Sparks <hugh at csparks.com> wrote:
>>
>> New list member here.
>>
>> I have a server running Libreswan to allow iphone and Windows clients access to the office LAN. This has worked for many years.
>> (I never needed to join this list.)
>>
>> Recently, I did three server upgrades in quick succession going from fedora 27 to fedora 30. Something along the way broke the
>> VPN service.
>>
>> When either type of client tries to make a connection, I see this message in the server journal:
>>
>> pluto[16000]: packet from p.q.r.s:t: \
>> initial Main Mode message received on a.b.c.d:500
>> but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>
>> Working:
>>
>> Fedora 27 with libreswan-3.27-1.fc27.x86_64
>>
>> Not working:
>>
>> Fedora 30 with libreswan-3.29-1.fc30.x86_64
>>
>> This command shows everything [OK]
>>
>> ipsec verify
>>
>> This command adds the connection with no errors reported:
>>
>> ipsec auto --add L2TP-PSK
>>
>> Some configuration files:
>>
>> /etc/ipsec.d/myvpn.conf:
>>
>> conn L2TP-PSK
>>     type=transport
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     left=a.b.c.d
>>     right=%any
>>     leftprotoport=17/1701
>>     rightprotoport=17/%any
>>     dpddelay=15
>>     dpdtimeout=30
>>     dpdaction=clear
>>
>> ("a.b.c.d" is the public IP address of my server)
>>
>> /etc/ipsec.d/myvpn.secrets
>>
>> : PSK "some long key phrase"
>>
>> I can send more files if necessary, but it appears that the connection process never gets past "pluto"
>>
>> Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"
>>
>> The client settings are for L2TP/IPSEC with PSK.
>>
>> I have downloaded and searched the mailing list archives.
>> I found two threads, but none with any clear resolution.
>>
>> All suggestions appreciated.
>>
>>
>> Thanks!
>>
>>
>>
>> --
>>
>> Mail: hugh at csparks.com <mailto:hugh at csparks.com> Office: 952-955-2800 Mobile: 612-247-2714
>>
--
Mail: hugh at csparks.com <mailto:hugh at csparks.com> Office: 952-955-2800
Mobile: 612-247-2714
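
Added example (not part of the thread and not Libreswan code): a small Python check for the two conditions seen in this exchange, a conn that leaves ikev2 unset and so follows the changed default, and a conn forced to IKEv1 whose ike= proposals include an AEAD cipher such as the aes_gcm256 that pluto rejected. The ike= lines and the "site-b" conn in the sample are constructed; treating ikev2=never like ikev2=no, and every gcm/ccm/chacha20 name as IKEv2-only, are assumptions of the example.

```python
import re

# The page's error shows pluto rejecting 'aes_gcm256' under IKEv1. Matching
# every gcm/ccm/chacha20 name as IKEv2-only is an assumption of this example.
AEAD = re.compile(r"gcm|ccm|chacha20", re.I)

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line starts a section
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def lint(text):
    """Return sorted (conn, finding) pairs for IKE version/algorithm mismatches."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, opts in conns.items():
        eff = {**defaults, **opts}             # conn options override %default
        ikev2 = eff.get("ikev2")
        if ikev2 is None:
            findings.append((name, "ikev2 unset: relies on version default"))
        elif ikev2.lower() in ("no", "never"):
            for prop in eff.get("ike", "").split(","):
                if AEAD.search(prop):
                    findings.append((name, "IKEv1 with AEAD ike proposal: " + prop.strip()))
    return sorted(findings)

# Constructed sample: the conn name and ikev2=no come from the thread; both
# the ike= line and the "site-b" conn are hypothetical.
SAMPLE = """\
conn %default
    ike=aes_gcm256-sha2,aes256-sha2;modp2048
conn L2TP-PSK
    authby=secret
    ikev2=no
conn site-b
    authby=secret
"""
```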