[Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW"

Hugh Sparks hugh at csparks.com
Fri Sep 20 21:05:02 UTC 2019


I tried adding "ikev2=no" and got this error:

     Failed to add connection "L2TP-PSK": ike string error: IKE encryption algorithm 'aes_gcm256' is not supported by IKEv1

Perhaps closer...

Thanks again.


On 9/20/2019 3:39 PM, Paul Wouters wrote:
> Add ikev2=no
>
> The default changed from v1 to v2
>
> Paul
>
> Sent from my iPhone
>
>> On Sep 20, 2019, at 15:39, Hugh Sparks <hugh at csparks.com> wrote:
>>
>> New list member here.
>>
>> I have a server running Libreswan to allow iPhone and Windows clients access to the office LAN. This has worked for many years.
>> (I never needed to join this list.)
>>
>> Recently, I did three server upgrades in quick succession going from Fedora 27 to Fedora 30. Something along the way broke the
>> VPN service.
>>
>> When either type of client tries to make a connection, I see this message in the server journal:
>>
>>     pluto[16000]: packet from p.q.r.s:t: \
>>         initial Main Mode message received on a.b.c.d:500
>>         but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>
>> Working:
>>
>>     Fedora 27 with libreswan-3.27-1.fc27.x86_64
>>
>> Not working:
>>
>>     Fedora 30 with libreswan-3.29-1.fc30.x86_64
>>
>> This command shows everything [OK]
>>
>>     ipsec verify
>>
>> This command adds the connection with no errors reported:
>>
>>     ipsec auto --add L2TP-PSK
>>
>> Some configuration files:
>>
>> /etc/ipsec.d/myvpn.conf:
>>
>>     conn L2TP-PSK
>>             type=transport
>>             authby=secret
>>             pfs=no
>>             auto=add
>>             left=a.b.c.d
>>             right=%any
>>             leftprotoport=17/1701
>>             rightprotoport=17/%any
>>             dpddelay=15
>>             dpdtimeout=30
>>             dpdaction=clear
>>
>>     ("a.b.c.d" is the public IP address of my server)
>>
>> /etc/ipsec.d/myvpn.secrets
>>
>>     : PSK "some long key phrase"
>>
>> I can send more files if necessary, but it appears that the connection process never gets past "pluto"
>>
>> Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"
>>
>> The client settings are for L2TP/IPSEC with PSK.
>>
>> I have downloaded and searched the mailing list archives.
>> I found two threads, but none with any clear resolution.
>>
>> All suggestions appreciated.
>>
>>
>> Thanks!
>>
>>
>>
>> -- 
>>
>> Mail: hugh at csparks.com Office: 952-955-2800 Mobile: 612-247-2714
>>


-- 

Mail: hugh at csparks.com Office: 952-955-2800 Mobile: 612-247-2714
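Added example, not part of the original messages and not Libreswan's own code: a small Python check over ipsec.conf-style text for the two conditions this thread runs into, a conn that leaves ikev2= unset (so it follows the package default, which the reply says changed from v1 to v2) and an ikev2=no conn whose ike= line names an aes_gcm algorithm. The sample config, the conn name L2TP-PSK-v1 and its ike= line are constructed for illustration.

```python
import re

# Constructed sample modelled on the thread's conn. The second conn and its
# ike= line are assumptions added to trigger the GCM check.
SAMPLE = """\
conn L2TP-PSK
    type=transport
    authby=secret
    left=a.b.c.d
    right=%any

conn L2TP-PSK-v1
    ikev2=no
    authby=secret
    ike=aes_gcm256-sha2,aes256-sha1;modp2048
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line.startswith("config "):
            current = None                    # "config setup" is not a conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def lint(text):
    """Flag the two conditions discussed in the thread, per conn."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, opts in conns.items():
        eff = {**defaults, **opts}            # conn %default values are inherited
        if "ikev2" not in eff:
            findings.append((name, "ikev2 unset: IKE version follows the package default"))
        elif eff["ikev2"] == "no":
            bad = [p for p in re.split(r"[,\s]+", eff.get("ike", "")) if p.startswith("aes_gcm")]
            if bad:
                findings.append((name, "IKEv1 conn lists GCM in ike=: " + ",".join(bad)))
    return findings

if __name__ == "__main__":
    for conn, msg in lint(SAMPLE):
        print(f"{conn}: {msg}")
```

Running it against the files under /etc/ipsec.d before and after a distribution upgrade shows which conns depend on the default IKE version rather than an explicit setting.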


