[Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW" [SOLVED]

Hugh Sparks hugh at csparks.com
Fri Sep 20 21:34:31 UTC 2019


The Wizard Wouters got me close enough: I added these incantations:

     ikev2=no
     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
     esp=aes256-sha256,aes256-sha1,3des-sha1

Now Windows and iPhone clients work perfectly.

I spent 10 hours on this before I gave up and asked a question. What a great group!

Thanks,

-Hugh Sparks


On 9/20/2019 4:05 PM, Hugh Sparks wrote:
> I tried adding "ikev2=no" and got this error:
>
>     Failed to add connection "L2TP-PSK": ike string error: IKE encryption algorithm 'aes_gcm256' is not supported by IKEv1
>
> Perhaps closer...
>
> Thanks again.
>
>
> On 9/20/2019 3:39 PM, Paul Wouters wrote:
>> Add ikev2=no
>>
>> The default changed from v1 to v2
>>
>> Paul
>>
>> Sent from my iPhone
>>
>>> On Sep 20, 2019, at 15:39, Hugh Sparks <hugh at csparks.com> wrote:
>>>
>>> New list member here.
>>>
>>> I have a server running Libreswan to allow iPhone and Windows 
>>> clients access to the office LAN. This has worked for many years.
>>> (I never needed to join this list.)
>>>
>>> Recently, I did three server upgrades in quick succession going from 
>>> fedora 27 to fedora 30. Something along the way broke the
>>> VPN service.
>>>
>>> When either type of client tries to make a connection, I see this 
>>> message in the server journal:
>>>
>>>     pluto[16000]: packet from p.q.r.s:t: \
>>>         initial Main Mode message received on a.b.c.d:500
>>>         but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>>
>>> Working:
>>>
>>>     Fedora 27 with libreswan-3.27-1.fc27.x86_64
>>>
>>> Not working:
>>>
>>>     Fedora 30 with libreswan-3.29-1.fc30.x86_64
>>>
>>> This command shows everything [OK]
>>>
>>>     ipsec verify
>>>
>>> This command adds the connection with no errors reported:
>>>
>>>     ipsec auto --add L2TP-PSK
>>>
>>> Some configuration files:
>>>
>>> /etc/ipsec.d/myvpn.conf:
>>>
>>>     conn L2TP-PSK
>>>             type=transport
>>>             authby=secret
>>>             pfs=no
>>>             auto=add
>>>             left=a.b.c.d
>>>             right=%any
>>>             leftprotoport=17/1701
>>>             rightprotoport=17/%any
>>>             dpddelay=15
>>>             dpdtimeout=30
>>>             dpdaction=clear
>>>
>>>     ("a.b.c.d" is the public IP address of my server)
>>>
>>> /etc/ipsec.d/myvpn.secrets
>>>
>>>     : PSK "some long key phrase"
>>>
>>> I can send more files if necessary, but it appears that the 
>>> connection process never gets past "pluto"
>>>
>>> Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"
>>>
>>> The client settings are for L2TP/IPSEC with PSK.
>>>
>>> I have downloaded and searched the mailing list archives.
>>> I found two threads, but none with any clear resolution.
>>>
>>> All suggestions appreciated.
>>>
>>>
>>> Thanks!
>>>
>>>
>>>
>
>
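
An added example, not part of the thread and not Libreswan code: a small Python check over ipsec.conf-style text that flags the two conditions this thread ran into (a conn whose IKE version is left to the package default, and an AEAD cipher in ike= while IKEv1 is forced), plus the legacy algorithms kept for old clients. The parser, the finding codes and the sample conn names are assumptions made for illustration.

```python
import re

# AEAD ciphers cannot be IKEv1 IKE encryption (the thread's aes_gcm256 error).
AEAD = re.compile(r"(aes_gcm|aes_ccm|chacha20_poly1305)")
LEGACY = {"3des", "modp1024"}  # accepted for old clients; worth a periodic review

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {option: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            words = line.split()
            is_conn = words[0] == "conn" and len(words) > 1
            cur = conns.setdefault(words[1], {}) if is_conn else None
        elif cur is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def audit(conn):
    """Return a sorted list of finding codes for one conn's options."""
    found = set()
    ikev2 = conn.get("ikev2")
    if ikev2 is None:
        found.add("IKE_VERSION_IMPLICIT")  # outcome depends on the package default
    for opt in ("ike", "esp"):
        for prop in filter(None, conn.get(opt, "").lower().split(",")):
            tokens = re.split(r"[-;+]", prop.strip())
            v1_forced = ikev2 in ("no", "never")
            if opt == "ike" and v1_forced and any(AEAD.match(t) for t in tokens):
                found.add("AEAD_IN_IKEV1")
            if LEGACY & set(tokens):
                found.add("LEGACY_ALGORITHM")
    return sorted(found)

# Constructed sample: three stages of the thread's conn, with other options trimmed.
SAMPLE = """\
conn before-fix
    authby=secret
    leftprotoport=17/1701
conn v1-with-gcm
    ikev2=no
    ike=aes_gcm256-sha2
conn as-fixed
    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1
"""
```

Calling audit() on each entry of parse_conns(SAMPLE) gives one finding per stage; a conn that sets ikev2 explicitly and lists only current algorithms returns an empty list.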
