[Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW" [SOLVED]
Hugh Sparks
hugh at csparks.com
Fri Sep 20 21:34:31 UTC 2019
The Wizard Wooters got me close enough: I added these incantations:
    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1
Now Windows and iPhone clients work perfectly.
I spent 10 hours on this before I gave up and asked a question. What a great group!
Thanks,
-Hugh Sparks
On 9/20/2019 4:05 PM, Hugh Sparks wrote:
> I tried adding "ikev2=no" and got this error:
>
> Failed to add connection "L2TP-PSK": ike string error: IKE
> encryption algorithm 'aes_gcm256' is not supported by IKEv1
>
> Perhaps closer...
>
> Thanks again.
>
>
> On 9/20/2019 3:39 PM, Paul Wouters wrote:
>> Add ikev2=no
>>
>> The default changed from v1 to v2
>>
>> Paul
>>
>> Sent from my iPhone
>>
>>> On Sep 20, 2019, at 15:39, Hugh Sparks <hugh at csparks.com> wrote:
>>>
>>> New list member here.
>>>
>>> I have a server running Libreswan to allow iPhone and Windows
>>> clients access to the office LAN. This has worked for many years.
>>> (I never needed to join this list.)
>>>
>>> Recently, I did three server upgrades in quick succession going from
>>> Fedora 27 to Fedora 30. Something along the way broke the
>>> VPN service.
>>>
>>> When either type of client tries to make a connection, I see this
>>> message in the server journal:
>>>
>>> pluto[16000]: packet from p.q.r.s:t: \
>>> initial Main Mode message received on a.b.c.d:500
>>> but no connection has been authorized with policy
>>> PSK+IKEV1_ALLOW
>>>
>>> Working:
>>>
>>> Fedora 27 with libreswan-3.27-1.fc27.x86_64
>>>
>>> Not working:
>>>
>>> Fedora 30 with libreswan-3.29-1.fc30.x86_64
>>>
>>> This command shows everything [OK]
>>>
>>> ipsec verify
>>>
>>> This command adds the connection with no errors reported:
>>>
>>> ipsec auto --add L2TP-PSK
>>>
>>> Some configuration files:
>>>
>>> /etc/ipsec.d/myvpn.conf:
>>>
>>> conn L2TP-PSK
>>>     type=transport
>>>     authby=secret
>>>     pfs=no
>>>     auto=add
>>>     left=a.b.c.d
>>>     right=%any
>>>     leftprotoport=17/1701
>>>     rightprotoport=17/%any
>>>     dpddelay=15
>>>     dpdtimeout=30
>>>     dpdaction=clear
>>>
>>> ("a.b.c.d" is the public IP address of my server)
>>>
>>> /etc/ipsec.d/myvpn.secrets
>>>
>>> : PSK "some long key phrase"
>>>
>>> I can send more files if necessary, but it appears that the
>>> connection process never gets past "pluto"
>>>
>>> Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"
>>>
>>> The client settings are for L2TP/IPSEC with PSK.
>>>
>>> I have downloaded and searched the mailing list archives.
>>> I found two threads, but none with any clear resolution.
>>>
>>> All suggestions appreciated.
>>>
>>>
>>> Thanks!
>>>
>>>
>>>
>
>
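Added example, not part of the original thread and not Libreswan's own code: a small pre-upgrade check that flags conn blocks which leave `ikev2=` unset (the default that changed in this thread), and IKEv1-only conns whose `ike=` line is missing or names an AEAD cipher such as the `aes_gcm256` from the error above. The sample config is constructed from the thread, and the finding names and the `L2TP-PSK-fixed` conn name are hypothetical.

```python
import re

# Constructed sample: the thread's conn as first posted, plus a copy with the
# three lines from the resolution added (the second conn name is illustrative).
SAMPLE = """\
conn L2TP-PSK
    type=transport
    authby=secret
    auto=add

conn L2TP-PSK-fixed
    type=transport
    authby=secret
    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1
    auto=add
"""

# AEAD cipher names; the thread's error shows IKEv1 rejecting 'aes_gcm256'.
AEAD = re.compile(r"gcm|ccm|chacha", re.IGNORECASE)

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint(text):
    """Return (conn, finding) pairs for options left to version defaults."""
    findings = []
    for name, opts in parse_conns(text).items():
        if "ikev2" not in opts:
            findings.append((name, "ikev2-unset"))        # default may change on upgrade
        elif opts["ikev2"] in ("no", "never"):            # IKEv1-only connection
            if "ike" not in opts:
                findings.append((name, "ike-unset"))      # inherited proposals may not suit IKEv1
            elif AEAD.search(opts["ike"]):
                findings.append((name, "ike-aead-ikev1")) # e.g. aes_gcm256, rejected by IKEv1
    return findings

if __name__ == "__main__":
    for conn, finding in lint(SAMPLE):
        print(f"{conn}: {finding}")
```

The check does not follow `also=` or `conn %default` inheritance, so a finding means the option is absent from that conn block itself.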