[Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW"
Andrew Cagney
andrew.cagney at gmail.com
Sat Sep 21 01:58:22 UTC 2019
On Fri, 20 Sep 2019 at 17:05, Hugh Sparks <hugh at csparks.com> wrote:
>
> I tried adding "ikev2=no" and got this error:
>
> Failed to add connection "L2TP-PSK": ike string error: IKE encryption algorithm 'aes_gcm256' is not supported by IKEv1
IKEv1 doesn't support AES GCM for IKE (only ESP). One way to get this error is:
- force IKEv1, and
- include ike=aes_gcm256 in the config file
but I didn't notice ike=... in the config? So I'm a little puzzled.
For reference, the code leading into the error is:
if (!LIN(POLICY_AUTH_NEVER, wm->policy) &&
    (wm->ike != NULL || c->ike_version == IKEv2)) {
        const struct proposal_policy proposal_policy = {
                .....
                .ignore_parser_errors = (wm->ike == NULL),
        };
        struct proposal_parser *parser =
                ike_proposal_parser(&proposal_policy);
        c->ike_proposals.p =
                proposals_from_str(parser, wm->ike);
        if (c->ike_proposals.p == NULL) {
                pexpect(parser->error[0]); /* something */
                loglog(RC_FATAL, "Failed to add connection \"%s\": ike string error: %s",
                       wm->name, parser->error);
Notice how it should ignore errors when there's no ike= line.
Andrew
> Perhaps closer...
>
> Thanks again.
>
>
> On 9/20/2019 3:39 PM, Paul Wouters wrote:
> > Add ikev2=no
> >
> > The default changed from v1 to v2
> >
> > Paul
> >
> > Sent from my iPhone
> >
> >> On Sep 20, 2019, at 15:39, Hugh Sparks <hugh at csparks.com> wrote:
> >>
> >> New list member here.
> >>
> >> I have a server running Libreswan to allow iphone and Windows clients access to the office LAN. This has worked for many years.
> >> (I never needed to join this list.)
> >>
> >> Recently, I did three server upgrades in quick succession going from fedora 27 to fedora 30. Something along the way broke the
> >> VPN service.
> >>
> >> When either type of client tries to make a connection, I see this message in the server journal:
> >>
> >> pluto[16000]: packet from p.q.r.s:t: \
> >> initial Main Mode message received on a.b.c.d:500
> >> but no connection has been authorized with policy PSK+IKEV1_ALLOW
> >>
> >> Working:
> >>
> >> Fedora 27 with libreswan-3.27-1.fc27.x86_64
> >>
> >> Not working:
> >>
> >> Fedora 30 with libreswan-3.29-1.fc30.x86_64
> >>
> >> This command shows everything [OK]
> >>
> >> ipsec verify
> >>
> >> This command adds the connection with no errors reported:
> >>
> >> ipsec auto --add L2TP-PSK
> >>
> >> Some configuration files:
> >>
> >> /etc/ipsec.d/myvpn.conf:
> >>
> >> conn L2TP-PSK
> >>     type=transport
> >>     authby=secret
> >>     pfs=no
> >>     auto=add
> >>     left=a.b.c.d
> >>     right=%any
> >>     leftprotoport=17/1701
> >>     rightprotoport=17/%any
> >>     dpddelay=15
> >>     dpdtimeout=30
> >>     dpdaction=clear
> >>
> >> ("a.b.c.d" is the public IP address of my server)
> >>
> >> /etc/ipsec.d/myvpn.secrets
> >>
> >> : PSK "some long key phrase"
> >>
> >> I can send more files if necessary, but it appears that the connection process never gets past "pluto"
> >>
> >> Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"
> >>
> >> The client settings are for L2TP/IPSEC with PSK.
> >>
> >> I have downloaded and searched the mailing list archives.
> >> I found two threads, but none with any clear resolution.
> >>
> >> All suggestions appreciated.
> >>
> >>
> >> Thanks!
> >>
> >>
> >>
> >> --
> >>
> >> Mail: hugh at csparks.com <mailto:hugh at csparks.com> Office: 952-955-2800 Mobile: 612-247-2714
> >>
> >> _______________________________________________
> >> Swan mailing list
> >> Swan at lists.libreswan.org
> >> https://lists.libreswan.org/mailman/listinfo/swan
>
>
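Added example, not libreswan code and not from any poster: a small Python checker that applies the two points made in this thread (the ikev2 default flipping from v1 to v2 between 3.27 and 3.29, and the quoted rule that ike= parse errors are only ignored when there is no ike= line) to the posted conn section. The conn text is copied from the post; the ike= value used in the test, the ikev2 handling (only no/never modelled as IKEv1, other keywords ignored) and the list of AEAD ciphers are assumptions.

```python
"""Constructed checker for a single libreswan 'conn' section.

Decides which IKE version a conn will use and whether an explicit ike= line
is acceptable for that version, mirroring the behaviour discussed on the list.
Not libreswan code; the ikev2 keyword handling is deliberately simplified.
"""
import re

# Constructed sample: the poster's conn as posted, then with Paul's ikev2=no added.
CONF_ORIGINAL = """conn L2TP-PSK
    type=transport
    authby=secret
    pfs=no
    auto=add
    left=a.b.c.d
    right=%any
    leftprotoport=17/1701
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
"""
CONF_FIXED = CONF_ORIGINAL + "    ikev2=no\n"

# AEAD transforms that IKEv1 can use for ESP but not for the IKE SA (assumption).
IKEV1_UNSUPPORTED_IKE_ENCR = ("aes_gcm", "aes_ccm", "chacha20_poly1305")

def parse_conn(text):
    """Return (name, {option: value}) for one 'conn NAME' block; comments are skipped."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    m = re.match(r"conn\s+(\S+)$", lines[0])
    if not m:
        raise ValueError("expected a 'conn NAME' header line")
    opts = {}
    for line in lines[1:]:
        key, _, val = line.partition("=")
        opts[key.strip()] = val.strip()
    return m.group(1), opts

def effective_ike_version(opts, default_ikev2="yes"):
    """3.29 defaults ikev2=yes (the change Paul mentions); pass default_ikev2='no' for 3.27 behaviour."""
    return 1 if opts.get("ikev2", default_ikev2).lower() in ("no", "never") else 2

def check_ike_line(opts, version):
    """Mirror the quoted code: with no ike= line there is nothing to parse, so no error."""
    ike = opts.get("ike")
    if ike is None:
        return []  # corresponds to .ignore_parser_errors = (wm->ike == NULL)
    problems = []
    for proposal in ike.split(","):
        encr = proposal.split("-")[0].strip().lower()  # first element is the encryption algorithm
        if version == 1 and encr.startswith(IKEV1_UNSUPPORTED_IKE_ENCR):
            problems.append(f"IKE encryption algorithm '{encr}' is not supported by IKEv1")
    return problems

def will_accept_ikev1_psk(text, default_ikev2="yes"):
    """True if this conn can answer an IKEv1 Main Mode PSK initiator (what L2TP/IPsec clients send)."""
    _, opts = parse_conn(text)
    version = effective_ike_version(opts, default_ikev2)
    return version == 1 and opts.get("authby") == "secret" and not check_ike_line(opts, version)
```

Running `will_accept_ikev1_psk` on the posted conn with the 3.27 default returns True and with the 3.29 default returns False, which is exactly the "no connection has been authorized with policy PSK+IKEV1_ALLOW" situation; adding ikev2=no makes it True again.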