[Swan] no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

1one.w01f dev.1one.w01f at gmail.com
Sun Mar 13 15:18:59 EET 2022


Hi there,

I have an old client app that only does IKEv1 aggressive mode and XAUTH 
with PSK. I know it's not ideal, but we're interested in testing that 
client and we're not planning on letting it have access to anything 
sensitive.

Anyway, I am using libreswan 3.29 (from apt) on Ubuntu 20.04, and 
followed the example on the libreswan Wiki 
(https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK) 
and used the following config on the server:

    # libreswan /etc/ipsec.conf configuration file
    config setup
        protostack=netkey
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual-private=%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
        # PSK clients can have the same ID if they send it based on IP address.
        uniqueids=no
        logfile="/var/log/ipsec.log"
        plutodebug="all"

    conn xauth-psk
        authby=secret
        pfs=no
        auto=add
        rekey=no
        left=<server.address.redacted>
        leftsubnet=0.0.0.0/0
        rightaddresspool=10.231.247.10-10.231.247.254
        right=%any
        # make cisco clients happy
        cisco-unity=yes
        # address of your internal DNS server
        #modecfgdns=10.231.247.1
        # versions up to 3.22 used modecfgdns1 and modecfgdns2
        #modecfgdns1=10.231.247.1
        leftxauthserver=yes
        rightxauthclient=yes
        #leftmodecfgserver=yes
        #rightmodecfgclient=yes
        #modecfgpull=yes
        xauthby=file
        aggressive=yes
        # configure pam via /etc/pam.d/pluto
        #xauthby=pam
        # xauthby=alwaysok MUST NOT be used with PSK
        # Can be played with below
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # xauthfail=soft
        ikev2=never
        ike-frag=yes

The PSK is stored in /etc/ipsec.secrets like this:

    # /etc/ipsec.secrets
    : PSK "NotTheRealPSK"

Unfortunately, I keep getting this in the libreswan log:

    Mar 13 16:19:44.370045: | find_host_connection me=<server.address.redacted>:500 him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW
    Mar 13 16:19:44.370061: | find_host_pair: comparing <server.address.redacted>:500 to 0.0.0.0:500
    Mar 13 16:19:44.370087: | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
    Mar 13 16:19:44.370105: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-psk)
    Mar 13 16:19:44.370117: | find_next_host_connection returns empty
    Mar 13 16:19:44.370135: packet from 192.168.12.87:1500: initial Aggressive Mode message from 192.168.12.87 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

This is quite odd, as the policy found seems to be a match. It also seems 
quite similar to the problem discussed in a 7-year-old thread 
(https://www.mail-archive.com/swan@lists.libreswan.org/msg00581.html), 
but I don't see a way to fix this problem in that discussion.

Any thoughts on this would be highly appreciated.

Thanks.

Cheers,
Wolf
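A small triage helper, added here as an example and not part of the original post or of libreswan: it parses the plutodebug lines quoted above (re-joined onto single lines, with the server address kept as the post's placeholder) and lists, for each conn pluto reported under "found policy", which flags of the requested policy it lacks and which extra flags it carries. It does not reproduce libreswan's own connection-matching logic; it only makes the flag-set difference visible.

```python
"""Compare the policy an Aggressive Mode request needs against the
policy of every conn pluto reported while searching for a match."""
import re

# Constructed sample: the debug lines from the post, unwrapped onto
# single lines as pluto writes them to /var/log/ipsec.log.
SAMPLE_LOG = """\
Mar 13 16:19:44.370045: | find_host_connection me=<server.address.redacted>:500 him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW
Mar 13 16:19:44.370061: | find_host_pair: comparing <server.address.redacted>:500 to 0.0.0.0:500
Mar 13 16:19:44.370087: | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
Mar 13 16:19:44.370105: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-psk)
Mar 13 16:19:44.370117: | find_next_host_connection returns empty
"""

# Policy the responder derived from the peer's first message.
WANTED_RE = re.compile(r"find_host_connection .*?policy=(\S+)")
# Policy of a candidate conn, followed by the conn name in parentheses.
FOUND_RE = re.compile(r"found policy = (\S+) \((\S+)\)")


def parse_policy(text):
    """Split a '+'-joined policy string into a set of flag names."""
    return frozenset(text.split("+"))


def extract(log):
    """Return (wanted_policy, {conn_name: policy}) from a pluto log."""
    wanted, found = None, {}
    for line in log.splitlines():
        m = WANTED_RE.search(line)
        if m and wanted is None:
            wanted = parse_policy(m.group(1))
        m = FOUND_RE.search(line)
        if m:
            found[m.group(2)] = parse_policy(m.group(1))
    return wanted, found


def compare(wanted, found):
    """For each conn: required flags it lacks, and flags it has beyond them."""
    return {
        name: {"missing": sorted(wanted - policy),
               "extra": sorted(policy - wanted)}
        for name, policy in found.items()
    }


if __name__ == "__main__":
    wanted, found = extract(SAMPLE_LOG)
    for name, diff in compare(wanted, found).items():
        print(name, "missing:", diff["missing"], "extra:", diff["extra"])
```

On the quoted log the "missing" list for xauth-psk is empty, which confirms the post's observation that the conn carries every requested flag and points the investigation at the other comparison in the log (the host-pair line) rather than at the policy flags.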