[Swan] no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW (fwd)

Andrew Cagney andrew.cagney at gmail.com
Tue Mar 15 17:12:06 EET 2022


> Starting Pluto (Libreswan Version 3.29 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:7125
> ...
> | forked child 7133
> seccomp security not supported
> | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd at 14 (in whack_handle() at rcv_whack.c:717)
> | Added new connection xauth-psk with policy PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> | ike (phase1) algorithm values: 3DES_CBC-HMAC_MD5-MODP1536, 3DES_CBC-HMAC_SHA1-MODP1536, AES_CBC-HMAC_SHA1-MODP1536, AES_CBC-HMAC_MD5-MODP1536
> | counting wild cards for <server.address.redacted> is 0
> | counting wild cards for (none) is 15
> | add new addresspool to global pools 10.231.247.10-10.231.247.254 size 245 ptr 0x55b964cc9f98
> | based upon policy, the connection is a template.
> | reference addresspool of conn xauth-psk[0] kind CK_TEMPLATE refcnt 0
> added connection description "xauth-psk"
> | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> | 0.0.0.0/0===<server.address.redacted><<server.address.redacted>>[MS+XS+S=C]...%any[+MC+XC+S=C]
> ...
> | connect_to_host_pair: <server.address.redacted>:500 0.0.0.0:500 -> hp:none
> ...
> | *received 572 bytes from 192.168.12.87:1500 on vipnet (port=500)
> ...
> | **parse ISAKMP Message:
> |    initiator cookie:
> |   0c 75 da 3b  07 7a f1 49
> |    responder cookie:
> |   00 00 00 00  00 00 00 00
> |    next payload type: ISAKMP_NEXT_SA (0x1)
> |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
> |    exchange type: ISAKMP_XCHG_AGGR (0x4)
> |    flags: none (0x0)
> |    Message ID: 0 (0x0)
> |    length: 572 (0x23c)
> ...
> | find_host_connection me=<server.address.redacted>:500 him=192.168.12.87:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW
> | find_host_pair: comparing <server.address.redacted>:500 to 0.0.0.0:500
> | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
> | find_next_host_connection returns empty
> | find_host_connection me=<server.address.redacted>:500 him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW
> | find_host_pair: comparing <server.address.redacted>:500 to 0.0.0.0:500
> | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
> | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-psk)
> | find_next_host_connection returns empty
> packet from 192.168.12.87:1500: initial Aggressive Mode message from 192.168.12.87 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

For some reason, it isn't even considering the xauth-psk configuration.

