[Swan] no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW (fwd)

Andrew Cagney andrew.cagney at gmail.com
Wed Mar 16 00:30:32 EET 2022


From aggr_inI1_outR1():
    const lset_t policy = preparse_isakmp_sa_body(sa_pd->pbs) |
        POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW;
    const lset_t policy_exact_mask = POLICY_XAUTH |
        POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW;
    struct connection *c = find_host_connection(
        &md->iface->ip_addr, md->iface->port,
        &md->sender, hportof(&md->sender),
        policy, policy_exact_mask);

which, in find_host_connection(), logs:

> > | find_host_connection me=<server.address.redacted>:500 him=192.168.12.87:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW

and calls find_next_host_connection(xauth-psk), which logs req_policy:

> > | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW

and the connection's policy, aka c->policy:

> > | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-psk)

(and we know policy_exact_mask == XAUTH+AGGRESSIVE+IKEV1_ALLOW)

and then checks:
        if (NEVER_NEGOTIATE(c->policy)) {
        if ((req_policy ^ c->policy) & policy_exact_mask) continue

(PSK+AGGRESSIVE+IKEV1_ALLOW) ^
(PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO)
& (XAUTH+AGGRESSIVE+IKEV1_ALLOW)

If my math is right, this lacks XAUTH, which should have come from
preparse_isakmp_sa_body(sa_pd->pbs); is something missing in the
payload?

        if ((req_policy & ~c->policy) == LEMPTY) break (i.e., good)

(PSK+AGGRESSIVE+IKEV1_ALLOW) &
~(PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO)
== LEMPTY
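The set algebra above, worked through as an added C example (not libreswan's code): the bit assignments, the policy_str helper and the two-entry candidate list are assumptions made for illustration, while the request policy, the exact mask and the xauth-psk policy are the sets from the quoted log lines. It applies both checks from find_next_host_connection() to the post's values and reports which exact-mask bit differs, and adds a non-XAUTH aggressive-mode PSK connection to show which connection the same request would have matched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bit assignments for the flags named in the log lines.
 * libreswan's real lset_t values differ; only the set algebra matters here. */
typedef uint64_t lset_t;
#define LEMPTY   ((lset_t)0)
#define LELEM(n) ((lset_t)1 << (n))
#define POLICY_PSK            LELEM(0)
#define POLICY_ENCRYPT        LELEM(1)
#define POLICY_TUNNEL         LELEM(2)
#define POLICY_DONT_REKEY     LELEM(3)
#define POLICY_XAUTH          LELEM(4)
#define POLICY_AGGRESSIVE     LELEM(5)
#define POLICY_IKEV1_ALLOW    LELEM(6)
#define POLICY_SAREF_TRACK    LELEM(7)
#define POLICY_IKE_FRAG_ALLOW LELEM(8)
#define POLICY_ESN_NO         LELEM(9)

/* The three sets quoted from the log lines in the post. */
#define POST_REQ_POLICY  (POLICY_PSK | POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW)
#define POST_EXACT_MASK  (POLICY_XAUTH | POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW)
#define XAUTH_PSK_POLICY (POLICY_PSK | POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_DONT_REKEY | \
                          POLICY_XAUTH | POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW | \
                          POLICY_SAREF_TRACK | POLICY_IKE_FRAG_ALLOW | POLICY_ESN_NO)

static const struct { lset_t bit; const char *name; } policy_names[] = {
    { POLICY_PSK, "PSK" }, { POLICY_ENCRYPT, "ENCRYPT" }, { POLICY_TUNNEL, "TUNNEL" },
    { POLICY_DONT_REKEY, "DONT_REKEY" }, { POLICY_XAUTH, "XAUTH" },
    { POLICY_AGGRESSIVE, "AGGRESSIVE" }, { POLICY_IKEV1_ALLOW, "IKEV1_ALLOW" },
    { POLICY_SAREF_TRACK, "SAREF_TRACK" }, { POLICY_IKE_FRAG_ALLOW, "IKE_FRAG_ALLOW" },
    { POLICY_ESN_NO, "ESN_NO" },
};

/* Render a set as "A+B+C" in the log's notation (helper invented for this example). */
void policy_str(lset_t set, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    if (set == LEMPTY) { snprintf(buf, len, "LEMPTY"); return; }
    for (size_t i = 0; i < sizeof policy_names / sizeof policy_names[0]; i++) {
        if (!(set & policy_names[i].bit)) continue;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "+" : "", policy_names[i].name);
        if (n < 0) break;
        used += (size_t)n;
        if (used >= len) break;          /* output truncated; stop before overrunning */
    }
}

/* Bits inside the exact mask on which request and connection disagree:
 * find_next_host_connection() skips the connection unless this is LEMPTY. */
lset_t exact_mask_mismatch(lset_t req_policy, lset_t c_policy, lset_t exact_mask)
{
    return (req_policy ^ c_policy) & exact_mask;
}

/* Requested bits the connection does not offer; must also be LEMPTY to match. */
lset_t unsatisfied_bits(lset_t req_policy, lset_t c_policy)
{
    return req_policy & ~c_policy;
}

struct connection { const char *name; lset_t policy; };

/* Constructed candidate list: the xauth-psk connection from the post, plus an
 * aggressive-mode PSK connection without XAUTH for contrast. */
const struct connection sample_connections[] = {
    { "xauth-psk", XAUTH_PSK_POLICY },
    { "plain-psk", POLICY_PSK | POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW },
};
#define SAMPLE_N (sizeof sample_connections / sizeof sample_connections[0])

/* Walk the candidates applying both checks in order; NULL means "no connection". */
const struct connection *find_matching_connection(const struct connection *cs, size_t n,
                                                  lset_t req_policy, lset_t exact_mask)
{
    for (size_t i = 0; i < n; i++) {
        if (exact_mask_mismatch(req_policy, cs[i].policy, exact_mask) != LEMPTY) continue;
        if (unsatisfied_bits(req_policy, cs[i].policy) != LEMPTY) continue;
        return &cs[i];
    }
    return NULL;
}

int main(void)
{
    char buf[256];
    policy_str(exact_mask_mismatch(POST_REQ_POLICY, XAUTH_PSK_POLICY, POST_EXACT_MASK), buf, sizeof buf);
    printf("exact-mask mismatch against xauth-psk: %s\n", buf);
    policy_str(unsatisfied_bits(POST_REQ_POLICY, XAUTH_PSK_POLICY), buf, sizeof buf);
    printf("requested bits xauth-psk lacks: %s\n", buf);
    const struct connection *c = find_matching_connection(sample_connections, SAMPLE_N,
                                                          POST_REQ_POLICY, POST_EXACT_MASK);
    printf("post's request matches: %s\n", c ? c->name : "(none)");
    c = find_matching_connection(sample_connections, SAMPLE_N,
                                 POST_REQ_POLICY | POLICY_XAUTH, POST_EXACT_MASK);
    printf("same request with XAUTH matches: %s\n", c ? c->name : "(none)");
    return 0;
}
```

Running it shows the mismatch set is exactly XAUTH and the subset check passes, so the xauth-psk connection is rejected only by the exact-mask test; with the XAUTH bit present in the request the same connection is selected, and without it only a connection that itself lacks XAUTH can match.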

