[Swan] no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW (fwd)

Andrew Cagney andrew.cagney at gmail.com
Wed Mar 16 01:25:08 EET 2022


>         if ((req_policy ^ c->policy) & policy_exact_mask) continue;
>
> (PSK+AGGRESSIVE+IKEV1_ALLOW) ^
> (PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO)
> & (XAUTH+AGGRESSIVE+IKEV1_ALLOW)
>
> If my math is right, this lacks XAUTH, which should have come from
> preparse_isakmp_sa_body(sa_pd->pbs); is something missing in the
> payload?

It looks like:

Mar 13 16:19:32.346676: | ******parse ISAKMP Oakley attribute:
Mar 13 16:19:32.346688: |    af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)
Mar 13 16:19:32.346699: |    length/value: 1 (0x1)

which is:

enum ikev1_auth_method {
	OAKLEY_PRESHARED_KEY = 1,

but to get XAUTH, I'm guessing it needs to see something like:

| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)
|    length/value: 65001 (fd e9)
|    [65001 is XAUTHInitPreShared]

https://testing.libreswan.org/v4.6-409-g0dd023c306-main/xauth-pluto-04/OUTPUT/east.pluto.log.gz

if the xauth parts of the config are dropped, does it get further?
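
As an added illustration (not libreswan's own code) of the exact-mask check quoted above and the auth-method attribute it depends on: this decodes a TV-form AF+OAKLEY_AUTHENTICATION_METHOD attribute into policy bits and then runs the check. The P_* bits, ISAKMP_AF_TV and both function names are hypothetical stand-ins for libreswan's internals; the attribute bytes are constructed to match the two log excerpts (value 1 and value 65001 / fd e9).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy bits (stand-ins for libreswan's lset_t flags). */
#define P_PSK         (1u << 0)
#define P_XAUTH       (1u << 1)
#define P_AGGRESSIVE  (1u << 2)
#define P_IKEV1_ALLOW (1u << 3)

/* ISAKMP attribute header: AF bit set means a 2-byte value follows (TV form). */
#define ISAKMP_AF_TV                 0x8000
#define OAKLEY_AUTHENTICATION_METHOD 3
#define OAKLEY_PRESHARED_KEY         1      /* enum ikev1_auth_method */
#define XAUTHInitPreShared           65001  /* 0xfde9, IKE XAUTH draft value */

/* Decode one TV attribute; return the policy bits it implies, 0 if unknown. */
unsigned auth_attr_policy(const uint8_t *p, size_t len)
{
    if (len < 4) return 0;
    uint16_t aftype = (uint16_t)((p[0] << 8) | p[1]);
    uint16_t value  = (uint16_t)((p[2] << 8) | p[3]);
    if (!(aftype & ISAKMP_AF_TV)) return 0;           /* TLV form: not handled */
    if ((aftype & 0x7fff) != OAKLEY_AUTHENTICATION_METHOD) return 0;
    switch (value) {
    case OAKLEY_PRESHARED_KEY: return P_PSK;
    case XAUTHInitPreShared:   return P_PSK | P_XAUTH;
    default:                   return 0;
    }
}

/* The quoted test: every bit in the mask must agree between request and conn. */
int policy_matches(unsigned req_policy, unsigned conn_policy)
{
    const unsigned policy_exact_mask = P_XAUTH | P_AGGRESSIVE | P_IKEV1_ALLOW;
    return ((req_policy ^ conn_policy) & policy_exact_mask) == 0;
}

int main(void)
{
    /* Constructed attribute bytes matching the two log excerpts above. */
    const uint8_t plain_psk[] = {0x80, 0x03, 0x00, 0x01};
    const uint8_t xauth_psk[] = {0x80, 0x03, 0xfd, 0xe9};
    unsigned conn = P_PSK | P_XAUTH | P_AGGRESSIVE | P_IKEV1_ALLOW;
    unsigned req1 = auth_attr_policy(plain_psk, 4) | P_AGGRESSIVE | P_IKEV1_ALLOW;
    unsigned req2 = auth_attr_policy(xauth_psk, 4) | P_AGGRESSIVE | P_IKEV1_ALLOW;
    printf("plain PSK vs XAUTH conn: %d\n", policy_matches(req1, conn));  /* 0 */
    printf("XAUTH PSK vs XAUTH conn: %d\n", policy_matches(req2, conn));  /* 1 */
    return 0;
}
```

With a plain PSK proposal the XOR leaves the XAUTH bit set inside the mask, which is exactly why the connection lookup fails for that peer.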

