[Swan] no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW (fwd)

1one.w01f dev.1one.w01f at gmail.com
Wed Mar 16 20:26:18 EET 2022


Dear Paul,

Thank you for the suggestions. Unfortunately after setting pfs=no and 
fixing ike=3des-md5;modp1536, libreswan still outputs "no (wildcard) 
connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW" 
in the log.

Using adb logcat, I got this output from the android app, which seems to 
confirm that libreswan couldn't find a matching policy to proceed:

    I FORTIKE : 2022-03-16 12:05:11.426 192.168.12.87[1500] used as isakmp port (fd=5)
    I FORTIKE : 2022-03-16 12:05:11.433 192.168.12.87[4500] used as isakmp port (fd=8)
    I FORTIKE : 2022-03-16 12:05:11.435  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
    I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-sha)
    I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-md5)
    I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-sha)
    I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-md5)
    I FORTIKE : 2022-03-16 12:05:11.435 IPsec-SA request for <server.address.redacted> queued due to no phase1 found.
    I FORTIKE : 2022-03-16 12:05:11.435 initiate new phase 1 negotiation: 192.168.12.87<=><server.address.redacted>[500]
    I FORTIKE : 2022-03-16 12:05:11.435 begin Aggressive mode.
    E FORTIKE : 2022-03-16 12:05:26.486 phase1 negotiation failed due to time up. e343368acb0535af:0000000000000000
    I FORTIKE : 2022-03-16 12:05:26.486 Phase 1 negotiation failed due to connection timeout or proposal mismatch.

Thanks,
Wolf


On 15/03/2022 23:55, Paul Wouters wrote:
> On Tue, 15 Mar 2022, 1one.w01f wrote:
>
>> Thank you very much for the suggestion. Unfortunately the client 
>> doesn't have options for choosing the
>> algorithms. I then added
>> ike=3des-md5;modp1536,3des-sha1;modp1536,aes-sha1;modp1536,aes-md5;modp1536
>
> Only use ike=3des-md5;modp1536 as that is the only proposal they are
> sending you. Aggressive mode is a bit tricky in you needing to get it
> all exactly right. If that by itself does not work, try adding pfs=no
>
> If you can see logs of the fortinet device that would be best, it might
> tell you what it does not like.
>
> Paul
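The FORTIKE lines quoted above advertise the client's ESP (phase 2) transforms (`proto_id=ESP`, then four `trns_id=...` entries), while the failure message names phase 1. When comparing a client's log against a libreswan `ike=`/`esp=` configuration it helps to pull those values out mechanically rather than by eye. The following script is an added example written for this thread, not code from the poster or from the libreswan project: it parses constructed log lines modelled on the ones in the post, renders the advertised transforms as a libreswan `esp=` proposal string, and reports which phase the client says failed, so the reader can see that an `esp=` adjustment alone would not address a phase 1 failure. The transform-name mapping (`hmac-sha` to `sha1`, `hmac-md5` to `md5`, `AES encklen=128` to `aes128`) is an assumption about libreswan's IKEv1 proposal syntax.

```python
import re

# Constructed sample modelled on the 'adb logcat' FORTIKE lines quoted in the
# post (wrapped lines rejoined; the proposal values are the ones the post shows).
SAMPLE_LOG = """\
I FORTIKE : 2022-03-16 12:05:11.435  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435 IPsec-SA request for <server.address.redacted> queued due to no phase1 found.
I FORTIKE : 2022-03-16 12:05:11.435 begin Aggressive mode.
E FORTIKE : 2022-03-16 12:05:26.486 phase1 negotiation failed due to time up. e343368acb0535af:0000000000000000
"""

TRANSFORM_RE = re.compile(r"trns_id=(\w+) encklen=(\d+) authtype=([\w-]+)")
PHASE_FAIL_RE = re.compile(r"phase\s*(\d) negotiation failed", re.IGNORECASE)

# Assumed mapping from the client's integrity names to libreswan's IKEv1 tokens.
AUTH_NAMES = {"hmac-sha": "sha1", "hmac-md5": "md5"}


def parse_esp_transforms(log_text):
    """Return the (cipher, keylen, auth) triples the client advertised, in order, without duplicates."""
    seen = []
    for m in TRANSFORM_RE.finditer(log_text):
        triple = (m.group(1), int(m.group(2)), m.group(3))
        if triple not in seen:
            seen.append(triple)
    return seen


def to_libreswan_esp(transforms):
    """Render parsed transforms as a libreswan esp= proposal list (assumed syntax)."""
    parts = []
    for cipher, keylen, auth in transforms:
        enc = cipher.lower()
        if keylen:  # 3DES reports encklen=0 because its key size is fixed
            enc += str(keylen)
        parts.append(f"{enc}-{AUTH_NAMES.get(auth, auth)}")
    return ",".join(parts)


def failed_phase(log_text):
    """Return the phase number named in the first 'negotiation failed' line, or None."""
    m = PHASE_FAIL_RE.search(log_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    transforms = parse_esp_transforms(SAMPLE_LOG)
    print("client ESP transforms :", transforms)
    print("equivalent esp= line  :", "esp=" + to_libreswan_esp(transforms))
    phase = failed_phase(SAMPLE_LOG)
    print("phase reported failed :", phase)
    if phase == 1:
        # The ESP list above is phase 2 material; a phase 1 failure means the
        # ike= proposal, PSK, identity or mode (aggressive) is what to compare first.
        print("phase 1 failed: check ike=/PSK/ID settings before touching esp=")
```

Run it against a real capture by replacing `SAMPLE_LOG` with the contents of the logcat output; the `esp=` string it prints can be pasted into the libreswan connection definition, and `failed_phase` tells you whether that is the part of the exchange that actually broke.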