[Swan] no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW (fwd)
1one.w01f
dev.1one.w01f at gmail.com
Wed Mar 16 20:26:18 EET 2022
Dear Paul,
Thank you for the suggestions. Unfortunately, after setting pfs=no and
fixing ike=3des-md5;modp1536, libreswan still outputs "no (wildcard)
connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW"
in the log.
Using adb logcat, I got this output from the android app, which seems to
confirm that libreswan couldn't find a matching policy to proceed:
I FORTIKE : 2022-03-16 12:05:11.426 192.168.12.87[1500] used as isakmp port (fd=5)
I FORTIKE : 2022-03-16 12:05:11.433 192.168.12.87[4500] used as isakmp port (fd=8)
I FORTIKE : 2022-03-16 12:05:11.435 (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435 IPsec-SA request for <server.address.redacted> queued due to no phase1 found.
I FORTIKE : 2022-03-16 12:05:11.435 initiate new phase 1 negotiation: 192.168.12.87<=><server.address.redacted>[500]
I FORTIKE : 2022-03-16 12:05:11.435 begin Aggressive mode.
E FORTIKE : 2022-03-16 12:05:26.486 phase1 negotiation failed due to time up. e343368acb0535af:0000000000000000
I FORTIKE : 2022-03-16 12:05:26.486 Phase 1 negotiation failed due to connection timeout or proposal mismatch.
Thanks,
Wolf
On 15/03/2022 23:55, Paul Wouters wrote:
> On Tue, 15 Mar 2022, 1one.w01f wrote:
>
>> Thank you very much for the suggestion. Unfortunately the client
>> doesn't have options for choosing the
>> algorithms. I then added
>> ike=3des-md5;modp1536,3des-sha1;modp1536,aes-sha1;modp1536,aes-md5;modp1536
>
> Only use ike=3des-md5;modp1536 as that is the only proposal they are
> sending you. Aggressive mode is a bit tricky in that you need to get it
> all exactly right. If that by itself does not work, try adding pfs=no
>
> If you can see logs of the fortinet device that would be best, it might
> tell you what it does not like.
>
> Paul
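An added example, not part of the thread and not libreswan or FortiClient code: a small parser that reads the client's logcat lines quoted above, extracts the ESP transforms the client offers, and renders them in libreswan esp= syntax so they can be compared against the server side. The name mapping from the log's trns_id/authtype values to libreswan algorithm names is an assumption; the sample log is constructed from the lines in the message.

```python
import re

# Constructed sample: the FORTIKE logcat lines quoted in the thread, one per line.
SAMPLE_LOG = """\
I FORTIKE : 2022-03-16 12:05:11.435 (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435 begin Aggressive mode.
E FORTIKE : 2022-03-16 12:05:26.486 phase1 negotiation failed due to time up. e343368acb0535af:0000000000000000
"""

# One ESP transform as the client logs it: cipher, key length (0 = fixed-length cipher), HMAC.
TRANSFORM_RE = re.compile(
    r"\(trns_id=(?P<enc>\w+) encklen=(?P<len>\d+) authtype=hmac-(?P<auth>\w+)\)"
)

# Assumed mapping from the client's log names to libreswan esp= algorithm names.
ENC_NAMES = {"AES": "aes", "3DES": "3des"}
AUTH_NAMES = {"sha": "sha1", "md5": "md5"}


def client_esp_proposals(log_text):
    """Return the ESP transforms the client offered, in libreswan esp= syntax, in log order."""
    proposals = []
    for line in log_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if not m:
            continue
        enc = ENC_NAMES[m["enc"]]
        if m["len"] != "0":  # variable-key ciphers carry the key size, e.g. aes128
            enc += m["len"]
        proposals.append(f"{enc}-{AUTH_NAMES[m['auth']]}")
    return proposals


def esp_line(log_text):
    """Build an esp= line that accepts every transform the client offered."""
    return "esp=" + ",".join(client_esp_proposals(log_text))


def phase1_failed(log_text):
    """True when the client logged a phase 1 failure, the symptom seen in the thread."""
    return any("phase1 negotiation failed" in line for line in log_text.splitlines())


if __name__ == "__main__":
    print(esp_line(SAMPLE_LOG))
    print("phase 1 failed:", phase1_failed(SAMPLE_LOG))
```

Note that the ESP transforms are only negotiated in phase 2; the log above shows the IPsec-SA request queued "due to no phase1 found" and then phase 1 timing out, so the esp= line cannot be the cause of this particular failure and the ike= and pfs= settings discussed in the thread are the ones to compare first.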