<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Jun 8, 2015 at 8:55 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, 8 Jun 2015, Chuck Wolber wrote:<br>
<br>
</span></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am able to connect to the VPN server with a variety of methods, but when I attempt to connect from within my application with the<br>
Personal VPN API, I get the following message on the server side:<br>
<br>
initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy<br>
PSK+AGGRESSIVE+IKEV1_ALLOW<br>
</blockquote>
<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
When I check ipsec status, it seems like the policy should handle this:<br>
<br>
000 "RoadWarriors-ikev1-aggr-psk": policy:<br>
PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;<br>
</blockquote>
<br></span>
Note that the error message is a little misleading. While it does check<br>
some policy bits for the display, it does not tell you everything, so<br>
even if another important policy bit does not match, you will get the<br>
misleading "with policy PSK+AGGRESSIVE+IKEV1_ALLOW".<br>
<br>
For instance, this could be a pfs=yes/no mismatch. Or a subnet mismatch<br>
or ID mismatch. </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn RoadWarriors-ikev1-aggr-psk<br>
authby=secret<br>
aggrmode=yes<br>
auto=add<br>
rekey=no<br>
pfs=no <br>
left=10.1.0.1<br>
leftid=@10.1.0.1<br>
leftsubnet=0.0.0.0/0<br>
rightaddresspool=10.1.0.10-10.1.0.254<br>
right=%any<br>
modecfgdns1=10.1.0.1<br>
leftxauthserver=yes<br>
rightxauthclient=yes<br>
leftmodecfgserver=yes<br>
rightmodecfgclient=yes<br>
modecfgpull=yes<br>
xauthby=alwaysok<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=clear<br>
ike-frag=yes<br>
ikev2=never<br>
</blockquote>
<br></span>
It would help to see the matching plutodebug=all log so we can compare<br>
what you receive with what you configured.<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br></div><div>I have attached the log file with plutodebug=all added to the setup section. The log includes the IPSec daemon startup sequence. You can jump directly to time index 18:13:01 for the connection attempt.</div><div><br></div><div>..Ch:W..</div><div><br></div></div>
</div></div>
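Paul's point above is that the "with policy PSK+AGGRESSIVE+IKEV1_ALLOW" text only reflects a few policy bits, so a connection whose status line shows those bits can still be rejected on a check the message never mentions. The following is an added illustration written for this thread; it is not libreswan's own selection code. It models a responder choosing a conn for an incoming Aggressive Mode request, prints only the bits the real message prints, and separately reports the hidden reason (pfs, peer ID, subnet, as listed in the reply). The names Conn, AggrRequest, policy_string, mismatch_reason and select_conn, the request fields, and the sample request are assumptions of the model.

```python
"""Simplified model of responder-side conn selection for an IKEv1 Aggressive
Mode request, written to show why the printed policy bits can be misleading.
Illustration for this thread; not libreswan code (assumed structure throughout)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Conn:
    """The subset of an ipsec.conf 'conn' this model looks at (assumed fields)."""
    name: str
    authby: str = "secret"      # "secret" -> PSK
    aggrmode: bool = False
    pfs: bool = True            # libreswan default is pfs=yes
    ikev2: str = "permit"       # "never" / "permit" / "insist"
    leftsubnet: str = "0.0.0.0/0"
    right: str = "%any"
    rightid: str = "%any"


@dataclass
class AggrRequest:
    """Assumed view of the first Aggressive Mode message from the peer."""
    src: str                      # source address of the packet
    peer_id: str                  # identity the peer sends in its first message
    auth: str = "psk"
    pfs: bool = False
    wants_subnet: str = "0.0.0.0/0"   # what the client will ask to reach


def policy_string(conn: Conn) -> str:
    """Only the bits that appear in the 'with policy ...' text."""
    bits = []
    if conn.authby == "secret":
        bits.append("PSK")
    if conn.aggrmode:
        bits.append("AGGRESSIVE")
    if conn.ikev2 != "insist":
        bits.append("IKEV1_ALLOW")
    return "+".join(bits)


def mismatch_reason(conn: Conn, req: AggrRequest) -> Optional[str]:
    """None if the conn would accept the request, else the first reason it would not."""
    # Checks that correspond to the bits shown in the error text.
    if (conn.authby == "secret") != (req.auth == "psk"):
        return "authby does not match the peer's authentication method"
    if not conn.aggrmode:
        return "aggrmode=no"
    if conn.ikev2 == "insist":
        return "ikev2=insist refuses IKEv1"
    # Checks that are NOT reflected in the printed policy string.
    if conn.pfs != req.pfs:
        return f"pfs={'yes' if conn.pfs else 'no'} but peer wants pfs={'yes' if req.pfs else 'no'}"
    if conn.right != "%any" and ipaddress.ip_address(conn.right) != ipaddress.ip_address(req.src):
        return f"right={conn.right} does not match peer address {req.src}"
    if conn.rightid != "%any" and conn.rightid != req.peer_id:
        return f"rightid={conn.rightid} does not match peer ID {req.peer_id}"
    if not ipaddress.ip_network(req.wants_subnet).subnet_of(ipaddress.ip_network(conn.leftsubnet)):
        return f"leftsubnet={conn.leftsubnet} does not cover {req.wants_subnet}"
    return None


def select_conn(conns, req: AggrRequest):
    """Return (matched conn name or None, error text, {conn name: hidden reason})."""
    reasons = {}
    for conn in conns:
        reason = mismatch_reason(conn, req)
        if reason is None:
            return conn.name, "", reasons
        reasons[conn.name] = reason
    shown = "+".join(["PSK" if req.auth == "psk" else "RSASIG", "AGGRESSIVE", "IKEV1_ALLOW"])
    msg = (f"initial Aggressive Mode message from {req.src} but no (wildcard) "
           f"connection has been configured with policy {shown}")
    return None, msg, reasons


# The conn from this thread, reduced to the fields the model uses (sample data).
ROADWARRIORS = Conn(name="RoadWarriors-ikev1-aggr-psk", authby="secret", aggrmode=True,
                    pfs=False, ikev2="never", leftsubnet="0.0.0.0/0", right="%any")

if __name__ == "__main__":
    # Constructed request: same source as the log line in the thread, but asking for pfs=yes.
    req = AggrRequest(src="10.1.0.4", peer_id="10.1.0.4", pfs=True)
    name, msg, reasons = select_conn([ROADWARRIORS], req)
    print(f'"{ROADWARRIORS.name}" policy bits shown: {policy_string(ROADWARRIORS)}')
    print(msg or f"matched {name}")
    for conn_name, reason in reasons.items():
        print(f"  {conn_name}: {reason}")
```

Run as a script, the model prints the same "no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW" text quoted in the thread even though the conn's own policy bits contain exactly those three, and the per-conn line names the pfs difference that the message hides. That is the gap a plutodebug=all log closes: it shows what the peer actually proposed, which can then be compared field by field against the conn.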