<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 9, 2015 at 12:02 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">On Tue, 9 Jun 2015, Chuck Wolber wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;<br>
</blockquote>
<br>
Jun 9 18:13:01 vpnserver pluto[6728]: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW (RoadWarriors-ikev1-aggr-psk)<br>
<br>
Jun 9 18:13:01 vpnserver pluto[6728]: | find_next_host_connection returns empty<br>
Jun 9 18:13:01 vpnserver pluto[6728]: packet from <a href="http://10.1.0.4:500" target="_blank">10.1.0.4:500</a>: initial Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
conn RoadWarriors-ikev1-aggr-psk<br>
authby=secret<br>
aggrmode=yes<br>
auto=add<br>
rekey=no<br>
pfs=no <br>
left=10.1.0.1<br>
leftid=@<a href="http://10.1.0.1" target="_blank">10.1.0.1</a><br>
leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
rightaddresspool=10.1.0.10-10.1.0.254<br>
right=%any<br>
modecfgdns1=10.1.0.1<br>
leftxauthserver=yes<br>
rightxauthclient=yes<br>
leftmodecfgserver=yes<br>
rightmodecfgclient=yes<br>
modecfgpull=yes<br>
xauthby=alwaysok<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=clear<br>
ike-frag=yes<br>
ikev2=never<br>
</blockquote>
<br></span>
So it seems to match up. Odd. Can you show "ipsec status |grep RoadWarriors-ikev1-aggr-psk" ?</blockquote><div><br></div>
000 "RoadWarriors-ikev1-aggr-psk": 0.0.0.0/24===10.1.0.1<10.1.0.1>[@10.1.0.1,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0<br>
000 "RoadWarriors-ikev1-aggr-psk": oriented; my_ip=unset; their_ip=unset<br>
000 "RoadWarriors-ikev1-aggr-psk": xauth info: us:server, them:client, method:alwaysok; my_xauthuser=[any]; their_xauthuser=[any]<br>
000 "RoadWarriors-ikev1-aggr-psk": modecfg info: us:server, them:client, modecfg policy:pull, dns1:10.1.0.1, dns2:unset, domain:unset, banner:unset;<br>
000 "RoadWarriors-ikev1-aggr-psk": labeled_ipsec:no; <br>
000 "RoadWarriors-ikev1-aggr-psk": policy_label:unset; <br>
000 "RoadWarriors-ikev1-aggr-psk": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;<br>
000 "RoadWarriors-ikev1-aggr-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;<br>
000 "RoadWarriors-ikev1-aggr-psk": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;<br>
000 "RoadWarriors-ikev1-aggr-psk": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW; <br>
000 "RoadWarriors-ikev1-aggr-psk": conn_prio: 24,32; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;<br>
000 "RoadWarriors-ikev1-aggr-psk": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both<br>
000 "RoadWarriors-ikev1-aggr-psk": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">..Ch:W..</div><div class="gmail_quote"><br></div>
</div></div>
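<p>Editor's note on the exchange above. The pluto debug line reports that it found the conn with the full policy, the final error says no wildcard conn carries <code>PSK+AGGRESSIVE+IKEV1_ALLOW</code>, and the <code>ipsec status</code> output shows a left subnet of <code>0.0.0.0/24</code> where the posted conn says <code>leftsubnet=0.0.0.0/0</code>, so what pluto has loaded is not exactly what was posted. The script below is an added example, written for this page and not code from the thread or from the libreswan project: it parses a conn block, the "found policy" debug line and the status output, computes which required policy bits (if any) the conn lacks, checks that the log and status agree on the loaded policy, compares the configured and loaded subnets, and lints the conn for the two settings a reviewer would flag regardless of the matching bug: IKEv1 aggressive mode with a PSK, where the responder's HASH_R is sent unencrypted and the PSK can be brute-forced offline from a single capture, and <code>xauthby=alwaysok</code>, which accepts any XAUTH credential. The sample conn, log and status text are constructed from the thread's shape; the regexes assume the pluto and <code>ipsec status</code> line formats visible on this page.</p>

```python
"""Cross-check a libreswan conn against pluto's aggressive-mode matching.

Added example (not from the thread or the libreswan project). Parses a conn
block, pluto's "found policy" debug line and `ipsec status` output, then
reports missing policy bits, a log/status mismatch, a configured/loaded
subnet mismatch, and settings a security reviewer would flag.
"""
import re

# Constructed sample inputs modelled on the thread (not live output).
CONN_TEXT = """\
conn RoadWarriors-ikev1-aggr-psk
    authby=secret
    aggrmode=yes
    auto=add
    rekey=no
    pfs=no
    left=10.1.0.1
    leftid=@10.1.0.1
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.1.0.10-10.1.0.254
    right=%any
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=alwaysok
    ikev2=never
"""

PLUTO_LOG = [
    "Jun 9 18:13:01 vpnserver pluto[6728]: | found policy = "
    "PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW"
    "+SAREF_TRACK+IKE_FRAG_ALLOW (RoadWarriors-ikev1-aggr-psk)",
    "Jun 9 18:13:01 vpnserver pluto[6728]: | find_next_host_connection returns empty",
    "Jun 9 18:13:01 vpnserver pluto[6728]: packet from 10.1.0.4:500: initial "
    "Aggressive Mode message from 10.1.0.4 but no (wildcard) connection has "
    "been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW",
]

STATUS_LINES = [
    '000 "RoadWarriors-ikev1-aggr-psk": 0.0.0.0/24===10.1.0.1<10.1.0.1>'
    '[@10.1.0.1,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0',
    '000 "RoadWarriors-ikev1-aggr-psk": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY'
    '+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW; ',
]

# Line shapes assumed from the thread's pluto log and `ipsec status` output.
FOUND_RE = re.compile(r"found policy = (\S+) \(([^)]+)\)")
REQUIRED_RE = re.compile(r"configured with policy (\S+)")
STATUS_POLICY_RE = re.compile(r'^000 "([^"]+)": policy: (\S+);')
STATUS_SUBNET_RE = re.compile(r'^000 "([^"]+)": ([^=\s]+)===')


def parse_conn(text):
    """Return (name, {key: value}) for one ipsec.conf conn block."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return name, settings


def policies_from_log(lines):
    """Map conn name -> policy bits from 'found policy' lines, plus the bits
    pluto says the incoming exchange requires (from the final error line)."""
    found, required = {}, set()
    for line in lines:
        m = FOUND_RE.search(line)
        if m:
            found[m.group(2)] = set(m.group(1).split("+"))
        m = REQUIRED_RE.search(line)
        if m:
            required = set(m.group(1).split("+"))
    return found, required


def status_policy(lines, conn):
    """Policy bits pluto reports as loaded for `conn`, or None."""
    for line in lines:
        m = STATUS_POLICY_RE.match(line)
        if m and m.group(1) == conn:
            return set(m.group(2).split("+"))
    return None


def status_left_subnet(lines, conn):
    """Left subnet pluto reports as loaded for `conn`, or None."""
    for line in lines:
        m = STATUS_SUBNET_RE.match(line)
        if m and m.group(1) == conn:
            return m.group(2)
    return None


def missing_bits(required, have):
    """Policy bits the exchange needs that the conn does not carry."""
    return required - have


def lint_conn(settings):
    """Security findings a reviewer would raise on this conn."""
    findings = []
    if settings.get("aggrmode") == "yes" and settings.get("authby") == "secret":
        findings.append("aggressive mode + PSK: HASH_R is sent unencrypted, so "
                        "the PSK can be brute-forced offline from one capture")
    if settings.get("xauthby") == "alwaysok":
        findings.append("xauthby=alwaysok: any XAUTH username/password is accepted")
    if settings.get("pfs") == "no":
        findings.append("pfs=no: IPsec SA keys derived without a fresh DH exchange")
    return findings


def diagnose(conn_text=CONN_TEXT, log=PLUTO_LOG, status=STATUS_LINES):
    """Bundle every check into one report dict."""
    name, settings = parse_conn(conn_text)
    found, required = policies_from_log(log)
    have = found.get(name, set())
    return {
        "conn": name,
        "missing_from_log_policy": missing_bits(required, have),
        "log_vs_status_policy_agree": status_policy(status, name) == have,
        "wildcard_peer": settings.get("right") == "%any",
        "subnet_configured": settings.get("leftsubnet"),
        "subnet_loaded": status_left_subnet(status, name),
        "findings": lint_conn(settings),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

<p>Run against the constructed inputs, the report shows no missing policy bits and a wildcard peer (so the policy itself is not what rejects the exchange), a configured subnet of <code>0.0.0.0/0</code> against a loaded <code>0.0.0.0/24</code>, and three findings. The practical check is the subnet line: when <code>ipsec status</code> disagrees with the file you think is loaded, confirm which ipsec.conf pluto actually read before debugging the matcher.</p>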