<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="monospace">Hi there,<br>
<br>
I have an old client app that only does IKEv1 aggressive mode and
XAUTH with PSK. I know it's not ideal, but we're interested in
testing that client and we're not planning on letting it have
access to anything sensitive.<br>
<br>
Anyway, I am using libreswan 3.29 (from apt) on Ubuntu 20.04, and
followed the example on the libreswan Wiki
(<a class="moz-txt-link-freetext"
href="https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK">https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK</a>)
and used the following config on the server:<br>
</font>
<blockquote><font face="monospace"># libreswan /etc/ipsec.conf
configuration file</font><br>
<font face="monospace">config setup</font><br>
<font face="monospace"> protostack=netkey</font><br>
<font face="monospace"> # exclude networks used on server side by
adding %v4:!a.b.c.0/24</font><br>
<font face="monospace">
virtual-private=%v4:!10.231.247.0/24,%v4:!10.231.246.0/24</font><br>
<font face="monospace"> # PSK clients can have the same ID if
they send it based on IP address.</font><br>
<font face="monospace"> uniqueids=no</font><br>
<font face="monospace"> logfile="/var/log/ipsec.log"</font><br>
<font face="monospace"> plutodebug="all"</font><br>
<br>
<font face="monospace">conn xauth-psk</font><br>
<font face="monospace"> authby=secret</font><br>
<font face="monospace"> pfs=no</font><br>
<font face="monospace"> auto=add</font><br>
<font face="monospace"> rekey=no</font><br>
<font face="monospace"> left=&lt;server.address.redacted&gt;</font><br>
<font face="monospace"> leftsubnet=0.0.0.0/0</font><br>
<font face="monospace">
rightaddresspool=10.231.247.10-10.231.247.254</font><br>
<font face="monospace"> right=%any</font><br>
<font face="monospace"> # make cisco clients happy</font><br>
<font face="monospace"> cisco-unity=yes</font><br>
<font face="monospace"> # address of your internal DNS server</font><br>
<font face="monospace"> #modecfgdns=10.231.247.1</font><br>
<font face="monospace"> # versions up to 3.22 used modecfgdns1
and modecfgdns2</font><br>
<font face="monospace"> #modecfgdns1=10.231.247.1</font><br>
<font face="monospace"> leftxauthserver=yes</font><br>
<font face="monospace"> rightxauthclient=yes</font><br>
<font face="monospace"> #leftmodecfgserver=yes</font><br>
<font face="monospace"> #rightmodecfgclient=yes</font><br>
<font face="monospace"> #modecfgpull=yes</font><br>
<font face="monospace"> xauthby=file</font><br>
<font face="monospace"> aggressive=yes</font><br>
<font face="monospace"> #configure pam via /etc/pam.d/pluto</font><br>
<font face="monospace"> #xauthby=pam</font><br>
<font face="monospace"> # xauthby=alwaysok MUST NOT be used
with PSK</font><br>
<font face="monospace"> # Can be played with below</font><br>
<font face="monospace"> dpddelay=30</font><br>
<font face="monospace"> dpdtimeout=120</font><br>
<font face="monospace"> dpdaction=clear</font><br>
<font face="monospace"> # xauthfail=soft</font><br>
<font face="monospace"> ikev2=never</font><br>
<font face="monospace"> ike-frag=yes</font><br>
</blockquote>
<font face="monospace">The PSK is stored in /etc/ipsec.secrets like
this:<br>
</font>
<blockquote><font face="monospace"># /etc/ipsec.secrets<br>
: PSK "NotTheRealPSK"<br>
</font></blockquote>
<font face="monospace">Unfortunately, I keep getting this in the
libreswan log:<br>
</font>
<blockquote><font face="monospace">Mar 13 16:19:44.370045: |
find_host_connection me=&lt;server.address.redacted&gt;:500
him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW</font><br>
<font face="monospace">Mar 13 16:19:44.370061: | find_host_pair:
comparing &lt;server.address.redacted&gt;:500 to 0.0.0.0:500</font><br>
<font face="monospace">Mar 13 16:19:44.370087: |
find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW</font><br>
<font face="monospace">Mar 13 16:19:44.370105: | found policy =
PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
(xauth-psk)</font><br>
<font face="monospace">Mar 13 16:19:44.370117: |
find_next_host_connection returns empty</font><br>
<font face="monospace">Mar 13 16:19:44.370135: packet from
192.168.12.87:1500: initial Aggressive Mode message from
192.168.12.87 but no (wildcard) connection has been configured
with policy PSK+AGGRESSIVE+IKEV1_ALLOW</font><br>
</blockquote>
<font face="monospace">Which is quite odd, as the policy found seems
to be a match? And this seems to be quite similar to the problem
discussed in a 7-year-old thread (<a class="moz-txt-link-freetext"
href="https://www.mail-archive.com/swan@lists.libreswan.org/msg00581.html">https://www.mail-archive.com/swan@lists.libreswan.org/msg00581.html</a>),
but I don't see a way to fix this problem in that discussion.<br>
<br>
Any thoughts on this would be highly appreciated.<br>
<br>
Thanks.<br>
<br>
Cheers,<br>
Wolf<br>
</font>
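<font face="monospace">Added example (not part of the post above and not
libreswan code): a small triage script that walks a pluto
connection-lookup trace like the one quoted in the post and records, line
by line, what pluto compared: the policy flags it required, the flags of
each candidate connection and which required flags (if any) are absent,
the me/him host:port pair the lookup was keyed on, the find_host_pair
comparison, and the final rejection line. It restates the log mechanically
and deliberately does not guess at the cause. The regular expressions
assume the 3.29 debug line format shown in the post; the sample log is
constructed from those lines, with 192.0.2.1 standing in for the redacted
server address. One caveat worth keeping in mind for a test setup like
this: in IKEv1 aggressive mode the HASH payload derived from the PSK is
exchanged before encryption begins, so anyone able to capture the first
exchange can run an offline dictionary attack against the PSK; a long
random PSK limits that.<br>
</font>

```python
import re
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample in the shape of the pluto debug lines quoted in the post.
# 192.0.2.1 stands in for the redacted server address; 192.168.12.87 is the
# client address that appears in the post.
SAMPLE_LOG = """\
Mar 13 16:19:44.370045: | find_host_connection me=192.0.2.1:500 him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW
Mar 13 16:19:44.370061: | find_host_pair: comparing 192.0.2.1:500 to 0.0.0.0:500
Mar 13 16:19:44.370087: | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
Mar 13 16:19:44.370105: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-psk)
Mar 13 16:19:44.370117: | find_next_host_connection returns empty
Mar 13 16:19:44.370135: packet from 192.168.12.87:1500: initial Aggressive Mode message from 192.168.12.87 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
"""

Endpoint = Tuple[str, int]

# Patterns for the libreswan 3.29 debug lines shown in the post (assumed format).
RE_LOOKUP = re.compile(
    r"find_host_connection me=(?P<me>\S+):(?P<mep>\d+) him=(?P<him>\S+):(?P<himp>\d+) "
    r"policy=(?P<policy>\S+)")
RE_PAIR = re.compile(
    r"find_host_pair: comparing (?P<a>\S+):(?P<ap>\d+) to (?P<b>\S+):(?P<bp>\d+)")
RE_FOUND = re.compile(r"found policy = (?P<policy>\S+) \((?P<conn>[^)]+)\)")
RE_EMPTY = re.compile(r"find_next_host_connection returns empty")
RE_REJECT = re.compile(
    r"packet from (?P<src>\S+):(?P<sp>\d+): initial Aggressive Mode message .* "
    r"no \(wildcard\) connection has been configured with policy (?P<policy>\S+)")


def parse_policy(text: str) -> FrozenSet[str]:
    """Split pluto's A+B+C policy rendering into a set of flag names."""
    return frozenset(f for f in text.split("+") if f)


def triage(log: str) -> dict:
    """Walk one connection-lookup trace and record what pluto compared.

    The result only restates the log: required flags, each candidate
    connection's flags and any required flags it lacks, the endpoints the
    lookup used, the host-pair comparison and the outcome.
    """
    required: FrozenSet[str] = frozenset()
    me: Optional[Endpoint] = None
    him: Optional[Endpoint] = None
    pair_checks: List[Tuple[Endpoint, Endpoint]] = []
    found: List[dict] = []
    returns_empty = False
    rejected: Optional[dict] = None
    for line in log.splitlines():
        m = RE_LOOKUP.search(line)
        if m:
            required = parse_policy(m["policy"])
            me = (m["me"], int(m["mep"]))
            him = (m["him"], int(m["himp"]))
            continue
        m = RE_PAIR.search(line)
        if m:
            pair_checks.append(((m["a"], int(m["ap"])), (m["b"], int(m["bp"]))))
            continue
        m = RE_FOUND.search(line)
        if m:
            policy = parse_policy(m["policy"])
            # Required flags not present in the candidate's policy, if any.
            found.append({"conn": m["conn"], "policy": policy,
                          "missing": sorted(required - policy)})
            continue
        if RE_EMPTY.search(line):
            returns_empty = True
            continue
        m = RE_REJECT.search(line)
        if m:
            rejected = {"peer": (m["src"], int(m["sp"])),
                        "policy": parse_policy(m["policy"])}
    return {"required": required, "me": me, "him": him, "pair_checks": pair_checks,
            "found": found, "returns_empty": returns_empty, "rejected": rejected}


def summarize(r: dict) -> List[str]:
    """Turn a triage() result into one observation per line, no diagnosis."""
    notes: List[str] = []
    for f in r["found"]:
        if f["missing"]:
            notes.append(f"conn {f['conn']}: missing required flags {', '.join(f['missing'])}")
        else:
            notes.append(f"conn {f['conn']}: all required flags present")
    if r["him"] and r["him"][1] != 500:
        notes.append(f"peer side of the lookup is {r['him'][0]}:{r['him'][1]}, "
                     "not the IKE default port 500")
    for local, other in r["pair_checks"]:
        notes.append(f"host pair compared {local[0]}:{local[1]} with {other[0]}:{other[1]}")
    if r["returns_empty"]:
        notes.append("find_next_host_connection returned no connection")
    if r["rejected"]:
        peer = r["rejected"]["peer"]
        notes.append(f"aggressive mode from {peer[0]}:{peer[1]} rejected with policy "
                     f"{'+'.join(sorted(r['rejected']['policy']))}")
    return notes


if __name__ == "__main__":
    for note in summarize(triage(SAMPLE_LOG)):
        print(note)
```

<font face="monospace">Run against a real /var/log/ipsec.log section
(plutodebug="all" as in the post) by passing the file contents to
triage(); the output lists the flag comparison and the endpoints side by
side, which is the part of the trace worth quoting when asking the list why
a connection that carries every required flag still ends in "returns
empty".<br>
</font>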
</body>
</html>