<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="monospace">Dear Paul,<br>
<br>
Thank you for the suggestions. Unfortunately, after setting pfs=no
and fixing ike=3des-md5;modp1536, libreswan still outputs "no
(wildcard) connection has been configured with policy
PSK+AGGRESSIVE+IKEV1_ALLOW" in the log.<br>
<br>
Using adb logcat, I got this output from the android app, which
seems to confirm that libreswan couldn't find a matching policy to
proceed:<br>
</font>
<blockquote><font face="monospace">I FORTIKE : 2022-03-16
12:05:11.426 192.168.12.87[1500] used as isakmp port (fd=5)<br>
I FORTIKE : 2022-03-16 12:05:11.433 192.168.12.87[4500] used as
isakmp port (fd=8)<br>
I FORTIKE : 2022-03-16 12:05:11.435 (proto_id=ESP spisize=4
spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)<br>
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128
authtype=hmac-sha)<br>
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128
authtype=hmac-md5)<br>
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0
authtype=hmac-sha)<br>
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0
authtype=hmac-md5)<br>
I FORTIKE : 2022-03-16 12:05:11.435 IPsec-SA request for
<server.address.redacted> queued due to no phase1 found.<br>
I FORTIKE : 2022-03-16 12:05:11.435 initiate new phase 1
negotiation:
192.168.12.87<=><server.address.redacted>[500]<br>
I FORTIKE : 2022-03-16 12:05:11.435 begin Aggressive mode.<br>
E FORTIKE : 2022-03-16 12:05:26.486 phase1 negotiation failed
due to time up. e343368acb0535af:0000000000000000<br>
I FORTIKE : 2022-03-16 12:05:26.486 Phase 1 negotiation failed
due to connection timeout or proposal mismatch.<br>
</font></blockquote>
<font face="monospace">Thanks,<br>
Wolf</font><br>
<br>
<br>
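<font face="monospace">The transform lines in the logcat excerpt above carry proto_id=ESP, so they describe the client's phase 2 (ESP) proposals rather than the phase 1 proposal that is timing out. The following added example (not part of this thread) parses those lines and renders them as a libreswan esp= value, flagging the 3DES/MD5 entries; the FortiClient-to-libreswan name mapping is an assumption based only on the names visible in the log.</font><br>

```python
import re

# Constructed sample: the FortiClient transform lines from the adb logcat
# excerpt in the thread, each joined back onto one line.
SAMPLE_LOG = """\
I FORTIKE : 2022-03-16 12:05:11.435 (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=AES encklen=128 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435 (trns_id=3DES encklen=0 authtype=hmac-md5)
"""

# One ESP transform as FortiClient logs it: cipher, key length, integrity.
TRANSFORM_RE = re.compile(
    r"\(trns_id=(?P<enc>\w+) encklen=(?P<klen>\d+) authtype=(?P<auth>[\w-]+)\)"
)

# Assumed mapping from FortiClient's log vocabulary to libreswan esp= keywords.
# Only the names seen in the excerpt are mapped; anything else raises KeyError
# on purpose rather than being silently guessed.
ENC_NAMES = {"AES": "aes", "3DES": "3des"}
AUTH_NAMES = {"hmac-sha": "sha1", "hmac-md5": "md5"}


def parse_transforms(log: str) -> list[tuple[str, int, str]]:
    """Return (cipher, keylen, integrity) tuples in the order the client proposed them."""
    return [(m["enc"], int(m["klen"]), m["auth"]) for m in TRANSFORM_RE.finditer(log)]


def render(enc: str, klen: int, auth: str) -> str:
    """Render one transform as a libreswan algorithm token, e.g. 'aes128-sha1'."""
    name = ENC_NAMES[enc] + (str(klen) if klen else "")  # 3DES logs encklen=0: fixed key size
    return f"{name}-{AUTH_NAMES[auth]}"


def to_libreswan_esp(transforms) -> str:
    """Join all proposed transforms into a single esp= value."""
    return ",".join(render(*t) for t in transforms)


def legacy_transforms(transforms) -> list[str]:
    """Tokens using 3DES or MD5, the legacy algorithms the thread has to spell out explicitly."""
    return [render(*t) for t in transforms if t[0] == "3DES" or t[2] == "hmac-md5"]


if __name__ == "__main__":
    proposed = parse_transforms(SAMPLE_LOG)
    print("esp=" + to_libreswan_esp(proposed))
    print("legacy:", ", ".join(legacy_transforms(proposed)))
```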
<div class="moz-cite-prefix">On 15/03/2022 23:55, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3584d181-9650-7b6-e96d-ef9f55ead0bc@nohats.ca">On Tue,
15 Mar 2022, 1one.w01f wrote:
<br>
<br>
<blockquote type="cite">Thank you very much for the suggestion.
Unfortunately the client doesn't have options for choosing the
algorithms. I then added<br>
ike=3des-md5;modp1536,3des-sha1;modp1536,aes-sha1;modp1536,aes-md5;modp1536<br>
</blockquote>
<br>
Only use ike=3des-md5;modp1536 as that is the only proposal they are
sending you. Aggressive mode is a bit tricky in you needing to get it
all exactly right. If that by itself does not work, try adding pfs=no<br>
<br>
If you can see logs of the Fortinet device that would be best, it might
tell you what it does not like.<br>
<br>
Paul
<br>
</blockquote>
<br>
</body>
</html>