Hi there,

I have an old client app that only does IKEv1 aggressive mode and XAUTH with PSK. I know it's not ideal, but we're interested in testing that client and we're not planning on letting it have access to anything sensitive.

Anyway, I am using libreswan 3.29 (from apt) on Ubuntu 20.04, and followed the example on the libreswan Wiki (https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK) and used the following config on the server:

   # libreswan /etc/ipsec.conf configuration file
   config setup
        protostack=netkey
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual-private=%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
        # PSK clients can have the same ID if they send it based on IP address.
        uniqueids=no
        logfile="/var/log/ipsec.log"
        plutodebug="all"

   conn xauth-psk
        authby=secret
        pfs=no
        auto=add
        rekey=no
        left=<server.address.redacted>
        leftsubnet=0.0.0.0/0
        rightaddresspool=10.231.247.10-10.231.247.254
        right=%any
        # make cisco clients happy
        cisco-unity=yes
        # address of your internal DNS server
        #modecfgdns=10.231.247.1
        # versions up to 3.22 used modecfgdns1 and modecfgdns2
        #modecfgdns1=10.231.247.1
        leftxauthserver=yes
        rightxauthclient=yes
        #leftmodecfgserver=yes
        #rightmodecfgclient=yes
        #modecfgpull=yes
        xauthby=file
        aggressive=yes
        #configure pam via /etc/pam.d/pluto
        #xauthby=pam
        # xauthby=alwaysok MUST NOT be used with PSK
        # Can be played with below
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # xauthfail=soft
        ikev2=never
        ike-frag=yes

The PSK is stored in /etc/ipsec.secrets like this:

   # /etc/ipsec.secrets
   : PSK "NotTheRealPSK"

Unfortunately, I keep getting this in the libreswan log:

   Mar 13 16:19:44.370045: | find_host_connection me=<server.address.redacted>:500 him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW
   Mar 13 16:19:44.370061: | find_host_pair: comparing <server.address.redacted>:500 to 0.0.0.0:500
   Mar 13 16:19:44.370087: | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
   Mar 13 16:19:44.370105: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-psk)
   Mar 13 16:19:44.370117: | find_next_host_connection returns empty
   Mar 13 16:19:44.370135: packet from 192.168.12.87:1500: initial Aggressive Mode message from 192.168.12.87 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

This is quite odd, as the policy found seems to be a match. It also seems quite similar to the problem discussed in a 7-year-old thread (https://www.mail-archive.com/[email protected]/msg00581.html), but I don't see a way to fix this problem in that discussion.

Any thoughts on this would be highly appreciated.

Thanks.

Cheers,
Wolf
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
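As an added example (not part of the original post and not libreswan's own code), the following script parses a libreswan-style ipsec.conf, flags the settings in a PSK/XAUTH connection that matter from a security standpoint (IKEv1 aggressive mode with a PSK, xauthby=alwaysok with a PSK, pfs=no), and checks whether every flag named in a "policy=" debug line is present in the "found policy =" line that follows it. The sample configuration and log lines are constructed here to mirror the post above; the server address 192.0.2.1 and the log text are placeholders, and the parser assumes the standard ipsec.conf layout in which section headers start at column 0 and parameters are indented.

```python
"""Lint a libreswan ipsec.conf and compare requested vs found IKE policy flags.

Added example; not from the original post or from the libreswan project.
"""
import re

# Constructed sample mirroring the posted server config (address is a placeholder).
SAMPLE_CONF = """\
# libreswan /etc/ipsec.conf configuration file
config setup
    protostack=netkey
    virtual-private=%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
    uniqueids=no
    plutodebug="all"

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=192.0.2.1
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    cisco-unity=yes
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=file
    aggressive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikev2=never
    ike-frag=yes
"""

# Constructed log lines echoing the posted debug output (each record on one line).
SAMPLE_LOG = [
    "Mar 13 16:19:44.370045: | find_host_connection me=192.0.2.1:500 him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW",
    "Mar 13 16:19:44.370105: | found policy = PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-psk)",
    "Mar 13 16:19:44.370117: | find_next_host_connection returns empty",
]

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")   # column 0: new section
PARAM_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")   # indented: key=value


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}}; comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
            continue
        m = PARAM_RE.match(line)
        if m is None or current is None:
            # An unindented non-header line (e.g. a wrapped comment fragment) is an error.
            raise ValueError(f"cannot parse line: {raw!r}")
        sections[current][m.group(1)] = m.group(2)
    return sections


def lint_conn(params):
    """Return (severity, tag, message) tuples for security-relevant settings."""
    findings = []
    psk = params.get("authby") == "secret"
    if psk and params.get("aggressive") == "yes":
        findings.append(("warn", "aggressive+psk",
                         "IKEv1 aggressive mode sends the PSK-derived HASH payload before "
                         "encryption is established; a passive capture allows offline PSK guessing"))
    if psk and params.get("xauthby") == "alwaysok":
        findings.append(("error", "xauthby=alwaysok",
                         "any peer holding the group PSK is accepted without a credential check"))
    if params.get("pfs") == "no":
        findings.append(("info", "pfs=no",
                         "no fresh DH per IPsec SA; child keys derive from the IKE SA's DH secret"))
    return findings


def lint_conf(sections):
    """Lint every conn section; returns {conn name: findings}."""
    return {name: lint_conn(p) for name, p in sections.items() if name.startswith("conn ")}


def parse_policy(flags):
    return {f for f in flags.split("+") if f}


REQUESTED_RE = re.compile(r"find_host_connection .*policy=(\S+)")
FOUND_RE = re.compile(r"found policy = (\S+)")


def missing_policy_flags(log_lines):
    """Flags requested by find_host_connection that the found policy lacks."""
    requested = found = None
    for line in log_lines:
        m = REQUESTED_RE.search(line)
        if m:
            requested = parse_policy(m.group(1))
        m = FOUND_RE.search(line)
        if m:
            found = parse_policy(m.group(1))
    if requested is None or found is None:
        raise ValueError("log lacks a requested or a found policy line")
    return requested - found


if __name__ == "__main__":
    for conn, findings in lint_conf(parse_ipsec_conf(SAMPLE_CONF)).items():
        for sev, tag, msg in findings:
            print(f"{conn}: [{sev}] {tag}: {msg}")
    print("flags missing from found policy:", missing_policy_flags(SAMPLE_LOG) or "none")
```

Run it as-is to lint the constructed sample, or read your own /etc/ipsec.conf and a debug log into the two parsing functions. An empty set from missing_policy_flags means the requested policy flags are all present in the found policy, so a lookup that still "returns empty" is being rejected on some criterion other than those flags.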
