From aggr_inI1_outR1():

    const lset_t policy = preparse_isakmp_sa_body(sa_pd->pbs) |
        POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW;
    const lset_t policy_exact_mask = POLICY_XAUTH |
        POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW;
    struct connection *c = find_host_connection(
        &md->iface->ip_addr, md->iface->port,
        &md->sender, hportof(&md->sender),
        policy, policy_exact_mask);
which, in find_host_connection(), logs:
> > | find_host_connection me=<server.address.redacted>:500
> > him=192.168.12.87:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW
and calls find_next_host_connection(xauth-psk), which logs req_policy:
> > | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
and the connection's policy, aka c->policy:
> > | found policy =
> > PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> > (xauth-psk)
(and we know policy_exact_mask == XAUTH+AGGRESSIVE+IKEV1_ALLOW)
and then checks:
    if (NEVER_NEGOTIATE(c->policy)) {
        if ((req_policy ^ c->policy) & policy_exact_mask) continue

        (PSK+AGGRESSIVE+IKEV1_ALLOW) ^
        (PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO)
        & (XAUTH+AGGRESSIVE+IKEV1_ALLOW)
If my math is right, this lacks XAUTH, which should have come from
preparse_isakmp_sa_body(sa_pd->pbs); is something missing in the
payload?
        if ((req_policy & ~c->policy) == LEMPTY) break (i.e., good)

        (PSK+AGGRESSIVE+IKEV1_ALLOW) &
        ~(PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO)
        == LEMPTY
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
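The two bitmask tests the mail walks through (the exact-mask XOR check, then the "every requested bit is offered" check) can be reproduced in isolation. The block below is an added illustration written for this page, not libreswan code: `lset_t`, `LELEM`, the `POLICY_*` bit positions and the `match_policy` / `format_policy` helpers are all constructed here (libreswan's real bit values and function names differ), and it feeds in the exact policy sets quoted from the debug log to show why the connection is skipped at the exact-mask step and which single bit (XAUTH) is responsible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a 64-bit policy set and one bit per flag.
 * Bit positions are arbitrary and are NOT libreswan's real values. */
typedef uint64_t lset_t;
#define LEMPTY   ((lset_t)0)
#define LELEM(n) ((lset_t)1 << (n))

#define POLICY_PSK            LELEM(0)
#define POLICY_ENCRYPT        LELEM(1)
#define POLICY_TUNNEL         LELEM(2)
#define POLICY_DONT_REKEY     LELEM(3)
#define POLICY_XAUTH          LELEM(4)
#define POLICY_AGGRESSIVE     LELEM(5)
#define POLICY_IKEV1_ALLOW    LELEM(6)
#define POLICY_SAREF_TRACK    LELEM(7)
#define POLICY_IKE_FRAG_ALLOW LELEM(8)
#define POLICY_ESN_NO         LELEM(9)
#define POLICY_COUNT          10

enum match_result {
    MATCH_EXACT_MISMATCH,  /* (req ^ c) & exact_mask != 0: connection skipped */
    MATCH_REQ_UNSATISFIED, /* req & ~c != LEMPTY: connection lacks a needed bit */
    MATCH_OK
};

/* First test from the mail: bits inside exact_mask must agree on both
 * sides. Returns the disagreeing bits (LEMPTY means the test passes). */
lset_t exact_mismatch_bits(lset_t req_policy, lset_t c_policy, lset_t exact_mask)
{
    return (req_policy ^ c_policy) & exact_mask;
}

/* Second test from the mail: every requested bit must be offered by the
 * connection. Returns the bits the connection is missing. */
lset_t unsatisfied_bits(lset_t req_policy, lset_t c_policy)
{
    return req_policy & ~c_policy;
}

/* Both tests in the order find_next_host_connection() applies them. */
enum match_result match_policy(lset_t req_policy, lset_t c_policy, lset_t exact_mask)
{
    if (exact_mismatch_bits(req_policy, c_policy, exact_mask) != LEMPTY)
        return MATCH_EXACT_MISMATCH;
    if (unsatisfied_bits(req_policy, c_policy) != LEMPTY)
        return MATCH_REQ_UNSATISFIED;
    return MATCH_OK;
}

/* Render a set the way the debug log does, e.g. "PSK+AGGRESSIVE+IKEV1_ALLOW". */
static const char *const policy_names[POLICY_COUNT] = {
    "PSK", "ENCRYPT", "TUNNEL", "DONT_REKEY", "XAUTH", "AGGRESSIVE",
    "IKEV1_ALLOW", "SAREF_TRACK", "IKE_FRAG_ALLOW", "ESN_NO"
};

char *format_policy(lset_t policy, char *buf, size_t len)
{
    size_t n = 0;
    buf[0] = '\0';
    for (unsigned i = 0; i < POLICY_COUNT; i++) {
        if (!(policy & LELEM(i)))
            continue;
        int w = snprintf(buf + n, len - n, "%s%s", n ? "+" : "", policy_names[i]);
        if (w < 0 || (size_t)w >= len - n)
            break; /* output truncated; stop rather than overrun */
        n += (size_t)w;
    }
    return buf;
}

int main(void)
{
    char b[160];
    /* Values taken from the log lines quoted in the mail. */
    const lset_t exact_mask = POLICY_XAUTH | POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW;
    const lset_t c_policy = POLICY_PSK | POLICY_ENCRYPT | POLICY_TUNNEL |
        POLICY_DONT_REKEY | POLICY_XAUTH | POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW |
        POLICY_SAREF_TRACK | POLICY_IKE_FRAG_ALLOW | POLICY_ESN_NO;
    lset_t req_policy = POLICY_PSK | POLICY_AGGRESSIVE | POLICY_IKEV1_ALLOW;

    printf("req_policy=%s\n", format_policy(req_policy, b, sizeof b));
    printf("exact-mask disagreement=%s\n",
           format_policy(exact_mismatch_bits(req_policy, c_policy, exact_mask), b, sizeof b));
    printf("result=%d (0 = skipped at exact-mask check)\n",
           match_policy(req_policy, c_policy, exact_mask));

    /* What the request would look like had preparse set XAUTH. */
    req_policy |= POLICY_XAUTH;
    printf("with XAUTH: result=%d (2 = match)\n",
           match_policy(req_policy, c_policy, exact_mask));
    return 0;
}
```

Running it prints an empty mismatch set once XAUTH is added to the request, which is the point the mail makes: the exact-mask test fails on XAUTH alone, while the second test (`req_policy & ~c->policy`) would already have passed.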