Dear Paul,

Thank you for the suggestions. Unfortunately, after setting pfs=no and fixing ike=3des-md5;modp1536, libreswan still outputs "no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW" in the log.

Using adb logcat, I got this output from the Android app, which seems to confirm that libreswan couldn't find a matching policy to proceed:

   I FORTIKE : 2022-03-16 12:05:11.426 192.168.12.87[1500] used as isakmp port (fd=5)
   I FORTIKE : 2022-03-16 12:05:11.433 192.168.12.87[4500] used as isakmp port (fd=8)
   I FORTIKE : 2022-03-16 12:05:11.435  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
   I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-sha)
   I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-md5)
   I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-sha)
   I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-md5)
   I FORTIKE : 2022-03-16 12:05:11.435 IPsec-SA request for <server.address.redacted> queued due to no phase1 found.
   I FORTIKE : 2022-03-16 12:05:11.435 initiate new phase 1 negotiation: 192.168.12.87<=><server.address.redacted>[500]
   I FORTIKE : 2022-03-16 12:05:11.435 begin Aggressive mode.
   E FORTIKE : 2022-03-16 12:05:26.486 phase1 negotiation failed due to time up. e343368acb0535af:0000000000000000
   I FORTIKE : 2022-03-16 12:05:26.486 Phase 1 negotiation failed due to connection timeout or proposal mismatch.

Thanks,
Wolf


On 15/03/2022 23:55, Paul Wouters wrote:
On Tue, 15 Mar 2022, 1one.w01f wrote:

Thank you very much for the suggestion. Unfortunately the client doesn't have options for choosing the
algorithms. I then added
ike=3des-md5;modp1536,3des-sha1;modp1536,aes-sha1;modp1536,aes-md5;modp1536

Only use ike=3des-md5;modp1536 as that is the only proposal they are
sending you. Aggressive mode is a bit tricky in that you need to get it
all exactly right. If that by itself does not work, try adding pfs=no.

If you can see logs of the Fortinet device, that would be best; it might
tell you what it does not like.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
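The logcat excerpt above mixes two things: the client's phase 2 (ESP) transform list, which is what a libreswan esp= line would have to match, and the phase 1 failure that actually stops the negotiation before any ESP proposal is looked at. The following Python script is an added example, not part of the thread or of libreswan; it parses the FORTIKE trns_id lines into libreswan esp= syntax and reports which phase failed, so you can see at a glance that changing esp= cannot help while phase 1 is still timing out. The sample log is the thread's own output re-joined onto single lines, and the FORTIKE-to-libreswan name mapping (hmac-sha taken as sha1, encklen=0 meaning a fixed-size cipher) is an assumption of this example.

```python
import re

# Constructed sample: the FORTIKE logcat lines quoted in the thread,
# re-joined onto one line per entry (the mail archive had wrapped them).
SAMPLE_LOG = """\
I FORTIKE : 2022-03-16 12:05:11.435  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=AES encklen=128 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-sha)
I FORTIKE : 2022-03-16 12:05:11.435   (trns_id=3DES encklen=0 authtype=hmac-md5)
I FORTIKE : 2022-03-16 12:05:11.435 IPsec-SA request for <server.address.redacted> queued due to no phase1 found.
I FORTIKE : 2022-03-16 12:05:11.435 begin Aggressive mode.
E FORTIKE : 2022-03-16 12:05:26.486 phase1 negotiation failed due to time up. e343368acb0535af:0000000000000000
I FORTIKE : 2022-03-16 12:05:26.486 Phase 1 negotiation failed due to connection timeout or proposal mismatch.
"""

# One ESP transform as printed by the client.
TRANSFORM_RE = re.compile(
    r"\(trns_id=(?P<enc>[\w-]+) encklen=(?P<klen>\d+) authtype=(?P<auth>[\w-]+)\)"
)

# Assumed mapping from FORTIKE names to libreswan algorithm names:
# "hmac-sha" is read as HMAC-SHA1, which libreswan spells "sha1".
ENC_NAMES = {"AES": "aes", "3DES": "3des"}
AUTH_NAMES = {"hmac-sha": "sha1", "hmac-md5": "md5"}


def parse_esp_proposals(log_text):
    """Return the client's ESP transforms as (cipher, keylen, integrity) tuples."""
    proposals = []
    for line in log_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if not m:
            continue
        enc = ENC_NAMES.get(m.group("enc"), m.group("enc").lower())
        auth = AUTH_NAMES.get(m.group("auth"), m.group("auth").lower())
        proposals.append((enc, int(m.group("klen")), auth))
    return proposals


def to_libreswan_esp(proposals):
    """Render the transforms in libreswan esp= syntax, preserving client order."""
    parts = []
    for enc, klen, auth in proposals:
        # encklen=0 means the cipher has a fixed key size (3DES here), and
        # libreswan takes no key length suffix for it.
        name = f"{enc}{klen}" if klen else enc
        parts.append(f"{name}-{auth}")
    return "esp=" + ",".join(parts)


def diagnose(log_text):
    """Say which phase failed, so esp= tuning is not attempted while phase 1 is broken."""
    phase1_failed = bool(re.search(r"phase ?1 negotiation failed", log_text, re.I))
    aggressive = "begin Aggressive mode." in log_text
    queued = "queued due to no phase1 found" in log_text
    return {
        "failed_phase": "phase1" if phase1_failed else ("phase2" if queued else "none"),
        "aggressive_mode": aggressive,
        "esp_line": to_libreswan_esp(parse_esp_proposals(log_text)),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["esp_line"])
    print("failed at:", result["failed_phase"], "| aggressive:", result["aggressive_mode"])
```

With the thread's log the script yields esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5 and reports failed_phase as phase1. That matches Paul's point: the fix has to be in the phase 1 parameters (ike=, aggressive mode, PSK, pfs=no) and in the connection matching that produces the "no (wildcard) connection has been configured" message, not in the ESP transforms.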