Re: [Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW" [SOLVED]

2019-09-21 Thread Hugh Sparks

Sorry to propagate misinformation: this expression (suggested to support 
Android) works fine:

    esp=aes256-sha2_512,aes256-sha1,aes256-sha2_256,3des-sha1

On my first attempt to try this, I put in a typo that kept my connection from 
loading from:

    /etc/ipsec.d/mything.conf

But the parent /etc/ipsec.conf loads a default libreswan.conf that kept things 
from working as expected.

So this connection supports iPhone, Windows, and Android with L2TP and PSK:

conn L2TP-PSK
    pfs=no
    auto=add
    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha2_512,aes256-sha1,aes256-sha2_256,3des-sha1
    authby=secret
    type=transport
    left=a.b.c.d
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

Thanks again.



___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW" [SOLVED]

2019-09-20 Thread Hugh Sparks

For the sake of discussion and to rule out misunderstanding, here's my complete 
and working ipsec configuration file:

conn L2TP-PSK
    pfs=no
    auto=add
    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1
    authby=secret
    type=transport
    left=24.196.53.220
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

I tried the suggested esp change:

    esp=aes256-sha2_512,aes256-sha1,aes256-sha2_256,3des-sha1

The connection loaded without error, but when I tested with both Windows and 
iPhone, the dread message returned:

    ...no connection has been authorized with policy PSK+IKEV1_ALLOW

I don't have an Android device on hand to test right now, but it would be great to have a 
"one-size-fits-all" solution.
(At least for common consumer devices.)

Thanks to all,

-Hugh Sparks



Re: [Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW"

2019-09-20 Thread Andrew Cagney
On Fri, 20 Sep 2019 at 17:05, Hugh Sparks  wrote:
>
> I tried adding "ikev2=no" and got this error:
>
>  Failed to add connection "L2TP-PSK": ike string error: IKE encryption 
> algorithm 'aes_gcm256' is not supported by IKEv1

IKEv1 doesn't support AES GCM for IKE (only ESP).  One way to get this error is:
- force IKEv1, and
- include ike=aes_gcm256 in the config file
but I didn't notice ike=... in the config?  So I'm a little puzzled.

For reference, the code leading into the error is:

    if (!LIN(POLICY_AUTH_NEVER, wm->policy) &&
        (wm->ike != NULL || c->ike_version == IKEv2)) {
        const struct proposal_policy proposal_policy = {
            ...
            .ignore_parser_errors = (wm->ike == NULL),
        };

        struct proposal_parser *parser =
            ike_proposal_parser(&proposal_policy);
        c->ike_proposals.p =
            proposals_from_str(parser, wm->ike);

        if (c->ike_proposals.p == NULL) {
            pexpect(parser->error[0]); /* something */
            loglog(RC_FATAL, "Failed to add connection \"%s\": ike string error: %s",
                   wm->name, parser->error);

Notice how it should ignore errors when there's no ike= line.

Andrew

> Perhaps closer...
>
> Thanks again.
>
>
> On 9/20/2019 3:39 PM, Paul Wouters wrote:
> > Add ikev2=no
> >
> > The default changed from v1 to v2
> >
> > Paul
> >
> > Sent from my iPhone
> >
> >> On Sep 20, 2019, at 15:39, Hugh Sparks  wrote:
> >>
> >> New list member here.
> >>
> >> I have a server running Libreswan to allow iphone and Windows clients 
> >> access to the office LAN. This has worked for many years.
> >> (I never needed to join this list.)
> >>
> >> Recently, I did three server upgrades in quick succession going from 
> >> fedora 27 to fedora 30. Something along the way broke the
> >> VPN service.
> >>
> >> When either type of client tries to make a connection, I see this message 
> >> in the server journal:
> >>
> >> pluto[16000]: packet from p.q.r.s:t: \
> >> initial Main Mode message received on a.b.c.d:500
> >> but no connection has been authorized with policy PSK+IKEV1_ALLOW
> >>
> >> Working:
> >>
> >> Fedora 27 with libreswan-3.27-1.fc27.x86_64
> >>
> >> Not working:
> >>
> >> Fedora 30 with libreswan-3.29-1.fc30.x86_64
> >>
> >> This command shows everything [OK]
> >>
> >> ipsec verify
> >>
> >> This command adds the connection with no errors reported:
> >>
> >> ipsec auto --add L2TP-PSK
> >>
> >> Some configuration files:
> >>
> >> /etc/ipsec.d/myvpn.conf:
> >>
> >> conn L2TP-PSK
> >>     type=transport
> >>     authby=secret
> >>     pfs=no
> >>     auto=add
> >>     left=a.b.c.d
> >>     right=%any
> >>     leftprotoport=17/1701
> >>     rightprotoport=17/%any
> >>     dpddelay=15
> >>     dpdtimeout=30
> >>     dpdaction=clear
> >>
> >> ("a.b.c.d" is the public IP address of my server)
> >>
> >> /etc/ipsec.d/myvpn.secrets
> >>
> >> : PSK "some long key phrase"
> >>
> >> I can send more files if necessary, but it appears that the connection 
> >> process never gets past "pluto"
> >>
> >> Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"
> >>
> >> The client settings are for L2TP/IPSEC with PSK.
> >>
> >> I have downloaded and searched the mailing list archives.
> >> I found two threads, but none with any clear resolution.
> >>
> >> All suggestions appreciated.
> >>
> >>
> >> Thanks!
> >>
> >>
> >>
> >> --
> >>
> >> Mail: h...@csparks.com  Office: 952-955-2800 
> >> Mobile: 612-247-2714
> >>
>
>


Re: [Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW" [SOLVED]

2019-09-20 Thread Paul Wouters

On Fri, 20 Sep 2019, Hugh Sparks wrote:



The Wizard Wooters got me close enough: I added these incantations:

    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1

Now Windows and iphone clients work perfectly.


Note Android clients will fail, because of their sha2_256 bug. I would
recommend:

esp=aes256-sha2_512,aes256-sha1,aes256-sha2_256,3des-sha1

That causes us to prefer sha2_512 and sha1 over sha2_256, and should
work with Windows, iPhone and Android clients.

I spent 10 hours on this before I gave up and asked a question. What a great 
group!


Glad we could help!

Paul
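The pitfalls Andrew and Paul describe above (the IKEv1/IKEv2 default flip, AES-GCM not being usable in ike= under IKEv1, and the esp= ordering that trips Android's sha2_256 bug), as an added example that is not part of this thread or of libreswan: a small Python checker that reads a conn section the way ipsec.conf lays it out (options indented under a column-0 `conn` header) and reports those problems, including the doubled `esp=` and trailing backslash that appeared in the posted configs. The sample conn is constructed, and treating only `ikev2=no`/`never` as IKEv1-only is an assumption.

```python
import re

# Constructed sample conn carrying the slips seen in the thread (not a real config).
SAMPLE_CONF = """\
conn L2TP-PSK
    ikev2=no
    ike=aes_gcm256,aes256-sha1-modp1024\\
    esp=esp=aes256-sha256,aes256-sha1,3des-sha1
    authby=secret
"""

def parse_conns(text):
    """Parse 'conn NAME' sections: options are the indented lines under a header."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # column 0 starts a section; only conn matters here
            m = re.match(r"conn\s+(\S+)$", line)
            cur = conns.setdefault(m.group(1), {}) if m else None
        elif cur is not None:
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    return conns

def check_conn(opts):
    """Return findings for the IKEv1 L2TP/PSK pitfalls discussed in the thread."""
    findings = []
    # Assumption: "no"/"never" select IKEv1 only; anything else keeps the new IKEv2 default.
    ikev1_only = opts.get("ikev2", "yes") in ("no", "never")
    if not ikev1_only:
        findings.append("missing ikev2=no: the default is now IKEv2, so IKEv1 L2TP clients are rejected")
    for key in ("ike", "esp"):
        if opts.get(key, "").endswith("\\"):
            findings.append(f"{key}= ends with a stray backslash")
    ike = opts.get("ike", "").rstrip("\\")
    if ikev1_only and any(p.startswith("aes_gcm") for p in ike.split(",")):
        findings.append("ike= uses AES-GCM, which IKEv1 supports for ESP only")
    esp = opts.get("esp", "")
    if esp.startswith("esp="):
        findings.append("esp= value starts with a second 'esp='")
        esp = esp[4:]
    # Integrity part of each ESP proposal, in preference order; sha256 is an alias of sha2_256.
    integs = [p.split("-")[1].replace("sha256", "sha2_256") if "-" in p else "" for p in esp.split(",")]
    first = {i: integs.index(i) for i in integs}
    if "sha2_256" in first and any(first.get(p, len(integs)) > first["sha2_256"] for p in ("sha2_512", "sha1")):
        findings.append("esp= offers sha2_256 before sha2_512/sha1; Android clients may fail")
    return findings
```

Running `check_conn` on each section from `parse_conns(open("/etc/ipsec.d/mything.conf").read())` reports an empty list for Paul's recommended esp= line with ikev2=no.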


Re: [Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW" [SOLVED]

2019-09-20 Thread Hugh Sparks

The Wizard Wooters got me close enough: I added these incantations:

    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1

Now Windows and iphone clients work perfectly.

I spent 10 hours on this before I gave up and asked a question. What a great 
group!

Thanks,

-Hugh Sparks


On 9/20/2019 4:05 PM, Hugh Sparks wrote:

I tried adding "ikev2=no" and got this error:

    Failed to add connection "L2TP-PSK": ike string error: IKE 
encryption algorithm 'aes_gcm256' is not supported by IKEv1


Perhaps closer...

Thanks again.


On 9/20/2019 3:39 PM, Paul Wouters wrote:

Add ikev2=no

The default changed from v1 to v2

Paul

Sent from my iPhone


On Sep 20, 2019, at 15:39, Hugh Sparks  wrote:

New list member here.

I have a server running Libreswan to allow iphone and Windows 
clients access to the office LAN. This has worked for many years.

(I never needed to join this list.)

Recently, I did three server upgrades in quick succession going from 
fedora 27 to fedora 30. Something along the way broke the

VPN service.

When either type of client tries to make a connection, I see this 
message in the server journal:


    pluto[16000]: packet from p.q.r.s:t: \
    initial Main Mode message received on a.b.c.d:500
    but no connection has been authorized with policy PSK+IKEV1_ALLOW


Working:

    Fedora 27 with libreswan-3.27-1.fc27.x86_64

Not working:

    Fedora 30 with libreswan-3.29-1.fc30.x86_64

This command shows everything [OK]

    ipsec verify

This command adds the connection with no errors reported:

    ipsec auto --add L2TP-PSK

Some configuration files:

/etc/ipsec.d/myvpn.conf:

    conn L2TP-PSK
    type=transport
    authby=secret
    pfs=no
    auto=add
    left=a.b.c.d
    right=%any
    leftprotoport=17/1701
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

    ("a.b.c.d" is the public IP address of my server)

/etc/ipsec.d/myvpn.secrets

    : PSK "some long key phrase"

I can send more files if necessary, but it appears that the 
connection process never gets past "pluto"


Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"

The client settings are for L2TP/IPSEC with PSK.

I have downloaded and searched the mailing list archives.
I found two threads, but none with any clear resolution.

All suggestions appreciated.


Thanks!










Re: [Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW"

2019-09-20 Thread Hugh Sparks

I tried adding "ikev2=no" and got this error:

Failed to add connection "L2TP-PSK": ike string error: IKE encryption 
algorithm 'aes_gcm256' is not supported by IKEv1

Perhaps closer...

Thanks again.


On 9/20/2019 3:39 PM, Paul Wouters wrote:

Add ikev2=no

The default changed from v1 to v2

Paul

Sent from my iPhone


On Sep 20, 2019, at 15:39, Hugh Sparks  wrote:

New list member here.

I have a server running Libreswan to allow iphone and Windows clients access to 
the office LAN. This has worked for many years.
(I never needed to join this list.)

Recently, I did three server upgrades in quick succession going from fedora 27 
to fedora 30. Something along the way broke the
VPN service.

When either type of client tries to make a connection, I see this message in 
the server journal:

pluto[16000]: packet from p.q.r.s:t: \
initial Main Mode message received on a.b.c.d:500
but no connection has been authorized with policy PSK+IKEV1_ALLOW

Working:

Fedora 27 with libreswan-3.27-1.fc27.x86_64

Not working:

Fedora 30 with libreswan-3.29-1.fc30.x86_64

This command shows everything [OK]

ipsec verify

This command adds the connection with no errors reported:

ipsec auto --add L2TP-PSK

Some configuration files:

/etc/ipsec.d/myvpn.conf:

conn L2TP-PSK
    type=transport
    authby=secret
    pfs=no
    auto=add
    left=a.b.c.d
    right=%any
    leftprotoport=17/1701
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

("a.b.c.d" is the public IP address of my server)

/etc/ipsec.d/myvpn.secrets

: PSK "some long key phrase"

I can send more files if necessary, but it appears that the connection process never gets 
past "pluto"

Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"

The client settings are for L2TP/IPSEC with PSK.

I have downloaded and searched the mailing list archives.
I found two threads, but none with any clear resolution.

All suggestions appreciated.


Thanks!








Re: [Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW"

2019-09-20 Thread Paul Wouters
Add ikev2=no 

The default changed from v1 to v2

Paul

Sent from my iPhone

> On Sep 20, 2019, at 15:39, Hugh Sparks  wrote:
> 
> New list member here.
> 
> I have a server running Libreswan to allow iphone and Windows clients access 
> to the office LAN. This has worked for many years.
> (I never needed to join this list.)
> 
> Recently, I did three server upgrades in quick succession going from fedora 
> 27 to fedora 30. Something along the way broke the
> VPN service.
> 
> When either type of client tries to make a connection, I see this message in 
> the server journal:
> 
>     pluto[16000]: packet from p.q.r.s:t: \
>     initial Main Mode message received on a.b.c.d:500
>     but no connection has been authorized with policy PSK+IKEV1_ALLOW
> 
> Working:
> 
>     Fedora 27 with libreswan-3.27-1.fc27.x86_64
> 
> Not working:
> 
>     Fedora 30 with libreswan-3.29-1.fc30.x86_64
> 
> This command shows everything [OK]
> 
>     ipsec verify
> 
> This command adds the connection with no errors reported:
> 
>     ipsec auto --add L2TP-PSK
> 
> Some configuration files:
> 
> /etc/ipsec.d/myvpn.conf:
> 
>     conn L2TP-PSK
>         type=transport
>         authby=secret
>         pfs=no
>         auto=add
>         left=a.b.c.d
>         right=%any
>         leftprotoport=17/1701
>         rightprotoport=17/%any
>         dpddelay=15
>         dpdtimeout=30
>         dpdaction=clear
> 
>     ("a.b.c.d" is the public IP address of my server)
> 
> /etc/ipsec.d/myvpn.secrets
> 
>     : PSK "some long key phrase"
> 
> I can send more files if necessary, but it appears that the connection 
> process never gets past "pluto"
> 
> Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"
> 
> The client settings are for L2TP/IPSEC with PSK.
> 
> I have downloaded and searched the mailing list archives.
> I found two threads, but none with any clear resolution.
> 
> All suggestions appreciated.
> 
> 
> Thanks!
> 
> 
> 


[Swan] After upgrade, "No connection has been authorized with policy PSK+IKEV1_ALLOW"

2019-09-20 Thread Hugh Sparks

New list member here.

I have a server running Libreswan to allow iphone and Windows clients access to 
the office LAN. This has worked for many years.
(I never needed to join this list.)

Recently, I did three server upgrades in quick succession going from fedora 27 
to fedora 30. Something along the way broke the
VPN service.

When either type of client tries to make a connection, I see this message in 
the server journal:

pluto[16000]: packet from p.q.r.s:t: \
initial Main Mode message received on a.b.c.d:500
but no connection has been authorized with policy PSK+IKEV1_ALLOW

Working:

Fedora 27 with libreswan-3.27-1.fc27.x86_64

Not working:

Fedora 30 with libreswan-3.29-1.fc30.x86_64

This command shows everything [OK]

ipsec verify

This command adds the connection with no errors reported:

ipsec auto --add L2TP-PSK

Some configuration files:

/etc/ipsec.d/myvpn.conf:

conn L2TP-PSK
    type=transport
    authby=secret
    pfs=no
    auto=add
    left=a.b.c.d
    right=%any
    leftprotoport=17/1701
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

("a.b.c.d" is the public IP address of my server)

/etc/ipsec.d/myvpn.secrets

: PSK "some long key phrase"

I can send more files if necessary, but it appears that the connection process never gets 
past "pluto"

Clients tested are "Windows 10 version 1903" and "iOS 12.4.1"

The client settings are for L2TP/IPSEC with PSK.

I have downloaded and searched the mailing list archives.
I found two threads, but none with any clear resolution.

All suggestions appreciated.


Thanks!


