<div dir="ltr"><div><div><div><div>Hi<br><br></div>Yes!!! that was a stupid mistake from me. Thanks for the pointer. I configured as below (ipsec.conf and ipsec.secrets) to make it work correctly (as far as the ike tunnel coming up without any issues...the quickmode tunnel is another issue which i will post separately for your kind help)<br>==============================================<br></div>ipsec.secrets on the server<br><br>#/etc/ipsec.secrets - strongSwan IPsec secrets file<br>#: PSK "123456789"<br>@<a href="http://vpnsrv1.svt.com">vpnsrv1.svt.com</a> clientgrp1 : PSK "123456789"<br>#@<a href="http://vpnsrv1.svt.com">vpnsrv1.svt.com</a> @<a href="http://remotclient.svt.com">remotclient.svt.com</a> : PSK "123456"<br>@<a href="http://vpnsrv2.svt.com">vpnsrv2.svt.com</a> @<a href="http://genclient.svt.com">genclient.svt.com</a> : PSK "123456"<br>user1 : XAUTH "config1234"<br>user2 : XAUTH "config1234"<br>user3 : XAUTH "config1234"<br>testuser1 : XAUTH "4iChxLT3"<br>testuser2 : XAUTH "ryftzG4A"<br><br>------------------------------------<br></div>ipsec.conf on the server<br>--------------------------------<br>#/etc/ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br> strictcrlpolicy=no<br> charondebug="ike 3, knl 3, cfg 3"<br> <br>conn %default<br> ikelifetime=8h<br> keylife=3h<br> rekeymargin=9m<br> keyingtries=1<br> mobike=no<br> dpddelay=30s<br> dpdtimeout=120s<br> dpdaction=clear<br><br>conn ezvpnclient1<br> aggressive=yes<br> left=10.232.90.116<br> leftsubnet=<a href="http://192.168.2.0/24,172.16.0.0/16">192.168.2.0/24,172.16.0.0/16</a><br> leftid=@<a href="http://vpnsrv1.svt.com">vpnsrv1.svt.com</a><br> leftauth=psk<br> modeconfig=push<br> right=%any<br> rightsourceip=<a href="http://192.168.219.0/24">192.168.219.0/24</a><br> rightauth=psk<br> rightauth2=xauth<br> keyexchange=ikev1<br> ike=aes256-sha1-modp1024<br> esp=aes128-sha1<br> auto=add<br><br>conn otherclients1<br> left=10.232.90.116<br> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br> leftid=@<a href="http://vpnsrv2.svt.com">vpnsrv2.svt.com</a><br> leftauth=psk<br> modeconfig=push<br> right=%any<br> rightsourceip=<a href="http://192.168.220.0/24">192.168.220.0/24</a><br> rightauth=psk<br> rightauth2=xauth<br> keyexchange=ikev1<br> ike=aes128-sha1-modp1024<br> esp=aes128-sha1<br> auto=add<br><br></div>- all other configs hold true as mentioned in my previous post<br><br><div>============================================<br><br><div><div>the addition of " leftid=@<a href="http://vpnsrv1.svt.com">vpnsrv1.svt.com</a>" and the mention of "clientgrp1" without @ prefix solved the "no peer config found" error when using with cisco-clients (using group-id authentication info)<br></div><div><br>>>Please note that Aggressive Mode PSK authentication is discouraged<br>>>because of its security issues<br><br>Yes..i agree with you completely, that aggressive-mode is not to be used if it can be helped. But i have to deploy a setup with a Strongswan_VPN_Server (on a Ubuntu/Fedora..whichever works effectively) for a number of VPN clients to connect to at the Corp-office. These clients are spread across Cisco-VPN-Client-v5.x, Cisco_AnyConnect_Ipsec_VPN Client, ShrewSoft_VPN Clients, some GreenBow Clients and some branches with Cisco_BranchRouters running EzVPN_Remote_Client. Now a major part of these clients use aggressive-mode with psk and xauth. So iam kind of stuck with no options in the short-term to migrate to main-mode only access.<br><br></div><div>thanks for your time and help<br><br></div><div>regards<br></div><div>rajiv<br><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 19, 2014 at 3:11 PM, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
> Nothing seems to be working with PSK (if i use RSA certificates for first<br>
> level auth ...then everything works as expected)<br>
<br>
> 13[NET] received packet: from 172.29.1.2[1293] to 1.1.1.30[500] (870 bytes)<br>
> 13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]<br>
> 13[IKE] received XAuth vendor ID<br>
> 13[IKE] received DPD vendor ID<br>
> 13[IKE] received FRAGMENTATION vendor ID<br>
> 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID<br>
> 13[IKE] received Cisco Unity vendor ID<br>
> 13[IKE] 172.29.1.2 is initiating a Aggressive Mode IKE_SA<br>
> 13[CFG] looking for XAuthInitPSK peer configs matching 1.1.1.30...172.29.1.2[clientgrp1]<br>
> 13[IKE] no peer config found<br>
<br>
Your client uses Aggressive Mode when using PSK authentication. You'll<br>
have to configure that in your configuration as well, using<br>
<br>
aggressive=yes.<br>
<br>
Please note that Aggressive Mode PSK authentication is discouraged<br>
because of its security issues, and is disabled by default in strongSwan<br>
as responder. You'll have to enable "weakSwan" mode by setting the<br>
i_dont_care_about_security_and_use_aggressive_mode_psk option, refer to<br>
[1] for details. You should do that only if you actually do not care<br>
about security, or if you really understand the implications.<br>
<br>
Regards<br>
Martin<br>
<br>
[1]<a href="https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf</a><br>
<br>
</blockquote></div><br></div></div>