<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px">
<p>Hi,</p>
<font face="Times New Roman">
</font>
<p>I am using the swanctl (command line interface) tool to configure the Charon daemon at the IKE Responder. I have commented out all the entries of the ipsec.conf and ipsec.secrets files (in the /etc directory). Here goes the configuration.</p>
<font face="Times New Roman">
</font>
<p>/etc/ipsec.secrets (IKE Responder end):</p>
<pre>@srv.strongswan.org %any : PSK 'strongSwan'</pre>
<font face="Times New Roman">
</font>
<p>/etc/swanctl/swanctl.conf (IKE Initiator end):</p>
<pre>connections {
    gw-gw {
        local_addrs  = 10.20.20.2
        remote_addrs = 10.20.20.1
        pools = abc

        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            net-net {
                #remote_ts = 50.0.0.1/8
                local_ts = 40.0.0.1/32
                start_action = none
                updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 1000m
                esp_proposals = aes128-sha1
            }
        }
        version = 2
        mobike = no
        reauth_time = 60m
        rekey_time = 20m
        proposals = aes128-sha1-modp1024
    }
}

secrets {
    ike-GW {
        secret = @srv.strongswan.org %any : PSK ‘strongSwan’
    }
}

# Section defining named pools.
pools {
    abc {
        addrs = 50.0.0.1/8
    }
}</pre>
<font face="Times New Roman">
</font>
<p>When I run the scenario, the CHILD_SA does not get established. I get an authentication failure message (on the IKE Initiator end). Here are the log messages.</p>
<font face="Times New Roman">
</font>
<pre>25[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (304 bytes)
25[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
25[IKE] 10.20.20.1 is initiating an IKE_SA
25[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
25[NET] sending packet: from 10.20.20.2[500] to 10.20.20.1[500] (312 bytes)
11[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (300 bytes)
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
11[IKE] received 1 cert requests for an unknown ca
11[CFG] looking for peer configs matching 10.20.20.2[srv.strongswan.org]...10.20.20.1[c2-r1.strongswan.org]
11[CFG] selected peer config 'gw-gw'
11[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c2-r1.strongswan.org', but MAC mismatched
11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</pre>
<font face="Times New Roman">
</font>
<p>But if I keep the following secret, i.e., @srv.strongswan.org %any : PSK 'strongSwan', in the ipsec.secrets file (at the IKE Responder end), then it works fine. Can anyone please suggest what might be wrong? Note that I have set dos_protection to no (in strongswan.conf) at both ends.</p>
<font face="Times New Roman">
</font>
<p>Regards,<br>
Chinmaya</p>
<font face="Times New Roman">
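<p>An added example (editor's code, not from the original post or from the strongSwan project): in swanctl.conf the value of <code>secret =</code> is the pre-shared key itself, so a whole ipsec.secrets line pasted there becomes a different key than the initiator's 'strongSwan'. The block recomputes the IKEv2 PSK AUTH value (RFC 7296 section 2.15, with prf-hmac-sha1 as the sha1 integrity algorithm in the aes128-sha1-modp1024 proposal implies) for both strings over constructed signed octets and shows the responder-side check failing, which is the condition the 'MAC mismatched' log line reports. The SIGNED_OCTETS bytes and the secrets-line parser are assumptions for illustration only.</p>

```python
import hashlib
import hmac
import re

KEY_PAD = b"Key Pad for IKEv2"          # fixed pad string from RFC 7296 section 2.15
QUOTES = "'\"\u2018\u2019"              # straight and typographic quotes around a PSK

# Constructed stand-in; real InitiatorSignedOctets = RealMessage1 | NonceR | prf(SK_pi, IDi')
SIGNED_OCTETS = b"constructed-initiator-signed-octets"

# The line that worked in the legacy /etc/ipsec.secrets ...
LEGACY_LINE = "@srv.strongswan.org %any : PSK 'strongSwan'"
# ... and the same text pasted verbatim as the swanctl.conf 'secret =' value.
SWANCTL_VALUE = "@srv.strongswan.org %any : PSK 'strongSwan'"


def parse_ipsec_secrets_line(line):
    """Split one ipsec.secrets PSK line into (selectors, secret).

    Hypothetical helper covering only the quoted 'PSK' form: the legacy
    format treats the text before ':' as identity selectors, not as key.
    """
    selectors, _, rest = line.partition(":")
    m = re.match(rf"\s*PSK\s+[{QUOTES}](.*)[{QUOTES}]\s*$", rest)
    if not m:
        raise ValueError("not a PSK line with a quoted secret")
    return selectors.split(), m.group(1)


def ikev2_psk_auth(shared_secret, signed_octets):
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>).

    prf is HMAC-SHA1 here, matching the sha1 integrity algorithm in the
    aes128-sha1-modp1024 IKE proposal.
    """
    inner = hmac.new(shared_secret, KEY_PAD, hashlib.sha1).digest()
    return hmac.new(inner, signed_octets, hashlib.sha1).digest()


def responder_check(initiator_secret, responder_secret, signed_octets=SIGNED_OCTETS):
    """True when the responder's recomputed AUTH equals the one the initiator sent."""
    received = ikev2_psk_auth(initiator_secret.encode(), signed_octets)
    expected = ikev2_psk_auth(responder_secret.encode(), signed_octets)
    return hmac.compare_digest(received, expected)   # constant-time comparison


if __name__ == "__main__":
    _, legacy_secret = parse_ipsec_secrets_line(LEGACY_LINE)
    print("legacy parser extracts the key:", repr(legacy_secret))
    print("swanctl uses the value as-is :", repr(SWANCTL_VALUE))
    print("AUTH matches (legacy) :", responder_check("strongSwan", legacy_secret))
    print("AUTH matches (swanctl):", responder_check("strongSwan", SWANCTL_VALUE))
    # swanctl form of the same key: secrets { ike-gw { secret = strongSwan } },
    # optionally restricted to peers with id = <identity> selectors.
```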
</font></div></body></html>