<div dir="ltr"><div><div><div><div>Hi<br><br></div>Can somebody take a look, advise, and suggest a solution to this issue I am facing?<br></div>Are there any other methods to employ to move ahead with solving this issue?<br><br></div>thank you<br></div>-rajiv<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Nov 15, 2015 at 10:37 PM, Rajiv Kulkarni <span dir="ltr"><<a href="mailto:rajivkulkarni69@gmail.com" target="_blank">rajivkulkarni69@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi<br><br></div>Just to set it right: there is a typo in the peer2 config. It should be 2.2.2.5 (and not 2.2.2.25; my mistake while copy-paste editing on the mail page).<br><br></div>thanks & regards<br></div>rajiv<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Nov 15, 2015 at 10:27 PM, Rajiv Kulkarni <span dir="ltr"><<a href="mailto:rajivkulkarni69@gmail.com" target="_blank">rajivkulkarni69@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi Strongswan Team<br><br></div>I know this kind of issue (hash mismatch) has been occurring for a long time with users who use PSK, and I know that generally it's due to a pre-shared-key mismatch between the peers. I double-checked all the reported issues and your advice on each of them. <br><br>But I am facing some different issue, I guess. I don't know...<br><br>Please kindly help and advise. As per my layman's observation, it's more to do with how the parsing of the "ipsec.secrets" file contents is done, or maybe the way the ID selectors are used or represented by strongswan. <br><br>I am unable to establish a simple S2S tunnel between 2 peers when one of the peers (peer1-DUT) has a specific type of config as shown below. 
<br><br>Here I have to use PSK (either for the road-warrior connection entry or for the l2tp-ipsec connection entries).<br><br></div><div>The tunnel is up and works if I remove both the road-warrior and the optional l2tp-ipsec connection entries on peer1; because of these entries the main S2S tunnel is not coming up and fails with the message in the subject field.<br></div><div><br></div>I have the very simple setup below, with the configs on each of the peers as shown:<br><br><br> [pc1]----[DUT](2.2.2.21)-------------(2.2.2.25)[PEER2]----[pc2]<br><a href="http://192.168.33.0/24" target="_blank">192.168.33.0/24</a> <site-to-site-tunnel> <a href="http://192.168.34.0/24" target="_blank">192.168.34.0/24</a><br><br>Note: peer1/DUT will always initiate the S2S tunnel. It also acts as a road-warrior server and an l2tp-server (and more, such as a pptp-server too).<br><br><br>------------------------------<br>Config on Peer1-GW (the DUT)<br>------------------------------<br><br>root@OpenWrt:/etc# <br>root@OpenWrt:/etc# cat ipsec.conf<br># /etc/ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br> strictcrlpolicy=no<br> charondebug="ike 4, dmn 4, chd 4, knl 3, cfg 3, net 3, esp 1, enc 4, lib 4, mgr 4"<br><br>conn %default<br> ikelifetime=3h<br> keylife=1h<br> mobike=no<br><br>conn topeergw1<br> aggressive=yes<br> left=2.2.2.21<br> leftid=<a href="http://dut1.ciscosbr.com" target="_blank">dut1.ciscosbr.com</a><br> leftsubnet=<a href="http://192.168.34.0/24" target="_blank">192.168.34.0/24</a><br> right=2.2.2.5<br> rightid=<a href="http://dut2.ciscosbr.com" target="_blank">dut2.ciscosbr.com</a><br> rightsubnet=<a href="http://192.168.33.0/24" target="_blank">192.168.33.0/24</a><br> leftauth=psk<br> rightauth=psk<br> type=tunnel<br> keyexchange=ikev1<br> ike=aes256-sha1-modp1536<br> esp=aes256-sha1-modp1536<br> auto=route<br> <br>conn c2s_GroupName1<br> aggressive=yes<br> left=2.2.2.21<br> leftid=2.2.2.21<br> leftsubnet=<a href="http://192.168.34.0/24" target="_blank">192.168.34.0/24</a><br> right=%any<br> rightid=keyid:GroupName1<br> rightsourceip=<a href="http://10.11.11.0/24" target="_blank">10.11.11.0/24</a><br> leftauth=psk<br> rightauth=psk<br> rightauth2=xauth<br> xauth=server<br> modeconfig=pull<br> type=tunnel<br> keyexchange=ikev1<br> auto=add<br>#<br>#conn l2tp-conns<br># aggressive=yes<br># left=%any<br># leftprotoport=17/1701<br># right=%any<br># rightprotoport=17/1701<br># leftauth=psk<br># rightauth=psk<br># type=transport<br># keyexchange=ikev1<br># auto=add<br>root@OpenWrt:/etc# <br>root@OpenWrt:/etc# <br><br>root@OpenWrt:/etc# cat ipsec.secrets<br># auto-generated config file from /tmp/etc/config/strongswan<br><a href="http://dut1.ciscosbr.com" target="_blank">dut1.ciscosbr.com</a> <a href="http://dut2.ciscosbr.com" target="_blank">dut2.ciscosbr.com</a> : PSK "123456789abc"<br>2.2.2.21 GroupName1 : PSK "config123abc"<br>user2 : XAUTH "config123"<br>#: PSK "hgdgfd$AKHKH$hfgdhsf$#$j6523"<br><br>root@OpenWrt:/etc# <br>================================================<br><br><br>-------------------------------------<br>Config on Peer2-GW (an Ubuntu-Linux PC)<br>-------------------------------------<br><br># /etc/ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br> strictcrlpolicy=no<br> charondebug="ike 4, dmn 4, chd 4, knl 3, cfg 3, net 3, esp 1, enc 4, lib 4, mgr 4"<br><br>conn %default<br> ikelifetime=3h<br> keylife=1h<br> mobike=no<br><br>conn topeergw1<br> aggressive=yes<br> left=2.2.2.25<br> leftid=<a href="http://dut2.ciscosbr.com" target="_blank">dut2.ciscosbr.com</a><br> leftsubnet=<a href="http://192.168.33.0/24" target="_blank">192.168.33.0/24</a><br> right=%any<br> rightid=<a href="http://dut1.ciscosbr.com" target="_blank">dut1.ciscosbr.com</a><br> rightsubnet=<a href="http://192.168.34.0/24" target="_blank">192.168.34.0/24</a><br> leftauth=psk<br> rightauth=psk<br> type=tunnel<br> keyexchange=ikev1<br> ike=aes256-sha1-modp1536<br> esp=aes256-sha1-modp1536<br> 
auto=add<br><br>root[/etc]# cat ipsec.secrets<br><a href="http://dut2.ciscosbr.com" target="_blank">dut2.ciscosbr.com</a> <a href="http://dut1.ciscosbr.com" target="_blank">dut1.ciscosbr.com</a> : PSK "123456789abc"<br>==========================================<br><br></div>Please find attached the logs of the IKE/IPsec transaction captured on both peers. Please take a look at the issue I am facing. I may be making a very simple mistake somewhere, but I am unable to find it. Please advise.<br><br></div><div>Also, any pointers on how the parsing of the "ipsec.secrets" file is done would help. Is it a top-down approach (in which case, why does it use the other PSK values in the file rather than the first one that should match)? Thanks in advance.<br><br></div><div>thank you<br></div><div>with regards<br></div><div>rajiv<br><br></div><div><br></div>thanks<br><div><div><div><div><br><br><br><div><br></div></div></div></div></div></div>
</blockquote></div><br></div>
</blockquote></div><br></div>
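The question at the end of the thread is whether ipsec.secrets is read top-down. As an added illustration (this is not code from the thread, and not strongSwan's own implementation), the Python model below shows a PSK being chosen by best match on the two IDs of the exchange rather than by line order. It assumes the following ranking: an entry with no selectors is a wildcard that matches any pair of IDs, an entry that names only one of the two IDs is still a candidate, a match on the remote ID outranks a match on the local ID, and among equal ranks the earlier line is kept. IDs are compared as plain strings, so ID types (address, FQDN, keyid:) are ignored, and the secrets text is a constructed copy of the DUT's file from the thread.

```python
"""Model of pre-shared-key selection from an ipsec.secrets file.

Added example for this thread, not strongSwan's own code. It models the
selection rule this example assumes: an entry with no selectors is a wildcard
that matches any pair of IDs, an entry naming only one of the two IDs is still
a candidate, and the best match wins regardless of where the line sits in the
file, with a match on the remote ID ranked above a match on the local ID.
Simplifications: a line is a comment only when it starts with '#', and IDs are
compared as plain strings, so ID types (fqdn, keyid:, address) are ignored.
"""
import re
from dataclasses import dataclass

NONE, ANY, EXACT = 0, 1, 2   # match quality of one selector side, best last

# Constructed copy of the DUT's ipsec.secrets as posted in the thread; the
# wildcard entry on line 5 stays commented out, as in the original.
DUT_SECRETS = '''\
# auto-generated config file from /tmp/etc/config/strongswan
dut1.ciscosbr.com dut2.ciscosbr.com : PSK "123456789abc"
2.2.2.21 GroupName1 : PSK "config123abc"
user2 : XAUTH "config123"
#: PSK "hgdgfd$AKHKH$hfgdhsf$#$j6523"
'''

# <selectors> : <kind> "<value>"   (the selector list may be empty)
LINE_RE = re.compile(r'^(?P<sel>[^:]*):\s*(?P<kind>\w+)\s+"(?P<val>[^"]*)"\s*$')


@dataclass(frozen=True)
class Secret:
    kind: str          # PSK, XAUTH, ...
    selectors: tuple   # IDs left of the colon; an empty tuple is a wildcard
    value: str
    line: int          # 1-based line number, used to show order is irrelevant


def parse_secrets(text):
    """Parse an ipsec.secrets-style text into Secret entries."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f'line {number}: cannot parse {raw!r}')
        entries.append(Secret(m['kind'], tuple(m['sel'].split()), m['val'], number))
    return entries


def match_quality(entry, local_id, remote_id):
    """Return (local_match, remote_match) for an entry's selectors."""
    if not entry.selectors:
        return ANY, ANY
    local = EXACT if local_id in entry.selectors else NONE
    remote = EXACT if remote_id in entry.selectors else NONE
    return local, remote


def select_psk(entries, local_id, remote_id):
    """Return the best-matching PSK entry, or None if nothing matches.

    Ranking is (remote_match, local_match), so an entry that names the peer
    beats one that names only ourselves, and a wildcard beats a local-only
    match. Ties keep the earlier line.
    """
    best, best_rank = None, (NONE, NONE)
    for entry in entries:
        if entry.kind != 'PSK':
            continue
        local, remote = match_quality(entry, local_id, remote_id)
        if local == NONE and remote == NONE:
            continue
        if (remote, local) > best_rank:
            best, best_rank = entry, (remote, local)
    return best


if __name__ == '__main__':
    entries = parse_secrets(DUT_SECRETS)
    # both FQDN IDs are named on line 2, so the site-to-site key is used
    print(select_psk(entries, 'dut1.ciscosbr.com', 'dut2.ciscosbr.com').line)
    # only the local address is named (line 3): still a candidate, and chosen
    print(select_psk(entries, '2.2.2.21', '2.2.2.5').line)
    # with the wildcard line active it becomes the fallback and outranks
    # the local-only match, but still loses to an entry naming both IDs
    with_wildcard = parse_secrets(DUT_SECRETS.replace('#: PSK', ': PSK'))
    print(select_psk(with_wildcard, '2.2.2.21', '2.2.2.5').line)
    print(select_psk(with_wildcard, 'dut1.ciscosbr.com', 'dut2.ciscosbr.com').line)
```

Run stand-alone it prints the line number chosen for each lookup (2, 3, 5, 2). The third lookup is the point of the model: when no entry names the remote ID that the daemon holds at lookup time, a partial match or a wildcard elsewhere in the file is used, which is one way a key other than the "expected" line ends up in the hash computation.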