<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi <br>
</p>
<p>I've tried modifying ipsec.secrets, with no change: I included "
and spaces around the colon.</p>
<p> MyPublicIPA MyPublicIPB : PSK "test1234"
</p>
<p> Thanks<br>
</p>
<br>
<div class="moz-cite-prefix">On 13/07/17 15:48, Marcos Gonzalez
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:820f030b-5123-99e7-957a-2acc5fc487dc@genomcore.com">Hi
<br>
<br>
I'm testing strongSwan to set up a VPN tunnel between two Debian
servers to
<br>
connect two environments over the internet. I'm using
these configs:
<br>
<br>
Node A:
<br>
Server with Public IP
<br>
<br>
Node B
<br>
Server with private IP with external NAT
<br>
<br>
Config A
<br>
/etc/ipsec.conf
<br>
config setup
<br>
charondebug="all"
<br>
uniqueids=yes
<br>
strictcrlpolicy=no
<br>
conn %default
<br>
<br>
conn ipsec-test
<br>
left=MyPublicIPA
<br>
leftid=MyPublicIPA
<br>
leftsourceip=MyPublicIPA
<br>
right=MyPublicIPB
<br>
rightid=MyPublicIPB
<br>
rightsubnet=10.0.1.0/24
<br>
ike=aes256-sha2_256-modp1024!
<br>
esp=aes256-sha2_256!
<br>
keyingtries=0
<br>
ikelifetime=1h
<br>
lifetime=8h
<br>
dpddelay=30
<br>
dpdtimeout=120
<br>
dpdaction=clear
<br>
authby=secret
<br>
auto=start
<br>
keyexchange=ikev2
<br>
type=tunnel
<br>
<br>
/etc/ipsec.secrets
<br>
<br>
MyPublicIPA MyPublicIPB : PSK test1234
<br>
<br>
Logs:
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[DMN] Starting IKE charon
daemon
<br>
(strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ca certificates
from
<br>
'/etc/ipsec.d/cacerts'
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading aa certificates
from
<br>
'/etc/ipsec.d/aacerts'
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ocsp signer
<br>
certificates from '/etc/ipsec.d/ocspcerts'
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading attribute
<br>
certificates from '/etc/ipsec.d/acerts'
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading crls from
<br>
'/etc/ipsec.d/crls'
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading secrets from
<br>
'/etc/ipsec.secrets'
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loaded IKE secret for
<br>
MyPublicIPB
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] loaded plugins: charon
aes
<br>
rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey
pkcs1
<br>
pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp
agent xcbc
<br>
hmac gcm attr kernel-netlink resolve socket-default stroke updown
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] unable to load 3 plugin
<br>
features (3 due to unmet dependencies)
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] dropped capabilities,
running
<br>
as uid 0, gid 0
<br>
Jul 13 15:30:06 vpnserver2 charon: 00[JOB] spawning 16 worker
threads
<br>
Jul 13 15:30:06 vpnserver2 charon: 11[CFG] received stroke: add
<br>
connection 'ipsec-test'
<br>
Jul 13 15:30:06 vpnserver2 charon: 11[CFG] added configuration
'ipsec-test'
<br>
Jul 13 15:30:06 vpnserver2 charon: 12[CFG] received stroke:
initiate
<br>
'ipsec-test'
<br>
Jul 13 15:30:06 vpnserver2 charon: 12[IKE] initiating IKE_SA
<br>
ipsec-test[1] to MyPublicIPB
<br>
Jul 13 15:30:06 vpnserver2 charon: 12[ENC] generating IKE_SA_INIT
<br>
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
<br>
Jul 13 15:30:06 vpnserver2 charon: 12[NET] sending packet: from
<br>
MyPublicIPA[500] to MyPublicIPB[500] (304 bytes)
<br>
Jul 13 15:30:06 vpnserver2 charon: 15[NET] received packet: from
<br>
MyPublicIPB[500] to MyPublicIPA[500] (312 bytes)
<br>
Jul 13 15:30:06 vpnserver2 charon: 15[ENC] parsed IKE_SA_INIT
response 0
<br>
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
<br>
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] remote host is behind
NAT
<br>
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] authentication of
<br>
'MyPublicIPA' (myself) with pre-shared key
<br>
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] establishing CHILD_SA
ipsec-test
<br>
Jul 13 15:30:06 vpnserver2 charon: 15[ENC] generating IKE_AUTH
request 1
<br>
[ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr
N(MOBIKE_SUP)
<br>
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
<br>
Jul 13 15:30:06 vpnserver2 charon: 15[NET] sending packet: from
<br>
MyPublicIPA[4500] to MyPublicIPB[4500] (288 bytes)
<br>
Jul 13 15:30:06 vpnserver2 charon: 06[NET] received packet: from
<br>
MyPublicIPB[4500] to MyPublicIPA[4500] (80 bytes)
<br>
Jul 13 15:30:06 vpnserver2 charon: 06[ENC] parsed IKE_AUTH
response 1 [
<br>
N(AUTH_FAILED) ]
<br>
Jul 13 15:30:06 vpnserver2 charon: 06[IKE] received
<br>
AUTHENTICATION_FAILED notify error
<br>
<br>
<br>
Config B:
<br>
<br>
/etc/ipsec.conf
<br>
config setup
<br>
charondebug="all"
<br>
uniqueids=yes
<br>
strictcrlpolicy=no
<br>
conn %default
<br>
<br>
conn ipsec-test
<br>
left=10.0.1.5
<br>
leftid=10.0.1.5
<br>
leftsubnet=10.0.1.0/24
<br>
right=MyPublicIPA
<br>
rightid=MyPublicIPA
<br>
ike=aes256-sha2_256-modp1024!
<br>
esp=aes256-sha2_256!
<br>
keyingtries=0
<br>
ikelifetime=1h
<br>
lifetime=8h
<br>
dpddelay=30
<br>
dpdtimeout=120
<br>
dpdaction=clear
<br>
authby=secret
<br>
auto=start
<br>
keyexchange=ikev2
<br>
type=tunnel
<br>
/etc/ipsec.secrets
<br>
MyPublicIPA : PSK test1234
<br>
<br>
Logs:
<br>
Jul 13 15:30:06 vpnserver charon: 16[NET] received packet: from
<br>
MyPublicIPA[500] to 10.0.1.5[500] (304 bytes)
<br>
Jul 13 15:30:06 vpnserver charon: 16[ENC] parsed IKE_SA_INIT
request 0 [
<br>
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
<br>
Jul 13 15:30:06 vpnserver charon: 16[IKE] MyPublicIPA is
initiating an
<br>
IKE_SA
<br>
Jul 13 15:30:06 vpnserver charon: 16[IKE] local host is behind
NAT,
<br>
sending keep alives
<br>
Jul 13 15:30:06 vpnserver charon: 16[ENC] generating IKE_SA_INIT
<br>
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
<br>
Jul 13 15:30:06 vpnserver charon: 16[NET] sending packet: from
<br>
10.0.1.5[500] to MyPublicIPA[500] (312 bytes)
<br>
Jul 13 15:30:06 vpnserver charon: 05[NET] received packet: from
<br>
MyPublicIPA[4500] to 10.0.1.5[4500] (288 bytes)
<br>
Jul 13 15:30:06 vpnserver charon: 05[ENC] parsed IKE_AUTH request
1 [
<br>
IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr
N(MOBIKE_SUP)
<br>
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
<br>
Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs
<br>
matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]
<br>
Jul 13 15:30:06 vpnserver charon: 05[CFG] no matching peer config
found
<br>
Jul 13 15:30:06 vpnserver charon: 05[IKE] peer supports MOBIKE
<br>
Jul 13 15:30:06 vpnserver charon: 05[ENC] generating IKE_AUTH
response 1
<br>
[ N(AUTH_FAILED) ]
<br>
Jul 13 15:30:06 vpnserver charon: 05[NET] sending packet: from
<br>
10.0.1.5[4500] to MyPublicIPA[4500] (80 bytes)
<br>
<br>
As you can see, it returns the same error on both sides. Any suggestion
where
<br>
the problem is?
<br>
<br>
Thanks!
<br>
<br>
</blockquote>
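<p>An added example, not part of this thread and not strongSwan's own code: a small Python checker that parses both nodes' conn sections and ipsec.secrets entries and reports the inconsistencies behind a "no matching peer config found" / AUTHENTICATION_FAILED exchange like the one quoted above. The config and secrets text inside it is constructed to mirror the two nodes in the thread (MyPublicIPA and MyPublicIPB are the thread's own placeholders); the PSK selection in psk_for is a simplified model of charon's lookup, not its actual implementation.</p>

```python
"""Consistency check for a strongSwan IKEv2 PSK site-to-site pair.

Added example; the conf/secrets text below is constructed to mirror
the two nodes quoted in the thread (MyPublicIPA/MyPublicIPB are the
thread's placeholders, not real addresses).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: node A (public IP) and node B (private IP behind NAT).
CONF_A = """
config setup
    charondebug="all"
conn ipsec-test
    left=MyPublicIPA
    leftid=MyPublicIPA
    right=MyPublicIPB
    rightid=MyPublicIPB
    rightsubnet=10.0.1.0/24
    authby=secret
    keyexchange=ikev2
"""
CONF_B = """
conn ipsec-test
    left=10.0.1.5
    leftid=10.0.1.5
    leftsubnet=10.0.1.0/24
    right=MyPublicIPA
    rightid=MyPublicIPA
    authby=secret
    keyexchange=ikev2
"""
SECRETS_A = 'MyPublicIPA MyPublicIPB : PSK "test1234"\n'
SECRETS_B = 'MyPublicIPA : PSK test1234\n'

Section = Dict[str, str]
SecretEntry = Tuple[List[str], str, str]  # (selector ids, type, secret)


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Parse the legacy ipsec.conf format into {"conn <name>": {key: value}}.
    '#' comments are stripped; 'config setup' is kept as a section as well."""
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if head:
            current = sections.setdefault(f"{head.group(1)} {head.group(2)}", {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text: str) -> List[SecretEntry]:
    """Parse lines of the form '<id> [<id> ...] : PSK <secret>'.
    An empty id list means %any. Surrounding double quotes are removed, so
    'PSK test1234' and 'PSK "test1234"' yield the same key (the 0x/0s
    encodings are not handled in this simplified parser)."""
    entries: List[SecretEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"no ':' separator in secrets line: {raw!r}")
        selector, rest = line.split(":", 1)
        m = re.match(r"^(\S+)\s+(.+)$", rest.strip())
        if not m:
            raise ValueError(f"malformed secret: {raw!r}")
        kind, secret = m.group(1), m.group(2).strip()
        if len(secret) >= 2 and secret[0] == secret[-1] == '"':
            secret = secret[1:-1]
        entries.append((selector.split(), kind, secret))
    return entries


def psk_for(entries: List[SecretEntry], local_id: str, peer_id: str) -> Optional[str]:
    """Pick the PSK for an ID pair: prefer an entry naming both ids, then one
    naming either, then a %any entry. Simplified model of charon's lookup."""
    best: Tuple[int, Optional[str]] = (-1, None)
    for ids, kind, secret in entries:
        if kind != "PSK":
            continue
        if ids:
            score = int(local_id in ids) + int(peer_id in ids)
            if score == 0:
                continue
        else:
            score = 0
        if score > best[0]:
            best = (score, secret)
    return best[1]


def check_pair(conf_a: str, conf_b: str, secrets_a: str, secrets_b: str,
               conn: str = "ipsec-test") -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    a = parse_ipsec_conf(conf_a)[f"conn {conn}"]
    b = parse_ipsec_conf(conf_b)[f"conn {conn}"]
    a_local, a_peer = a.get("leftid", a["left"]), a.get("rightid", a["right"])
    b_local, b_peer = b.get("leftid", b["left"]), b.get("rightid", b["right"])
    findings: List[str] = []
    # In IKEv2 the initiator sends IDr = its rightid; the responder only
    # matches a conn whose own (left) id equals that, otherwise charon logs
    # "no matching peer config found" and replies AUTHENTICATION_FAILED.
    if a_peer != b_local:
        findings.append(f"A expects peer id {a_peer!r} but B identifies as {b_local!r}")
    if b_peer != a_local:
        findings.append(f"B expects peer id {b_peer!r} but A identifies as {a_local!r}")
    key_a = psk_for(parse_ipsec_secrets(secrets_a), a_local, a_peer)
    key_b = psk_for(parse_ipsec_secrets(secrets_b), b_local, b_peer)
    if key_a is None:
        findings.append("A has no PSK entry covering this peer pair")
    if key_b is None:
        findings.append("B has no PSK entry covering this peer pair")
    if key_a is not None and key_b is not None and key_a != key_b:
        findings.append("PSK values differ between the two nodes")
    return findings


if __name__ == "__main__":
    for line in check_pair(CONF_A, CONF_B, SECRETS_A, SECRETS_B) or ["no inconsistencies found"]:
        print(line)
```

<p>Run as-is, the checker reports one finding: A's rightid=MyPublicIPB does not match B's leftid=10.0.1.5. That is what the B-side log shows, "looking for peer configs matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]" followed by "no matching peer config found": the responder only accepts a conn whose own ID equals the IDr the initiator asked for, so the PSK is never even compared. The quoting question raised in the reply is covered by the secrets parser, which treats PSK test1234 and PSK "test1234" as the same key; with B's leftid changed to MyPublicIPB the checker returns no findings.</p>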
<br>
</body>
</html>