[strongSwan-dev] IKEV2 PSK issues with strongswan 4.5.3

Ravikumar Chennaparapu ravikumar.ece at gmail.com
Fri Jan 11 08:32:48 CET 2013


Hi,

We are trying to establish 4 IKE tunnels as below:

         172.29.88.2...172.17.11.56,
         172.29.88.2...172.16.11.55,
         172.29.88.2...172.18.11.57,
         172.29.88.2...10.69.196.246

Initiator Configuration
------------------------------------------------------------------------------------------------------
PSKs in "ipsec.secrets" file

172.29.88.2 172.16.11.55 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"

172.29.88.2 172.17.11.56 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"

172.29.88.2 172.18.11.57 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"

172.29.88.2 10.69.196.246 : PSK
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"


Responder Configuration
------------------------------------------------------------------------------------------------------
PSKs in "ipsec.secrets" file


172.29.88.2 172.16.11.55 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"

172.29.88.2 172.17.11.56 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"

172.29.88.2 172.18.11.57 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
#172.29.88.2 10.69.196.246 : PSK
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"


In this case, none of the IKE tunnels gets established, due to a "MAC
mismatch" error on the responder.


14[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]

14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

14[IKE] 172.29.88.2 is initiating an IKE_SA

14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]

14[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]

15[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]

15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]

15[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]

15[CFG] selected peer config 'conn3'

15[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched

15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

15[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]

08[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]

08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

08[IKE] 172.29.88.2 is initiating an IKE_SA

08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]

08[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]

07[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]

07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]

07[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]

07[CFG] selected peer config 'conn3'

07[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched

07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

07[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]

10[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]

10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

10[IKE] 172.29.88.2 is initiating an IKE_SA

10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]

10[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]

09[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]

09[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]

09[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]

09[CFG] selected peer config 'conn3'
09[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched

If we uncomment the last line in the "ipsec.secrets" file on the responder, then
all IKE tunnels are established successfully. We think the initiator is only
using the last PSK for all the IKE tunnels, though a different PSK is
configured for each. Could you please help us here?

One more query: how do we find the PSK being used during IKE negotiations?

Thanks in advance.

BR,

Ravi
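The following is an added example and not code from the post or from strongSwan. It models how a PSK is chosen from an ipsec.secrets file for a (my ID, peer ID) pair and then computes the IKEv2 PSK AUTH value from RFC 7296 section 2.15, so the responder's "tried 3 shared keys ... but MAC mismatched" line can be reproduced offline. The four secrets are the ones quoted above (written as one logical line each); the scoring of selector matches (an ID listed literally beats a wildcard, an unknown ID matches everything weakly) is a simplified model of charon's lookup and is an assumption, as are the HMAC-SHA1 PRF and the placeholder used for the signed octets. When the peer's identity is not known at lookup time (`%any`), the model only flags that all four secrets tie; it does not claim to reproduce which one charon picks.

```python
"""Model of PSK selection from ipsec.secrets plus the IKEv2 PSK AUTH
computation (RFC 7296 section 2.15). Constructed example, not strongSwan
code; secrets are the ones from the post, everything else is assumed."""
import hashlib
import hmac
import re

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string, RFC 7296 section 2.15
ANY = "%any"
NONE, MATCH_ANY, EXACT = 0, 1, 2  # match quality of one requested ID

# `id1 id2 ... : PSK "secret"`; the whole entry must sit on one line here
_LINE = re.compile(r'^(?P<ids>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_secrets(text):
    """Return [(selector_ids, psk_bytes)] for every active PSK line.
    Lines starting with '#' are comments (how the responder in the post
    disabled its fourth secret); an empty selector list matches any IDs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("unparseable secrets line: %r" % raw)
        entries.append((m.group("ids").split(), m.group("psk").encode()))
    return entries


def match_level(requested, selector_ids):
    """Simplified scoring (assumption, not charon's exact code): unknown
    requested ID or empty selector -> weak match, ID listed literally ->
    strong match, listed %any -> weak match, otherwise not a candidate."""
    if not selector_ids or requested == ANY:
        return MATCH_ANY
    if requested in selector_ids:
        return EXACT
    if ANY in selector_ids:
        return MATCH_ANY
    return NONE


def lookup_psk(entries, me, other):
    """Candidate secrets for (my ID, peer ID), best first; the sort is
    stable, so equally good secrets keep file order."""
    candidates = []
    for ids, psk in entries:
        lm, lo = match_level(me, ids), match_level(other, ids)
        if NONE in (lm, lo):
            continue
        candidates.append((lm + lo, psk))
    candidates.sort(key=lambda c: c[0], reverse=True)
    return candidates


def is_tied(candidates):
    """True when two or more secrets share the best score, i.e. the file
    alone does not determine which PSK is used."""
    return len(candidates) > 1 and candidates[0][0] == candidates[1][0]


def prf(key, data):
    """Negotiated IKE PRF, taken to be PRF_HMAC_SHA1 for this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev2_psk_auth(psk, signed_octets):
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def responder_verify(entries, me, other, signed_octets, received_auth):
    """Try every candidate secret in turn, as the charon log shows.
    Returns (authenticated, keys_tried); False is the 'MAC mismatched' case."""
    tried = 0
    for _score, psk in lookup_psk(entries, me, other):
        tried += 1
        if hmac.compare_digest(ikev2_psk_auth(psk, signed_octets), received_auth):
            return True, tried
    return False, tried


# Secrets quoted in the post (constructed layout: one logical line each).
PSK_SHARED = "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
PSK_LAST = "A" * 64
INITIATOR_SECRETS = (
    '172.29.88.2 172.16.11.55 : PSK "%s"\n'
    '172.29.88.2 172.17.11.56 : PSK "%s"\n'
    '172.29.88.2 172.18.11.57 : PSK "%s"\n'
    '172.29.88.2 10.69.196.246 : PSK "%s"\n'
) % (PSK_SHARED, PSK_SHARED, PSK_SHARED, PSK_LAST)


def responder_secrets(last_enabled):
    """Responder file from the post, fourth line commented out or not."""
    lines = INITIATOR_SECRETS.splitlines()
    if not last_enabled:
        lines[3] = "#" + lines[3]
    return "\n".join(lines) + "\n"


def reproduce():
    """Walk through the reported scenario and return the observations."""
    signed = b"IKE_SA_INIT-request|Nr|MACedIDForI"  # constructed placeholder
    init = parse_secrets(INITIATOR_SECRETS)
    exact = lookup_psk(init, "172.29.88.2", "172.18.11.57")  # peer ID known
    tied = lookup_psk(init, "172.29.88.2", ANY)              # peer ID unknown
    auth = ikev2_psk_auth(PSK_LAST.encode(), signed)  # initiator uses last PSK
    # Responder looks up '%any' - '172.29.88.2', exactly as in its log line.
    commented = responder_verify(parse_secrets(responder_secrets(False)),
                                 ANY, "172.29.88.2", signed, auth)
    enabled = responder_verify(parse_secrets(responder_secrets(True)),
                               ANY, "172.29.88.2", signed, auth)
    return {"exact_candidates": len(exact), "tied_candidates": len(tied),
            "tie": is_tied(tied), "last_commented": commented,
            "last_enabled": enabled}


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(key, value)
```

With the peer identity known, only the line naming both addresses is eligible on the initiator; with it unknown, all four lines score the same and the choice is left to the implementation, which is the situation worth checking (for example by pinning `rightid` per connection) before suspecting the key material. On the responder side the model reproduces the log exactly: three eligible secrets, all identical, none matching an AUTH computed from the fourth one.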