[strongSwan-dev] IKEV2 PSK issues with strongswan 4.5.3

Ravikumar Chennaparapu ravikumar.ece at gmail.com
Thu Jan 17 11:57:35 CET 2013


Hi,

Could you please help here.

Thanks and Regards,
Ravi

On Fri, Jan 11, 2013 at 1:02 PM, Ravikumar Chennaparapu <
ravikumar.ece at gmail.com> wrote:

> Hi,
>
> We are trying to establish 4 IKE tunnels as below:
>
>          172.29.88.2...172.17.11.56,
>          172.29.88.2...172.16.11.55,
>          172.29.88.2...172.18.11.57,
>          172.29.88.2...10.69.196.246
>
> Initiator Configuration
>
> ------------------------------------------------------------------------------------------------------
> PSKs in "ipsec.secrets" file
>
> 172.29.88.2 172.16.11.55 : PSK
> "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
>
> 172.29.88.2 172.17.11.56 : PSK
> "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
>
> 172.29.88.2 172.18.11.57 : PSK
> "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
>
> 172.29.88.2 10.69.196.246 : PSK
> "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
>
> Responder Configuration
>
> ------------------------------------------------------------------------------------------------------
> PSKs in "ipsec.secrets" file
>
>
> 172.29.88.2 172.16.11.55 : PSK
> "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
>
> 172.29.88.2 172.17.11.56 : PSK
> "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
>
> 172.29.88.2 172.18.11.57 : PSK
> "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
> #172.29.88.2 10.69.196.246 : PSK
> "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
>
>
> In this case, none of the IKE tunnels get established, due to a "MAC
> mismatch" error on the responder.
>
>
> 14[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
>
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> 14[IKE] 172.29.88.2 is initiating an IKE_SA
>
> 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
>
> 14[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
>
> 15[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
>
> 15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
> N(EAP_ONLY) ]
>
> 15[CFG] looking for peer configs matching
> 172.18.11.57[%any]...172.29.88.2[172.29.88.2]
>
> 15[CFG] selected peer config 'conn3'
>
> 15[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC
> mismatched
>
> 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> 15[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
>
> 08[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
>
> 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> 08[IKE] 172.29.88.2 is initiating an IKE_SA
>
> 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
>
> 08[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
>
> 07[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
>
> 07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
> N(EAP_ONLY) ]
>
> 07[CFG] looking for peer configs matching
> 172.18.11.57[%any]...172.29.88.2[172.29.88.2]
>
> 07[CFG] selected peer config 'conn3'
>
> 07[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
>
> 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> 07[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
>
> 10[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
>
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> 10[IKE] 172.29.88.2 is initiating an IKE_SA
>
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
>
> 10[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
>
> 09[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
>
> 09[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
> N(EAP_ONLY) ]
>
> 09[CFG] looking for peer configs matching
> 172.18.11.57[%any]...172.29.88.2[172.29.88.2]
>
> 09[CFG] selected peer config 'conn3'
> 09[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
>
> If we uncomment the last line in the "ipsec.secrets" file on the responder,
> then all IKE tunnels are established successfully. We think the initiator is
> only using the last PSK for all the IKE tunnels, though different PSKs are
> configured for each. Could you please help us here.
>
> One more query: how to find the PSK being used during IKE negotiations?
>
> Thanks in advance.
>
> BR,
>
> Ravi
>
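Added example, not code from the strongSwan project or from the poster: a small Python checker for the two questions in the thread, worked from the configuration side. It parses ipsec.secrets-style PSK lines, lists which entries each peer can select for a given pair of identities, and compares the entry each side would rank first by a SHA-256 fingerprint rather than by printing the secret. The selector scoring (a line must match both identities, an exact identity beats %any, first matching line wins on ties) is a simplified model of strongSwan's matching and is an assumption, not its implementation; the secrets are constructed placeholders, while the log lines are the ones quoted above. Note that charon only logs how many candidate keys it tried ("tried 3 shared keys"), never the key itself, which is why comparing fingerprints on both hosts is the practical way to answer the second question.

```python
import hashlib
import re
from dataclasses import dataclass

# ipsec.secrets contents modelled on the two files in the post; the secrets are
# constructed placeholders, not the values from the thread.
INITIATOR_SECRETS = """\
172.29.88.2 172.16.11.55 : PSK "key-shared-abc"
172.29.88.2 172.17.11.56 : PSK "key-shared-abc"
172.29.88.2 172.18.11.57 : PSK "key-shared-abc"
172.29.88.2 10.69.196.246 : PSK "key-only-for-246"
"""
RESPONDER_SECRETS = """\
172.29.88.2 172.16.11.55 : PSK "key-shared-abc"
172.29.88.2 172.17.11.56 : PSK "key-shared-abc"
172.29.88.2 172.18.11.57 : PSK "key-shared-abc"
#172.29.88.2 10.69.196.246 : PSK "key-only-for-246"
"""
# charon log lines as quoted from the responder in the post
RESPONDER_LOG = """\
15[CFG] looking for peer configs matching 172.18.11.57[%any]...172.29.88.2[172.29.88.2]
15[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
07[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
09[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
"""


@dataclass(frozen=True)
class PskEntry:
    selectors: tuple  # identity selectors; an empty tuple matches any identity
    secret: str
    line_no: int


# Quoted secret, or a bare one that must not start with a quote, so an
# unterminated "..." (as on the initiator's last line in the post) is rejected.
_PSK_LINE = re.compile(
    r'^(?P<ids>.*?)\s*:\s*PSK\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^"\s]+))\s*$')


def parse_secrets(text):
    """Parse the PSK lines of an ipsec.secrets file; lines starting with '#' are comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _PSK_LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a well-formed PSK entry: {raw!r}")
        secret = m.group('quoted') if m.group('quoted') is not None else m.group('bare')
        entries.append(PskEntry(tuple(m.group('ids').split()), secret, n))
    return entries


def _match(identity, selector):
    """0 = no match, 1 = wildcard (%any) match, 2 = exact match."""
    if identity == '%any' or selector == '%any':
        return 1
    return 2 if identity == selector else 0


def score_entry(entry, local_id, remote_id):
    """Simplified model of strongSwan's selector matching (an assumption, not its
    code): both identities must match a selector, exact beats wildcard, 0 = no candidate."""
    if not entry.selectors:
        return 2
    best_local = max(_match(local_id, s) for s in entry.selectors)
    best_remote = max(_match(remote_id, s) for s in entry.selectors)
    return 0 if 0 in (best_local, best_remote) else best_local + best_remote


def rank_candidates(entries, local_id, remote_id):
    """(score, entry) pairs this side could use for the identity pair, best first."""
    scored = [(score_entry(e, local_id, remote_id), e) for e in entries]
    return sorted([t for t in scored if t[0] > 0], key=lambda t: (-t[0], t[1].line_no))


def psk_fingerprint(secret):
    """Short SHA-256 fingerprint, so two admins can compare keys without exchanging them."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def best_fingerprint(entries, local_id, remote_id):
    """Fingerprint of the entry ranked first for this side, or None if nothing matches."""
    ranked = rank_candidates(entries, local_id, remote_id)
    return psk_fingerprint(ranked[0][1].secret) if ranked else None


_MAC_MISMATCH = re.compile(r"^(?P<thread>\d+)\[IKE\] tried (?P<n>\d+) shared keys for "
                           r"'(?P<local>[^']*)' - '(?P<remote>[^']*)', but MAC mismatched")


def find_psk_failures(log_text):
    """(thread, keys_tried, local_id, remote_id) for each PSK MAC mismatch in a charon log."""
    hits = []
    for line in log_text.splitlines():
        m = _MAC_MISMATCH.match(line.strip())
        if m:
            hits.append((m.group('thread'), int(m.group('n')), m.group('local'), m.group('remote')))
    return hits


if __name__ == '__main__':
    init, resp = parse_secrets(INITIATOR_SECRETS), parse_secrets(RESPONDER_SECRETS)
    for peer in ('172.18.11.57', '10.69.196.246'):
        print(peer, best_fingerprint(init, '172.29.88.2', peer),
              best_fingerprint(resp, '%any', '172.29.88.2'))
    for hit in find_psk_failures(RESPONDER_LOG):
        print('PSK auth failure:', hit)
```

Two things the run makes visible. With the responder's local identity left as %any (as in the quoted "looking for peer configs matching 172.18.11.57[%any]" line), all three responder entries match the initiator equally well, which is exactly the "tried 3 shared keys" situation in the log; giving the responder a concrete local identity narrows that to a single entry. And for the 10.69.196.246 peer, the fingerprints differ between the two files, so a fingerprint comparison run on each host would locate the disagreeing entry without either admin having to read out the secret.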