[strongSwan] received AUTHENTICATION_FAILED notify error

Abbhishek Misra abhishekfishy2000 at gmail.com
Wed Mar 31 14:03:51 CEST 2010


Hey Andreas, Daniel, thanks a lot, I have it up now.

plm61:~ # ipsec up charontest
initiating IKE_SA charontest[1] to 9.182.176.56
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 9.182.176.61[500] to 9.182.176.56[500]
received packet: from 9.182.176.56[500] to 9.182.176.61[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of '9.182.176.61' (myself) with pre-shared key
establishing CHILD_SA charontest
generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) ]
sending packet: from 9.182.176.61[500] to 9.182.176.56[500]
received packet: from 9.182.176.56[500] to 9.182.176.61[500]
parsed IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) ]
authentication of '9.182.176.56' with pre-shared key successful
scheduling reauthentication in 10132s
maximum IKE_SA lifetime 10672s
IKE_SA charontest[1] established between 9.182.176.61[9.182.176.61]...9.182.176.56[9.182.176.56]
plm61:~ #
plm61:~ #
plm61:~ # ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 3 minutes, since Mar 31 22:45:19 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 hmac xcbc stroke kernel-netlink updown
Listening IP addresses:
  9.182.176.61
Connections:
  charontest:  9.182.176.61...9.182.176.56
  charontest:   local:  [9.182.176.61] uses pre-shared key authentication
  charontest:   remote: [9.182.176.56] uses any authentication
  charontest:   child:  dynamic === dynamic
Security Associations:
  charontest[1]: ESTABLISHED 86 seconds ago, 9.182.176.61[9.182.176.61]...9.182.176.56[9.182.176.56]
  charontest[1]: IKE SPIs: c2a4740954e41f44_i* a48a5549e9fb821c_r, pre-shared key reauthentication in 2 hours
  charontest[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  charontest{1}:  INSTALLED, TRANSPORT, ESP SPIs: c55aee0c_i c5bd7eb8_o
  charontest{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
  charontest{1}:   9.182.176.61/32 === 9.182.176.56/32


Below I'll list my configs.

plm61:~ # cat /etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        plutostart=no
        charondebug=all
        cachecrls=yes
        nat_traversal=yes

conn charontest
        left=9.182.176.61
        right=9.182.176.56
        type=transport
        keyexchange=ikev2
        mobike=no
        auto=add
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024

plm61:~ #
plm61:~ # cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

9.182.176.61 9.182.176.56 : PSK "abcdefg12345"
plm61:~ #

I see a connection with the same config on both machines, as well as with
the IPs of left and right reversed.

For now I'm happy, but maybe I'll have to look deeper at Daniel's
advice as I continue with my setup.

Thanks a lot everyone, will get back to you with more.

regards
Abhishek



