[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Aug 2 14:55:37 CEST 2011


Hi

>>The problem is not the secret, but that no config matches on your
>>responder. "leftid" defaults to "left" (172.17.10.10), but actually is
>>srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
I did just that: I used leftid=%any on the rw-server. But when I start ipsec
(ipsec start --nofork) on the machine with the load-tester plugin enabled, I still
get auth failed messages.

Meanwhile, on the server I get the following messages:
-----------------------------------------------------------------------------
28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]
28[CFG] selected peer config 'rw-server'
28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched
28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]
28[CFG] selected peer config 'rw-server'
28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched
28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]

-----------------------------------------------------------------------------

- On the rw-server, I am using the following setting in the "ipsec.secrets"
file:
: PSK "default-psk"

- and the ipsec.conf on the rw-server machine is as below:
-------------------------------------------------------------------------
[root@dvtpc1 etc]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        strictcrlpolicy=no
        crlcheckinterval=180
        plutostart=yes
        charonstart=yes
conn %default
        ikelifetime=60m
        keylife=30m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
conn rw-server
        left=172.17.10.10
        leftsubnet=192.168.20.0/24
        leftid=%any
        right=%any
        rightsourceip=10.3.0.0/16
        authby=psk
        keyexchange=ikev2
        type=tunnel
        auto=add
#
--------------------------------------------

- Both the rw-server (IP address 172.17.10.10/24, default gateway 172.17.10.253)
and the rw-client (load-tester plugin enabled, IP address 172.17.10.253/24,
default gateway 172.17.10.10) are connected back-to-back, and both run
strongSwan 4.5.2 on Fedora 13.


So where am I going wrong?
Thanks & regards,
Rajiv

On Tue, Aug 2, 2011 at 1:09 PM, Martin Willi <martin at strongswan.org> wrote:

>
>
> > 15[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]
> > 15[CFG] no matching peer config found
> > 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
>
> > conn rw-server
> >         left=172.17.10.10
> >         leftsubnet=192.168.20.0/24
> >         right=%any
>
> The problem is not the secret, but that no config matches on your
> responder. "leftid" defaults to "left" (172.17.10.10), but actually is
> srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
>
> Regards
> Martin
>
>
>
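The two responder-side signatures that appear in this thread both end in the same N(AUTH_FAILED) on the wire, so the initiator cannot tell them apart; only the responder's charon log can. The script below is an added example for this thread (not code from strongSwan or from either poster) that triages such a log: it correlates lines by charon's leading worker-thread number, captures the IDs from the "looking for peer configs matching" line, and classifies each generated AUTH_FAILED as an ID mismatch (Martin's "no matching peer config found", a leftid/rightid problem) or a PSK mismatch ("tried N shared key ... but MAC mismatched", a conn matched but the AUTH payload did not verify with the selected secret). The sample input is constructed from the log lines quoted in the thread, with wrapped lines joined; the log line format it assumes is the one shown there.

```python
"""Triage IKEv2 AUTH_FAILED responses in a strongSwan (charon) responder log.

Added example for this mailing-list thread; not strongSwan's own code.
Assumed log format (as quoted in the thread): "<thread>[<GROUP>] <message>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: one IKE_AUTH exchange from the responder log in the mail
# above, plus the three lines quoted from Martin's reply (thread 15).
SAMPLE_LOG = """\
28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]
28[CFG] selected peer config 'rw-server'
28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched
28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
15[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]
15[CFG] no matching peer config found
15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
# "looking for peer configs matching <local>[<local_id>]...<peer>[<peer_id>]"
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local>\S+?)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<peer>\S+?)\[(?P<peer_id>[^\]]*)\]")
SELECTED_RE = re.compile(r"selected peer config '(?P<conn>[^']*)'")
PSK_RE = re.compile(
    r"tried (?P<n>\d+) shared keys? for '(?P<a>[^']*)' - '(?P<b>[^']*)', "
    r"but MAC mismatched")
NO_CONFIG = "no matching peer config found"


@dataclass
class AuthFailure:
    thread: str
    local: str
    local_id: str
    peer: str
    peer_id: str
    conn: Optional[str]   # conn that matched, None if no config matched
    cause: str            # ID_MISMATCH, PSK_MISMATCH or UNKNOWN
    detail: str           # the log line that decided the cause


def triage(log: str) -> List[AuthFailure]:
    """Return one AuthFailure per 'generating ... N(AUTH_FAILED)' line.

    charon prefixes each line with its worker thread number, so the lines of a
    single IKE_AUTH exchange are correlated by that number.
    """
    pending: Dict[str, dict] = {}
    failures: List[AuthFailure] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        lk = LOOKUP_RE.search(msg)
        if lk:  # start of peer-config selection for this exchange
            pending[thread] = {**lk.groupdict(), "conn": None,
                               "cause": "UNKNOWN", "detail": ""}
            continue
        st = pending.get(thread)
        if st is None:
            continue
        sel = SELECTED_RE.search(msg)
        if sel:
            st["conn"] = sel.group("conn")
        elif NO_CONFIG in msg:
            st["cause"], st["detail"] = "ID_MISMATCH", msg
        elif PSK_RE.search(msg):
            st["cause"], st["detail"] = "PSK_MISMATCH", msg
        elif msg.startswith("generating") and "N(AUTH_FAILED)" in msg:
            failures.append(AuthFailure(thread=thread, **pending.pop(thread)))
    return failures


def hint(f: AuthFailure) -> str:
    """What to check on the responder for a given failure."""
    if f.cause == "ID_MISMATCH":
        return (f"no conn matched {f.local}[{f.local_id}] <- {f.peer}[{f.peer_id}]: "
                f"leftid defaults to left ({f.local}); set leftid={f.local_id} "
                f"(or leftid=%any) and make sure rightid accepts {f.peer_id}")
    if f.cause == "PSK_MISMATCH":
        return (f"conn '{f.conn}' matched, but the AUTH payload did not verify with "
                f"the PSK selected for '{f.local_id}' - '{f.peer_id}': the initiator "
                f"is using a different secret; compare ipsec.secrets on both peers "
                f"(selector IDs and the key itself)")
    return f"AUTH_FAILED on thread {f.thread} without a recognised cause: {f.detail}"


if __name__ == "__main__":
    for fail in triage(SAMPLE_LOG):
        print(f"[{fail.cause}] {hint(fail)}")
```

Run it against `ipsec start --nofork` output (or the charon log) on the responder; with the sample above it reports the thread-28 exchange as a PSK mismatch on conn 'rw-server' and the thread-15 exchange as an ID mismatch. Note that a retransmitted IKE_AUTH request, as in the mail's log, produces one failure record per response generated.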