[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Tue Aug 2 14:55:37 CEST 2011
Hi
>>The problem is not the secret, but that no config matches on your
>>responder. "leftid" defaults to "left" (172.17.10.10), but actually is
>>srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
I did just that, i used leftid=%any on the rw-server. But when i start the
ipsec (ipsec start --nofork) on the load-tester-plugin enabled m/c, i still
get auth failed messages.
Meanwhile on the server i get the following messages:
-----------------------------------------------------------------------------
28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org
]...172.17.10.253[c6-r1.strongswan.org]
28[CFG] selected peer config 'rw-server'
28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org',
but MAC mismatched
28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org
]...172.17.10.253[c6-r1.strongswan.org]
28[CFG] selected peer config 'rw-server'
28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org',
but MAC mismatched
28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
------------------------------------------------------------------------------------------
- On the rw-server, iam using the following setting in the "ipsec.secrets"
file
: PSK "default-psk"
- and the ipsec.conf on the rw-server m/c is as below:
-------------------------------------------------------------------------
[root at dvtpc1 etc]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
crlcheckinterval=180
plutostart=yes
charonstart=yes
conn %default
ikelifetime=60m
keylife=30m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn rw-server
left=172.17.10.10
leftsubnet=192.168.20.0/24
leftid=%any
right=%any
rightsourceip=10.3.0.0/16
authby=psk
keyexchange=ikev2
type=tunnel
auto=add
#
--------------------------------------------
- both the rw-server (with ipaddr 172.17.10.10/24, DGw-IP: 172.17.10.253)
and the rw-client (with load-tester-plugin enabled and with ipaddr
172.17.10.253/24, Dgw-ip: 172.17.10.10) are connected back-to-back and both
are running strongswan4.5.2 on Linux-Fedora13.
so where am i going wrong
thanks & regards
rajiv
On Tue, Aug 2, 2011 at 1:09 PM, Martin Willi <martin at strongswan.org> wrote:
>
>
> > 15[CFG] looking for peer configs matching 172.17.10.10[
> srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]
> > 15[CFG] no matching peer config found
> > 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
>
> > conn rw-server
> > left=172.17.10.10
> > leftsubnet=192.168.20.0/24
> > right=%any
>
> The problem is not the secret, but that no config matches on your
> responder. "leftid" defaults to "left" (172.17.10.10), but actually is
> srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
>
> Regards
> Martin
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110802/e2f60778/attachment.html>
More information about the Users
mailing list