[strongSwan] no psk found, but works on openswan

Andreas Steffen andreas.steffen at strongswan.org
Wed Jan 5 01:24:08 CET 2011


Hello Omar,

since only a single common PSK can be used with IKEv1 Main Mode
and dynamic IP addresses, why don't you just define

: PSK "temporal"

Regards

Andreas

On 01/05/2011 12:31 AM, Omar Armas wrote:
> Hi, I have a debian box with static public IP and remote sites using
> Sonicwall devices and want to establish a tunnel between them.
> I use PSK for auth and I have a case where the tunnel is established
> with Openswan, but not with Strongswan (which I'd prefer to use)
>
> This is my ipsec.conf:
>
> ----------
> version 2.0
> config setup
> plutodebug=all
> klipsdebug=all
> #charondebug=all
> nat_traversal=no
> #charonstart=yes
> #plutostart=yes
>
> conn %default
> type=tunnel
> leftsubnet=192.168.230.0/24
> left=LeftIP
> leftid=LeftP
> leftnexthop=LeftGW
> #keyexchange=ikev2
> leftsourceip=192.168.230.50
> authby=secret
>
> conn to-federalismo
> auth=esp
> ike=3des-sha1-modp1024!
> ikelifetime=28800s
> esp=null-sha1
> dpdaction=clear
> leftsourceip=192.168.230.1
> pfs=no
> keyingtries=1
> authby=secret
> #right=domain1.dyndns.org
> right=%any
> rightsubnet=192.168.110.0/24
> rightid=@domain1.dyndns.org
> auto=add
>
> include /etc/ipsec.d/examples/no_oe.conf
> ----------
>
>
> And ipsec.secrets:
>
> ------
> #@domain1.dyndns.org IPLocal : PSK "temporal"
> %anyIPLocal :PSK "temporal"
> ------
>
>
> Using exactly the same config files, the tunnel works with Openswan, but
> with Strongswan I get:
>
> "Jan  4 16:34:08 debian pluto[22010]: "to-federalismo"[3] IPRemote #3:
> Can't authenticate: no preshared key found for `IPLocal' and `%any'.
>   Attribute OAKLEY_AUTHENTICATION_METHOD"
>
> even though the ipsec.secrets file is confirmed with "ipsec
> rereadsecrets" successfully.
>
> If I change the right parameter to "right=domain1.dyndns.org"
> and uncomment the corresponding
> ipsec.secrets file, it works with Strongswan, but only for the first
> tunnel, the second (another sonicwall device with dyndns) fails to work.
> What can I do for Strongswan to accept the "right=%any" option? I tried
> enabling charon and didn't work either.
>
> Regards,
>
>
> Omar
>

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
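
Added example, not part of the original thread and not strongSwan or Openswan code: it carries out the RFC 2409 key derivation for pre-shared-key authentication to show why, in IKEv1 Main Mode, a responder facing a peer with a dynamic IP address can only fall back to one common PSK. The initiator's ID travels in message 5, which is encrypted under SKEYID_e, and SKEYID_e already depends on the PSK. The `select_psk` lookup, the `"%any"` dictionary key and all handshake values are constructed assumptions for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1, matching the sha1 in ike=3des-sha1-modp1024
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5: encryption key material for PSK authentication."""
    skeyid = prf(psk, ni + nr)                      # SKEYID = prf(PSK, Ni_b | Nr_b)
    shared = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, shared + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + shared + b"\x01")
    return prf(skeyid, skeyid_a + shared + b"\x02")

def select_psk(secrets, peer_ip):
    """Simplified model (assumption, not pluto's lookup code): before message 5
    is decrypted the responder knows only the peer's source IP, so an entry
    keyed by a peer ID cannot be matched; only an IP or catch-all entry can."""
    return secrets.get(peer_ip, secrets.get("%any"))

# Constructed handshake values (nonces, DH shared secret, cookies).
NI, NR = bytes(16), bytes(range(16))
G_XY = bytes(range(128))
CKY_I, CKY_R = b"I" * 8, b"R" * 8

def handshake_succeeds(responder_secrets, peer_ip, peer_psk):
    """True if both ends derive the same SKEYID_e, i.e. the responder
    would be able to decrypt message 5 and read the initiator's ID."""
    psk = select_psk(responder_secrets, peer_ip)
    if psk is None:
        return False                                # "no preshared key found"
    args = (NI, NR, G_XY, CKY_I, CKY_R)
    return hmac.compare_digest(skeyid_e(psk, *args), skeyid_e(peer_psk, *args))

if __name__ == "__main__":
    dynamic_ip = "203.0.113.7"                      # constructed, documentation range
    by_id = {"@domain1.dyndns.org": b"temporal"}    # keyed by an ID not yet readable
    catch_all = {"%any": b"temporal"}               # models ': PSK "temporal"'
    print(handshake_succeeds(by_id, dynamic_ip, b"temporal"))
    print(handshake_succeeds(catch_all, dynamic_ip, b"temporal"))
    # A second dynamic site with its own, different PSK cannot be served.
    print(handshake_succeeds(catch_all, dynamic_ip, b"site2-psk"))
```

Because every dynamic-IP peer must share the one catch-all secret in this mode, any site holding it can authenticate as any other.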



