[strongSwan] no connection has been authorized with policy=PSK

Ariel ariel at bidcactus.com
Mon Sep 12 22:36:25 CEST 2011


I'm setting up L2TP/IPSec on a Debian server for OSX clients and I am coming into a little trouble with the IPSec side with strongswan 4.5.2 (from the Debian testing repo).

My /etc/ipsec.conf
config setup
        charonstart=yes
        plutostart=yes
        nat_traversal=yes
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        charondebug=4

conn L2TP
        authby=psk
        pfs=no
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=72.14.xxx.xx
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add


My /etc/ipsec.secrets
72.14.xxx.xx    %any:     PSK   "password"


# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 72.14.xxx.xx:4500
000 interface eth0/eth0 72.14.xxx.xx:500
000 interface eth0:0/eth0:0 192.168.146.52:4500
000 interface eth0:0/eth0:0 192.168.146.52:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve 
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
000 
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 10 minutes, since Sep 12 16:07:23 2011
  malloc: sbrk 138668, mmap 0, used 135444, free 3224
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
Listening IP addresses:
  72.14.xxx.xx
  192.168.146.52
Connections:
        L2TP:  72.14.xxx.xx...%any
        L2TP:   local:  [72.14.xxx.xx] uses pre-shared key authentication
        L2TP:   remote: [%any] uses any authentication
        L2TP:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] 
Security Associations:
  none


When I try to do a VPN connection, it times out, in my OSX /var/log/ppp.log
Mon Sep 12 16:08:47 2011 : L2TP connecting to server 'domain.org' (72.14.xxx.xx)...
Mon Sep 12 16:08:47 2011 : IPSec connection started
Mon Sep 12 16:08:57 2011 : IPSec connection failed


On the Debian IPSec server in /var/log/pluto.log
added connection description "L2TP"
...
packet from 96.57.xxx.xx:500: initial Main Mode message received on 72.14.xxx.xx:500 but no connection has been authorized with policy=PSK


I can't help but feel like I am very close but missing something very basic.  With my configuration above, I don't see how there is "no connection has been authorized with policy=PSK" because `ipsec statusall` seems to be telling a different story.  But maybe I am reading it wrong.  Any advice?

-a
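The pluto.log line above reports an initial Main Mode (IKEv1) message, and the status output itself names pluto as the IKEv1 daemon and charon as the IKEv2 daemon, with the `keyexchange` setting in ipsec.conf deciding which of them loads a conn. The script below is an added example, not part of this thread: it parses a pasted `ipsec statusall` output to see which daemon lists a given conn and phrases the pluto rejection accordingly; the trimmed sample text, the regexes and the function names are the example's own assumptions.

```python
import re

# Constructed sample, trimmed from the `ipsec statusall` output and pluto.log line in the post.
STATUSALL = """\
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 
Status of IKEv2 charon daemon (strongSwan 4.5.2):
Connections:
        L2TP:  72.14.xxx.xx...%any
        L2TP:   local:  [72.14.xxx.xx] uses pre-shared key authentication
Security Associations:
  none
"""
PLUTO_LOG = ('packet from 96.57.xxx.xx:500: initial Main Mode message received '
             'on 72.14.xxx.xx:500 but no connection has been authorized with policy=PSK')

PLUTO_CONN = re.compile(r'^000 "([^"]+)":')   # pluto lists conns as: 000 "NAME": ...
CHARON_CONN = re.compile(r'^\s+([^\s:]+):')   # charon, under "Connections:":  NAME: ...
REJECT = re.compile(r'packet from (\S+):\d+: initial (\w+ Mode) .*policy=(\w+)')


def conns_per_daemon(status_text):
    """Return {'pluto': set, 'charon': set} of the conn names each daemon lists."""
    found = {'pluto': set(), 'charon': set()}
    in_charon_conns = False
    for line in status_text.splitlines():
        m = PLUTO_CONN.match(line)
        if m:
            found['pluto'].add(m.group(1))
        elif line.startswith('Connections:'):
            in_charon_conns = True
        elif in_charon_conns and not line.startswith((' ', '\t')):
            in_charon_conns = False      # next unindented heading ends the section
        elif in_charon_conns and CHARON_CONN.match(line):
            found['charon'].add(CHARON_CONN.match(line).group(1))
    return found


def diagnose(status_text, log_line, conn):
    """Relate a pluto 'no connection has been authorized' line to the loaded conns."""
    m = REJECT.search(log_line)
    if not m:
        return 'not a pluto "no connection has been authorized" message'
    peer, mode, policy = m.groups()
    loaded = conns_per_daemon(status_text)
    if conn in loaded['pluto']:
        return (f'pluto lists "{conn}" yet rejected {peer} ({mode}, policy={policy}): '
                'compare its authby/ike settings with the peer proposal and ipsec.secrets')
    where = 'only by charon (IKEv2)' if conn in loaded['charon'] else 'by neither daemon'
    return (f'{mode} from {peer} is IKEv1 and handled by pluto, but "{conn}" is loaded '
            f'{where}, so pluto has no conn to authorize with policy={policy}')
```

On the output pasted in the post, "L2TP" appears only under charon's Connections list and not as a `000 "L2TP":` line in pluto's section, which is the first thing to confirm before comparing proposals or secrets.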
