[strongSwan] no connection has been authorized with policy=PSK

Ariel ariel at bidcactus.com
Tue Sep 13 21:44:07 CEST 2011


You are awesome, that fixed my trouble.  Thank you very much for the help!

-a


On Sep 13, 2011, at 3:13 PM, Andreas Steffen wrote:

> Hello Ariel,
> 
> if you want an IKEv1 connection then please define
> 
>  keyexchange=ikev1
> 
> since ikev2 is the default.
> 
> Andreas
> 
> On 09/13/2011 08:35 PM, Ariel wrote:
>> I've updated my /etc/ipsec.conf to some more general settings:
>> conn L2TP
>>        authby=psk
>>        type=tunnel
>>        left=%defaultroute
>>        leftauth=psk
>>        leftnexthop=%defaultroute
>>        right=%any
>>        rightauth=psk
>>        auto=start
>> 
>> 
>> I am setting default authby to PSK (for IKEv1), and leftauth/rightauth both to PSK (for IKEv2, even though OSX seems to use IKEv1 only since pluto is picking up all connection attempts).  This conn definition should be catching *all* requests because left is defined as %defaultroute (ipsec.conf manpage says this means "any interface"), and right is defined as %any which means it can originate from any IP address.  With `ipsec statusall` I see:
>> Listening IP addresses:
>>  72.14.xxx.xx
>>  192.168.146.52
>> Connections:
>>        L2TP:  72.14.xxx.xx...%any
>>        L2TP:   local:  [72.14.xxx.xx] uses pre-shared key authentication
>>        L2TP:   remote: [%any] uses pre-shared key authentication
>>        L2TP:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp]
>> 
>> 
>> So it appears that it is properly identifying "left" as the local computer, and right as any remote host.  Both sides are hard set to using PSK.  But when I try to connect, in my pluto.log I still see:
>> packet from 96.57.xxx.xxx:500: initial Main Mode message received on 72.14.xxx.xx:500 but no connection has been authorized with policy=PSK
>> 
>> 
>> This... seems wrong.  Does no one have any advice, or maybe something I could look at for further debugging on my own?
>> 
>> -a
>> 
>> 
>> 
>> On Sep 12, 2011, at 4:36 PM, Ariel wrote:
>> 
>>> I'm setting up L2TP/IPSec on a Debian server for OSX clients and I am coming into a little trouble with the IPSec side with strongswan 4.5.2 (from the Debian testing repo).
>>> 
>>> My /etc/ipsec.conf
>>> config setup
>>>       charonstart=yes
>>>       plutostart=yes
>>>       nat_traversal=yes
>>>       plutodebug=all
>>>       plutostderrlog=/var/log/pluto.log
>>>       charondebug=4
>>> 
>>> conn L2TP
>>>       authby=psk
>>>       pfs=no
>>>       rekey=no
>>>       type=tunnel
>>>       esp=aes128-sha1
>>>       ike=aes128-sha-modp1024
>>>       left=72.14.xxx.xx
>>>       leftnexthop=%defaultroute
>>>       leftprotoport=17/1701
>>>       right=%any
>>>       rightprotoport=17/%any
>>>       rightsubnetwithin=0.0.0.0/0
>>>       auto=add
>>> 
>>> 
>>> My /etc/ipsec.secrets
>>> 72.14.xxx.xx    %any:     PSK   "password"
>>> 
>>> 
>>> # ipsec statusall
>>> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
>>> 000 interface lo/lo ::1:500
>>> 000 interface lo/lo 127.0.0.1:4500
>>> 000 interface lo/lo 127.0.0.1:500
>>> 000 interface eth0/eth0 72.14.xxx.xx:4500
>>> 000 interface eth0/eth0 72.14.xxx.xx:500
>>> 000 interface eth0:0/eth0:0 192.168.146.52:4500
>>> 000 interface eth0:0/eth0:0 192.168.146.52:500
>>> 000 %myid = '%any'
>>> 000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve 
>>> 000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
>>> 000 
>>> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>>> uptime: 10 minutes, since Sep 12 16:07:23 2011
>>> malloc: sbrk 138668, mmap 0, used 135444, free 3224
>>> worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
>>> loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
>>> Listening IP addresses:
>>> 72.14.xxx.xx
>>> 192.168.146.52
>>> Connections:
>>>       L2TP:  72.14.xxx.xx...%any
>>>       L2TP:   local:  [72.14.xxx.xx] uses pre-shared key authentication
>>>       L2TP:   remote: [%any] uses any authentication
>>>       L2TP:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] 
>>> Security Associations:
>>> none
>>> 
>>> 
>>> When I try to do a VPN connection, it times out, in my OSX /var/log/ppp.log
>>> Mon Sep 12 16:08:47 2011 : L2TP connecting to server 'domain.org' (72.14.xxx.xx)...
>>> Mon Sep 12 16:08:47 2011 : IPSec connection started
>>> Mon Sep 12 16:08:57 2011 : IPSec connection failed
>>> 
>>> 
>>> On the Debian IPSec server in /var/log/pluto.log
>>> added connection description "L2TP"
>>> ...
>>> packet from 96.57.xxx.xx:500: initial Main Mode message received on 72.14.xxx.xx:500 but no connection has been authorized with policy=PSK
>>> 
>>> 
>>> I can't help but feel like I am very close but missing something very basic.  With my configuration above, I don't see how there is "no connection has been authorized with policy=PSK" because `ipsec statusall` seems to be telling a different story.  But maybe I am reading it wrong.  Any advice?
>>> 
>>> -a
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
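Added example, not from the thread or from strongSwan itself: a small Python lint that parses an ipsec.conf in the layout quoted above and flags any conn that an IKEv1 PSK peer (such as the L2TP/IPsec client here) would need but that is left at the keyexchange=ikev2 default, which is the condition Andreas points out. The sample conn is constructed and uses RFC 5737 addresses.

```python
"""Lint an ipsec.conf for the failure in this thread: keyexchange defaults
to ikev2, so a conn without keyexchange=ikev1 is loaded only into charon and
pluto logs "no connection has been authorized with policy=PSK"."""

# Constructed sample modelled on the thread's conn (RFC 5737 addresses).
SAMPLE_CONF = """\
config setup
      plutostart=yes

conn L2TP
      authby=psk
      left=203.0.113.10
      leftprotoport=17/1701
      right=%any
      auto=add
"""

def parse_ipsec_conf(text):
    """Return {'config setup' | 'conn NAME': {key: value}}. Section headers
    start at column 0; their key=value lines are indented; '#' is a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # section header
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_ikev1_psk(sections):
    """Flag conns meant for IKEv1 PSK peers (authby=psk or the L2TP protoport)
    that sit at the ikev2 default and therefore never reach pluto."""
    findings = []
    for name, opts in sections.items():
        if not name.startswith("conn "):
            continue
        kx = opts.get("keyexchange", "ikev2")   # 4.5+ default; 'ike' means ikev2
        l2tp = opts.get("leftprotoport", "").startswith("17/1701")
        if (opts.get("authby") == "psk" or l2tp) and kx != "ikev1":
            findings.append(f"{name}: keyexchange={kx}, add keyexchange=ikev1")
    return findings

if __name__ == "__main__":
    for finding in check_ikev1_psk(parse_ipsec_conf(SAMPLE_CONF)):
        print(finding)
```

Appending keyexchange=ikev1 to the conn makes the lint come back clean, matching the fix that resolved the thread.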




