[strongSwan] How can I allow only specific IP use PSK auth?

Chopin Ngo consatan at gmail.com
Sat Apr 6 11:41:24 CEST 2013


Hi all,

With the config below, it works.

VPN Server strongswan 5.0.2
LAN IP: 192.168.100.200/24 (DG: 192.168.100.1)
WAN IP: 1.1.1.1

# /etc/ipsec.conf
config setup
conn psk
        auto = add
        authby = secret
        keyexchange = ike
        aggressive = yes
        modeconfig = push
        left = %defaultroute
        leftsubnet = 0.0.0.0/0
        leftauth = psk
        right = %any
        rightsourceip = 10.0.0.200
        rightauth = psk
        rightauth2 = xauth

# /etc/ipsec.secrets
user : XAUTH "pass"
: PSK "pass"

# /etc/strongswan.conf
charon {
        threads = 16
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}

VPN Client vpnc 0.5.3
LAN IP: 192.168.1.100/24 (DG: 192.168.1.1)
WAN IP: 2.2.2.2

# /etc/vpn/config
IPSec gateway 1.1.1.1
IPSec ID client
IPSec secret pass
IKE Authmode psk
Xauth username user
Xauth password pass


Now I want to allow only 2.2.2.2 to use this PSK auth, so I tried changing
ipsec.conf to
conn psk
        auto = add
        authby = secret
        keyexchange = ike
        aggressive = yes
        modeconfig = push
        left = %defaultroute
        leftsubnet = 0.0.0.0/0
        leftauth = psk
        right = 2.2.2.2
        rightsourceip = 10.0.0.200
        rightauth = psk
        rightauth2 = xauth

then restarted ipsec without changing anything on the client; when it connects
to the server, the response is
vpnc: response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)

and the server log shows
Apr  6 16:46:59 vpn charon: 08[NET] received packet: from 2.2.2.2[47894] to 192.168.100.200[500] (1282 bytes)
Apr  6 16:46:59 vpn charon: 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Apr  6 16:46:59 vpn charon: 08[IKE] received XAuth vendor ID
Apr  6 16:46:59 vpn charon: 08[IKE] received Cisco Unity vendor ID
Apr  6 16:46:59 vpn charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Apr  6 16:46:59 vpn charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  6 16:46:59 vpn charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr  6 16:46:59 vpn charon: 08[ENC] received unknown vendor ID: 27:f1:d6:32:df:a5:13:6f:72:25:aa:3f:6a:ef:a8:88
Apr  6 16:46:59 vpn charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Apr  6 16:46:59 vpn charon: 08[IKE] received DPD vendor ID
Apr  6 16:46:59 vpn charon: 08[IKE] 2.2.2.2 is initiating a Aggressive Mode IKE_SA
Apr  6 16:46:59 vpn charon: 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.100.200...2.2.2.2[client]
Apr  6 16:46:59 vpn charon: 08[IKE] no peer config found
Apr  6 16:46:59 vpn charon: 08[ENC] generating INFORMATIONAL_V1 request 2169293305 [ N(AUTH_FAILED) ]
Apr  6 16:46:59 vpn charon: 08[NET] sending packet: from 192.168.100.200[500] to 2.2.2.2[47894] (56 bytes)

I also tried changing ipsec.secrets to
user : XAUTH "pass"
192.168.100.200 2.2.2.2 : PSK "pass"

It responds with the same error.

How can I do this?
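As an added illustration (not part of the original post, and not strongSwan code), the script below parses the charon log entries quoted in the post and reduces each IKE_SA attempt to the selectors charon actually tried to match: the peer address, the identity the client presented (`client` here, from vpnc's `IPSec ID client`), the authentication class (`XAuthInitPSK`) and whether any conn was found. That `looking for ... peer configs matching local...remote[id]` line is the useful diagnostic: a conn only matches when both `right` and `rightid` cover the peer, and in ipsec.conf `rightid` defaults to the `right` address when it is not set, so a conn with `right = 2.2.2.2` and no `rightid` does not match a client that identifies itself as `client`. The sample log is the post's own entries rejoined one per line; the `selected peer config '...'` success message is an assumption (it does not appear in the post).

```python
import re

# Constructed sample: the charon entries quoted in the post above, one per line.
SAMPLE_LOG = """\
Apr  6 16:46:59 vpn charon: 08[NET] received packet: from 2.2.2.2[47894] to 192.168.100.200[500] (1282 bytes)
Apr  6 16:46:59 vpn charon: 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Apr  6 16:46:59 vpn charon: 08[IKE] received XAuth vendor ID
Apr  6 16:46:59 vpn charon: 08[IKE] 2.2.2.2 is initiating a Aggressive Mode IKE_SA
Apr  6 16:46:59 vpn charon: 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.100.200...2.2.2.2[client]
Apr  6 16:46:59 vpn charon: 08[IKE] no peer config found
Apr  6 16:46:59 vpn charon: 08[ENC] generating INFORMATIONAL_V1 request 2169293305 [ N(AUTH_FAILED) ]
Apr  6 16:46:59 vpn charon: 08[NET] sending packet: from 192.168.100.200[500] to 2.2.2.2[47894] (56 bytes)
"""

# "charon: 08[CFG] message" -> worker thread, log group, message text
ENTRY_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
INITIATING_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA")
# "looking for XAuthInitPSK peer configs matching <local>...<remote>[<id>]"
LOOKUP_RE = re.compile(
    r"^looking for (?P<auth>\w+) peer configs matching (?P<local>.+?)\.\.\.(?P<remote>.+?)\[(?P<id>[^\]]*)\]"
)
NOTIFY_RE = re.compile(r"\[ N\((?P<notify>[A-Z_]+)\) \]")
# Assumed success message (not in the post): the conn charon picked for the peer.
SELECTED_RE = re.compile(r"^selected peer config '(?P<name>[^']+)'")


def parse_charon_entries(text):
    """Return (thread, group, message) for every line that carries a charon entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.search(raw)
        if m:
            entries.append((m.group("thread"), m.group("group"), m.group("msg")))
    return entries


def analyze_ike_attempts(text):
    """Summarise each IKE_SA attempt: initiator, presented identity, the auth
    class charon searched for, and whether a conn matched."""
    attempts = []
    current = {}  # thread id -> attempt dict being filled by that worker
    for thread, _group, msg in parse_charon_entries(text):
        m = INITIATING_RE.match(msg)
        if m:
            current[thread] = {
                "remote": m.group("peer"), "mode": m.group("mode"),
                "auth_class": None, "local": None, "peer_id": None,
                "peer_config_found": None, "selected_conn": None, "notify": None,
            }
            attempts.append(current[thread])
            continue
        a = current.get(thread)
        if a is None:
            continue  # entry precedes any "is initiating" line on this thread
        m = LOOKUP_RE.match(msg)
        if m:
            a["auth_class"] = m.group("auth")
            a["local"] = m.group("local")
            a["peer_id"] = m.group("id")
            continue
        if msg == "no peer config found":
            a["peer_config_found"] = False
            continue
        m = SELECTED_RE.match(msg)
        if m:
            a["peer_config_found"] = True
            a["selected_conn"] = m.group("name")
            continue
        m = NOTIFY_RE.search(msg)
        if m:
            a["notify"] = m.group("notify")
    return attempts


def diagnose(attempt):
    """Explain a rejected attempt in terms of the conn selectors charon tried to match."""
    if attempt["peer_config_found"] is not False:
        return "conn '%s' matched" % attempt["selected_conn"]
    return (
        "%s Mode attempt from %s rejected (%s): no conn with right matching %s, "
        "rightid matching '%s' and %s authentication; rightid must cover the "
        "identity the client presents, not only its address"
        % (attempt["mode"], attempt["remote"], attempt["notify"] or "no notify",
           attempt["remote"], attempt["peer_id"], attempt["auth_class"])
    )


if __name__ == "__main__":
    for attempt in analyze_ike_attempts(SAMPLE_LOG):
        print(diagnose(attempt))
```

Run against a live `/var/log/daemon.log` (or `journalctl -u strongswan`) the same parser turns every `AUTH_FAILED` into a line naming the address and identity that failed to match, which is also a reasonable thing to alert on when a restricted PSK conn starts receiving attempts from addresses other than the one it was written for.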