[strongSwan] How can I allow only specific IP use PSK auth?

Andreas Steffen andreas.steffen at strongswan.org
Sat Apr 6 12:17:01 CEST 2013


Hi,

you have to add

  rightid=client

since this is the ID the peer is sending.

Regards

Andreas

On 04/06/2013 11:41 AM, Chopin Ngo wrote:
> Hi all,
> 
> Using the config below, it's working.
> 
> VPN Server strongswan 5.0.2
> LAN IP: 192.168.100.200/24 (DG: 192.168.100.1)
> WAN IP: 1.1.1.1
> 
> # /etc/ipsec.conf
> config setup
> conn psk
>         auto = add
>         authby = secret
>         keyexchange = ike
>         aggressive = yes
>         modeconfig = push
>         left = %defaultroute
>         leftsubnet = 0.0.0.0/0
>         leftauth = psk
>         right = %any
>         rightsourceip = 10.0.0.200
>         rightauth = psk
>         rightauth2 = xauth
> 
> # /etc/ipsec.secrets
> user : XAUTH "pass"
> : PSK "pass"
> 
> # /etc/strongswan.conf
> charon {
>         threads = 16
>         dns1 = 8.8.8.8
>         dns2 = 8.8.4.4
>         i_dont_care_about_security_and_use_aggressive_mode_psk = yes
> }
> 
> VPN Client vpnc 0.5.3
> LAN IP: 192.168.1.100/24 (DG: 192.168.1.1)
> WAN IP: 2.2.2.2
> 
> # /etc/vpn/config
> IPSec gateway 1.1.1.1
> IPSec ID client
> IPSec secret pass
> IKE Authmode psk
> Xauth username user
> Xauth password pass
> 
> 
> Now I want to allow only 2.2.2.2 to use this PSK auth. I tried changing
> ipsec.conf to
> conn psk
>         auto = add
>         authby = secret
>         keyexchange = ike
>         aggressive = yes
>         modeconfig = push
>         left = %defaultroute
>         leftsubnet = 0.0.0.0/0
>         leftauth = psk
>         right = 2.2.2.2
>         rightsourceip = 10.0.0.200
>         rightauth = psk
>         rightauth2 = xauth
> 
> then ran ipsec restart; the client was not changed at all. When it
> connected to the server, the response was
> vpnc: response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
> 
> and server log
> Apr  6 16:46:59 vpn charon: 08[NET] received packet: from 2.2.2.2[47894]
> to 192.168.100.200[500] (1282 bytes)
> Apr  6 16:46:59 vpn charon: 08[ENC] parsed AGGRESSIVE request 0 [ SA KE
> No ID V V V V V V V V ]
> Apr  6 16:46:59 vpn charon: 08[IKE] received XAuth vendor ID
> Apr  6 16:46:59 vpn charon: 08[IKE] received Cisco Unity vendor ID
> Apr  6 16:46:59 vpn charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
> Apr  6 16:46:59 vpn charon: 08[IKE] received
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Apr  6 16:46:59 vpn charon: 08[IKE] received
> draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Apr  6 16:46:59 vpn charon: 08[ENC] received unknown vendor ID:
> 27:f1:d6:32:df:a5:13:6f:72:25:aa:3f:6a:ef:a8:88
> Apr  6 16:46:59 vpn charon: 08[IKE] received
> draft-ietf-ipsec-nat-t-ike-00 vendor ID
> Apr  6 16:46:59 vpn charon: 08[IKE] received DPD vendor ID
> Apr  6 16:46:59 vpn charon: 08[IKE] 2.2.2.2 is initiating a Aggressive
> Mode IKE_SA
> Apr  6 16:46:59 vpn charon: 08[CFG] looking for XAuthInitPSK peer
> configs matching 192.168.100.200...2.2.2.2[client]
> Apr  6 16:46:59 vpn charon: 08[IKE] no peer config found
> Apr  6 16:46:59 vpn charon: 08[ENC] generating INFORMATIONAL_V1 request
> 2169293305 [ N(AUTH_FAILED) ]
> Apr  6 16:46:59 vpn charon: 08[NET] sending packet: from
> 192.168.100.200[500] to 2.2.2.2[47894] (56 bytes)
> 
> I tried changing ipsec.secrets to
> user : XAUTH "pass"
> 192.168.100.200 2.2.2.2 : PSK "pass"
> 
> It also responds with the same error.
> 
> How can I do this?
> 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
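Why the three ipsec.conf variants in this thread behave differently comes down to how charon selects a peer config: the remote address is checked against right, and the identity the peer sends (here "client", visible in the CFG log line) is checked against rightid, which defaults to right when it is not set. The following added example (not code from strongSwan or from either poster) models that selection in simplified form, parsing the lookup line from the quoted log; it assumes exact host matching, treats %any as a wildcard, and ignores ID types and subnets that the real matcher also considers.

```python
import re

# Constructed log line in the shape of the charon CFG line quoted in the thread.
LOG_LINE = ("Apr  6 16:46:59 vpn charon: 08[CFG] looking for XAuthInitPSK peer "
            "configs matching 192.168.100.200...2.2.2.2[client]")

# local...remote[remote_id] as charon prints it in the lookup line.
LOOKUP_RE = re.compile(r"peer configs matching (\S+)\.\.\.(\S+?)\[([^\]]+)\]")


def parse_lookup(line):
    """Return (local_ip, remote_ip, remote_id) from a charon peer-config lookup line."""
    m = LOOKUP_RE.search(line)
    if not m:
        raise ValueError("not a peer-config lookup line")
    return m.group(1), m.group(2), m.group(3)


def effective_rightid(conn):
    """strongSwan rule: rightid defaults to right, so right=2.2.2.2 implies rightid=2.2.2.2."""
    return conn.get("rightid", conn["right"])


def conn_matches(conn, remote_ip, remote_id):
    """Simplified peer-config selection: host match first, then identity match."""
    if conn["right"] not in ("%any", remote_ip):
        return False
    rid = effective_rightid(conn)
    return rid in ("%any", remote_id)


def select_conns(conns, line):
    """Names of the conns that would be found for the lookup described in `line`."""
    _local_ip, remote_ip, remote_id = parse_lookup(line)
    return [name for name, conn in conns.items() if conn_matches(conn, remote_ip, remote_id)]


# The three variants discussed in the thread (hypothetical conn names).
CONNS = {
    "psk_any": {"right": "%any"},                                   # original: matches
    "psk_ip_only": {"right": "2.2.2.2"},                            # rightid defaults to 2.2.2.2
    "psk_ip_and_id": {"right": "2.2.2.2", "rightid": "client"},     # the suggested fix
}

if __name__ == "__main__":
    for name, conn in CONNS.items():
        print(name, "matches" if select_conns({name: conn}, LOG_LINE) else "no peer config found")
```

The middle variant reproduces the "no peer config found" outcome from the quoted log, because the ID "client" sent by vpnc never equals the defaulted rightid of 2.2.2.2.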
