[strongSwan] How can I allow only specific IP use PSK auth?
Chopin Ngo
consatan at gmail.com
Sun Apr 7 05:05:18 CEST 2013
Hi,
THX!! Andreas Steffen.
I tried adding rightid = client to ipsec.conf, but it did not work for me.
I just changed ipsec.secrets to
user : XAUTH "pass"
2.2.2.2 : PSK "pass"
and it is working.
Thank you all the same!!
2013/4/6 Andreas Steffen <andreas.steffen at strongswan.org>
>
> Hi,
>
> you have to add
>
> rightid=client
>
> since this is the ID the peer is sending.
>
> Regards
>
> Andreas
>
> On 04/06/2013 11:41 AM, Chopin Ngo wrote:
> > Hi all,
> >
> > Using the config below, it's working.
> >
> > VPN Server strongswan 5.0.2
> > LAN IP: 192.168.100.200/24 (DG: 192.168.100.1)
> > WAN IP: 1.1.1.1
> >
> > # /etc/ipsec.conf
> > config setup
> >
> > conn psk
> >     auto = add
> >     authby = secret
> >     keyexchange = ike
> >     aggressive = yes
> >     modeconfig = push
> >     left = %defaultroute
> >     leftsubnet = 0.0.0.0/0
> >     leftauth = psk
> >     right = %any
> >     rightsourceip = 10.0.0.200
> >     rightauth = psk
> >     rightauth2 = xauth
> >
> > # /etc/ipsec.secrets
> > user : XAUTH "pass"
> > : PSK "pass"
> >
> > # /etc/strongswan.conf
> > charon {
> >     threads = 16
> >     dns1 = 8.8.8.8
> >     dns2 = 8.8.4.4
> >     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
> > }
> >
> > VPN Client vpnc 0.5.3
> > LAN IP: 192.168.1.100/24 (DG: 192.168.1.1)
> > WAN IP: 2.2.2.2
> >
> > # /etc/vpn/config
> > IPSec gateway 1.1.1.1
> > IPSec ID client
> > IPSec secret pass
> > IKE Authmode psk
> > Xauth username user
> > Xauth password pass
> >
> >
> > Now, I want to allow only 2.2.2.2 to use this PSK auth. I tried changing
> > ipsec.conf to
> > conn psk
> >     auto = add
> >     authby = secret
> >     keyexchange = ike
> >     aggressive = yes
> >     modeconfig = push
> >     left = %defaultroute
> >     leftsubnet = 0.0.0.0/0
> >     leftauth = psk
> >     right = 2.2.2.2
> >     rightsourceip = 10.0.0.200
> >     rightauth = psk
> >     rightauth2 = xauth
> >
> > then ran ipsec restart without changing anything on the client. When it
> > connects to the server, it responds with
> > vpnc: response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
> >
> > and the server log shows
> > Apr 6 16:46:59 vpn charon: 08[NET] received packet: from 2.2.2.2[47894] to 192.168.100.200[500] (1282 bytes)
> > Apr 6 16:46:59 vpn charon: 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
> > Apr 6 16:46:59 vpn charon: 08[IKE] received XAuth vendor ID
> > Apr 6 16:46:59 vpn charon: 08[IKE] received Cisco Unity vendor ID
> > Apr 6 16:46:59 vpn charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
> > Apr 6 16:46:59 vpn charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > Apr 6 16:46:59 vpn charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> > Apr 6 16:46:59 vpn charon: 08[ENC] received unknown vendor ID: 27:f1:d6:32:df:a5:13:6f:72:25:aa:3f:6a:ef:a8:88
> > Apr 6 16:46:59 vpn charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> > Apr 6 16:46:59 vpn charon: 08[IKE] received DPD vendor ID
> > Apr 6 16:46:59 vpn charon: 08[IKE] 2.2.2.2 is initiating a Aggressive Mode IKE_SA
> > Apr 6 16:46:59 vpn charon: 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.100.200...2.2.2.2[client]
> > Apr 6 16:46:59 vpn charon: 08[IKE] no peer config found
> > Apr 6 16:46:59 vpn charon: 08[ENC] generating INFORMATIONAL_V1 request 2169293305 [ N(AUTH_FAILED) ]
> > Apr 6 16:46:59 vpn charon: 08[NET] sending packet: from 192.168.100.200[500] to 2.2.2.2[47894] (56 bytes)
> >
> > I tried changing ipsec.secrets to
> > user : XAUTH "pass"
> > 192.168.100.200 2.2.2.2 : PSK "pass"
> >
> > It also responds with the same error.
> >
> > How can I do this?
> >
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
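The thread turns on two separate lookups that charon performs for an incoming IKEv1 XAuth/PSK peer: first it looks for a peer config whose right address and rightid match the address and the ID payload the peer sent (the "looking for XAuthInitPSK peer configs matching 192.168.100.200...2.2.2.2[client]" line), and only then does it look up a PSK in ipsec.secrets. The following Python is an added, simplified model of those two lookups written for this thread; it is not strongSwan code. It assumes (as labelled in the comments) that an unset rightid falls back to the right address, that a secrets line with no selector before the colon is a wildcard, and that the most specific matching secrets line wins. The scenario data is constructed from the configs quoted above; the helper names are hypothetical.

```python
"""Simplified model of how strongSwan 5.x (ipsec.conf / ipsec.secrets style)
chooses a peer config and a pre-shared key for an incoming IKEv1 peer.

Added illustration for the mailing-list thread; not strongSwan code.
ASSUMPTIONS: an unset rightid falls back to the right address (so right=2.2.2.2
implies rightid=2.2.2.2); a secrets line with no selector matches every peer;
the matching secrets line with the most selectors wins.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "%any"


@dataclass
class Conn:
    name: str
    right: str = ANY               # peer address selector (%any = wildcard)
    rightid: Optional[str] = None  # peer identity; see effective_rightid()

    def effective_rightid(self) -> str:
        # ASSUMPTION: unset rightid falls back to the right address.
        return self.rightid if self.rightid is not None else self.right


@dataclass
class Secret:
    selectors: List[str]  # IDs/addresses before the colon; empty = wildcard
    kind: str             # "PSK" or "XAUTH"
    value: str


def parse_secrets(text: str) -> List[Secret]:
    """Parse lines of the form `sel1 sel2 : PSK "key"`; comments and blanks skipped."""
    secrets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        sel_part, rest = line.split(":", 1)
        kind, _, quoted = rest.strip().partition(" ")
        secrets.append(Secret(sel_part.split(), kind, quoted.strip().strip('"')))
    return secrets


def _matches(selector: str, value: str) -> bool:
    return selector == ANY or selector == value


def select_conn(conns: List[Conn], peer_addr: str, peer_id: str) -> Optional[str]:
    """First conn whose right address AND effective rightid both match the peer.
    Returning None corresponds to the log line 'no peer config found'."""
    for c in conns:
        if _matches(c.right, peer_addr) and _matches(c.effective_rightid(), peer_id):
            return c.name
    return None


def select_psk(secrets: List[Secret], local_addr: str, peer_addr: str,
               peer_id: str) -> Optional[str]:
    """PSK whose selectors all name a known identity (local address, peer
    address or peer ID); an empty selector list is a wildcard."""
    known = {local_addr, peer_addr, peer_id}
    best, best_score = None, -1
    for s in secrets:
        if s.kind != "PSK":
            continue
        if all(sel == ANY or sel in known for sel in s.selectors):
            if len(s.selectors) > best_score:     # prefer the most specific line
                best, best_score = s.value, len(s.selectors)
    return best


SERVER = "192.168.100.200"
# Constructed from the thread: the original wildcard secrets and the pinned ones.
WILDCARD_SECRETS = 'user : XAUTH "pass"\n: PSK "pass"\n'
PINNED_SECRETS = 'user : XAUTH "pass"\n2.2.2.2 : PSK "pass"\n'


def run_scenarios() -> dict:
    """Replay the thread's configurations against a peer 2.2.2.2 sending ID 'client'
    and against a constructed stranger 3.3.3.3 sending the same ID."""
    open_conn = [Conn("psk")]                                   # right=%any
    pinned_conn = [Conn("psk", right="2.2.2.2")]                # rightid defaults to 2.2.2.2
    fixed_conn = [Conn("psk", right="2.2.2.2", rightid="client")]
    wild, pinned = parse_secrets(WILDCARD_SECRETS), parse_secrets(PINNED_SECRETS)
    return {
        "open_conn_matches": select_conn(open_conn, "2.2.2.2", "client"),
        "pinned_conn_without_rightid": select_conn(pinned_conn, "2.2.2.2", "client"),
        "pinned_conn_with_rightid": select_conn(fixed_conn, "2.2.2.2", "client"),
        "wildcard_psk_for_stranger": select_psk(wild, SERVER, "3.3.3.3", "client"),
        "pinned_psk_for_2.2.2.2": select_psk(pinned, SERVER, "2.2.2.2", "client"),
        "pinned_psk_for_stranger": select_psk(pinned, SERVER, "3.3.3.3", "client"),
    }


if __name__ == "__main__":
    for key, result in run_scenarios().items():
        print(f"{key}: {result}")
```

In this model the `right = 2.2.2.2` conn without a rightid fails exactly where the quoted log fails, because the ID payload carries `client` rather than the address; adding `rightid = client` makes the conn match again. On the secrets side, the wildcard `: PSK "pass"` line hands the same key to any peer that reaches the conn, while `2.2.2.2 : PSK "pass"` returns nothing for another address, which is the narrowing the original question asked for. Both checks are independent, so pinning only one of them leaves the other wide open.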