[strongSwan] no connection has been authorized with policy=PSK
Andreas Steffen
andreas.steffen at strongswan.org
Sun Dec 22 17:04:24 CET 2013
Hi Stefano,
I see that your peer is behind a NAT router

  packet from 2.40.85.224:7076

so that the IKE source port got translated from UDP 500
to 7076, but you defined

  nat_traversal=no

which does not allow your source port to float.
Thus please enable

  nat_traversal=yes

and if you want to set up a strongSwan-strongSwan connection
rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.
Regards
Andreas
On 22.12.2013 14:53, Bonato, Stefano wrote:
> Hi!
>
> I have a strange situation ... a PSK error:
>
> “but no connection has been authorized with policy=PSK”
>
> THANKS A LOT FOR ANY suggestion …
>
> Steve.
> Stefano.Bonato at hp.com
>
> AUTH.LOG:
>
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
>
> AUTH.LOG
>
> Dec 22 13:48:25 vpn-steve-gw ipsec_starter[5637]: Starting strongSwan 4.5.2 IPsec [starter]...
> Dec 22 13:48:25 vpn-steve-gw sudo: pam_unix(sudo:session): session closed for user root
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: listening on interfaces:
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: eth0
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: 192.168.13.3
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: fe80::f816:3eff:fe3a:9677
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Dec 22 13:48:25 vpn-steve-gw ipsec_starter[5655]: pluto (5656) started after 20 ms
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: no token present in slot 18446744073709551615
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: Changing to directory '/etc/ipsec.d/crls'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: spawning 4 worker threads
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: listening for IKE messages
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: adding interface eth0/eth0 192.168.13.3:500
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: adding interface lo/lo 127.0.0.1:500
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: adding interface lo/lo ::1:500
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading secrets from "/etc/ipsec.secrets"
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loaded PSK secret for 2.40.85.224 15.126.251.57 192.168.13.3 192.168.0.4
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: added connection description "steve"
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
>
> IPSEC.CONF:
>
> config setup
>         # interfaces="ipsec0=eth0"
>         plutodebug=none
>         # plutodebug=all
>         crlcheckinterval=180s
>         strictcrlpolicy=no
>         # cachecrls=yes
>         nat_traversal=no
>         charonstart=no
>         # charonstart=yes
>         plutostart=yes
>
> conn %default
>         type=tunnel
>         ikelifetime=28800s
>         keylife=86400s
>         rekeymargin=3m
>         keyingtries=%forever
>         dpdaction=clear
>         dpddelay=30s
>         keyexchange=ikev1
>         ike=3des-md5-modp1024
>         esp=3des-md5-modp1024
>         pfs=yes
>         compress=no
>         # authby=secret
>         auth=esp
>
> conn steve
>         authby=psk
>         leftauth=psk
>         rightauth=psk
>         type=tunnel
>         ikelifetime=28800s
>         keylife=86400s
>         rekeymargin=3m
>         keyingtries=%forever
>         keyexchange=ikev1
>         ike=3des-md5-modp1024
>         esp=3des-md5-modp1024
>         pfs=yes
>         compress=no
>         auth=esp
>         leftid=192.168.13.3
>         left=192.168.13.3
>         leftsubnet=192.168.13.0/24
>         leftsourceip=192.168.13.3
>         leftfirewall=no
>         rightid=2.40.85.224
>         right=2.40.85.224
>         rightsubnet=192.168.0.0/24
>         rightfirewall=no
>         rightsourceip=192.168.0.4
>         dpdaction=hold
>         dpddelay=60
>         dpdtimeout=500
>         auto=add
>
> Stefano Bonato
> ALM Managing Consultant
> HP Software Professional Services
> <http://www8.hp.com/us/en/software-solutions/software.html?compURI=1173876>
> Hewlett-Packard Company
> email: stefano.bonato at hp.com, phone: +39 348 8513451
> http://www.hp.com/
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
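The diagnosis in the reply above, turned into a repeatable log check (an added example, not code from the thread or from strongSwan): it parses pluto auth.log lines like those quoted, correlates the "policy=PSK" rejections with the peer's source port and with the nat_traversal setting in ipsec.conf, and reports when the port has floated away from UDP 500 while NAT-T is off. The sample log and config are constructed from the values in the post; treating an unset nat_traversal as "no" is an assumption.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the auth.log and ipsec.conf quoted in the thread
# (addresses and the floated port 7076 come from the post; the selection of lines is mine).
AUTH_LOG = """\
Dec 22 13:48:25 vpn-steve-gw pluto[5656]: including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loaded PSK secret for 2.40.85.224 15.126.251.57 192.168.13.3 192.168.0.4
Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
"""
IPSEC_CONF = """\
config setup
        nat_traversal=no
        plutostart=yes
"""

PACKET_RE = re.compile(r"pluto\[\d+\]: packet from (?P<ip>[\d.]+):(?P<port>\d+): (?P<msg>.*)$")
NATT_PATCH_RE = re.compile(r"including NAT-Traversal patch .*\[(?P<state>enabled|disabled)\]")
PSK_SECRET_RE = re.compile(r"loaded PSK secret for (?P<ids>.*)$")
REJECT = "no connection has been authorized with policy=PSK"
IKE_PORT = 500  # with nat_traversal=no, pluto only matches a peer that still sends from UDP 500


def analyse(log_text, conf_text):
    """Correlate policy=PSK rejections with the peer's source port and the NAT-T setting."""
    natt_state, psk_ids, rejected = None, set(), Counter()
    for line in log_text.splitlines():
        if m := NATT_PATCH_RE.search(line):
            natt_state = m.group("state")           # what pluto itself reports at startup
        elif m := PSK_SECRET_RE.search(line):
            psk_ids.update(m.group("ids").split())  # a PSK was loaded for these IDs
        elif (m := PACKET_RE.search(line)) and REJECT in m.group("msg"):
            rejected[(m.group("ip"), int(m.group("port")))] += 1
    conf = re.search(r"^\s*nat_traversal\s*=\s*(\w+)", conf_text, re.M)
    nat_traversal = conf.group(1) if conf else "no"  # assumption: unset behaves like "no"
    findings = []
    for (ip, port), count in sorted(rejected.items()):
        if port != IKE_PORT and nat_traversal != "yes":
            findings.append({"peer": ip, "port": port, "rejections": count,
                             "psk_loaded": ip in psk_ids,
                             "cause": "source port floated by NAT, but nat_traversal=no",
                             "fix": "set nat_traversal=yes under config setup and restart"})
    return {"natt_patch": natt_state, "nat_traversal": nat_traversal, "findings": findings}


if __name__ == "__main__":
    for f in analyse(AUTH_LOG, IPSEC_CONF)["findings"]:
        print(f"{f['peer']}:{f['port']} rejected {f['rejections']}x -> {f['cause']}; {f['fix']}")
```

A finding with psk_loaded set to True tells you the secret itself is not what is missing, which is exactly why the "policy=PSK" wording in this log is misleading.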