[strongSwan] no connection has been authorized with policy=PSK

Bonato, Stefano stefano.bonato at hp.com
Sun Dec 22 17:57:11 CET 2013


Thanks Andreas!

I need to use ikev1 ... :-( ... it's a requirement at this moment ... )

I use nat_traversal=yes ... but the answer has been practically the same ...

Steve

IPSEC.SECRETS

%any : PSK "abcd"

________________________________________________________________

IPSEC.CONF
config setup
        # interfaces="ipsec0=eth0"
        plutodebug=none
        # plutodebug=all
        crlcheckinterval=180s
        strictcrlpolicy=no
        # cachecrls=yes
        nat_traversal=yes
        charonstart=no
        # charonstart=yes
        plutostart=yes

conn %default
      type=tunnel
      ikelifetime=28800s
      keylife=86400s
      rekeymargin=3m
      keyingtries=%forever
      dpdaction=clear
      dpddelay=30s
      # keyexchange=ikev1
      # ike=3des-md5-modp1024
      # esp=3des-md5-modp1024
      # pfs=no
      # compress=no
      # authby=psk
      # authby=secret
      # auth=esp

conn steve
      authby=psk
      type=tunnel
      ikelifetime=28800s
      keylife=86400s
      rekeymargin=3m
      keyingtries=%forever
      keyexchange=ikev1
      ike=des-md5-modp1024
      esp=des-md5-modp1024
      pfs=no
      compress=no
      auth=esp
      leftid=192.168.13.3
      left=192.168.13.3
      leftsubnet=192.168.13.0/24
      leftsourceip=192.168.13.3
      leftfirewall=no
      rightid=2.40.85.224
      right=2.40.85.224
      rightsubnet=192.168.0.0/24
      rightfirewall=no
      rightsourceip=2.40.85.224
      dpdaction=hold
      dpddelay=60
      dpdtimeout=500
      auto=add


________________________________________________________________

Starting strongSwan 4.5.2 IPsec [starter]...
Dec 22 16:49:08 vpn-steve-gw sudo: pam_unix(sudo:session): session closed for user root
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening on interfaces:
Dec 22 16:49:08 vpn-steve-gw pluto[7597]:   eth0
Dec 22 16:49:08 vpn-steve-gw pluto[7597]:     192.168.13.3
Dec 22 16:49:08 vpn-steve-gw pluto[7597]:     fe80::f816:3eff:fe3a:9677
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
Dec 22 16:49:08 vpn-steve-gw pluto[7597]:   including NAT-Traversal patch (Version 0.6c)
Dec 22 16:49:08 vpn-steve-gw ipsec_starter[7596]: pluto (7597) started after 20 ms
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: no token present in slot 18446744073709551615
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ca certificates from '/etc/ipsec.d/cacerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading aa certificates from '/etc/ipsec.d/aacerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Changing to directory '/etc/ipsec.d/crls'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading attribute certificates from '/etc/ipsec.d/acerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: spawning 4 worker threads
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening for IKE messages
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:4500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:4500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo ::1:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading secrets from "/etc/ipsec.secrets"
Dec 22 16:49:08 vpn-steve-gw pluto[7597]:   loaded PSK secret for %any
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: added connection description "steve"
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [strongSwan]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [XAUTH]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [Dead Peer Detection]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [RFC 3947]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK

__________________________________________________

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: domenica 22 dicembre 2013 5:04
To: Bonato, Stefano; users at lists.strongswan.org
Subject: Re: [strongSwan] no connection has been authorized with policy=PSK

Hi Stefano,

I see that your peer is behind a NAT router

  packet from 2.40.85.224:7076

so that the IKE source port got translated from UDP 500
to 7076 but you defined

  nat_traversal=no

which does not allow your source port to float.

Thus please enable

  nat_traversal=yes

and if you want to set up a strongSwan-strongSwan connection
rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.

Regards

Andreas
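
Added example (not part of the thread, and not a strongSwan tool): a small Python checker that cross-checks the "packet from IP:PORT" lines of a pluto log against the nat_traversal setting in ipsec.conf. It covers both situations in this thread: the nat_traversal=no case Andreas diagnoses, where the peer's floated source port is the cause, and the nat_traversal=yes case of the later log, where the same "no connection has been authorized with policy=PSK" rejection can no longer be blamed on the NAT-T setting. The sample log lines and config fragments are constructed here from the values quoted in the thread, and the function names are assumptions of this example.

```python
import re

# Constructed sample data, re-typed in the format of the pluto log and ipsec.conf
# quoted in the thread; the addresses and ports are the ones the thread shows.
SAMPLE_LOG = """\
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:4500
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [RFC 3947]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
"""

SAMPLE_CONF_NO_NATT = """\
config setup
        # plutodebug=all
        nat_traversal=no
        plutostart=yes

conn steve
      authby=psk
      keyexchange=ikev1
      right=2.40.85.224
"""

# Same config with NAT traversal switched on, as in the second attempt in the thread.
SAMPLE_CONF_NATT = SAMPLE_CONF_NO_NATT.replace("nat_traversal=no", "nat_traversal=yes")

# pluto tags messages from a peer it has not matched to a conn as 'packet from <ip>:<port>:'.
PACKET_RE = re.compile(r"pluto\[\d+\]: packet from (?P<ip>[0-9.]+):(?P<port>\d+):")
NO_CONN_RE = re.compile(r"no connection has been authorized with policy=(?P<policy>\w+)")
IKE_PORTS = {500, 4500}  # the only source ports an un-NATed IKE peer uses


def parse_setup(conf_text):
    """Return the key=value pairs of the 'config setup' section of an ipsec.conf."""
    setup = {}
    in_setup = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("config setup"):
            in_setup = True
        elif line.startswith("conn "):
            in_setup = False
        elif in_setup and "=" in line:
            key, value = line.split("=", 1)
            setup[key.strip()] = value.strip()
    return setup


def floated_peers(log_text):
    """Map peer IP -> sorted list of source ports other than 500/4500 seen in 'packet from' lines."""
    ports = {}
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m and int(m.group("port")) not in IKE_PORTS:
            ports.setdefault(m.group("ip"), set()).add(int(m.group("port")))
    return {ip: sorted(p) for ip, p in ports.items()}


def rejected_policies(log_text):
    """Map peer IP -> set of policies named in 'no connection has been authorized' lines."""
    out = {}
    for line in log_text.splitlines():
        pm, nm = PACKET_RE.search(line), NO_CONN_RE.search(line)
        if pm and nm:
            out.setdefault(pm.group("ip"), set()).add(nm.group("policy"))
    return out


def check_nat_traversal(conf_text, log_text):
    """Cross-check floated peers against the nat_traversal setting; return a list of findings."""
    natt_on = parse_setup(conf_text).get("nat_traversal", "no").lower() == "yes"
    rejected = rejected_policies(log_text)
    findings = []
    for ip, ports in floated_peers(log_text).items():
        where = (f"peer {ip} sends IKE from UDP {','.join(map(str, ports))}, "
                 f"so a NAT sits between the peers")
        if not natt_on:
            findings.append(f"{where}; nat_traversal=no refuses the floated port: set nat_traversal=yes")
        elif ip in rejected:
            policies = "/".join(sorted(rejected[ip]))
            findings.append(f"{where}; nat_traversal=yes already permits the port float, so the "
                            f"'policy={policies}' rejection is not caused by the nat_traversal setting")
        else:
            findings.append(f"{where}; nat_traversal=yes handles the port float")
    return findings


if __name__ == "__main__":
    for conf in (SAMPLE_CONF_NO_NATT, SAMPLE_CONF_NATT):
        for finding in check_nat_traversal(conf, SAMPLE_LOG):
            print(finding)
```

Run against a real system, the two inputs are /etc/ipsec.conf and the pluto lines from syslog; the checker only reads them and prints findings. A peer that shows up with a source port other than 500 or 4500 is, as Andreas notes, behind a NAT, and nat_traversal=yes is the prerequisite for pluto to accept it; if the rejection persists with NAT-T on, the port is no longer the reason and the conn definition and secrets are the next place to look.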