[strongSwan] no connection has been authorized with policy=PSK
Andreas Steffen
andreas.steffen at strongswan.org
Sun Dec 22 19:09:20 CET 2013
Arghhh! Are you sure that pluto supports single DES encryption
(at least without the exclamation mark)?
On 22.12.2013 17:57, Bonato, Stefano wrote:
> Thanks Andreas !
>
> I need to use ikev1 ... :-( ... it's a requirement at this moment ... )
>
>
>
> I use nat_traversal=yes ... but the answer has been practically the same ..
>
> Steve
>
>
>
> IPSEC.SECRETS
>
> %any : PSK "abcd"
>
> ________________________________________________________________
>
> IPSEC.CONF
>
> config setup
>
> # interfaces="ipsec0=eth0"
>
> plutodebug=none
>
> # plutodebug=all
>
> crlcheckinterval=180s
>
> strictcrlpolicy=no
>
> # cachecrls=yes
>
> nat_traversal=yes
>
> charonstart=no
>
> # charonstart=yes
>
> plutostart=yes
>
>
>
> conn %default
>
> type=tunnel
>
> ikelifetime=28800s
>
> keylife=86400s
>
> rekeymargin=3m
>
> keyingtries=%forever
>
> dpdaction=clear
>
> dpddelay=30s
>
> # keyexchange=ikev1
>
> # ike=3des-md5-modp1024
>
> # esp=3des-md5-modp1024
>
> # pfs=no
>
> # compress=no
>
> # authby=psk
>
> # authby=secret
>
> # auth=esp
>
>
>
> conn steve
>
> authby=psk
>
> type=tunnel
>
> ikelifetime=28800s
>
> keylife=86400s
>
> rekeymargin=3m
>
> keyingtries=%forever
>
> keyexchange=ikev1
>
> ike=des-md5-modp1024
>
> esp=des-md5-modp1024
>
> pfs=no
>
> compress=no
>
> auth=esp
>
> leftid=192.168.13.3
>
> left=192.168.13.3
>
> leftsubnet=192.168.13.0/24
>
> leftsourceip=192.168.13.3
>
> leftfirewall=no
>
> rightid=2.40.85.224
>
> right=2.40.85.224
>
> rightsubnet=192.168.0.0/24
>
> rightfirewall=no
>
> rightsourceip=2.40.85.224
>
> dpdaction=hold
>
> dpddelay=60
>
> dpdtimeout=500
>
> auto=add
>
>
>
> ________________________________________________________________
>
>
>
>
>
>
>
> Starting strongSwan 4.5.2 IPsec [starter]...
>
> Dec 22 16:49:08 vpn-steve-gw sudo: pam_unix(sudo:session): session
> closed for user root
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Starting IKEv1 pluto daemon
> (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening on interfaces:
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: eth0
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: 192.168.13.3
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: fe80::f816:3eff:fe3a:9677
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded plugins: test-vectors
> curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl
> gmp hmac xauth attr kernel-netlink resolve
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: including NAT-Traversal
> patch (Version 0.6c)
>
> Dec 22 16:49:08 vpn-steve-gw ipsec_starter[7596]: pluto (7597) started
> after 20 ms
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: no token present in slot
> 18446744073709551615
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ca certificates from
> '/etc/ipsec.d/cacerts'
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading aa certificates from
> '/etc/ipsec.d/aacerts'
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ocsp certificates from
> '/etc/ipsec.d/ocspcerts'
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Changing to directory
> '/etc/ipsec.d/crls'
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading attribute certificates
> from '/etc/ipsec.d/acerts'
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: spawning 4 worker threads
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening for IKE messages
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0
> 192.168.13.3:500
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0
> 192.168.13.3:4500
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo
> 127.0.0.1:500
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo
> 127.0.0.1:4500
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo ::1:500
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading secrets from
> "/etc/ipsec.secrets"
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded PSK secret for %any
>
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: added connection description
> "steve"
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [strongSwan]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [XAUTH]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [Dead Peer Detection]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [RFC 3947]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> *initial Main Mode message received on 192.168.13.3:500 but no
> connection has been authorized with policy=PSK*
>
>
>
> __________________________________________________
>
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: domenica 22 dicembre 2013 5:04
> To: Bonato, Stefano; users at lists.strongswan.org
> Subject: Re: [strongSwan] no connection has been authorized with policy=PSK
>
>
>
> Hi Stefano,
>
>
>
> I see that your peer is behind a NAT router
>
>
>
> packet from 2.40.85.224:7076
>
>
>
> so that the IKE source port got translated from UDP 500
>
> to 7076 but you defined
>
>
>
> nat_traversal=no
>
>
>
> which does not allow your source port to float.
>
>
>
> Thus please enable
>
>
>
> nat_traversal=yes
>
>
>
> and if you want to set up a strongSwan-strongSwan connection
>
> rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.
>
>
>
> Regards
>
>
>
> Andreas
>
>
>
>
>
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131222/de76b626/attachment.bin>
More information about the Users
mailing list