[strongSwan] no connection has been authorized with policy=PSK

Andreas Steffen andreas.steffen at strongswan.org
Sun Dec 22 19:09:20 CET 2013


Arghhh! Are you sure that pluto supports single DES encryption
(at least without the exclamation mark)?

On 22.12.2013 17:57, Bonato, Stefano wrote:
> Thanks Andreas !
> 
> I need to use ikev1 ... :-( ... it's a requirement at this moment ... )
> 
>  
> 
> I use nat_traversal=yes ... but the answer has been practically the same ..
> 
> Steve
> 
>  
> 
> IPSEC.SECRETS
> 
> %any : PSK "abcd"
> 
> ________________________________________________________________
> 
> IPSEC.CONF
> 
> config setup
>         # interfaces="ipsec0=eth0"
>         plutodebug=none
>         # plutodebug=all
>         crlcheckinterval=180s
>         strictcrlpolicy=no
>         # cachecrls=yes
>         nat_traversal=yes
>         charonstart=no
>         # charonstart=yes
>         plutostart=yes
> 
> conn %default
>       type=tunnel
>       ikelifetime=28800s
>       keylife=86400s
>       rekeymargin=3m
>       keyingtries=%forever
>       dpdaction=clear
>       dpddelay=30s
>       # keyexchange=ikev1
>       # ike=3des-md5-modp1024
>       # esp=3des-md5-modp1024
>       # pfs=no
>       # compress=no
>       # authby=psk
>       # authby=secret
>       # auth=esp
> 
> conn steve
>       authby=psk
>       type=tunnel
>       ikelifetime=28800s
>       keylife=86400s
>       rekeymargin=3m
>       keyingtries=%forever
>       keyexchange=ikev1
>       ike=des-md5-modp1024
>       esp=des-md5-modp1024
>       pfs=no
>       compress=no
>       auth=esp
>       leftid=192.168.13.3
>       left=192.168.13.3
>       leftsubnet=192.168.13.0/24
>       leftsourceip=192.168.13.3
>       leftfirewall=no
>       rightid=2.40.85.224
>       right=2.40.85.224
>       rightsubnet=192.168.0.0/24
>       rightfirewall=no
>       rightsourceip=2.40.85.224
>       dpdaction=hold
>       dpddelay=60
>       dpdtimeout=500
>       auto=add
> 
> ________________________________________________________________
> 
> Starting strongSwan 4.5.2 IPsec [starter]...
> Dec 22 16:49:08 vpn-steve-gw sudo: pam_unix(sudo:session): session closed for user root
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening on interfaces:
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]:   eth0
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]:     192.168.13.3
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]:     fe80::f816:3eff:fe3a:9677
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]:   including NAT-Traversal patch (Version 0.6c)
> Dec 22 16:49:08 vpn-steve-gw ipsec_starter[7596]: pluto (7597) started after 20 ms
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: no token present in slot 18446744073709551615
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Changing to directory '/etc/ipsec.d/crls'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: spawning 4 worker threads
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening for IKE messages
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:4500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:4500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo ::1:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading secrets from "/etc/ipsec.secrets"
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]:   loaded PSK secret for %any
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: added connection description "steve"
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [strongSwan]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [XAUTH]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [Dead Peer Detection]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [RFC 3947]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: *initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK*
> 
> __________________________________________________
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Sunday, 22 December 2013 5:04
> To: Bonato, Stefano; users at lists.strongswan.org
> Subject: Re: [strongSwan] no connection has been authorized with policy=PSK
> 
> Hi Stefano,
> 
> I see that your peer is behind a NAT router
> 
>   packet from 2.40.85.224:7076
> 
> so that the IKE source port got translated from UDP 500 to 7076 but you defined
> 
>   nat_traversal=no
> 
> which does not allow your source port to float.
> 
> Thus please enable
> 
>   nat_traversal=yes
> 
> and if you want to set up a strongSwan-strongSwan connection rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.
> 
> Regards
> 
> Andreas
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
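The two problems raised in this thread (a peer behind NAT with `nat_traversal=no`, and an `ike=`/`esp=` proposal built from single DES, MD5 and a 1024-bit MODP group) are both visible in the configuration file before the daemon ever logs a rejection. The following linter is an added example, not code from strongSwan or from either poster: it parses ipsec.conf-style text, merges `conn %default` into each conn the way the daemon does, and reports the weak or legacy settings. The sample configuration is constructed from the conn quoted above, and the list of tokens treated as weak is this example's own assumption, not strongSwan's proposal table.

```python
"""Lint ipsec.conf (strongSwan 4.x / pluto syntax) for NAT-T and proposal issues.

Added example; the token list below is an assumption, not the daemon's own table.
"""

# Constructed sample in ipsec.conf syntax, modelled on the conn quoted in the thread.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        plutostart=yes

conn %default
      type=tunnel
      keyingtries=%forever

conn steve
      authby=psk
      keyexchange=ikev1
      ike=des-md5-modp1024
      esp=des-md5-modp1024
      pfs=no
      left=192.168.13.3
      right=2.40.85.224
      auto=add
"""

# Assumed set of algorithm keywords worth flagging in an ike=/esp= proposal.
WEAK_TOKENS = {
    "des": "single DES (56-bit key)",
    "md5": "MD5 integrity/PRF",
    "modp768": "768-bit MODP group",
    "modp1024": "1024-bit MODP group",
}


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for ipsec.conf-style text.

    Section headers ('conn NAME', 'config setup') start at column 0; key=value
    lines are indented; '#' starts a comment.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """Merge 'conn %default' underneath the named conn, as the daemon does."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[name])
    return merged


def lint_proposals(sections):
    """Return a sorted list of (section, key, token, reason) findings."""
    findings = []
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal", "").lower() == "no":
        findings.append(("config setup", "nat_traversal", "no",
                         "a peer behind NAT cannot float its IKE port to UDP 4500"))
    for name in sections:
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = effective_conn(sections, name)
        if conn.get("keyexchange", "").lower() == "ikev1":
            findings.append((name, "keyexchange", "ikev1",
                             "legacy protocol; prefer IKEv2 where both ends support it"))
        for key in ("ike", "esp"):
            value = conn.get(key)
            if not value:
                continue
            # A trailing '!' restricts the daemon to the listed proposals only.
            strict = value.endswith("!")
            for suite in value.rstrip("!").split(","):
                for token in suite.split("-"):
                    reason = WEAK_TOKENS.get(token.lower())
                    if reason:
                        findings.append((name, key, token.lower(), reason))
            if not strict:
                findings.append((name, key, "!",
                                 "no trailing '!': the daemon's default proposals are also offered"))
    return sorted(findings)


if __name__ == "__main__":
    for section, key, token, reason in lint_proposals(parse_ipsec_conf(SAMPLE_CONF)):
        print(f"{section}: {key}={token}: {reason}")
```

Run against the sample, the linter reports DES, MD5 and modp1024 for both `ike=` and `esp=`, the missing `!` on each, and the IKEv1 key exchange; it stays silent on `nat_traversal` because the sample already has it enabled, which is exactly the state of the configuration after the first reply in this thread.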


