[strongSwan] no connection has been authorized with policy=PSK
Bonato, Stefano
stefano.bonato at hp.com
Sun Dec 22 19:47:22 CET 2013
You are right:
1. It was my fault: I forgot 3DES. I used 3des-md5-modp1024 and IKEv2 ==> it works
2. With 3DES and IKEv1 it doesn't work ( :( )
I will try moving the requirement from IKEv1 to IKEv2
THANKS.
Steve
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Sunday 22 December 2013 7:09
To: Bonato, Stefano; users at lists.strongswan.org
Subject: Re: [strongSwan] no connection has been authorized with policy=PSK
Arghhh! Are you sure that pluto supports single DES encryption
(at least without the exclamation mark)?
On 22.12.2013 17:57, Bonato, Stefano wrote:
> Thanks Andreas !
>
> I need to use ikev1 ... :-( ... it's a requirement at this moment ... )
>
> I use nat_traversal=yes ... but the answer has been practically the same ..
>
> Steve
>
> IPSEC.SECRETS
>
> %any : PSK "abcd"
>
> ________________________________________________________________
>
> IPSEC.CONF
>
> config setup
> # interfaces="ipsec0=eth0"
> plutodebug=none
> # plutodebug=all
> crlcheckinterval=180s
> strictcrlpolicy=no
> # cachecrls=yes
> nat_traversal=yes
> charonstart=no
> # charonstart=yes
> plutostart=yes
>
> conn %default
> type=tunnel
> ikelifetime=28800s
> keylife=86400s
> rekeymargin=3m
> keyingtries=%forever
> dpdaction=clear
> dpddelay=30s
> # keyexchange=ikev1
> # ike=3des-md5-modp1024
> # esp=3des-md5-modp1024
> # pfs=no
> # compress=no
> # authby=psk
> # authby=secret
> # auth=esp
>
> conn steve
> authby=psk
> type=tunnel
> ikelifetime=28800s
> keylife=86400s
> rekeymargin=3m
> keyingtries=%forever
> keyexchange=ikev1
> ike=des-md5-modp1024
> esp=des-md5-modp1024
> pfs=no
> compress=no
> auth=esp
> leftid=192.168.13.3
> left=192.168.13.3
> leftsubnet=192.168.13.0/24
> leftsourceip=192.168.13.3
> leftfirewall=no
> rightid=2.40.85.224
> right=2.40.85.224
> rightsubnet=192.168.0.0/24
> rightfirewall=no
> rightsourceip=2.40.85.224
> dpdaction=hold
> dpddelay=60
> dpdtimeout=500
> auto=add
>
> ________________________________________________________________
>
> Starting strongSwan 4.5.2 IPsec [starter]...
> Dec 22 16:49:08 vpn-steve-gw sudo: pam_unix(sudo:session): session
> closed for user root
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Starting IKEv1 pluto daemon
> (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening on interfaces:
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: eth0
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: 192.168.13.3
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: fe80::f816:3eff:fe3a:9677
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded plugins: test-vectors
> curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl
> gmp hmac xauth attr kernel-netlink resolve
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: including NAT-Traversal
> patch (Version 0.6c)
> Dec 22 16:49:08 vpn-steve-gw ipsec_starter[7596]: pluto (7597) started
> after 20 ms
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: no token present in slot
> 18446744073709551615
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ocsp certificates from
> '/etc/ipsec.d/ocspcerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Changing to directory
> '/etc/ipsec.d/crls'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: spawning 4 worker threads
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening for IKE messages
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0
> 192.168.13.3:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0
> 192.168.13.3:4500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo
> 127.0.0.1:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo
> 127.0.0.1:4500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo ::1:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading secrets from
> "/etc/ipsec.secrets"
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded PSK secret for %any
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: added connection description
> "steve"
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [strongSwan]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [XAUTH]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [Dead Peer Detection]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> received Vendor ID payload [RFC 3947]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033:
> *initial Main Mode message received on 192.168.13.3:500 but no
> connection has been authorized with policy=PSK*
>
> __________________________________________________
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Sunday 22 December 2013 5:04
> To: Bonato, Stefano; users at lists.strongswan.org
> Subject: Re: [strongSwan] no connection has been authorized with policy=PSK
>
> Hi Stefano,
>
> I see that your peer is behind a NAT router
>
> packet from 2.40.85.224:7076
>
> so that the IKE source port got translated from UDP 500
> to 7076 but you defined
>
> nat_traversal=no
>
> which does not allow your source port to float.
>
> Thus please enable
>
> nat_traversal=yes
>
> and if you want to set up a strongSwan-strongSwan connection
> rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.
>
> Regards
>
> Andreas
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
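The two problems diagnosed in this thread (nat_traversal=no while the peer's IKE source port is NATed, and a single-DES / MD5 / modp1024 IKEv1 proposal that pluto would not accept) are both visible in ipsec.conf before the daemon is ever started. The following is an added example, not code from the thread or from the strongSwan project: a small lint that parses ipsec.conf sections the way the posted file is laid out, applies %default inheritance, and reports those findings over a constructed sample.

```python
import re
# Proposal tokens to flag, with the finding text (names as they appear in ike=/esp= lines).
WEAK = {"des": "single DES (pluto rejected it in this thread; use 3des or aes)",
        "md5": "MD5 (obsolete; prefer sha256)", "modp1024": "modp1024 (weak DH group)"}

# Constructed sample modelled on the posted config, with nat_traversal=no as in the first report.
CONSTRUCTED_CONF = """\
config setup
    nat_traversal=no

conn %default
    keyexchange=ikev1

conn steve
    ike=des-md5-modp1024
    esp=des-md5-modp1024
"""

def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn <name>": {...}}; full-line '#' comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint(sections):
    """Return [(section, finding)] for the NAT and proposal problems raised in the thread."""
    findings = []
    if sections.get("config setup", {}).get("nat_traversal") != "yes":
        findings.append(("config setup", "nat_traversal is not yes: IKE ports cannot float behind NAT"))
    defaults = sections.get("conn %default", {})
    for name, kv in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = {**defaults, **kv}  # a conn inherits every setting of %default
        if conn.get("keyexchange") == "ikev1":
            findings.append((name, "IKEv1 in use; prefer IKEv2 where the peer allows it"))
        for key in ("ike", "esp"):  # proposals like des-md5-modp1024, comma-separated or with '!'
            for alg in re.split(r"[-,!]", conn.get(key, "")):
                if alg in WEAK:
                    findings.append((name, f"{key}: {WEAK[alg]}"))
    return findings
```

Running `lint(parse_ipsec_conf(open("/etc/ipsec.conf").read()))` on the posted file would report the IKEv1 proposal lines for conn steve; after the fix described at the top of the thread (3des-md5-modp1024 with IKEv2) only the md5 and modp1024 findings remain.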