[strongSwan] IKEv1 PSK with group name?

Tony Zhou tonytzhou at gmail.com
Fri May 3 16:46:36 CEST 2013


Hi all,

I'm using xauth-psk with IKEv1 and trying to set up a connection as
follows:
conn IPSec-IKEv1
         keyexchange=ikev1
         auto=add
         left=my.server.ip.address
         leftsubnet=0.0.0.0/0
         leftauth=psk
         right=%any
         rightsourceip=client.ip.address/24
         rightid=group
         rightauth=psk
         rightauth2=xauth-eap

Ideally, I want the clients who connect to have a group name (IPSec ID) of
group. However, if I use group name on clients and enable aggressive
mode PSK, the server gives the following error:
May  3 23:44:18 area11 charon: 12[NET] received packet: from client.ip.address[18759] to server.ip.address[500] (737 bytes)
May  3 23:44:18 area11 charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V ]
May  3 23:44:18 area11 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received XAuth vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received Cisco Unity vendor ID
May  3 23:44:18 area11 charon: 12[IKE] received DPD vendor ID
May  3 23:44:18 area11 charon: 12[IKE] client.ip.address is initiating a Aggressive Mode IKE_SA

May  3 23:44:18 area11 charon: 12[CFG] looking for XAuthInitPSK peer configs matching server.ip.address...client.ip.address[group]
May  3 23:44:18 area11 charon: 12[IKE] no peer config found

May  3 23:44:18 area11 charon: 12[ENC] generating INFORMATIONAL_V1 request 1284657805 [ N(AUTH_FAILED) ]
May  3 23:44:18 area11 charon: 12[NET] sending packet: from server.ip.address[500] to client.ip.address[18759] (56 bytes)

It seems that strongSwan cannot match the group name with the rightid. And
someone seemingly had this error before with no answer:
https://lists.strongswan.org/pipermail/users/2012-December/008583.html

Any help will be appreciated.

Best,
TZ
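
Added example, not part of the original post: a Python helper that pairs each "looking for ... peer configs matching" line with a following "no peer config found" on the same charon thread number, and reports the exchange mode, auth class and peer ID for which no conn matched. The sample log is constructed from the lines quoted above (unwrapped, plus a placeholder second peer), and correlating by the thread number in front of [CFG]/[IKE] is an assumption of this sketch.

```python
import re

# Constructed sample in the charon syslog format quoted in the post, with the
# mail archive's line wrapping undone; hosts and the "other" ID are placeholders.
SAMPLE = """\
May  3 23:44:18 area11 charon: 12[IKE] client.ip.address is initiating a Aggressive Mode IKE_SA
May  3 23:44:18 area11 charon: 07[CFG] looking for XAuthInitPSK peer configs matching server.ip.address...other.ip.address[other]
May  3 23:44:18 area11 charon: 12[CFG] looking for XAuthInitPSK peer configs matching server.ip.address...client.ip.address[group]
May  3 23:44:18 area11 charon: 12[IKE] no peer config found
"""

LINE = re.compile(r"charon: (?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
MODE = re.compile(r"^\S+ is initiating an? (?P<mode>\w+) Mode IKE_SA$")
LOOKUP = re.compile(r"^looking for (?P<auth>.+?) peer configs matching "
                    r"(?P<local>\S+?)\.\.\.(?P<remote>[^\[\s]+)\[(?P<peer_id>.*)\]$")


def failed_lookups(log_text):
    """Return one dict per peer-config lookup that ended in
    'no peer config found', correlated by charon thread number (assumption)."""
    pending = {}    # thread number -> fields collected so far
    failures = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"].strip()
        if (mode := MODE.match(msg)):
            pending[thread] = {"mode": mode["mode"]}      # new exchange starts
        elif (lookup := LOOKUP.match(msg)):
            pending.setdefault(thread, {}).update(lookup.groupdict())
        elif msg == "no peer config found" and "auth" in pending.get(thread, {}):
            state = pending.pop(thread)
            state.setdefault("mode", "unknown")
            failures.append(state)
    return failures


if __name__ == "__main__":
    for f in failed_lookups(SAMPLE):
        print("{mode} Mode, {auth}: no conn for {local}...{remote}[{peer_id}]".format(**f))
```

Log lines must be unwrapped (one syslog record per line) before they are passed in; the wrapped form from a mail archive will not match.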




