[strongSwan] virtual ip

Andreas Steffen andreas.steffen at strongswan.org
Sat Sep 14 08:36:24 CEST 2013


Hi Naveen,

due to a syntax error in your ipsec.secrets, the responder doesn't
find a matching PSK and aborts:

> /******** Server side log **********/
...
> loading secrets from "/etc/ipsec.secrets"
>   loaded PSK secret for 10.73.127.45 10.43.135.221
> "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin
> with format prefix): 1234567890

The PSK must be of the form:

10.73.127.45 10.43.135.221 : PSK "1234567890"

if it is to be treated as a text string or

10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef

if it is to be a HEX value or

10.73.127.45 10.43.135.221 : PSK 0s123456789abcxyzABCXYZ+/

if it is to be interpreted as a Base64-encoded value.

Regards

Andreas

On 09/14/2013 05:47 AM, Naveen Neelakanta wrote:
> Hi All,
> 
> I have installed both strongswan server and client .
> I am trying the virtual ip scenario with PSK auth method, but I am
> not able to get it working with the attached configuration files used.
> Please find the attached server and client configuration file.
> I have installed the strongswan 5.1.0 version with the below
> configuration to reduce the size.
> 
> "--disable-rc2 --disable-md5 --disable-sha1 --disable-sha2
> --disable-fips-prf \
> --disable-aes--disable-des --enable-openssl --disable-pkcs1
> --disable-pkcs7 --disable-pkcs8 \
> --disable-pkcs12--disable-pgp --disable-dnskey --disable-sshkey
> --disable-hmac --disable-cmac \
> --disable-xcbc --disable-gmp --disable-scripts --disable-ikev1
> --disable-tools --enable-monolithic"
> 
> these logs below are collected from the command #ipsec start --nofork
> 
> /******** Client side log **********/
> ipsec up host
> initiating IKE_SA host[1] to 10.73.127.45
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.43.135.221[500] to 10.73.127.45[500] (752 bytes)
> received packet: from 10.73.127.45[500] to 10.43.135.221[500] (440 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH)
> ]
> authentication of '10.43.135.221' (myself) with pre-shared key
> establishing CHILD_SA host
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR
> DNS) SA TSi
>  TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 10.43.135.221[4500] to 10.73.127.45[4500] (412 bytes)
> received packet: from 10.73.127.45[4500] to 10.43.135.221[4500] (76 bytes)
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'host' failed
> /***************************************************/
> 
> 
> /******** Server side log **********/
> 11[CFG] adding virtual IP address pool 'rw': 10.3.0.0/28
> loading ca certificates from '/etc/ipsec.d/cacerts'
> loading aa certificates from '/etc/ipsec.d/aacerts'
> loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
> loading attribute certificates from '/etc/ipsec.d/acerts'
> spawning 4 worker threads
> listening for IKE messages
> adding interface wlan0/wlan0 10.73.127.45:500
> adding interface lo/lo 127.0.0.1:500
> adding interface lo/lo ::1:500
> loading secrets from "/etc/ipsec.secrets"
>   loaded PSK secret for 10.73.127.45 10.43.135.221
> "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin
> with format prefix): 1234567890
> added connection description "rw"
> 06[NET] received packet: from 10.43.135.221[500] to 10.73.127.45[500]
> 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 06[IKE] 10.43.135.221 is initiating an IKE_SA
> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 06[NET] sending packet: from 10.73.127.45[500] to 10.43.135.221[500]
> 05[NET] received packet: from 10.43.135.221[4500] to 10.73.127.45[4500]
> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR
> DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 05[CFG] looking for peer configs matching
> 10.73.127.45[10.73.127.45]...10.43.135.221[10.43.135.221]
> 05[CFG] no matching peer config found
> 05[IKE] peer supports MOBIKE
> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[NET] sending packet: from 10.73.127.45[4500] to 10.43.135.221[4500]
> /**********************************************************************************/
> 
> Thanks
> Naveen
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
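The three PSK formats Andreas lists (quoted text string, `0x` hex, `0s` Base64) can be checked before restarting the daemon. The validator below is an added example for this thread, not strongSwan's own parser; the `SAMPLE_SECRETS` content is constructed and only mirrors the entries discussed above, and the error wording is copied from the log so the failing line is easy to spot.

```python
import base64
import re

# Constructed sample ipsec.secrets, not the poster's file: the three
# valid forms from the reply plus the unprefixed value from the log.
SAMPLE_SECRETS = """\
# constructed sample
10.73.127.45 10.43.135.221 : PSK "1234567890"
10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef
10.73.127.45 10.43.135.221 : PSK 0s123456789abcxyzABCXYZ+/
10.73.127.45 10.43.135.221 : PSK 1234567890
"""

# <selector ids> : PSK <value>; ids may be empty (wildcard entry)
LINE_RE = re.compile(r'^(?P<ids>.*?)\s*:\s*PSK\s+(?P<value>.+?)\s*$')


def decode_psk(token):
    """Return the key bytes for one PSK token, or raise ValueError with
    a strongSwan-style message when it carries no recognised prefix."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode()                # literal text string
    if token.startswith("0x"):
        try:
            return bytes.fromhex(token[2:])        # hex-encoded key
        except ValueError:
            raise ValueError("PSK data malformed (bad hex data): " + token) from None
    if token.startswith("0s"):
        s = token[2:]
        if not re.fullmatch(r"[A-Za-z0-9+/]+=*", s):
            raise ValueError("PSK data malformed (bad Base64 data): " + token)
        s += "=" * (-len(s) % 4)                   # pad so unpadded input decodes
        return base64.b64decode(s)                 # Base64-encoded key
    raise ValueError("PSK data malformed (input does not begin with format prefix): " + token)


def check_secrets(text):
    """Parse every PSK line; return (loaded, errors) like the daemon's log."""
    loaded, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):       # blank or comment line
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not a PSK entry")
            continue
        try:
            key = decode_psk(m.group("value"))
        except ValueError as e:
            errors.append(f"line {lineno}: {e}")
            continue
        loaded.append((tuple(m.group("ids").split()), key))
    return loaded, errors
```

Calling `check_secrets(SAMPLE_SECRETS)` loads the first three entries and reports the fourth with the same "does not begin with format prefix" message seen on line 12 of the poster's file.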
