[strongSwan] virtual ip

Naveen Neelakanta nbnopenswan at gmail.com
Sun Sep 15 01:16:31 CEST 2013


Hi Andreas,
I have changed the ipsec.secrets file and saw that the secret values were read
properly by both client and server.
I still get the authentication failure, but I am not sure why EAP_ONLY is
being sent; is that the cause of the failure?

/*****Client *******/
13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH
CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]

/********** server ******/
05[NET] received packet: from 10.43.135.221[4500] to 10.73.127.45[4500]
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
05[CFG] looking for peer configs matching 10.73.127.45[10.73.127.45]...10.43.135.221[10.43.135.221]
05[CFG] selected peer config 'rw'
05[IKE] no shared key found for '10.73.127.45' - '10.43.135.221'
05[IKE] peer supports MOBIKE
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
05[NET] sending packet: from 10.73.127.45[4500] to 10.43.135.221[4500]
/************************************/

I appreciate your response.

Thanks
Naveen


On Fri, Sep 13, 2013 at 11:36 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Naveen,
>
> due to a syntax error in your ipsec.secrets, the responder doesn't
> find a matching PSK and aborts:
>
> > /******** Server side log **********/
> ...
> > loading secrets from "/etc/ipsec.secrets"
> >   loaded PSK secret for 10.73.127.45 10.43.135.221
> > "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin
> > with format prefix): 1234567890
>
> The PSK must be of the form:
>
> 10.73.127.45 10.43.135.221 : PSK "1234567890"
>
> if it is to be treated as a text string or
>
> 10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef
>
> if it is to be a HEX value or
>
> 10.73.127.45 10.43.135.221 : PSK 0s123456789abcxyzABCXYZ+/
>
> if it is to be interpreted as a Base64-encoded value.
>
> Regards
>
> Andreas
>
> On 09/14/2013 05:47 AM, Naveen Neelakanta wrote:
> > Hi All,
> >
> > I have installed both strongswan server and client.
> > I am trying the virtual IP scenario with the PSK auth method, but I am
> > not able to get it working with the attached configuration files used.
> > Please find the attached server and client configuration file.
> > I have installed the strongswan 5.1.0 version with the below
> > configuration to reduce the size.
> >
> > "--disable-rc2 --disable-md5 --disable-sha1 --disable-sha2
> > --disable-fips-prf \
> > --disable-aes--disable-des --enable-openssl --disable-pkcs1
> > --disable-pkcs7 --disable-pkcs8 \
> > --disable-pkcs12--disable-pgp --disable-dnskey --disable-sshkey
> > --disable-hmac --disable-cmac \
> > --disable-xcbc --disable-gmp --disable-scripts --disable-ikev1
> > --disable-tools --enable-monolithic"
> >
> > The logs below were collected from the command #ipsec start --nofork
> >
> > /******** Client side log **********/
> > ipsec up host
> > initiating IKE_SA host[1] to 10.73.127.45
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 10.43.135.221[500] to 10.73.127.45[500] (752 bytes)
> > received packet: from 10.73.127.45[500] to 10.43.135.221[500] (440 bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > N(MULT_AUTH)
> > ]
> > authentication of '10.43.135.221' (myself) with pre-shared key
> > establishing CHILD_SA host
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR
> > DNS) SA TSi
> >  TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > sending packet: from 10.43.135.221[4500] to 10.73.127.45[4500] (412 bytes)
> > received packet: from 10.73.127.45[4500] to 10.43.135.221[4500] (76 bytes)
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > establishing connection 'host' failed
> > /***************************************************/
> >
> >
> > /******** Server side log **********/
> > 11[CFG] adding virtual IP address pool 'rw': 10.3.0.0/28
> > loading ca certificates from '/etc/ipsec.d/cacerts'
> > loading aa certificates from '/etc/ipsec.d/aacerts'
> > loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> > Changing to directory '/etc/ipsec.d/crls'
> > loading attribute certificates from '/etc/ipsec.d/acerts'
> > spawning 4 worker threads
> > listening for IKE messages
> > adding interface wlan0/wlan0 10.73.127.45:500
> > adding interface lo/lo 127.0.0.1:500
> > adding interface lo/lo ::1:500
> > loading secrets from "/etc/ipsec.secrets"
> >   loaded PSK secret for 10.73.127.45 10.43.135.221
> > "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin
> > with format prefix): 1234567890
> > added connection description "rw"
> > 06[NET] received packet: from 10.43.135.221[500] to 10.73.127.45[500]
> > 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > 06[IKE] 10.43.135.221 is initiating an IKE_SA
> > 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) N(MULT_AUTH) ]
> > 06[NET] sending packet: from 10.73.127.45[500] to 10.43.135.221[500]
> > 05[NET] received packet: from 10.43.135.221[4500] to 10.73.127.45[4500]
> > 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR
> > DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > 05[CFG] looking for peer configs matching
> > 10.73.127.45[10.73.127.45]...10.43.135.221[10.43.135.221]
> > 05[CFG] no matching peer config found
> > 05[IKE] peer supports MOBIKE
> > 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 05[NET] sending packet: from 10.73.127.45[4500] to 10.43.135.221[4500]
> > /**********************************************************************************/
> >
> > Thanks
> > Naveen
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
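
The three PSK notations listed in the reply above, as an added example that is not part of the original messages and is not strongSwan's own parser: a small pre-deployment check that flags a PSK value with no format prefix and shows which notations yield the same key bytes. SAMPLE is constructed, and the names decode_psk and lint as well as the whole-byte rule for hex are assumptions of this sketch.

```python
import base64
import binascii
import re

# Constructed sample; line 2 repeats the unquoted value from the server log.
SAMPLE = '''\
# /etc/ipsec.secrets (constructed sample)
10.73.127.45 10.43.135.221 : PSK 1234567890
10.73.127.45 10.43.135.221 : PSK "1234567890"
10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef
10.73.127.45 10.43.135.221 : PSK 0sMTIzNDU2Nzg5MA==
'''

# Assumption: ID selectors, then " : PSK ", then the value, all on one line.
LINE = re.compile(r'^(.*?)\s+:\s+PSK\s+(.+?)\s*$')


def decode_psk(value):
    """Return (kind, key_bytes); kind is 'malformed' when no notation fits."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return 'text', value[1:-1].encode()
    # This sketch only accepts whole bytes after 0x (its own rule).
    if value.startswith('0x') and re.fullmatch(r'(?:[0-9a-fA-F]{2})+', value[2:]):
        return 'hex', bytes.fromhex(value[2:])
    if value.startswith('0s') and len(value) > 2:
        body = value[2:]
        try:
            padded = body + '=' * (-len(body) % 4)
            return 'base64', base64.b64decode(padded, validate=True)
        except binascii.Error:
            pass
    return 'malformed', None


def lint(text):
    """Return (lineno, ids, kind, key_bytes) for every PSK line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE.match(' ' + line)  # leading space lets an empty ID list match
        if line.lstrip().startswith('#') or not m:
            continue
        kind, key = decode_psk(m.group(2))
        findings.append((lineno, m.group(1).split(), kind, key))
    return findings


if __name__ == '__main__':
    for lineno, ids, kind, key in lint(SAMPLE):
        print(f'line {lineno}: {" ".join(ids)} -> {kind} {key!r}')
```

The quoted string on line 3 and the Base64 value on line 5 decode to the same bytes, while the 0x form of the same digits on line 4 is a different key.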