[strongSwan] virtual ip

Naveen Neelakanta nbnopenswan at gmail.com
Sun Sep 15 02:12:01 CEST 2013


Thanks Andreas,
I got it working.

Thanks
Naveen


On Sat, Sep 14, 2013 at 4:16 PM, Naveen Neelakanta <nbnopenswan at gmail.com> wrote:

> Hi Andreas,
> I have changed the ipsec.secrets file and saw that the secret values were
> read properly by both client and server.
> I still get the authentication failure, but I am not sure why EAP_ONLY is
> being sent; is that the cause of the failure?
>
> /*****Client *******/
> 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH
> CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH)
> N(EAP_ONLY) ]
>
> /********** server ******/
> 05[NET] received packet: from 10.43.135.221[4500] to 10.73.127.45[4500]
> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR
> DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 05[CFG] looking for peer configs matching
> 10.73.127.45[10.73.127.45]...10.43.135.221[10.43.135.221]
> 05[CFG] selected peer config 'rw'
> 05[IKE] no shared key found for '10.73.127.45' - '10.43.135.221'
> 05[IKE] peer supports MOBIKE
> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[NET] sending packet: from 10.73.127.45[4500] to 10.43.135.221[4500]
> /************************************/
>
> I appreciate your response.
>
> Thanks
> Naveen
>
>
> On Fri, Sep 13, 2013 at 11:36 PM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hi Naveen,
>>
>> due to a syntax error in your ipsec.secrets, the responder doesn't
>> find a matching PSK and aborts:
>>
>> > /******** Server side log **********/
>> ...
>> > loading secrets from "/etc/ipsec.secrets"
>> >   loaded PSK secret for 10.73.127.45 10.43.135.221
>> > "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin
>> > with format prefix): 1234567890
>>
>> The PSK must be of the form:
>>
>> 10.73.127.45 10.43.135.221 : PSK "1234567890"
>>
>> if it is to be treated as a text string or
>>
>> 10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef
>>
>> if it is to be a HEX value or
>>
>> 10.73.127.45 10.43.135.221 : PSK 0s123456789abcxyzABCXYZ+/
>>
>> if it is to be interpreted as a Base64-encoded value.
>>
>> Regards
>>
>> Andreas
>>
>> On 09/14/2013 05:47 AM, Naveen Neelakanta wrote:
>> > Hi All,
>> >
>> > I have installed both the strongSwan server and client.
>> > I am trying the virtual IP scenario with the PSK auth method, but I am
>> > not able to get it working with the attached configuration files.
>> > Please find the attached server and client configuration files.
>> > I have installed strongSwan version 5.1.0 with the below
>> > configuration to reduce the size.
>> >
>> > "--disable-rc2 --disable-md5 --disable-sha1 --disable-sha2
>> > --disable-fips-prf \
>> > --disable-aes --disable-des --enable-openssl --disable-pkcs1
>> > --disable-pkcs7 --disable-pkcs8 \
>> > --disable-pkcs12 --disable-pgp --disable-dnskey --disable-sshkey
>> > --disable-hmac --disable-cmac \
>> > --disable-xcbc --disable-gmp --disable-scripts --disable-ikev1
>> > --disable-tools --enable-monolithic"
>> >
>> > The logs below were collected from the command #ipsec start --nofork
>> >
>> > /******** Client side log **********/
>> > ipsec up host
>> > initiating IKE_SA host[1] to 10.73.127.45
>> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> > sending packet: from 10.43.135.221[500] to 10.73.127.45[500] (752 bytes)
>> > received packet: from 10.73.127.45[500] to 10.43.135.221[500] (440 bytes)
>> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> > N(MULT_AUTH)
>> > ]
>> > authentication of '10.43.135.221' (myself) with pre-shared key
>> > establishing CHILD_SA host
>> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR
>> > DNS) SA TSi
>> >  TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> > sending packet: from 10.43.135.221[4500] to 10.73.127.45[4500] (412 bytes)
>> > received packet: from 10.73.127.45[4500] to 10.43.135.221[4500] (76 bytes)
>> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> > received AUTHENTICATION_FAILED notify error
>> > establishing connection 'host' failed
>> > /***************************************************/
>> >
>> >
>> > /******** Server side log **********/
>> > 11[CFG] adding virtual IP address pool 'rw': 10.3.0.0/28
>> > loading ca certificates from '/etc/ipsec.d/cacerts'
>> > loading aa certificates from '/etc/ipsec.d/aacerts'
>> > loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
>> > Changing to directory '/etc/ipsec.d/crls'
>> > loading attribute certificates from '/etc/ipsec.d/acerts'
>> > spawning 4 worker threads
>> > listening for IKE messages
>> > adding interface wlan0/wlan0 10.73.127.45:500
>> > adding interface lo/lo 127.0.0.1:500
>> > adding interface lo/lo ::1:500
>> > loading secrets from "/etc/ipsec.secrets"
>> >   loaded PSK secret for 10.73.127.45 10.43.135.221
>> > "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin
>> > with format prefix): 1234567890
>> > added connection description "rw"
>> > 06[NET] received packet: from 10.43.135.221[500] to 10.73.127.45[500]
>> > 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> > 06[IKE] 10.43.135.221 is initiating an IKE_SA
>> > 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
>> > N(NATD_D_IP) N(MULT_AUTH) ]
>> > 06[NET] sending packet: from 10.73.127.45[500] to 10.43.135.221[500]
>> > 05[NET] received packet: from 10.43.135.221[4500] to 10.73.127.45[4500]
>> > 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR
>> > DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> > 05[CFG] looking for peer configs matching
>> > 10.73.127.45[10.73.127.45]...10.43.135.221[10.43.135.221]
>> > 05[CFG] no matching peer config found
>> > 05[IKE] peer supports MOBIKE
>> > 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> > 05[NET] sending packet: from 10.73.127.45[4500] to 10.43.135.221[4500]
>> > /**********************************************************************************/
>> >
>> > Thanks
>> > Naveen
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>
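
The three PSK notations listed in Andreas's reply, turned into a pre-flight check that can be run before restarting the daemon. This is an added example, not part of the original thread and not strongSwan's own parser: `lint_secrets`, `decode_psk` and the sample file are constructed for illustration, and the rules are limited to the three forms stated in the reply.

```python
import base64
import re

# Constructed sample, not the poster's actual file. Line 3 reproduces the
# unquoted secret that the server log reports as "PSK data malformed".
SAMPLE = '''\
# constructed ipsec.secrets sample
10.73.127.45 10.43.135.221 : PSK "1234567890"
10.73.127.45 10.43.135.221 : PSK 1234567890
10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef
10.73.127.45 10.43.135.221 : PSK 0sQUJDREVGR0g=
10.73.127.45 10.43.135.221 : PSK 0x12345
'''

# "<selectors> : PSK <data>"; the selectors may be empty.
PSK_LINE = re.compile(r'^(?P<ids>(?:.*?\s)?):\s+PSK\s+(?P<data>\S.*?)\s*$')


def decode_psk(data):
    """Return (kind, key_bytes); raise ValueError if no known form matches."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        kind, key = "text", data[1:-1].encode()
    elif data.startswith("0x"):
        kind, key = "hex", bytes.fromhex(data[2:])  # odd length -> ValueError
    elif data.startswith("0s"):
        body = data[2:]
        body += "=" * (-len(body) % 4)  # assumption: tolerate missing padding
        kind, key = "base64", base64.b64decode(body, validate=True)
    else:
        raise ValueError("input does not begin with format prefix")
    if not key:
        raise ValueError("empty secret")
    return kind, key


def lint_secrets(text):
    """Return (lineno, selectors, kind, key_length_or_error) per PSK line."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PSK_LINE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        try:
            kind, key = decode_psk(m["data"])
            results.append((lineno, m["ids"].split(), kind, len(key)))
        except ValueError as exc:
            results.append((lineno, m["ids"].split(), "malformed", str(exc)))
    return results


if __name__ == "__main__":
    for entry in lint_secrets(SAMPLE):
        print(entry)
```

The reported key length is in bytes after decoding, so a hex or Base64 secret shows its real size rather than the length of its textual encoding.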