[strongSwan] Problems connecting with NAT-T, aggressive mode and PSK
Martin Willi
martin at strongswan.org
Mon May 26 13:07:53 CEST 2014
Jakob,
> 13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 13[CFG] looking for an ike config for w.x.y.z...a.b.c.d
> 13[CFG] found matching ike config: w.x.y.z...%any with prio 1052
> 13[CFG] looking for pre-shared key peer configs matching w.x.y.z...a.b.c.d[test_id]
> 13[IKE] no peer config found*
> So the peer sends its ID and charon finds the matching config section
> but then decides it does not actually match ?
It finds a matching ike config, which is the internal sub-configuration
used for proposal selection in the early IKE exchange. It does not find
a peer config, the complete configuration selected once the peer
identity is known.
> What is wrong here?
As your client is using aggressive mode, have you tried to set
aggressive=yes in ipsec.conf?
As responder, you also have to set the strongswan.conf option
charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes
to confirm you understand the security implications of such a setup, see
[1].
Regards
Martin
[1]http://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IKEv1
More information about the Users
mailing list