[strongSwan] Problems connecting with NAT-T, aggressive mode and PSK

Martin Willi martin at strongswan.org
Mon May 26 13:07:53 CEST 2014


Jakob,

> 13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 13[CFG] looking for an ike config for w.x.y.z...a.b.c.d
> 13[CFG] found matching ike config: w.x.y.z...%any with prio 1052

> 13[CFG] looking for pre-shared key peer configs matching w.x.y.z...a.b.c.d[test_id]
> 13[IKE] no peer config found*

> So the peer sends its ID and charon finds the matching config section 
> but then decides it does not actually match ?

It finds a matching ike config, which is the internal sub-configuration
used for proposal selection in the early IKE exchange. It does not find
a peer config, the complete configuration selected once the peer
identity is known.

> What is wrong here?

As your client is using aggressive mode, have you tried to set
aggressive=yes in ipsec.conf?

As responder, you also have to set the strongswan.conf option
charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes
to confirm you understand the security implications of such a setup, see
[1].

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IKEv1
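
The two responder settings named in the reply above, shown where they go. This is an added example, not part of the original message or strongSwan's own documentation. The conn name "aggr-psk" is hypothetical; the addresses and peer ID are the placeholders from the quoted log.

```conf
# ---- ipsec.conf (responder) ----
# Conn name "aggr-psk" is a hypothetical label for this example.
conn aggr-psk
    keyexchange=ikev1
    # Without this the peer config is not selected for an
    # AGGRESSIVE request, even though an ike config matches.
    aggressive=yes
    # Pre-shared key authentication.
    authby=secret
    # Local address placeholder as it appears in the log.
    left=w.x.y.z
    # Peer is behind NAT, so its address is not fixed.
    right=%any
    # Must equal the identity the peer sends ([test_id] in the log).
    rightid=test_id
    auto=add

# ---- strongswan.conf (responder) ----
charon {
    # Required on the responder before charon accepts
    # aggressive mode combined with PSK authentication.
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}
```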
