[strongSwan] auth fails with "no peer config found...cisco-vpn-client to strongswan-v5.0.4-server (with cisco unity plugin enabled)
rajivkulkarni69 at gmail.com
Sun Nov 30 10:23:46 CET 2014
Yes!!! that was a stupid mistake from me. Thanks for the pointer. I
configured as below (ipsec.conf and ipsec.secrets) to make it work
correctly (as far as the ike tunnel coming up without any issues...the
quickmode tunnel is another issue which i will post separately for your
ipsec.secrets on the server
#/etc/ipsec.secrets - strongSwan IPsec secrets file
#: PSK "123456789"
@vpnsrv1.svt.com clientgrp1 : PSK "123456789"
#@vpnsrv1.svt.com @remotclient.svt.com : PSK "123456"
@vpnsrv2.svt.com @genclient.svt.com : PSK "123456"
user1 : XAUTH "config1234"
user2 : XAUTH "config1234"
user3 : XAUTH "config1234"
testuser1 : XAUTH "4iChxLT3"
testuser2 : XAUTH "ryftzG4A"
ipsec.conf on the server
#/etc/ipsec.conf - strongSwan IPsec configuration file
charondebug="ike 3, knl 3, cfg 3"
- all other configs hold true as mentioned in my previous post
the addition of " firstname.lastname@example.org" and the mention of "clientgrp1"
without @ prefix solved the "no peer config found" error when using with
cisco-clients (using group-id authentication info)
>>Please note that Aggressive Mode PSK authentication is discouraged
>>because of its security issues
Yes..i agree with you completely, that aggressive-mode is not to be used if
it can be helped. But i have to deploy a setup with a Strongswan_VPN_Server
(on a Ubuntu/Fedora..whichever works effectively) for a number of VPN
clients to connect to at the Corp-office. These clients are spread across
Cisco-VPN-Client-v5.x, Cisco_AnyConnect_Ipsec_VPN Client, ShrewSoft_VPN
Clients, some GreenBow Clients and some branches with Cisco_BranchRouters
running EzVPN_Remote_Client. Now a major part of these clients use
aggressive-mode with psk and xauth. So iam kind of stuck with no options in
the short-term to migrate to main-mode only access.
thanks for your time and help
On Wed, Nov 19, 2014 at 3:11 PM, Martin Willi <martin at strongswan.org> wrote:
> > Nothing seems to be working with PSK (if i use RSA certificates for first
> > level auth ...then everything works as expected)
> > 13[NET] received packet: from 172.29.1.2 to 18.104.22.168 (870
> > 13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> > 13[IKE] received XAuth vendor ID
> > 13[IKE] received DPD vendor ID
> > 13[IKE] received FRAGMENTATION vendor ID
> > 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > 13[IKE] received Cisco Unity vendor ID
> > 13[IKE] 172.29.1.2 is initiating a Aggressive Mode IKE_SA
> > 13[CFG] looking for XAuthInitPSK peer configs matching
> > 13[IKE] no peer config found
> Your client uses Aggressive Mode when using PSK authentication. You'll
> have to configure that in your configuration as well, using
> Please note that Aggressive Mode PSK authentication is discouraged
> because of its security issues, and is disabled by default in strongSwan
> as responder. You'll have to enable "weakSwan" mode by setting the
> i_dont_care_about_security_and_use_aggressive_mode_psk option, refer to
>  for details. You should do that only if you actually do not care
> about security, or if you really understand the implications.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users