[strongSwan] NAT-T/IKEV1/PSK question

Jakob Curdes jc at info-systems.de
Thu Sep 25 16:29:28 CEST 2014


Hello, I am struggling to set up a connection between a strongswan 5.1.3 
sitting in a NAT-T situation and a peer with external IP. We use IKEv1 
and Pre-Shared Keys.
The problem is that strongswan keeps telling me there is no matching 
config although the key is there.
Here is what I have (details anonymized):
conn client-test
         keyexchange=ikev1
         left=172.17.123.1
         leftsubnet=172.24.123.0/24
         leftid=@local-id
         right=a.b.c.d
         rightsubnet=10.1.1.0/30
         rightid=@remote-id
         auto=start

and the secrets
@local-id @remote-id : PSK "..."

Upon connection initiation, I get the following:
Sep 25 14:20:18 ipsec-srv charon: 09[CFG] looking for an ike config for 
172.17.123.1...a.b.c.d
Sep 25 14:20:18 ipsec-srv charon: 09[CFG]   candidate: 
172.17.123.1...a.b.c.d, prio 3100
Sep 25 14:20:18 ipsec-srv charon: 09[CFG] found matching ike config: 
172.17.123.1...a.b.c.d with prio 3100
(...)
Sep 25 14:20:18 ipsec-srv charon: 09[IKE] a.b.c.d is initiating a Main 
Mode IKE_SA
Sep 25 14:20:18 ipsec-srv charon: 09[IKE] IKE_SA (unnamed)[15] state 
change: CREATED => CONNECTING
(...)
Sep 25 14:20:18 ipsec-srv charon: 09[CFG] selected proposal: 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(...)
Sep 25 14:20:18 ipsec-srv charon: 11[ENC] parsed ID_PROT request 0 [ KE No ]
Sep 25 14:20:18 ipsec-srv charon: 11[CFG]   candidate "client-test", 
match: 1/1/3100 (me/other/ike)
Sep 25 14:20:18 ipsec-srv charon: 11[ENC] generating ID_PROT response 0 
[ KE No ]
Sep 25 14:20:18 ipsec-srv charon: 11[NET] sending packet: from 
172.17.123.1[500] to a.b.c.d[500] (196 bytes)
Sep 25 14:20:18 ipsec-srv charon: 08[NET] received packet: from 
a.b.c.d[500] to 172.17.123.1[500] (76 bytes)
Sep 25 14:20:18 ipsec-srv charon: 08[ENC] parsed ID_PROT request 0 [ ID 
HASH ]
Sep 25 14:20:18 ipsec-srv charon: 08[CFG] looking for pre-shared key 
peer configs matching 172.17.123.1...a.b.c.d[remote-id]
Sep 25 14:20:18 ipsec-srv charon: 08[CFG]   candidate "client-test", 
match: 1/20/3100 (me/other/ike)
Sep 25 14:20:18 ipsec-srv charon: 08[IKE] no peer config found

So it is looking for a PSK using the internal address although I 
configured a local ID!?
The reason I use IDs is that I could not get it to work with IPs in 
IKEv1; regardless of what I use as IP (%any, internal IP, external IP) it 
would not find the PSK although it is present.

Any hints? Thanks for reading,
Jakob Curdes
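As an added example (not part of the post above), a small parser for the charon CFG lines quoted in the message: it extracts which peer-config lookup charon ran, what identities it used on each side, how each candidate scored, and the outcome. The sample log is the post's own lines re-joined onto single lines; the score meanings follow strongSwan's id_match_t (0 none, 1 wildcard, 20 exact), and the "selected peer config" success line is assumed from charon's usual output rather than taken from this post.

```python
import re

# Constructed sample: the relevant charon lines from the post, unwrapped.
SAMPLE_LOG = """\
Sep 25 14:20:18 ipsec-srv charon: 11[CFG]   candidate "client-test", match: 1/1/3100 (me/other/ike)
Sep 25 14:20:18 ipsec-srv charon: 08[CFG] looking for pre-shared key peer configs matching 172.17.123.1...a.b.c.d[remote-id]
Sep 25 14:20:18 ipsec-srv charon: 08[CFG]   candidate "client-test", match: 1/20/3100 (me/other/ike)
Sep 25 14:20:18 ipsec-srv charon: 08[IKE] no peer config found
"""

# Identity match scores as charon prints them (strongSwan id_match_t):
# 0 = no match, 1 = matched only via a wildcard such as %any, 20 = exact match.
ID_MATCH = {0: "none", 1: "wildcard", 20: "exact"}

LOOKUP_RE = re.compile(r"looking for (?P<kind>.+?) peer configs matching "
                       r"(?P<me>\S+?)\.\.\.(?P<other>\S+)$")
CAND_RE = re.compile(r'candidate "(?P<name>[^"]+)", match: '
                     r"(?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+)")

def analyse_peer_config_selection(log: str) -> dict:
    """Return the lookup charon performed, each candidate's scores, and the outcome."""
    result = {"lookup": None, "candidates": [], "outcome": "unknown"}
    for line in log.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            result["lookup"] = {"kind": m["kind"], "me": m["me"], "other": m["other"]}
            result["candidates"] = []  # earlier scores belong to the IKE-config phase
            continue
        m = CAND_RE.search(line)
        if m:
            result["candidates"].append({
                "name": m["name"],
                "me": ID_MATCH.get(int(m["me"]), m["me"]),
                "other": ID_MATCH.get(int(m["other"]), m["other"]),
                "ike_prio": int(m["ike"]),
            })
        elif "no peer config found" in line:
            result["outcome"] = "rejected"
        elif "selected peer config" in line:  # assumed success counterpart
            result["outcome"] = "selected"
    return result

def summarise(result: dict) -> str:
    """One-line triage: which identities the lookup was keyed on and how candidates fared."""
    lk = result["lookup"]
    if not lk or result["outcome"] != "rejected":
        return f"outcome: {result['outcome']}"
    me_kind = "identity" if "[" in lk["me"] else "address only"
    names = ", ".join(f"{c['name']} (me={c['me']}, other={c['other']})"
                      for c in result["candidates"])
    return (f"{lk['kind']} lookup rejected all candidates: local side keyed by "
            f"{me_kind} {lk['me']}, remote {lk['other']}; candidates: {names}")
```

Running it on the sample reports that the PSK lookup was keyed on the bare local address 172.17.123.1 while the remote side matched exactly, which is the mismatch the post asks about.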