[strongSwan] NAT-T/IKEV1/PSK question
Jakob Curdes
jc at info-systems.de
Thu Sep 25 17:17:00 CEST 2014
AARGH -I knew it was somethin simple... sometimes you don't see the obvious... thank you for your hint!
Jc
Martin Willi <martin at strongswan.org> hat geschrieben:
Hi Jakob,
> 08[CFG] looking for pre-shared key peer configs matching 172.17.123.1...a.b.c.d[remote-id]
> 08[CFG] candidate "client-test", match: 1/20/3100 (me/other/ike)
> 08[IKE] no peer config found
> So it is looking for a PSK using the internal address although I
> configured a local ID !?
The daemon is not looking for a PSK, but a configuration using PSK
authentication it can use for that client. The lookup is for the local
IP address, the remote IP address and the remote Identity received over
IKE.
A match for that selector is found, but the configuration is not usable,
because it does not allow PSK authentication. The default is public key
authentication. Use authby=psk (or the never leftauth/rightauth options)
to allow PSK authentication on that configuration. man ipsec.conf for
details.
I agree that the log is not very clear in what is wrong here, I'll see
if we can improve that.
Regards
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140925/8c08b200/attachment.html>
More information about the Users
mailing list