[strongSwan] Getting Authentication Failure with swanctl tool using strongswan-5.2.2
Chinmaya Dwibedy
ckdwibedy at yahoo.com
Wed Jun 3 09:20:14 CEST 2015
Hi,

I am using the swanctl (command line interface) tool to configure the charon daemon at the IKE responder. I have kept all the entries of the ipsec.conf and ipsec.secrets files (in the /etc directory) commented out. Here goes the configuration.

/etc/ipsec.secrets (IKE responder end):

    @srv.strongswan.org %any : PSK 'strongSwan'

/etc/swanctl/swanctl.conf (IKE initiator end):

    connections {
        gw-gw {
            local_addrs = 10.20.20.2
            remote_addrs = 10.20.20.1
            pools = abc
            local {
                auth = psk
            }
            remote {
                auth = psk
            }
            children {
                net-net {
                    #remote_ts = 50.0.0.1/8
                    local_ts = 40.0.0.1/32
                    start_action = none
                    updown = /usr/local/libexec/ipsec/_updown iptables
                    rekey_time = 1000m
                    esp_proposals = aes128-sha1
                }
            }
            version = 2
            mobike = no
            reauth_time = 60m
            rekey_time = 20m
            proposals = aes128-sha1-modp1024
        }
    }

    secrets {
        ike-GW {
            secret = @srv.strongswan.org %any : PSK ‘strongSwan’
        }
    }

    # Section defining named pools.
    pools {
        abc {
            addrs = 50.0.0.1/8
        }
    }

When I run the scenario, the CHILD_SA is not getting established. I get an authentication failure message (on the IKE initiator end). Here are the log messages.

    25[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (304 bytes)
    25[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    25[IKE] 10.20.20.1 is initiating an IKE_SA
    25[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    25[NET] sending packet: from 10.20.20.2[500] to 10.20.20.1[500] (312 bytes)
    11[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (300 bytes)
    11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    11[IKE] received 1 cert requests for an unknown ca
    11[CFG] looking for peer configs matching 10.20.20.2[srv.strongswan.org]...10.20.20.1[c2-r1.strongswan.org]
    11[CFG] selected peer config 'gw-gw'
    11[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c2-r1.strongswan.org', but MAC mismatched
    11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

But if I keep the following secret, i.e., @srv.strongswan.org %any : PSK 'strongSwan', in the ipsec.secrets file (at the IKE responder end), then it works fine. Can anyone please suggest what might be wrong? Note that I have kept dos_protection set to no (in strongswan.conf) at both ends.

Regards,
Chinmaya
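Editor's note and added example, not part of Chinmaya's post or of the strongSwan project's own configuration: in swanctl.conf the value of `secret` is taken literally as the preshared key, and the identities the key applies to go into `id<suffix>` keys. The ipsec.secrets-style line pasted into `secret` therefore makes the whole string `@srv.strongswan.org %any : PSK ‘strongSwan’` the key, which is exactly what the log shows: a shared key was found for the identity pair ("tried 1 shared key"), but its value differs from the initiator's, so the AUTH payload check fails ("MAC mismatched"). The responder-side `secrets` section written in swanctl syntax would look like the following. The ike-GW section name and the two identities are taken from the posted configuration and log; binding the key to the initiator's identity (`id-2`) is an assumption that tightens the original `%any` wildcard, and can be dropped to keep the wildcard behaviour.

```conf
# Added example for /etc/swanctl/swanctl.conf on the responder (10.20.20.2).
# Not the poster's configuration: the secret value is the plain key, and the
# identities it is valid for are listed as id<suffix> keys.
secrets {
    ike-GW {
        # Responder's own identity, as in "@srv.strongswan.org" in ipsec.secrets.
        id-1 = srv.strongswan.org
        # Assumed restriction: only the initiator identity seen in the log may
        # use this key. Remove this line to match the original "%any" wildcard.
        id-2 = c2-r1.strongswan.org
        # The literal preshared key; no quotes, no "PSK" keyword.
        secret = strongSwan
    }
}
```

After editing the file, `swanctl --load-creds` reloads the secrets into the running charon without a restart; the ipsec.secrets entry should stay commented out so that the next IKE_AUTH exchange proves which credential source is in use.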