[strongSwan] Getting Authentication Failure with swanctl tool using strongswan-5.2.2

Noel Kuntze noel at familie-kuntze.de
Wed Jun 3 14:30:44 CEST 2015


Hello Chinmaya,

That is because the "secret" argument of the IKE section is the PSK.
You need to put the ID of the remote side in the "id" argument.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 03.06.2015 um 09:20 schrieb Chinmaya Dwibedy:
>  
> Hi,
> I am using the swanctl (command line interface) tool to configure the Charon daemon at IKE Responder. I have kept all the entries of ipsec.conf and ipsec.secret file (in /etc directory) under comment. Here goes the configuration.
> /etc/ipsec.secrets (IKE Responder end):
> @srv.strongswan.org %any : PSK 'strongSwan'
> /etc/swanctl/swanctl.conf (IKE Initiator end) :
> connections {
>    gw-gw {
>       local_addrs  = 10.20.20.2
>       remote_addrs = 10.20.20.1
>       pools = abc
> 
>       local {
>          auth = psk
>       }
>       remote {
>          auth = psk
>       }
>       children {
>          net-net {
>             #remote_ts  = 50.0.0.1/8
>             local_ts = 40.0.0.1/32
>             start_action = none
>             updown = /usr/local/libexec/ipsec/_updown iptables
>             rekey_time = 1000m
>             esp_proposals = aes128-sha1
>          }
>       }
>       version = 2
>       mobike = no
>       reauth_time = 60m
>       rekey_time = 20m
>       proposals = aes128-sha1-modp1024
>    }
> }
> 
> secrets {
>    ike-GW {
>       secret = @srv.strongswan.org %any : PSK 'strongSwan'
>    }
> }
> 
> # Section defining named pools.
> pools {
>    abc {
>       addrs = 50.0.0.1/8
>    }
> }
> When I run the scenario, the CHILD SA is not getting established. I get an authentication failure message (on IKE Initiator end). Here are the log messages.
> 
> 25[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (304 bytes)
> 25[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 25[IKE] 10.20.20.1 is initiating an IKE_SA
> 25[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> 25[NET] sending packet: from 10.20.20.2[500] to 10.20.20.1[500] (312 bytes)
> 11[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (300 bytes)
> 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> 11[IKE] received 1 cert requests for an unknown ca
> 11[CFG] looking for peer configs matching 10.20.20.2[srv.strongswan.org]...10.20.20.1[c2-r1.strongswan.org]
> 11[CFG] selected peer config 'gw-gw'
> 11[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c2-r1.strongswan.org', but MAC mismatched
> 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 
> But if I keep the following secret, i.e., @srv.strongswan.org %any : PSK 'strongSwan', in ipsec.secret file (at IKE Responder end), then it works fine. Can anyone please suggest what might be wrong? Note that I have kept dos_protection to no (in strongswan.conf) at both ends.
> 
> Regards,
> Chinmaya
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
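A small checker for the mistake discussed in this thread, added here as an example and not part of strongSwan or either poster's code: it parses a swanctl.conf-style secrets section (constructed samples inline; the peer identity c2-r1.strongswan.org is taken from the log above) and flags a PSK entry whose secret is really an ipsec.secrets line, or that is not bound to a peer identity via an id key.

```python
"""Lint swanctl.conf secrets for ipsec.secrets syntax pasted into `secret`."""
import re

# Constructed samples: the entry from the thread, and the corrected form.
BROKEN = """secrets {
   ike-GW {
      secret = @srv.strongswan.org %any : PSK 'strongSwan'
   }
}
"""
FIXED = """secrets {
   ike-GW {
      id = c2-r1.strongswan.org   # identity of the remote peer
      secret = strongSwan         # the PSK itself, nothing else
   }
}
"""

# An ipsec.secrets line carries a "<ids> : <TYPE> <value>" separator.
IPSEC_SECRETS_LINE = re.compile(r":\s*(PSK|RSA|ECDSA|EAP|XAUTH)\b")

def parse_conf(text):
    """Minimal parser for the nested 'name { key = value }' syntax."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.endswith("{"):                 # open a subsection
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":                      # close it
            cur = stack.pop()
        else:                                  # key = value
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return root

def lint_secrets(conf):
    """Return one finding per problem in the ike* entries of `secrets`."""
    findings = []
    for name, entry in conf.get("secrets", {}).items():
        if not name.startswith("ike"):
            continue
        if IPSEC_SECRETS_LINE.search(entry.get("secret", "")):
            findings.append(f"{name}: 'secret' looks like an ipsec.secrets line; "
                            "it must hold only the PSK")
        if not any(k.startswith("id") for k in entry):
            findings.append(f"{name}: no 'id' key, so the PSK is not bound "
                            "to the remote peer's identity")
    return findings

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_secrets(parse_conf(text)) or "OK")
```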



