[strongSwan] Strongswan sends PSK+XAUTH, but XAUTH is not configured

Michael Righter m at righter.ch
Tue Nov 29 15:45:52 CET 2016


Hi 

We are using strongSwan on a box which should connect to another
firewall.
strongSwan initiates the connection. We have wiresharked the packets
on the receiving site and we see that strongSwan is sending XAUTH and
PSK, but I have only configured it to use xauth.
I've also disabled XAUTH (it does not show up among the modules loaded at startup).

What could be the problem that causes strongSwan to send PSK+XAUTH instead of
only PSK?

ERROR:
initial Main Mode message received on X.X.X.X:500 but no connection has
been authorized with policy=PSK+XAUTH 

ipsec.secrets:
%any X.X.X.X : PSK XXXXX 

ipsec.conf:
conn con1000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = X.X.X.X
    right = Y.Y.Y.Y
    leftid = X.X.X.X
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha1-modp1024!
    esp = aes256-md5,aes256-sha1,aes256-sha256,aes256-sha384,aes256-sha512,aes256-aesxcbc,aes192-md5,aes192-sha1,aes192-sha256,aes192-sha384,aes192-sha512,aes192-aesxcbc,aes128-md5,aes128-sha1,aes128-sha256,aes128-sha384,aes128-sha512,aes128-aesxcbc,aes128gcm128-md5,aes128gcm128-sha1,aes128gcm128-sha256,aes128gcm128-sha384,aes128gcm128-sha512,aes128gcm128-aesxcbc,aes128gcm96-md5,aes128gcm96-sha1,aes128gcm96-sha256,aes128gcm96-sha384,aes128gcm96-sha512,aes128gcm96-aesxcbc,aes128gcm64-md5,aes128gcm64-sha1,aes128gcm64-sha256,aes128gcm64-sha384,aes128gcm64-sha512,aes128gcm64-aesxcbc,aes192gcm128-md5,aes192gcm128-sha1,aes192gcm128-sha256,aes192gcm128-sha384,aes192gcm128-sha512,aes192gcm128-aesxcbc,aes192gcm96-md5,aes192gcm96-sha1,aes192gcm96-sha256,aes192gcm96-sha384,aes192gcm96-sha512,aes192gcm96-aesxcbc,aes192gcm64-md5,aes192gcm64-sha1,aes192gcm64-sha256,aes192gcm64-sha384,aes192gcm64-sha512,aes192gcm64-aesxcbc,aes256gcm128-md5,aes256gcm128-sha1,aes256gcm128-sha256,aes256gcm128-sha384,aes256gcm128-sha512,aes256gcm128-aesxcbc,aes256gcm96-md5,aes256gcm96-sha1,aes256gcm96-sha256,aes256gcm96-sha384,aes256gcm96-sha512,aes256gcm96-aesxcbc,aes256gcm64-md5,aes256gcm64-sha1,aes256gcm64-sha256,aes256gcm64-sha384,aes256gcm64-sha512,aes256gcm64-aesxcbc,blowfish256-md5,blowfish256-sha1,blowfish256-sha256,blowfish256-sha384,blowfish256-sha512,blowfish256-aesxcbc,blowfish192-md5,blowfish192-sha1,blowfish192-sha256,blowfish192-sha384,blowfish192-sha512,blowfish192-aesxcbc,blowfish128-md5,blowfish128-sha1,blowfish128-sha256,blowfish128-sha384,blowfish128-sha512,blowfish128-aesxcbc,3des-md5,3des-sha1,3des-sha256,3des-sha384,3des-sha512,3des-aesxcbc,cast128-md5,cast128-sha1,cast128-sha256,cast128-sha384,cast128-sha512,cast128-aesxcbc!
    leftauth = psk
    rightauth = psk
    rightid = Y.Y.Y.Y
    aggressive = no
    rightsubnet = A.A.A.A/26
    leftsubnet = B.B.B.B/24