[strongSwan] fail using PSK shared key

Marcos Gonzalez marcos.gonzalez at genomcore.com
Thu Jul 13 15:48:56 CEST 2017


Hi

I'm testing strongSwan to set up a VPN tunnel between two Debian servers to
connect two environments over the internet between them. I'm using these configs:

Node A:
Server with Public IP

Node B
Server with private IP with external NAT

Config A
/etc/ipsec.conf
config setup
         charondebug="all"
         uniqueids=yes
         strictcrlpolicy=no
conn %default

conn    ipsec-test
         left=MyPublicIPA
         leftid=MyPublicIPA
         leftsourceip=MyPublicIPA
         right=MyPublicIPB
         rightid=MyPublicIPB
         rightsubnet=10.0.1.0/24
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0
         ikelifetime=1h
         lifetime=8h
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         authby=secret
         auto=start
         keyexchange=ikev2
         type=tunnel

/etc/ipsec.secrets

MyPublicIPA MyPublicIPB : PSK test1234

Logs:
Jul 13 15:30:06 vpnserver2 charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG]   loaded IKE secret for
MyPublicIPB
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] loaded plugins: charon aes
rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1
pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
hmac gcm attr kernel-netlink resolve socket-default stroke updown
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] unable to load 3 plugin
features (3 due to unmet dependencies)
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] dropped capabilities, running
as uid 0, gid 0
Jul 13 15:30:06 vpnserver2 charon: 00[JOB] spawning 16 worker threads
Jul 13 15:30:06 vpnserver2 charon: 11[CFG] received stroke: add
connection 'ipsec-test'
Jul 13 15:30:06 vpnserver2 charon: 11[CFG] added configuration 'ipsec-test'
Jul 13 15:30:06 vpnserver2 charon: 12[CFG] received stroke: initiate
'ipsec-test'
Jul 13 15:30:06 vpnserver2 charon: 12[IKE] initiating IKE_SA
ipsec-test[1] to MyPublicIPB
Jul 13 15:30:06 vpnserver2 charon: 12[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 13 15:30:06 vpnserver2 charon: 12[NET] sending packet: from
MyPublicIPA[500] to MyPublicIPB[500] (304 bytes)
Jul 13 15:30:06 vpnserver2 charon: 15[NET] received packet: from
MyPublicIPB[500] to MyPublicIPA[500] (312 bytes)
Jul 13 15:30:06 vpnserver2 charon: 15[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] remote host is behind NAT
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] authentication of
'MyPublicIPA' (myself) with pre-shared key
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] establishing CHILD_SA ipsec-test
Jul 13 15:30:06 vpnserver2 charon: 15[ENC] generating IKE_AUTH request 1
[ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 15:30:06 vpnserver2 charon: 15[NET] sending packet: from
MyPublicIPA[4500] to MyPublicIPB[4500] (288 bytes)
Jul 13 15:30:06 vpnserver2 charon: 06[NET] received packet: from
MyPublicIPB[4500] to MyPublicIPA[4500] (80 bytes)
Jul 13 15:30:06 vpnserver2 charon: 06[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul 13 15:30:06 vpnserver2 charon: 06[IKE] received
AUTHENTICATION_FAILED notify error


Config B:

/etc/ipsec.conf
config setup
     charondebug="all"
     uniqueids=yes
     strictcrlpolicy=no
conn %default

conn    ipsec-test
         left=10.0.1.5
         leftid=10.0.1.5
         leftsubnet=10.0.1.0/24
         right=MyPublicIPA
         rightid=MyPublicIPA
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0
         ikelifetime=1h
         lifetime=8h
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         authby=secret
         auto=start
         keyexchange=ikev2
         type=tunnel

/etc/ipsec.secrets

MyPublicIPA : PSK test1234

Logs:
Jul 13 15:30:06 vpnserver charon: 16[NET] received packet: from
MyPublicIPA[500] to 10.0.1.5[500] (304 bytes)
Jul 13 15:30:06 vpnserver charon: 16[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 13 15:30:06 vpnserver charon: 16[IKE] MyPublicIPA is initiating an
IKE_SA
Jul 13 15:30:06 vpnserver charon: 16[IKE] local host is behind NAT,
sending keep alives
Jul 13 15:30:06 vpnserver charon: 16[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 13 15:30:06 vpnserver charon: 16[NET] sending packet: from
10.0.1.5[500] to MyPublicIPA[500] (312 bytes)
Jul 13 15:30:06 vpnserver charon: 05[NET] received packet: from
MyPublicIPA[4500] to 10.0.1.5[4500] (288 bytes)
Jul 13 15:30:06 vpnserver charon: 05[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs
matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]
Jul 13 15:30:06 vpnserver charon: 05[CFG] no matching peer config found
Jul 13 15:30:06 vpnserver charon: 05[IKE] peer supports MOBIKE
Jul 13 15:30:06 vpnserver charon: 05[ENC] generating IKE_AUTH response 1
[ N(AUTH_FAILED) ]
Jul 13 15:30:06 vpnserver charon: 05[NET] sending packet: from
10.0.1.5[4500] to MyPublicIPA[4500] (80 bytes)

As you can see, it returns the same error on both sides. Any suggestion where
the problem is?

Thanks!
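The responder-side log line `looking for peer configs matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]` is the one to read: charon on node B prints local-address[requested remote ID]...peer-address[peer ID]. The initiator A asked for the remote identity `MyPublicIPB` (its `rightid`), but B's own `leftid` is `10.0.1.5`, so no conn on B matches and B answers AUTHENTICATION_FAILED before any PSK is compared. Note also that A's `leftsourceip=MyPublicIPA` asks the peer for a virtual IP (the `CPRQ(ADDR DNS)` payload in the IKE_AUTH request) rather than declaring a local subnet. Below is an added example config pair, not the poster's files and not strongSwan project material, that makes the identities agree on both ends; it keeps the poster's `MyPublicIPA`/`MyPublicIPB` placeholders and the test PSK value `test1234` (a placeholder; a real PSK should be a long random string), lists both identities on every PSK line so the secret is selected by the (local, remote) pair, drops `leftsourceip`, and swaps `modp1024` for `modp2048` as an editorial choice, since 1024-bit MODP groups are no longer recommended.

```conf
# ---------- Node A (public IP), /etc/ipsec.conf ----------
config setup
         charondebug="all"
         uniqueids=yes
         strictcrlpolicy=no

conn ipsec-test
         left=MyPublicIPA
         leftid=MyPublicIPA
         # leftsourceip removed: it requests a virtual IP from the peer,
         # which is not wanted for a site-to-site tunnel
         right=MyPublicIPB
         rightid=MyPublicIPB          # must equal B's leftid byte for byte
         rightsubnet=10.0.1.0/24
         ike=aes256-sha2_256-modp2048!   # modp2048 instead of modp1024 (editorial choice)
         esp=aes256-sha2_256!
         keyingtries=0
         ikelifetime=1h
         lifetime=8h
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         authby=secret
         auto=start
         keyexchange=ikev2
         type=tunnel

# ---------- Node A, /etc/ipsec.secrets ----------
# local ID first, remote ID second; both listed so the secret is chosen by the pair
MyPublicIPA MyPublicIPB : PSK "test1234"

# ---------- Node B (private IP 10.0.1.5 behind NAT), /etc/ipsec.conf ----------
config setup
         charondebug="all"
         uniqueids=yes
         strictcrlpolicy=no

conn ipsec-test
         left=10.0.1.5
         leftid=MyPublicIPB           # advertise the identity A is configured to expect
         leftsubnet=10.0.1.0/24
         right=MyPublicIPA
         rightid=MyPublicIPA
         ike=aes256-sha2_256-modp2048!
         esp=aes256-sha2_256!
         keyingtries=0
         ikelifetime=1h
         lifetime=8h
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         authby=secret
         auto=start
         keyexchange=ikev2
         type=tunnel

# ---------- Node B, /etc/ipsec.secrets ----------
MyPublicIPB MyPublicIPA : PSK "test1234"
```

The equivalent one-sided fix is to leave B as posted and set `rightid=10.0.1.5` on A; what matters is that A's `rightid` equals B's `leftid` and A's `leftid` equals B's `rightid`, independent of which address the NAT rewrites. After editing, `ipsec rereadsecrets` and `ipsec reload` on both hosts, then `ipsec up ipsec-test` on one side: the responder log should now show a `selected peer config 'ipsec-test'` line instead of `no matching peer config found`, followed by `authentication of 'MyPublicIPB' with pre-shared key successful` and `IKE_SA ipsec-test[1] established`. A wrong PSK value produces a different failure (the peer config is selected, then the AUTH payload check fails), which is how to tell the two cases apart.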


