[strongSwan] fail using PSK shared key

Marcos Gonzalez marcos.gonzalez at genomcore.com
Thu Jul 13 17:10:45 CEST 2017


Hi

I'm testing modifying ipsec.secrets, with no change; I included " and
spaces around the colon:

  MyPublicIPA MyPublicIPB : PSK "test1234"

Thanks


On 13/07/17 15:48, Marcos Gonzalez wrote:
> Hi
>
> I'm testing strongSwan to set up a VPN tunnel between two Debian servers to
> connect two environments over the internet between them. I'm using these
> configs:
>
> Node A:
> Server with Public IP
>
> Node B
> Server with private IP with external NAT
>
> Config A
> /etc/ipsec.conf
> config setup
>         charondebug="all"
>         uniqueids=yes
>         strictcrlpolicy=no
> conn %default
>
> conn    ipsec-test
>         left=MyPublicIPA
>         leftid=MyPublicIPA
>         leftsourceip=MyPublicIPA
>         right=MyPublicIPB
>         rightid=MyPublicIPB
>         rightsubnet=10.0.1.0/24
>         ike=aes256-sha2_256-modp1024!
>         esp=aes256-sha2_256!
>         keyingtries=0
>         ikelifetime=1h
>         lifetime=8h
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         authby=secret
>         auto=start
>         keyexchange=ikev2
>         type=tunnel
>
> /etc/ipsec.secrets
>
> MyPublicIPA MyPublicIPB : PSK test1234
>
> Logs:
> Jul 13 15:30:06 vpnserver2 charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
> Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Jul 13 15:30:06 vpnserver2 charon: 00[CFG]   loaded IKE secret for
> MyPublicIPB
> Jul 13 15:30:06 vpnserver2 charon: 00[LIB] loaded plugins: charon aes
> rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1
> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
> hmac gcm attr kernel-netlink resolve socket-default stroke updown
> Jul 13 15:30:06 vpnserver2 charon: 00[LIB] unable to load 3 plugin
> features (3 due to unmet dependencies)
> Jul 13 15:30:06 vpnserver2 charon: 00[LIB] dropped capabilities, running
> as uid 0, gid 0
> Jul 13 15:30:06 vpnserver2 charon: 00[JOB] spawning 16 worker threads
> Jul 13 15:30:06 vpnserver2 charon: 11[CFG] received stroke: add
> connection 'ipsec-test'
> Jul 13 15:30:06 vpnserver2 charon: 11[CFG] added configuration 
> 'ipsec-test'
> Jul 13 15:30:06 vpnserver2 charon: 12[CFG] received stroke: initiate
> 'ipsec-test'
> Jul 13 15:30:06 vpnserver2 charon: 12[IKE] initiating IKE_SA
> ipsec-test[1] to MyPublicIPB
> Jul 13 15:30:06 vpnserver2 charon: 12[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 13 15:30:06 vpnserver2 charon: 12[NET] sending packet: from
> MyPublicIPA[500] to MyPublicIPB[500] (304 bytes)
> Jul 13 15:30:06 vpnserver2 charon: 15[NET] received packet: from
> MyPublicIPB[500] to MyPublicIPA[500] (312 bytes)
> Jul 13 15:30:06 vpnserver2 charon: 15[ENC] parsed IKE_SA_INIT response 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jul 13 15:30:06 vpnserver2 charon: 15[IKE] remote host is behind NAT
> Jul 13 15:30:06 vpnserver2 charon: 15[IKE] authentication of
> 'MyPublicIPA' (myself) with pre-shared key
> Jul 13 15:30:06 vpnserver2 charon: 15[IKE] establishing CHILD_SA 
> ipsec-test
> Jul 13 15:30:06 vpnserver2 charon: 15[ENC] generating IKE_AUTH request 1
> [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Jul 13 15:30:06 vpnserver2 charon: 15[NET] sending packet: from
> MyPublicIPA[4500] to MyPublicIPB[4500] (288 bytes)
> Jul 13 15:30:06 vpnserver2 charon: 06[NET] received packet: from
> MyPublicIPB[4500] to MyPublicIPA[4500] (80 bytes)
> Jul 13 15:30:06 vpnserver2 charon: 06[ENC] parsed IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Jul 13 15:30:06 vpnserver2 charon: 06[IKE] received
> AUTHENTICATION_FAILED notify error
>
>
> Config B:
>
> /etc/ipsec.conf
> config setup
>     charondebug="all"
>     uniqueids=yes
>     strictcrlpolicy=no
> conn %default
>
> conn    ipsec-test
>         left=10.0.1.5
>     leftid=10.0.1.5
>     leftsubnet=10.0.1.0/24
>         right=MyPublicIPA
>         rightid=MyPublicIPA
>     ike=aes256-sha2_256-modp1024!
>     esp=aes256-sha2_256!
>     keyingtries=0
>     ikelifetime=1h
>     lifetime=8h
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     authby=secret
>     auto=start
>     keyexchange=ikev2
>     type=tunnel
> /etc/ipsec.secrets
>  MyPublicIPA : PSK test1234
>
> Logs:
> Jul 13 15:30:06 vpnserver charon: 16[NET] received packet: from
> MyPublicIPA[500] to 10.0.1.5[500] (304 bytes)
> Jul 13 15:30:06 vpnserver charon: 16[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 13 15:30:06 vpnserver charon: 16[IKE] MyPublicIPA is initiating an
> IKE_SA
> Jul 13 15:30:06 vpnserver charon: 16[IKE] local host is behind NAT,
> sending keep alives
> Jul 13 15:30:06 vpnserver charon: 16[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jul 13 15:30:06 vpnserver charon: 16[NET] sending packet: from
> 10.0.1.5[500] to MyPublicIPA[500] (312 bytes)
> Jul 13 15:30:06 vpnserver charon: 05[NET] received packet: from
> MyPublicIPA[4500] to 10.0.1.5[4500] (288 bytes)
> Jul 13 15:30:06 vpnserver charon: 05[ENC] parsed IKE_AUTH request 1 [
> IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs
> matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]
> Jul 13 15:30:06 vpnserver charon: 05[CFG] no matching peer config found
> Jul 13 15:30:06 vpnserver charon: 05[IKE] peer supports MOBIKE
> Jul 13 15:30:06 vpnserver charon: 05[ENC] generating IKE_AUTH response 1
> [ N(AUTH_FAILED) ]
> Jul 13 15:30:06 vpnserver charon: 05[NET] sending packet: from
> 10.0.1.5[4500] to MyPublicIPA[4500] (80 bytes)
>
> As you can see, it returns the same error on both sides. Any suggestion where
> the problem is?
>
> Thanks!
>
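The responder log above shows charon "looking for peer configs matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]" and then "no matching peer config found": the initiator names the responder as MyPublicIPB (A's rightid) while the responder's own leftid is 10.0.1.5. The script below is an added example, not part of this thread or of strongSwan; it cross-checks two ipsec.conf/ipsec.secrets pairs for exactly that kind of identity mismatch, using constructed configs modelled on the post (the IP placeholders are hypothetical, and only IPv4/hostname PSK selectors are handled).

```python
"""Cross-check the IKE identities two strongSwan peers expect of each other."""
import re

# Constructed configs modelled on the post; values are placeholders.
CONF_A = """conn ipsec-test
    left=MyPublicIPA
    leftid=MyPublicIPA
    rightid=MyPublicIPB
"""
CONF_B = """conn ipsec-test
    left=10.0.1.5
    leftid=10.0.1.5
    rightid=MyPublicIPA
"""
SECRETS_A = 'MyPublicIPA MyPublicIPB : PSK "test1234"\n'
SECRETS_B = 'MyPublicIPA : PSK test1234\n'

def parse_conn(text, name):
    """Return the key=value settings of the 'conn <name>' section."""
    settings, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^\s*(?:config setup|conn\s+(\S+))\s*$', line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r'^\s+(\w+)=(.*?)\s*$', line)
        if m and current == name:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def psk_selectors(text):
    """Selector lists of every ': PSK' line (IPv4/hostname selectors only)."""
    out = []
    for line in text.splitlines():
        left, sep, right = line.partition(':')
        if sep and right.split()[:1] == ['PSK']:
            out.append(left.split())
    return out

def check_pair(conf_a, secrets_a, conf_b, secrets_b, name='ipsec-test'):
    """List ID mismatches that make a responder log 'no matching peer config found'."""
    a, b = parse_conn(conf_a, name), parse_conn(conf_b, name)
    problems = []
    # What one side sends as its own ID (leftid) must equal the peer's rightid.
    for mine, theirs, who in ((a, b, 'A'), (b, a, 'B')):
        if mine.get('leftid') != theirs.get('rightid'):
            problems.append(f"{who}: leftid={mine.get('leftid')} but peer expects rightid={theirs.get('rightid')}")
    # Each side needs a PSK line whose selectors cover the peer ID (empty selector = any).
    for secrets, peer, who in ((secrets_a, a.get('rightid'), 'A'), (secrets_b, b.get('rightid'), 'B')):
        if not any(sel == [] or peer in sel for sel in psk_selectors(secrets)):
            problems.append(f"{who}: no PSK entry selects peer id {peer}")
    return problems
```

Run against the two configs from the post it reports only side B's leftid as inconsistent with what side A asks for; with leftid on B set to the identity A uses in rightid, the check passes.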

