[strongSwan] ipsec problem

Gokan Atmaca linux.gokan at gmail.com
Fri Mar 10 16:45:39 CET 2017


Hello

I started the VPN service as follows, but it gives an authentication
error (1). (OS: Ubuntu 16.04 LTS)

(1)
Mar 10 17:44:32 ubuntu charon: 02[IKE] Z.Z.Z.Z is initiating a Aggressive Mode IKE_SA
Mar 10 17:44:32 ubuntu charon: 02[IKE] Aggressive Mode PSK disabled for security reasons
Mar 10 17:44:32 ubuntu charon: 02[ENC] generating INFORMATIONAL_V1 request 2604966255 [ N(AUTH_FAILED) ]
Mar 10 17:44:32 ubuntu charon: 02[NET] sending packet: from 148.251.173.26[500] to 37.154.177.11[28762] (56 bytes)


> ipsec.conf:
config setup
    plutodebug=control
    crlcheckinterval=180
    strictcrlpolicy=no
    charonstart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server

conn rw
    left=x.x.x.x
    leftid=ipsec.x.net
    leftsubnet=10.1.0.0/16
    leftfirewall=yes
    right=%any
    auto=add

> ipsec.secrets
ipsec.x.net %any : PSK 910202aaa
y at ipsec.xnet : XAUTH "1231234"


# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-31-generic, x86_64):
  uptime: 7 minutes, since Mar 10 17:32:15 2017
  malloc: sbrk 1486848, mmap 0, used 325360, free 1161488
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  148.251.173.26
  10.1.0.100
Connections:
          rw:  x.x.x.x...%any  IKEv1
          rw:   local:  [ipsec.ofisbulutta.net] uses pre-shared key authentication
          rw:   remote: uses pre-shared key authentication
          rw:   remote: uses XAuth authentication: any
          rw:   child:  10.1.0.0/16 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

> strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file

pluto {
  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
}

# pluto uses optimized DH exponent sizes (RFC 3526)

libstrongswan {
  dh_exponent_ansi_x9_42 = no
}

