[strongSwan] PSK Failing

Ubaidul Khan ukhangmu at gmail.com
Sat Mar 24 15:02:37 CET 2018


Hello,

I am running strongSwan 5.5.1 on Ubuntu 17.10 on the server and trying to
connect a Mac running OS X High Sierra using both PSK and XAUTH. I am getting the
following error:

Mar 24 09:40:08 alpha charon: 11[ENC] generating INFORMATIONAL_V1 request 1358223450 [ HASH N(AUTH_FAILED) ]

Detailed Log File Excerpt
----------------------------------
Mar 24 09:41:06 alpha charon: 07[NET] received packet: from 192.168.5.69[500] to 192.168.5.11[500] (788 bytes)
Mar 24 09:41:06 alpha charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Mar 24 09:41:06 alpha charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received FRAGMENTATION vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] received DPD vendor ID
Mar 24 09:41:06 alpha charon: 07[IKE] 192.168.5.69 is initiating a Main Mode IKE_SA
Mar 24 09:41:06 alpha charon: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Mar 24 09:41:06 alpha charon: 07[NET] sending packet: from 192.168.5.11[500] to 192.168.5.69[500] (160 bytes)
Mar 24 09:41:06 alpha charon: 08[NET] received packet: from 192.168.5.69[500] to 192.168.5.11[500] (228 bytes)
Mar 24 09:41:06 alpha charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 24 09:41:06 alpha charon: 08[IKE] remote host is behind NAT
Mar 24 09:41:06 alpha charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 24 09:41:06 alpha charon: 08[NET] sending packet: from 192.168.5.11[500] to 192.168.5.69[500] (244 bytes)
Mar 24 09:41:06 alpha charon: 09[NET] received packet: from 192.168.5.69[4500] to 192.168.5.11[4500] (108 bytes)
Mar 24 09:41:06 alpha charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 24 09:41:06 alpha charon: 09[CFG] looking for pre-shared key peer configs matching 192.168.5.11...192.168.5.69[192.168.1.8]
Mar 24 09:41:06 alpha charon: 09[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 24 09:41:06 alpha charon: 09[ENC] generating INFORMATIONAL_V1 request 3652931050 [ HASH N(AUTH_FAILED) ]
Mar 24 09:41:06 alpha charon: 09[NET] sending packet: from 192.168.5.11[4500] to 192.168.5.69[4500] (92 bytes)


Log Excerpt when it starts
-----------------------------------

Mar 24 09:42:29 alpha systemd[1]: Stopping strongSwan IPsec services...
Mar 24 09:42:29 alpha ipsec[29567]: Stopping strongSwan IPsec...
Mar 24 09:42:29 alpha charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 24 09:42:29 alpha systemd[1]: Stopped strongSwan IPsec services.
Mar 24 09:42:29 alpha systemd[1]: Starting strongSwan IPsec services...
Mar 24 09:42:29 alpha ipsec[29580]: Starting strongSwan 5.5.1 IPsec [starter]...
Mar 24 09:42:29 alpha systemd[1]: Started strongSwan IPsec services.
Mar 24 09:42:29 alpha charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-25-generic, x86_64)
Mar 24 09:42:29 alpha charon: 00[CFG] disabling load-tester plugin, not configured
Mar 24 09:42:29 alpha charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Mar 24 09:42:30 alpha charon: 00[CFG] dnscert plugin is disabled
Mar 24 09:42:30 alpha charon: 00[CFG] ipseckey plugin is disabled
Mar 24 09:42:30 alpha charon: 00[CFG] attr-sql plugin: database URI not set
Mar 24 09:42:30 alpha charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 24 09:42:30 alpha charon: 00[CFG]   loaded ca certificate "C=US, O=StrongSSWAN, CN=StrongSSWAN Root CA" from '/etc/ipsec.d/cacerts/SSWAN_CA_self_signed_cert.crt'
Mar 24 09:42:30 alpha charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 24 09:42:30 alpha charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 24 09:42:30 alpha charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 24 09:42:30 alpha charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 24 09:42:30 alpha charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 24 09:42:30 alpha charon: 00[CFG]   loaded IKE secret for %any
Mar 24 09:42:30 alpha charon: 00[CFG]   loaded EAP secret for jdoe
Mar 24 09:42:30 alpha charon: 00[CFG] sql plugin: database URI not set
Mar 24 09:42:30 alpha charon: 00[CFG] read 0 triplets from /etc/ipsec.d/triplets.dat
Mar 24 09:42:30 alpha charon: 00[CFG] eap-simaka-sql database URI missing
Mar 24 09:42:30 alpha charon: 00[CFG] loaded 0 RADIUS server configurations
Mar 24 09:42:30 alpha charon: 00[CFG] no threshold configured for systime-fix, disabled
Mar 24 09:42:30 alpha charon: 00[CFG] coupling file path unspecified
Mar 24 09:42:30 alpha charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-file eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Mar 24 09:42:30 alpha charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 24 09:42:30 alpha charon: 00[JOB] spawning 16 worker threads
Mar 24 09:42:30 alpha charon: 05[CFG] received stroke: add connection 'L2TP'
Mar 24 09:42:30 alpha charon: 05[CFG]   loaded certificate "CN=Acme.com, C=US, O=Acme Technologies Inc, OU=Network Technologies" from '/etc/ipsec.d/certs/alpha_SSWAN_vpnHost_signed_cert.crt'
Mar 24 09:42:30 alpha charon: 05[CFG]   id 'CN=access.acme.com, C=US, O=Acme Technologies Inc' not confirmed by certificate, defaulting to 'CN=acme.com, C=US, O=Acme Technologies Inc, OU=Network Technologies'
Mar 24 09:42:30 alpha charon: 05[CFG] added configuration 'L2TP'


ipsec.conf
--------------

config setup
    cachecrls=yes
    uniqueids=yes
    charondebug=""

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    authby=secret


conn L2TP
    aggressive=yes
    dpdaction=clear
    # Server IP
    left=192.168.5.11
    # Server default gateway
    # leftnexthop=192.168.5.254
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=0.0.0.0/0
    leftauth=psk
    leftauth2=xauth
    rightauth=psk
    # leftid="<insert-the-public-ip-here>"
    leftid="CN=access.acme.com, C=US, O="Acme Technologies Inc""
    leftcert=/etc/ipsec.d/certs/alpha_SSWAN_vpnHost_signed_cert.crt
    ikelifetime=1h
    keylife=8h
    ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    auto=add
    keyexchange=ike
    type=transport

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore


ipsec.secrets
------------------
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: PSK "goaway"
jdoe : XAUTH  "fatal123"


Error on the Mac
---------------------------------
The only error shown on screen is:

  "The L2TP-VPN Server did not respond. Try reconnecting. If the problem
  continues, verify settings and contact your Administrator."


Log entry in /var/log/system.log:
---------------------------------

    Mar 24 10:01:39 falcon racoon[1051]: plogsetfile: about to add racoon log file: /var/log/racoon.log

And /var/log/racoon.log is empty.


I appreciate the help. Thank you.
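An added example (not part of the original post and not strongSwan code) that parses charon log lines like the excerpt above and reports, per initiating peer, the IKE mode, NAT status, the identity used for the PSK lookup and the reason the responder sent AUTH_FAILED. The regular expressions are assumptions based only on the message formats visible in the excerpt, and the sample log is a constructed subset of those lines:

```python
import re

# Constructed sample: a condensed copy of the server-side charon lines from the post above.
SAMPLE_LOG = """\
Mar 24 09:41:06 alpha charon: 07[IKE] 192.168.5.69 is initiating a Main Mode IKE_SA
Mar 24 09:41:06 alpha charon: 08[IKE] remote host is behind NAT
Mar 24 09:41:06 alpha charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 24 09:41:06 alpha charon: 09[CFG] looking for pre-shared key peer configs matching 192.168.5.11...192.168.5.69[192.168.1.8]
Mar 24 09:41:06 alpha charon: 09[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 24 09:41:06 alpha charon: 09[ENC] generating INFORMATIONAL_V1 request 3652931050 [ HASH N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(r"charon: (?P<thr>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")  # assumed syslog layout
INIT_RE = re.compile(r"(?P<peer>[\d.]+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA")
LOOKUP_RE = re.compile(r"looking for (?P<auth>.+?) peer configs matching [\d.]+\.\.\.(?P<peer>[\d.]+)\[(?P<id>[^\]]*)\]")
REJECT_RE = re.compile(r"found (?P<n>\d+) matching config, but none allows (?P<auth>.+?) authentication using (?P<mode>\w+) Mode")
NOTIFY_RE = re.compile(r"N\((?P<notify>[A-Z_]+)\)")

def parse_charon(text):
    """Return (thread, subsystem, message) for every charon line; other syslog lines are dropped."""
    return [m.groups() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]

def summarize_ikev1(text):
    """One record per initiating peer. Worker threads change between exchanges
    (07, 08, 09 in the post), so state is keyed on the peer address, not the thread."""
    peers, cur = {}, None
    for _thr, _sub, msg in parse_charon(text):
        if m := INIT_RE.search(msg):
            cur = peers.setdefault(m["peer"], {"mode": m["mode"], "nat": False, "identity": None,
                                                "auth": None, "rejected": None, "notifies": []})
        elif cur is None:
            continue                                # nothing attributable to a peer yet
        elif "remote host is behind NAT" in msg:
            cur["nat"] = True
        elif m := LOOKUP_RE.search(msg):
            cur["identity"], cur["auth"] = m["id"], m["auth"]
        elif m := REJECT_RE.search(msg):
            cur["rejected"] = f"{m['n']} config(s) matched, none allows {m['auth']} in {m['mode']} Mode"
        elif m := NOTIFY_RE.search(msg):
            cur["notifies"].append(m["notify"])
    return peers

def findings(text):
    """Human-readable lines for peers whose IKE_SA attempt ended in AUTH_FAILED."""
    out = []
    for ip, p in summarize_ikev1(text).items():
        if "AUTH_FAILED" in p["notifies"]:
            nat = " (behind NAT)" if p["nat"] else ""
            out.append(f"{ip}{nat} id={p['identity']}: {p['mode']} Mode {p['auth']} rejected: {p['rejected']}")
    return out
```

Run it over a full charon log with `findings(open("/var/log/syslog").read())` to list every peer that was turned away with AUTH_FAILED together with the mode it initiated and the config-selection message that preceded the rejection.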