[strongSwan] PSK Failing

Ubaidul Khan ukhangmu at gmail.com
Sun Mar 25 00:38:42 CET 2018


Thank you Noel!  I made some progress, but the Mac client is still not
connecting.  Here is the log file on the StrongSwan server:

Mar 24 18:34:06 alpha charon: 08[NET] received packet: from
192.168.5.69[500] to 192.168.5.11[500] (788 bytes)
Mar 24 18:34:06 alpha charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V
V V V V V V V V ]
Mar 24 18:34:06 alpha charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike
vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received FRAGMENTATION vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] received DPD vendor ID
Mar 24 18:34:06 alpha charon: 08[IKE] 192.168.5.69 is initiating a Main
Mode IKE_SA
Mar 24 18:34:06 alpha charon: 08[ENC] generating ID_PROT response 0 [ SA V
V V V ]
Mar 24 18:34:06 alpha charon: 08[NET] sending packet: from
192.168.5.11[500] to 192.168.5.69[500] (160 bytes)
Mar 24 18:34:06 alpha charon: 09[NET] received packet: from
192.168.5.69[500] to 192.168.5.11[500] (228 bytes)
Mar 24 18:34:06 alpha charon: 09[ENC] parsed ID_PROT request 0 [ KE No
NAT-D NAT-D ]
Mar 24 18:34:06 alpha charon: 09[IKE] remote host is behind NAT
Mar 24 18:34:06 alpha charon: 09[ENC] generating ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Mar 24 18:34:06 alpha charon: 09[NET] sending packet: from
192.168.5.11[500] to 192.168.5.69[500] (244 bytes)
Mar 24 18:34:06 alpha charon: 10[NET] received packet: from
192.168.5.69[4500] to 192.168.5.11[4500] (108 bytes)
Mar 24 18:34:06 alpha charon: 10[ENC] parsed ID_PROT request 0 [ ID HASH
N(INITIAL_CONTACT) ]
Mar 24 18:34:06 alpha charon: 10[CFG] looking for pre-shared key peer
configs matching 192.168.5.11...192.168.5.69[192.168.1.8]
Mar 24 18:34:06 alpha charon: 10[CFG] selected peer config "L2TP"
Mar 24 18:34:06 alpha charon: 10[IKE] IKE_SA L2TP[1] established between
192.168.5.11[CN=acme.com, C=US, O=Acme Technologies Inc, OU=Network
Technologies]...192.168.5.69[192.168.1.8]
Mar 24 18:34:06 alpha charon: 10[IKE] scheduling reauthentication in 2670s
Mar 24 18:34:06 alpha charon: 10[IKE] maximum IKE_SA lifetime 3210s
Mar 24 18:34:06 alpha charon: 10[ENC] generating ID_PROT response 0 [ ID
HASH ]
Mar 24 18:34:06 alpha charon: 10[NET] sending packet: from
192.168.5.11[4500] to 192.168.5.69[4500] (172 bytes)
Mar 24 18:34:10 alpha charon: 12[NET] received packet: from
192.168.5.69[4500] to 192.168.5.11[4500] (108 bytes)
Mar 24 18:34:10 alpha charon: 12[IKE] received retransmit of request with
ID 0, retransmitting response
Mar 24 18:34:10 alpha charon: 12[NET] sending packet: from
192.168.5.11[4500] to 192.168.5.69[4500] (172 bytes)
Mar 24 18:34:13 alpha charon: 13[NET] received packet: from
192.168.5.69[4500] to 192.168.5.11[4500] (108 bytes)
Mar 24 18:34:13 alpha charon: 13[IKE] received retransmit of request with
ID 0, retransmitting response
Mar 24 18:34:13 alpha charon: 13[NET] sending packet: from
192.168.5.11[4500] to 192.168.5.69[4500] (172 bytes)
Mar 24 18:34:16 alpha charon: 14[NET] received packet: from
192.168.5.69[4500] to 192.168.5.11[4500] (108 bytes)
Mar 24 18:34:16 alpha charon: 14[IKE] received retransmit of request with
ID 0, retransmitting response
Mar 24 18:34:16 alpha charon: 14[NET] sending packet: from
192.168.5.11[4500] to 192.168.5.69[4500] (172 bytes)
Mar 24 18:34:28 alpha charon: 15[NET] received packet: from
192.168.5.69[4500] to 192.168.5.11[4500] (108 bytes)
Mar 24 18:34:28 alpha charon: 15[IKE] received retransmit of request with
ID 0, retransmitting response
Mar 24 18:34:28 alpha charon: 15[NET] sending packet: from
192.168.5.11[4500] to 192.168.5.69[4500] (172 bytes)
Mar 24 18:34:36 alpha charon: 16[IKE] sending DPD request
Mar 24 18:34:36 alpha charon: 16[ENC] generating INFORMATIONAL_V1 request
3738696413 [ HASH N(DPD) ]
Mar 24 18:34:36 alpha charon: 16[NET] sending packet: from
192.168.5.11[4500] to 192.168.5.69[4500] (92 bytes)
Mar 24 18:35:06 alpha charon: 03[IKE] sending DPD request
Mar 24 18:35:06 alpha charon: 03[ENC] generating INFORMATIONAL_V1 request
3017683089 [ HASH N(DPD) ]
Mar 24 18:35:06 alpha charon: 03[NET] sending packet: from
192.168.5.11[4500] to 192.168.5.69[4500] (92 bytes)


Looks like the Security Association is successful on the server, but the
Mac quits with the same error as before:

 "The L2TP-VPN Server did not respond. Try reconnecting. If the problem
continues, verify
  settings and contact your Administrator."



There is nothing in the Mac logs either.  I did change the ipsec.conf on
the server:


config setup
    cachecrls=yes
    uniqueids=yes
    charondebug=""

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    authby=secret
    keyexchange=ikev2



conn L2TP
    #aggressive=yes
    fragmentation=yes
    dpdaction=clear
    #Server IP
    left=192.168.5.11
    #Server default gateway
    # leftnexthop=192.168.5.254
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=0.0.0.0/0
    authby=secret
    # leftauth=psk
    # leftauth2=xauth
    # rightauth=psk
    # leftid="<insert-the-public-ip-here>"

    leftid="CN=access.acme.com, C=US, O="Acme Technologies Inc""
    leftcert=/etc/ipsec.d/certs/alpha_SSWAN_vpnHost_signed_cert.crt


    ikelifetime=1h
    keylife=8h

ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024

esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    auto=add
    keyexchange=ike
    type=transport

What am I missing?  Kindly share your thoughts.

Thanks

On Sat, Mar 24, 2018 at 1:17 PM, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Please always address the mailing list, too.
>
> Then a little bit more text for you, so you can see your error.
>
> > Mar 24 09:41:06 alpha charon: 07[IKE] 192.168.5.69 is initiating a Main
> Mode IKE_SA
> > Mar 24 09:41:06 alpha charon: 09[IKE] found 1 matching config, but none
> allows pre-shared key authentication using Main Mode
>
> > conn L2TP
> >     aggressive=yes
>
>
> I hope it's clear now.
>
> Btw, all those other conns are useless. They don't do anything.
>
> On 24.03.2018 16:53, Ubaidul Khan wrote:
> > Thanks for replying, but none(of the two messages you sent) has any
> content.
> >
> > On Sat, Mar 24, 2018 at 11:02 AM, Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting <mailto:noel.kuntze+
> strongswan-users-ml at thermi.consulting>> wrote:
> >
> >
> >
> >     On 24.03.2018 15 <tel:24.03.2018%2015>:02, Ubaidul Khan wrote:
> >     > Mar 24 09:41:06 alpha charon: 09[IKE] found 1 matching config, but
> none allows pre-shared key authentication using Main Mode
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180324/3b4bd700/attachment.html>


More information about the Users mailing list