Hi,
We are trying to establish 4 IKE tunnels as below:
172.29.88.2...172.17.11.56,
172.29.88.2...172.16.11.55,
172.29.88.2...172.18.11.57,
172.29.88.2...10.69.196.246
Initiator Configuration
------------------------------------------------------------------------------------------------------
PSKs in "ipsec.secrets" file
172.29.88.2 172.16.11.55 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
172.29.88.2 172.17.11.56 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
172.29.88.2 172.18.11.57 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
172.29.88.2 10.69.196.246 : PSK
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Responder Configuration
------------------------------------------------------------------------------------------------------
PSKs in "ipsec.secrets" file
172.29.88.2 172.16.11.55 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
172.29.88.2 172.17.11.56 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
172.29.88.2 172.18.11.57 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
#172.29.88.2 10.69.196.246 : PSK
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

In this case, none of the IKE tunnels gets established, due to a "MAC
mismatch" error on the responder.
14[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[IKE] 172.29.88.2 is initiating an IKE_SA
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
14[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
15[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
15[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]
15[CFG] selected peer config 'conn3'
15[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
15[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
08[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[IKE] 172.29.88.2 is initiating an IKE_SA
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
08[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
07[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
07[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]
07[CFG] selected peer config 'conn3'
07[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
07[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
10[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[IKE] 172.29.88.2 is initiating an IKE_SA
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
10[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
09[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
09[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
09[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]
09[CFG] selected peer config 'conn3'
09[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched

If we uncomment the last line in the "ipsec.secrets" file on the responder, then
all IKE tunnels are established successfully. We think the initiator is only
using the last PSK for all the IKE tunnels, though a different PSK is
configured for each. Could you please help us here?

One more query: how can we find the PSK being used during IKE negotiations?

Thanks in advance.

BR,
Ravi
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
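An added diagnostic helper for the second question above; it is not part of strongSwan and not code from the original post. It parses an ipsec.secrets-style file (a constructed copy of the responder's entries) and lists which PSK lines are candidates for a given local/peer ID pair. The matching rules are an assumed simplification of strongSwan's real selection: selector order is ignored, `%any` on either side matches anything, and commented lines are skipped. With the fourth line commented out, the lookup logged as '%any' - '172.29.88.2' yields three candidates, which lines up with the "tried 3 shared keys" message.

```python
"""Hypothetical helper, not part of strongSwan: list the PSK entries of an
ipsec.secrets-style file that are candidates for one (local ID, peer ID) pair.
Matching is an assumed simplification: selector order is ignored, '%any' on
either side matches anything, and commented lines are skipped."""
import re

# Constructed sample modelled on the responder's file from the post
# (fourth line commented out, as in the failing case).
RESPONDER_SECRETS = """\
172.29.88.2 172.16.11.55 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
172.29.88.2 172.17.11.56 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
172.29.88.2 172.18.11.57 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
#172.29.88.2 10.69.196.246 : PSK "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"""

# selectors, then ':', then the PSK keyword and a double-quoted secret
ENTRY_RE = re.compile(r'^(?P<selectors>[^:#]*):\s*PSK\s+"(?P<key>[^"]*)"\s*$')

def parse_secrets(text):
    """Return [(line_no, [selector, ...], key)] for every active PSK line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, exactly like '#172.29.88.2 ...'
        match = ENTRY_RE.match(line)
        if match:  # other secret types (RSA, EAP, ...) are ignored here
            entries.append((line_no, match.group("selectors").split(),
                            match.group("key")))
    return entries

def id_matches(selector, identity):
    """'%any' as selector or as looked-up identity matches everything."""
    return "%any" in (selector, identity) or selector == identity

def candidates(entries, local_id, peer_id):
    """Entries a lookup for (local_id, peer_id) would have to try, as
    [(line_no, key)]; more than one means the choice is ambiguous."""
    found = []
    for line_no, selectors, key in entries:
        if not selectors:  # no selectors at all: usable for any pair
            found.append((line_no, key))
        elif (any(id_matches(s, local_id) for s in selectors)
              and any(id_matches(s, peer_id) for s in selectors)):
            found.append((line_no, key))
    return found

if __name__ == "__main__":
    # Responder lookup as logged: '%any' - '172.29.88.2' gives three
    # candidates ("tried 3 shared keys"); the commented line is never one.
    for line_no, key in candidates(parse_secrets(RESPONDER_SECRETS),
                                   "%any", "172.29.88.2"):
        print(f"line {line_no}: PSK starts with {key[:8]!r}")
```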