Hi,

Could you please help here.

Thanks and Regards,
Ravi

On Fri, Jan 11, 2013 at 1:02 PM, Ravikumar Chennaparapu <[email protected]> wrote:
> Hi,
>
> We are trying to establish 4 IKE tunnels as below:
>
> 172.29.88.2...172.17.11.56,
> 172.29.88.2...172.16.11.55,
> 172.29.88.2...172.18.11.57,
> 172.29.88.2...10.69.196.246
>
> Initiator Configuration
> ------------------------------------------------------------------------------------------------------
> PSKs in "ipsec.secrets" file
>
> 172.29.88.2 172.16.11.55 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
> 172.29.88.2 172.17.11.56 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
> 172.29.88.2 172.18.11.57 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
> 172.29.88.2 10.69.196.246 : PSK "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
> Responder Configuration
> ------------------------------------------------------------------------------------------------------
> PSKs in "ipsec.secrets" file
>
> 172.29.88.2 172.16.11.55 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
> 172.29.88.2 172.17.11.56 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
> 172.29.88.2 172.18.11.57 : PSK "~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"
> #172.29.88.2 10.69.196.246 : PSK "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
>
> In this case, all IKE tunnels are not getting established due to "MAC mismatch" error on responder.
>
> 14[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 14[IKE] 172.29.88.2 is initiating an IKE_SA
> 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> 14[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
> 15[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
> 15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> 15[CFG] looking for peer configs matching 172.18.11.57[%any]...172.29.88.2[172.29.88.2]
> 15[CFG] selected peer config 'conn3'
> 15[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
> 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 15[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
> 08[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
> 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 08[IKE] 172.29.88.2 is initiating an IKE_SA
> 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> 08[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
> 07[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
> 07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> 07[CFG] looking for peer configs matching 172.18.11.57[%any]...172.29.88.2[172.29.88.2]
> 07[CFG] selected peer config 'conn3'
> 07[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
> 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 07[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
> 10[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[IKE] 172.29.88.2 is initiating an IKE_SA
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> 10[NET] sending packet: from 172.18.11.57[500] to 172.29.88.2[500]
> 09[NET] received packet: from 172.29.88.2[500] to 172.18.11.57[500]
> 09[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> 09[CFG] looking for peer configs matching 172.18.11.57[%any]...172.29.88.2[172.29.88.2]
> 09[CFG] selected peer config 'conn3'
> 09[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC mismatched
>
> If we uncomment the last line in the "ipsec.secrets" file on the responder, then all IKE tunnels are established successfully. We think the initiator is only using the last PSK for all the IKE tunnels, though different PSKs are configured for each. Could you please help us here?
>
> One more query, how to find the PSK being used during IKE negotiations?
>
> Thanks in Advance.
>
> BR,
> Ravi
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
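
The comparison the message above makes by eye between the initiator's and responder's "ipsec.secrets" files can be scripted. The following is an added example, not part of the original post and not strongSwan code; it assumes IPv4 selectors and quoted-string PSKs only, and the function names and placeholder secrets are constructed for illustration.

```python
import hashlib
import re

# Entry form handled: <selectors> : PSK "<secret>", optionally commented out with '#'.
ENTRY = re.compile(r'^(#\s*)?([^:#"]+?)\s*:\s*PSK\s+"([^"]*)"$')

def parse_secrets(text):
    """Return ({selectors: (active, fingerprint)}, [selectors of unparsable PSK lines])."""
    entries, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            # Store a short fingerprint, not the secret, so the report can be shared.
            fp = hashlib.sha256(m.group(3).encode()).hexdigest()[:12]
            entries[" ".join(m.group(2).split())] = (m.group(1) is None, fp)
        elif ": PSK" in line:
            # Looks like a PSK entry but did not parse, e.g. an unterminated quote.
            malformed.append(line.split(":")[0].strip())
    return entries, malformed

def compare(initiator_text, responder_text):
    """Describe every PSK entry that is not identical and active on both peers."""
    (ini, ini_bad), (res, res_bad) = parse_secrets(initiator_text), parse_secrets(responder_text)
    findings = [f"{s}: unparsable on initiator" for s in ini_bad]
    findings += [f"{s}: unparsable on responder" for s in res_bad]
    for sel in sorted(set(ini) | set(res)):
        a, b = ini.get(sel), res.get(sel)
        if a is None or b is None:
            findings.append(f"{sel}: missing on {'initiator' if a is None else 'responder'}")
        elif a[1] != b[1]:
            findings.append(f"{sel}: secret differs")
        elif a[0] != b[0]:
            findings.append(f"{sel}: commented out on {'responder' if a[0] else 'initiator'}")
    return findings

# Constructed sample: the thread's selectors with placeholder secrets.
PEERS = ["172.16.11.55", "172.17.11.56", "172.18.11.57"]
SHARED = "".join(f'172.29.88.2 {p} : PSK "placeholder-one"\n' for p in PEERS)
INITIATOR = SHARED + '172.29.88.2 10.69.196.246 : PSK "placeholder-two"\n'
RESPONDER = SHARED + '#172.29.88.2 10.69.196.246 : PSK "placeholder-two"\n'

if __name__ == "__main__":
    for finding in compare(INITIATOR, RESPONDER):
        print(finding)
```

On the constructed sample the responder ends up with three active entries, the same count as in the logged "tried 3 shared keys" line.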
