Hello Balaji,

There is a command for re-reading secrets:

    # ipsec whack --rereadsecrets

Does that work for you?

Regards,
Stepan

Tue 4. 8. 2020 at 17:22, Balaji Thoguluva <[email protected]> wrote:
> Hi Developers,
>
> I have a connection with authby=rsasig and all the rest of the parameters
> set correctly. I am able to establish a connection successfully with X.509
> certificate-based authentication. Now when the tunnel is up, I change the
> authentication from rsasig to PSK by setting authby=secret (also created a
> <conn-name>.secrets file for storing the PSK password) and all the
> parameters related to certificate removed from the connection. Without
> invoking "ipsec restart" command, I do a "/usr/local/sbin/ipsec auto
> --ondemand taccert" to load the PSK configuration automatically. The tunnel
> gets torn down. Now when the data packet triggers the tunnel, Libreswan is
> able to send an IKE_SA_INIT request and gets back the IKE_SA_INIT
> response. However it stops processing there because it cannot find the PSK.
>
> Aug 4 14:23:05 [localhost] pluto[4324]: initiate on demand from 10.196.172.139:0 to 10.196.175.174:49 proto=6 because: acquire
> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: initiating v2 parent SA
> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: local IKE proposals for taccert (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: No matching PSK found for connection:taccert
> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: Failed to find our PreShared Key
> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #4: deleting state (STATE_UNDEFINED) and NOT sending notification
> Aug 4 14:23:08 [localhost] sshd[4782]: pam_authp(sshd:auth): pam_sm_authenticate: Timeout waiting for authProxy
>
> A couple of questions.
>
> 1. Can we get the PSK tunnel establishment working without restarting
> IPsec? It looks to me that the secret file is not loaded by libreswan.
> Is there any way to load the secret file by any utility command on the fly?
>
> Any help is appreciated.
>
> Thanks,
> Balaji
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
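The reload flow discussed above, as an added shell example that is not from the Swan-dev thread or the libreswan project: it writes a per-connection secrets entry for the two addresses in Balaji's log, asks the running pluto to re-read its secrets with ipsec whack --rereadsecrets, and counts the "No matching PSK found" log lines that show the key is still not visible. It assumes the default /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets, that the key is passed in the PSK environment variable, and that pluto logs to the file named by PLUTO_LOG (default /var/log/secure).

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): write a per-connection
# PSK secrets file, reload it into the running pluto, then check its log.
# Assumption: /etc/ipsec.secrets contains 'include /etc/ipsec.d/*.secrets'.

SECRETS_DIR="${SECRETS_DIR:-/etc/ipsec.d}"
PLUTO_LOG="${PLUTO_LOG:-/var/log/secure}"   # assumption: syslog target for pluto

# psk_line_for LEFT RIGHT PSK: render one libreswan secrets entry,
# '<left-id> <right-id> : PSK "<key>"', on stdout.
psk_line_for() {
    printf '%s %s : PSK "%s"' "$1" "$2" "$3"
}

# write_psk_secret LEFT RIGHT PSK FILE: write the entry with mode 0600,
# since the secrets file must not be readable by other users.
write_psk_secret() {
    ( umask 077; { psk_line_for "$1" "$2" "$3"; echo; } > "$4" )
}

# reread_secrets: make the running pluto re-read its secrets files
# instead of restarting the whole IKE daemon.
reread_secrets() {
    ipsec whack --rereadsecrets
}

# count_psk_failures LOGFILE: number of 'No matching PSK found' lines;
# non-zero after the reload means pluto still cannot see the new key.
# grep -c exits 1 when the count is 0, which is not an error here.
count_psk_failures() {
    grep -c 'No matching PSK found' "$1" || [ $? -eq 1 ]
}

# Usage on the libreswan host, as root:  PSK='...' ./psk_reload.sh apply
if [ "${1:-}" = "apply" ]; then
    write_psk_secret 10.196.172.139 10.196.175.174 "${PSK:?set PSK}" \
        "$SECRETS_DIR/taccert.secrets"
    reread_secrets
    ipsec auto --ondemand taccert      # the same load step Balaji used
    sleep 2
    echo "PSK lookup failures in log: $(count_psk_failures "$PLUTO_LOG")"
fi
```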
