You need “ipsec secrets” to reread the secrets if you add / remove them.
Sent from my iPhone

> On Aug 4, 2020, at 11:39, Štěpán Brož <[email protected]> wrote:
>
> Hello Balaji,
>
> There is a command for re-reading secrets:
>
>     # ipsec whack --rereadsecrets
>
> Does that work for you?
>
> Regards,
> Stepan
>
> On Tue, 4 Aug 2020 at 17:22, Balaji Thoguluva <[email protected]> wrote:
>> Hi Developers,
>>
>> I have a connection with authby=rsasig and all the rest of the parameters
>> set correctly. I am able to establish a connection successfully with X.509
>> certificate-based authentication. Now when the tunnel is up, I change the
>> authentication from rsasig to PSK by setting authby=secret (also created a
>> <conn-name>.secrets file for storing the PSK password) and all the
>> parameters related to the certificate are removed from the connection. Without
>> invoking the "ipsec restart" command, I do a "/usr/local/sbin/ipsec auto
>> --ondemand taccert" to load the PSK configuration automatically. The tunnel
>> gets torn down. Now when the data packet triggers the tunnel, Libreswan is
>> able to send an IKE_SA_INIT request and gets back the IKE_SA_INIT response.
>> However, it stops processing there because it cannot find the PSK.
>>
>> Aug 4 14:23:05 [localhost] pluto[4324]: initiate on demand from 10.196.172.139:0 to 10.196.175.174:49 proto=6 because: acquire
>> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: initiating v2 parent SA
>> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: local IKE proposals for taccert (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
>> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
>> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: No matching PSK found for connection:taccert
>> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #3: Failed to find our PreShared Key
>> Aug 4 14:23:05 [localhost] pluto[4324]: "taccert" #4: deleting state (STATE_UNDEFINED) and NOT sending notification
>> Aug 4 14:23:08 [localhost] sshd[4782]: pam_authp(sshd:auth): pam_sm_authenticate: Timeout waiting for authProxy
>>
>> A couple of questions.
>>
>> 1. Can we get the PSK tunnel establishment working without restarting IPsec?
>> It looks to me that the secrets file is not loaded by Libreswan. Is there
>> any way to load the secrets file with any utility command on the fly?
>>
>> Any help is appreciated.
>>
>> Thanks,
>> Balaji
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
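The procedure the thread arrives at (drop a per-connection secrets file in place, then have the running pluto reread it with "ipsec secrets" or "ipsec whack --rereadsecrets" instead of "ipsec restart") as a small POSIX shell helper. This is an added example, not code from the thread or from the Libreswan project. It assumes the stock Libreswan layout in which /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets, the <conn-name>.secrets naming used in the question, and the standard secrets syntax "<leftid> <rightid> : PSK "<key>"". The connection name, addresses and key in the comments are constructed values taken from the question's log, not real credentials.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Libreswan itself).
# Assumed: /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets, so a file
# named <conn>.secrets under that directory is picked up on reread.
set -eu

# Build one PSK entry in ipsec.secrets syntax:  <leftid> <rightid> : PSK "<key>"
# IDs may be IP addresses or @-prefixed names. The key is double-quoted, so a
# key containing '"' would need escaping and is not handled here.
make_psk_line() {
  left=$1; right=$2; key=$3
  printf '%s %s : PSK "%s"\n' "$left" "$right" "$key"
}

# Write <dir>/<conn>.secrets with owner-only permissions and print its path.
# The directory defaults to /etc/ipsec.d; a test can pass a temporary one.
# The umask is set in a subshell so the file is never created world-readable,
# not even for the instant before chmod runs.
write_conn_secrets() {
  conn=$1; left=$2; right=$3; key=$4; dir=${5:-/etc/ipsec.d}
  f="$dir/$conn.secrets"
  ( umask 077; make_psk_line "$left" "$right" "$key" > "$f" )
  chmod 600 "$f"
  printf '%s\n' "$f"
}

# Ask the running pluto to reread all secrets without a restart. "ipsec secrets"
# is the wrapper for "ipsec whack --rereadsecrets"; either form works. When
# Libreswan is not installed (e.g. on a build box) this is a no-op so the helper
# can still be exercised offline.
reread_secrets() {
  if command -v ipsec >/dev/null 2>&1; then
    ipsec secrets
  else
    echo "ipsec not installed; skipping reread" >&2
    return 0
  fi
}

# End-to-end use on a real host (constructed values from the question's log):
#   write_conn_secrets taccert 10.196.172.139 10.196.175.174 'constructed-psk'
#   reread_secrets
#   ipsec auto --ondemand taccert
```

Rereading secrets only refreshes the key table; the connection definition itself (authby=secret, the removed certificate parameters) still has to be reloaded with "ipsec auto --ondemand <conn>" or "ipsec auto --add <conn>" as in the question. Keeping the secrets file at mode 0600 matters because pluto reads it as root and any local reader of the file holds the tunnel's authentication key.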
