Hello,

I’m having problems getting Libreswan working for a road warrior with 
pre-shared key configuration.

Here’s the configuration and logs produced.

Thanks for any suggestions on how to proceed with troubleshooting this.

--

el-lado-claro.secrets
192.0.2.1 @EL-LADO-OSCURO: PSK "********************************"

el-lado-claro.conf
conn EL-LADO-OSCURO
    type=tunnel
    left=192.0.2.1
    leftid=192.0.2.1
    right=%any
    rightid=@EL-LADO-OSCURO
    authby=secret

    # IKE Phase 1
    #ike=3des-sha1;dh2
    ike=3des-sha1;modp1024
    aggrmode=yes
    ikelifetime=3600s

    # Phase 2
    phase2=esp
    phase2alg=aes128-sha1;modp1024
    salifetime=3600s

    # use auto=start when done testing the tunnel
    auto=add

Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: received Vendor ID payload [Dead Peer Detection]
Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Aggressive mode peer ID is ID_FQDN: '@EL-LADO-OSCURO'
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: responding to Aggressive Mode, state #1, connection "EL-LADO-OSCURO" from 198.51.100.1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: sending notification INVALID_FLAGS to 198.51.100.1:500
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:05 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:35 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: max number of retransmissions (8) reached STATE_AGGR_R1
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: deleting state #1 (STATE_AGGR_R1)
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1: deleting connection "EL-LADO-OSCURO" instance with peer 198.51.100.1 {isakmp=#0/ipsec=#0}

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
