Thanks for the feedback Paul.
I tried adding a line like this to the secrets file:
192.0.2.1 %any @EL-LADO-OSCURO: PSK "********************************"
Or this:
192.0.2.1 0.0.0.0 @EL-LADO-OSCURO: PSK "********************************"
It resulted in Pluto not being able to find a matching connection profile (I
don’t have the logs handy at the moment, but that’s essentially what they
reported).
Leaving the secrets file alone, removing the empty lines had no effect on the
logged failure information, so I suspect they’re unrelated to whatever the
mismatch is.
On 12/23/16, 12:11 PM, "Paul Wouters" <[email protected]> wrote:
On Mon, 19 Dec 2016, Steve Scheck wrote:
> I’m having problems getting Libreswan working for a road warrior with pre-shared key configuration.
>
> Here’s the configuration and logs produced.
>
> Thanks for any suggestions on how to proceed with troubleshooting this.
> el-lado-claro.secrets
>
> 192.0.2.1 @EL-LADO-OSCURO: PSK "********************************"
you need to add 0.0.0.0 or %any as well if you have right=%any
> el-lado-claro.conf
>
> conn EL-LADO-OSCURO
>
> type=tunnel
>
> left=192.0.2.1
>
> leftid=192.0.2.1
>
> right=%any
>
> rightid=@EL-LADO-OSCURO
>
> authby=secret
>
There cannot be empty lines in your configuration.
>
> # IKE Phase 1
>
> #ike=3des-sha1;dh2
>
> ike=3des-sha1;modp1024
this is really old fashioned. I hope you can do better with the other
end? Like match the esp= and use aes-sha1 at the least?
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
It really did not like you at all. Looks like a mismatched
configuration. You might be able to tell more if you enable
debugging and see what's in the unencrypted response.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
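
The three review points in the quoted reply (blank lines inside the conn section, a PSK entry without a `%any` or `0.0.0.0` index when `right=%any`, and the 3des/modp1024 proposal) can be checked mechanically before restarting pluto. The following is an added example, not code from the thread or from the Libreswan project; `parse_conn` and `lint` are hypothetical names, the sample input is constructed from the thread's configuration, and it assumes a file with a single conn section made of indented `key=value` lines.

```python
import re

WEAK = ("3des", "modp1024", "dh2")  # proposals the reply calls old fashioned
# Constructed sample: the thread's conn and secrets entry, quote markers removed.
SAMPLE_CONF = """conn EL-LADO-OSCURO

    left=192.0.2.1
    right=%any
    rightid=@EL-LADO-OSCURO
    authby=secret
    #ike=3des-sha1;dh2
    ike=3des-sha1;modp1024
"""
SAMPLE_SECRETS = '192.0.2.1 @EL-LADO-OSCURO: PSK "placeholder-not-a-real-key"\n'

def parse_conn(conf_text):
    """Return (params, blank_inside) for the conn section (assumed layout)."""
    params, blank_inside, in_conn, pending = {}, False, False, False
    for line in conf_text.splitlines():
        text = line.strip()
        if line.startswith("conn "):
            in_conn = True
        elif in_conn and not text:
            pending = True                  # blank line seen inside the section
        elif in_conn and not text.startswith("#"):
            blank_inside |= pending         # a parameter follows a blank line
            pending = False
            key, _, value = text.partition("=")
            params[key.strip()] = value.strip()
    return params, blank_inside

def lint(conf_text, secrets_text):
    """Return findings for the three review points; an empty list means none."""
    findings = []
    params, blank_inside = parse_conn(conf_text)
    if blank_inside:
        findings.append("blank line inside conn section")
    for line in secrets_text.splitlines():
        parts = re.split(r":\s+", line, maxsplit=1)  # index list, then secret
        if len(parts) == 2 and parts[1].startswith("PSK"):
            idx = set(parts[0].split())
            if (params.get("right") == "%any" and params.get("rightid") in idx
                    and not idx & {"%any", "0.0.0.0"}):
                findings.append("PSK entry has no %any or 0.0.0.0 index")
    weak = [w for w in WEAK if w in params.get("ike", "").lower()]
    if weak:
        findings.append("weak ike proposal: " + ",".join(weak))
    return findings
```

Calling `lint(SAMPLE_CONF, SAMPLE_SECRETS)` reports all three points for the configuration as originally posted; it checks file contents only and says nothing about whether the two ends negotiate successfully.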