On Tue, 24 Jan 2017, Steve Scheck wrote:
> Are there any hints from libreswan as to what it judges to be mismatched?

I managed to reproduce this error in one scenario, although different from yours.

"north-east"[1] 192.1.3.33 #1: STATE_AGGR_R1: sent AR1, expecting AI2
"north-east"[1] 192.1.3.33 #1: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, [email protected]'
"north-east"[1] 192.1.3.33 #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.1.3.33:500
"north-east"[1] 192.1.3.33 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA

I found a bug in IKEv1 Aggressive Mode when using certificates. libreswan as initiator does not send the certificate, even when setting leftsendcert=always. If the initiator in your case is either libreswan or openswan, this might be happening to you. I've added a testcase for this (ikev1-aggr-sendcert-01). Either Matt or I will look at a patch for this :)

But your case is using PSK. If the authentication for PSK fails, the packets are undecryptable, so this is not the case you are seeing. It seems like somehow this is a misconfiguration. It would help if you can show some logs of the other side.

Paul
