One is a wrapper for the other.

Sent using a virtual keyboard on a phone
> On Sep 15, 2022, at 13:37, Brendan Kearney <[email protected]> wrote:
>
> That seems to have done the trick, but I thought I was doing that, albeit via
> a different command:
>
>     ipsec auto --rereadsecrets
>     vs
>     ipsec secrets
>
> Is there a difference between the two commands? In either case, thanks for
> the pointer.
>
> Brendan
>
>> On 9/12/22 3:13 PM, Paul Wouters wrote:
>> It really seems the PSKs are not the same. If you changed them, ensure to
>> restart ipsec or run "ipsec secrets" to reload.
>>
>> It might also be that you have multiple secrets labeled with %any and another
>> entry is picked? Try to just stick with @leftid and @rightid without using
>> %any.
>>
>> Paul
>>
>> Sent using a virtual keyboard on a phone
>>
>>> On Sep 12, 2022, at 14:07, Brendan Kearney <[email protected]> wrote:
>>>
>>> List members,
>>>
>>> I am going in circles trying to figure out where I have gone wrong and
>>> could use some help. I have a libreswan instance behind my router, thus am
>>> using NAT-T on the "left" side. I am trying to test with a client on my
>>> network, accessing my dyn-dns name (external IP of my router), and being
>>> forwarded to the libreswan instance.
>>>
>>> All the routing is working and connections initiate, but do not complete
>>> because auth fails. I get the following logs, which indicate the error:
>>>
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: local IKE proposals (IKE SA responder matching remote proposals):
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256 4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 7:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 8:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_384 9:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_384 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384 11:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384 12:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384 13:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384 14:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1...
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.24.87'
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: AUTH mismatch: Received AUTH != computed AUTH
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: PSK Authentication failed: AUTH mismatch in I2 Auth Payload!
>>> Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=responder conn-name="s2s" connstate=84 ike-version=2.0 auth=PRESHARED_KEY cipher=aes_gcm_16 ksize=256 integ=none prf=sha512 pfs=DH19 raddr=192.168.24.87 exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.152.254 terminal=? res=failed'
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: responding to IKE_AUTH message (ID 1) from 192.168.24.87:4500 with encrypted notification AUTHENTICATION_FAILED
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: encountered fatal error in state STATE_PARENT_R1
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: deleting state (STATE_PARENT_R1) aged 0.037191s and NOT sending notification
>>> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: deleting connection instance with peer 192.168.24.87 {isakmp=#0/ipsec=#0}
>>>
>>> The "left" config:
>>>
>>>     # Site-to-Site (s2s) Config
>>>     conn s2s
>>>         rekey=yes
>>>         left=192.168.152.254
>>>         leftsubnet=192.168.152.0/24
>>>         right=%any
>>>         ikelifetime=28800s
>>>         authby=secret
>>>         type=tunnel
>>>         auto=add
>>>         ikev2=insist
>>>         fragmentation=yes
>>>
>>> The "left" secrets:
>>>
>>>     192.168.152.254 %any : PSK "SooperSekretString"
>>>
>>> The "right" config:
>>>
>>>     #Site-to-Site (s2s) Config
>>>     conn s2s
>>>         rekey=yes
>>>         left=%defaultroute
>>>         right=bkearney.ddns.net
>>>         ikelifetime=28800s
>>>         authby=secret
>>>         type=tunnel
>>>         auto=start
>>>         ikev2=insist
>>>         fragmentation=yes
>>>
>>> The "right" secrets:
>>>
>>>     %any @ext.dyndns.tld : PSK "SooperSekretString"
>>>
>>> Any insight would be greatly appreciated. I am at a loss as to where I am
>>> messing this up.
>>>
>>> Thank you,
>>>
>>> Brendan Kearney
>>>
>>> _______________________________________________
>>> Swan mailing list
>>> [email protected]
>>> https://lists.libreswan.org/mailman/listinfo/swan
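The fix Paul suggests (pin both ends to explicit @leftid/@rightid and drop the %any secrets entries so only one PSK can match) as an added, worked configuration. This is an editor's example, not configuration from the thread or from the libreswan project; the IDs @vpn.example and @client.example are assumed names, and the PSK string is the placeholder from the thread. With `@`-style IDs libreswan treats the name as a literal FQDN-type identity and does not resolve it, so it keeps matching across NAT-T and a changing dynamic IP, which is exactly the situation on the "left" side here.

```ini
# ---- "left" (responder behind the NAT router): /etc/ipsec.conf ----
# Added example. leftid/rightid are assumed names; they only have to be
# byte-identical on both peers, they are never looked up in DNS.
conn s2s
    left=192.168.152.254
    leftsubnet=192.168.152.0/24
    leftid=@vpn.example
    right=%any
    rightid=@client.example
    authby=secret
    ikev2=insist
    type=tunnel
    auto=add
    ikelifetime=28800s
    rekey=yes
    fragmentation=yes

# ---- "left": /etc/ipsec.secrets ----
# Indexed by the same two IDs. No %any entry, so there is exactly one
# candidate PSK for this peer and no chance of pluto picking another line.
@vpn.example @client.example : PSK "SooperSekretString"

# ---- "right" (initiator on the LAN): /etc/ipsec.conf ----
# right= still points at the dyn-dns name for routing; rightid= carries the
# identity the responder will present, independent of that address.
conn s2s
    left=%defaultroute
    leftid=@client.example
    right=bkearney.ddns.net
    rightid=@vpn.example
    authby=secret
    ikev2=insist
    type=tunnel
    auto=start
    ikelifetime=28800s
    rekey=yes
    fragmentation=yes

# ---- "right": /etc/ipsec.secrets ----
# Same pair of IDs, same string, byte for byte (watch for trailing spaces
# or a different quoting style when copying between hosts).
@client.example @vpn.example : PSK "SooperSekretString"
```

After editing the secrets on either host, reload them with `ipsec secrets` (per the reply above, the wrapper form of `ipsec auto --rereadsecrets`) and re-initiate from the "right" side. A quick check that the change took effect: the IKE_AUTH log line that previously read `peer ID is ID_IPV4_ADDR: '192.168.24.87'` should now report an FQDN-type ID, and the `AUTH mismatch` / `AUTHENTICATION_FAILED` lines should be gone. Two caveats a practitioner would want: the PSK must be an unguessable, high-entropy string rather than a phrase (for example the output of `openssl rand -base64 32`), since IKEv2 PSK authentication is only as strong as the secret; and both secrets files must stay readable by root only.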
