Re: [strongSwan] Problem with pre-shared keys on debian

Tue, 10 Nov 2009 11:44:04 -0800 

Hello Andrew,

there must be at least one whitespace character between the identity
enumerations and the colon ':' separator:

192.168.1.228 192.168.1.192 : PSK "cisco"
                           ^
Unfortunately our FreeS/WAN ancestors did not have IPv6 addresses in
mind when they chose a colon as a separating symbol :-)

Best regards

Andreas

Andrew Terekhov wrote:
> Hello, I'm getting a problem when using pre-shared keys to authenticate
> peers using IKEv2. Bot peers have debian installed.
> 
> Here is the log:
> Nov 10 17:00:21 debian charon: 06[CFG] added configuration 'net-net':
> 192.168.1.228[192.168.1.228]...192.168.1.192[192.168.1.192]
> Nov 10 17:00:21 debian charon: 08[CFG] received stroke: initiate 'net-net'
> Nov 10 17:00:21 debian charon: 08[AUD] initiating IKE_SA 'net-net' to
> 192.168.1.192
> Nov 10 17:00:21 debian charon: 08[IKE] IKE_SA 'net-net' state change:
> CREATED => CONNECTING
> Nov 10 17:00:21 debian charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 10 17:00:21 debian charon: 08[NET] sending packet: from
> 192.168.1.228[500] to 192.168.1.192[500]
> Nov 10 17:00:21 debian charon: 10[NET] received packet: from
> 192.168.1.192[500] to 192.168.1.228[500]
> Nov 10 17:00:21 debian charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE
> No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 10 17:00:21 debian charon: 10[IKE] authentication of '192.168.1.228'
> (myself) with pre-shared key
> Nov 10 17:00:21 debian charon: 10[IKE] no shared key found for
> '192.168.1.228' - '192.168.1.192'
> Nov 10 17:00:21 debian charon: 10[AUD] generating authentication data failed
> Nov 10 17:00:21 debian charon: 10[AUD] establishing CHILD_SA failed
> 
> 
> It looks like there is no psk, but here is /etc/ipsec.secrets
> 192.168.1.228 192.168.1.192: PSK "cisco"
> 192.168.1.228 0.0.0.0: PSK "cisco"
> 192.168.1.192 192.168.1.228: PSK "cisco"
> 
> So I suppose it should authenticate itself. But it doesn't.
> 
> Can anyone please help?
> 
> Thanks!
> 
> Sincerely yours,
> Andrew Terekhov.
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

Reply via email to