Hi Stefano,

I see that your peer is behind a NAT router

  packet from 2.40.85.224:7076

so that the IKE source port got translated from UDP 500 to 7076
but you defined

  nat_traversal=no

which does not allow your source port to float. Thus please enable

  nat_traversal=yes

and if you want to set up a strongSwan-strongSwan connection
rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.

Regards

Andreas

On 22.12.2013 14:53, Bonato, Stefano wrote:
> Hi !
>
> I have a strange situation ... PSK error … :
>
> “ but no connection has been authorized with policy=PSK”
>
> THANKS A LOT FOR ANY suggestion …
>
> Steve.
>
> [email protected]
>
> AUTH.LOG:
>
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:50:26 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
>
> AUTH.LOG
>
> Dec 22 13:48:25 vpn-steve-gw ipsec_starter[5637]: Starting strongSwan 4.5.2 IPsec [starter]...
> Dec 22 13:48:25 vpn-steve-gw sudo: pam_unix(sudo:session): session closed for user root
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: listening on interfaces:
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: eth0
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: 192.168.13.3
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: fe80::f816:3eff:fe3a:9677
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Dec 22 13:48:25 vpn-steve-gw ipsec_starter[5655]: pluto (5656) started after 20 ms
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: no token present in slot 18446744073709551615
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: Changing to directory '/etc/ipsec.d/crls'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: spawning 4 worker threads
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: listening for IKE messages
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: adding interface eth0/eth0 192.168.13.3:500
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: adding interface lo/lo 127.0.0.1:500
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: adding interface lo/lo ::1:500
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loading secrets from "/etc/ipsec.secrets"
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: loaded PSK secret for 2.40.85.224 15.126.251.57 192.168.13.3 192.168.0.4
> Dec 22 13:48:25 vpn-steve-gw pluto[5656]: added connection description "steve"
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [XAUTH]
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [Dead Peer Detection]
> Dec 22 13:49:06 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
>
> IPSEC.CONF:
>
> config setup
>     # interfaces="ipsec0=eth0"
>     plutodebug=none
>     # plutodebug=all
>     crlcheckinterval=180s
>     strictcrlpolicy=no
>     # cachecrls=yes
>     nat_traversal=no
>     charonstart=no
>     # charonstart=yes
>     plutostart=yes
>
> conn %default
>     type=tunnel
>     ikelifetime=28800s
>     keylife=86400s
>     rekeymargin=3m
>     keyingtries=%forever
>     dpdaction=clear
>     dpddelay=30s
>     keyexchange=ikev1
>     ike=3des-md5-modp1024
>     esp=3des-md5-modp1024
>     pfs=yes
>     compress=no
>     # authby=secret
>     auth=esp
>
> conn steve
>     authby=psk
>     leftauth=psk
>     rightauth=psk
>     type=tunnel
>     ikelifetime=28800s
>     keylife=86400s
>     rekeymargin=3m
>     keyingtries=%forever
>     keyexchange=ikev1
>     ike=3des-md5-modp1024
>     esp=3des-md5-modp1024
>     pfs=yes
>     compress=no
>     auth=esp
>     leftid=192.168.13.3
>     left=192.168.13.3
>     leftsubnet=192.168.13.0/24
>     leftsourceip=192.168.13.3
>     leftfirewall=no
>     rightid=2.40.85.224
>     right=2.40.85.224
>     rightsubnet=192.168.0.0/24
>     rightfirewall=no
>     rightsourceip=192.168.0.4
>     dpdaction=hold
>     dpddelay=60
>     dpdtimeout=500
>     auto=add
>
> Stefano Bonato
> ALM Managing Consultant
> HP Software Professional Services
> <http://www8.hp.com/us/en/software-solutions/software.html?compURI=1173876>
> Hewlett-Packard Company
> email: [email protected] phone: + 39 348 8513451
> http://www.hp.com/
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
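Added example (not part of the original thread and not strongSwan code): a small Python check that applies the diagnosis from the reply to a pluto log, flagging peers whose IKE source port is not 500 while NAT-Traversal is disabled and Main Mode is rejected. The function name `diagnose` and the rule that a startup line without `[disabled]` means NAT-T is enabled are assumptions; the sample lines are copied from the quoted auth.log.

```python
import re
from collections import defaultdict

IKE_PORT = 500  # standard IKE UDP port; another source port implies translation

# Sample lines copied from the auth.log quoted in the thread.
SAMPLE_LOG = """\
Dec 22 13:48:25 vpn-steve-gw pluto[5656]: including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 22 13:48:25 vpn-steve-gw pluto[5656]: added connection description "steve"
Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: received Vendor ID payload [strongSwan]
Dec 22 13:48:36 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
Dec 22 13:48:46 vpn-steve-gw pluto[5656]: packet from 2.40.85.224:7076: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
"""

# Assumption: a startup line without the "[disabled]" tag means NAT-T is enabled.
NAT_T_RE = re.compile(r"including NAT-Traversal patch \(Version [^)]*\)( \[disabled\])?")
PACKET_RE = re.compile(r"pluto\[\d+\]: packet from (\d+\.\d+\.\d+\.\d+):(\d+): (.*)$")
REJECT_TEXT = "no connection has been authorized with policy="


def diagnose(log_text):
    """Return (nat_t_enabled, findings); nat_t_enabled is None if no startup line was seen."""
    nat_t_enabled = None
    peers = defaultdict(lambda: {"ports": set(), "rejected": 0})
    for line in log_text.splitlines():
        m = NAT_T_RE.search(line)
        if m:
            nat_t_enabled = m.group(1) is None
            continue
        m = PACKET_RE.search(line)
        if not m:
            continue
        ip, port, msg = m.group(1), int(m.group(2)), m.group(3)
        peers[ip]["ports"].add(port)
        if REJECT_TEXT in msg:
            peers[ip]["rejected"] += 1
    findings = []
    for ip, info in sorted(peers.items()):
        floated = sorted(p for p in info["ports"] if p != IKE_PORT)
        # Report only the combination described in the reply: translated port + NAT-T off + rejection.
        if floated and info["rejected"] and nat_t_enabled is False:
            findings.append({"peer": ip, "source_ports": floated, "rejections": info["rejected"],
                             "hint": "source port is not 500 and NAT-T is disabled; set nat_traversal=yes"})
    return nat_t_enabled, findings


if __name__ == "__main__":
    enabled, findings = diagnose(SAMPLE_LOG)
    print("NAT-T enabled:", enabled)
    for f in findings:
        print(f)
```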
