Thanks Andreas!
I need to use IKEv1... :-( ... it's a requirement at the moment...
I use nat_traversal=yes... but the answer has been practically the same...
Steve
IPSEC.SECRETS
%any : PSK "abcd"
________________________________________________________________
IPSEC.CONF
config setup
    # interfaces="ipsec0=eth0"
    plutodebug=none
    # plutodebug=all
    crlcheckinterval=180s
    strictcrlpolicy=no
    # cachecrls=yes
    nat_traversal=yes
    charonstart=no
    # charonstart=yes
    plutostart=yes

conn %default
    type=tunnel
    ikelifetime=28800s
    keylife=86400s
    rekeymargin=3m
    keyingtries=%forever
    dpdaction=clear
    dpddelay=30s
    # keyexchange=ikev1
    # ike=3des-md5-modp1024
    # esp=3des-md5-modp1024
    # pfs=no
    # compress=no
    # authby=psk
    # authby=secret
    # auth=esp

conn steve
    authby=psk
    type=tunnel
    ikelifetime=28800s
    keylife=86400s
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    # single DES, MD5 and 1024-bit MODP: all deprecated for IKE (RFC 8247)
    ike=des-md5-modp1024
    esp=des-md5-modp1024
    pfs=no
    compress=no
    auth=esp
    leftid=192.168.13.3
    left=192.168.13.3
    leftsubnet=192.168.13.0/24
    leftsourceip=192.168.13.3
    leftfirewall=no
    rightid=2.40.85.224
    right=2.40.85.224
    rightsubnet=192.168.0.0/24
    rightfirewall=no
    rightsourceip=2.40.85.224
    dpdaction=hold
    dpddelay=60
    dpdtimeout=500
    auto=add
________________________________________________________________
Starting strongSwan 4.5.2 IPsec [starter]...
Dec 22 16:49:08 vpn-steve-gw sudo: pam_unix(sudo:session): session closed for user root
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening on interfaces:
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: eth0
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: 192.168.13.3
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: fe80::f816:3eff:fe3a:9677
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: including NAT-Traversal patch (Version 0.6c)
Dec 22 16:49:08 vpn-steve-gw ipsec_starter[7596]: pluto (7597) started after 20 ms
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: no token present in slot 18446744073709551615
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ca certificates from '/etc/ipsec.d/cacerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading aa certificates from '/etc/ipsec.d/aacerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Changing to directory '/etc/ipsec.d/crls'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading attribute certificates from '/etc/ipsec.d/acerts'
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: spawning 4 worker threads
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening for IKE messages
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:4500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:4500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo ::1:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading secrets from "/etc/ipsec.secrets"
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded PSK secret for %any
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: added connection description "steve"
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [strongSwan]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [XAUTH]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [Dead Peer Detection]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [RFC 3947]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
__________________________________________________
-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Sunday 22 December 2013 5:04
To: Bonato, Stefano; [email protected]
Subject: Re: [strongSwan] no connection has been authorized with policy=PSK
Hi Stefano,
I see that your peer is behind a NAT router
packet from 2.40.85.224:7076
so that the IKE source port got translated from UDP 500
to 7076 but you defined
nat_traversal=no
which does not allow your source port to float.
Thus please enable
nat_traversal=yes
and if you want to set up a strongSwan-strongSwan connection
rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.
Regards
Andreas
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
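Added example, not code from the strongSwan project or from either poster: a small responder-side triage script for the situation in this thread. It reads pluto log lines, ipsec.conf and ipsec.secrets, reports peers whose IKE packets arrive from a UDP source port other than 500/4500 (the NAT rewrite Andreas points at), and then checks what an IKEv1 Main Mode responder must be able to do before it can answer such a peer: select a conn by the initiator's IP address and select a PSK for that address. In Main Mode the initiator's ID payload arrives encrypted under a key derived from the PSK, so neither lookup can use the peer identity; the address, or a %any selector, is all the responder has at that point. The sample log, config and secrets below are constructed from the post, trimmed to the relevant lines; the function names and the finding texts are this example's own, and the script reports preconditions rather than claiming a single root cause. It is written generally, for any number of peers and conns, not only for the one pair in the thread.

```python
import re

# Constructed sample input, reduced from the log, ipsec.conf and ipsec.secrets
# posted in the thread (not captured from a live system).
SAMPLE_LOG = """\
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:4500
Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded PSK secret for %any
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [RFC 3947]
Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK
"""

SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    plutostart=yes

conn steve
    authby=psk
    keyexchange=ikev1
    ike=des-md5-modp1024
    left=192.168.13.3
    right=2.40.85.224
    auto=add
"""

SAMPLE_SECRETS = '%any : PSK "abcd"\n'

PKT_RE = re.compile(r"packet from (\d+\.\d+\.\d+\.\d+):(\d+)")
REJECT_RE = re.compile(r"no connection has been authorized with policy=(\w+)")
PSK_RE = re.compile(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"')
# RFC 8247: DES and MD5 are MUST NOT for IKE; 1024-bit MODP is SHOULD NOT.
WEAK_ALGS = {"des", "md5", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section header: {key: value}}: sections are the
    unindented 'config setup' / 'conn NAME' lines, parameters the indented ones."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def nat_peers(log):
    """Peers whose IKE packets arrive from a UDP source port other than 500/4500:
    a NAT rewrote the port, so the responder needs nat_traversal to let it float."""
    peers = {}
    for ip, port in PKT_RE.findall(log):
        if int(port) not in (500, 4500):
            peers.setdefault(ip, set()).add(int(port))
    return peers


def psk_for_peer(secrets_text, peer_ip):
    """PSK an IKEv1 Main Mode responder can select for an initiator at peer_ip.
    The ID payload is still encrypted at that point, so the secret must be
    selectable by the IP address, or via an empty / %any selector."""
    for line in secrets_text.splitlines():
        m = PSK_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        selectors = m.group(1).split()
        if not selectors or "%any" in selectors or peer_ip in selectors:
            return m.group(2)
    return None


def weak_ike_algs(proposal):
    """Tokens of an ike=/esp= proposal (e.g. des-md5-modp1024) that are weak."""
    return [t for t in proposal.lower().split("-") if t in WEAK_ALGS]


def triage(log, conf_text, secrets_text):
    """Check the responder-side preconditions for a Main Mode PSK initiator."""
    findings = []
    conf = parse_ipsec_conf(conf_text)
    setup = conf.get("config setup", {})
    conns = {n[5:]: c for n, c in conf.items() if n.startswith("conn ")}
    for ip, ports in nat_peers(log).items():
        findings.append(f"{ip}: IKE source port(s) {sorted(ports)} are not 500/4500, peer is behind NAT")
        if setup.get("nat_traversal") != "yes":
            findings.append("nat_traversal is not 'yes' in config setup: translated ports cannot float")
        matching = [n for n, c in conns.items() if c.get("right") in (ip, "%any")]
        if not matching:
            findings.append(f"{ip}: no conn has right={ip} or right=%any, so Main Mode cannot select one")
        for name in matching:
            c = conns[name]
            if c.get("authby") in ("psk", "secret") and psk_for_peer(secrets_text, ip) is None:
                findings.append(f"conn {name}: authby=psk but no PSK in ipsec.secrets is selectable by {ip}")
            weak = weak_ike_algs(c.get("ike", ""))
            if weak:
                findings.append(f"conn {name}: ike={c['ike']} uses weak algorithms: {', '.join(weak)}")
    for policy in REJECT_RE.findall(log):
        findings.append(f"pluto rejected a Main Mode initiator: no conn authorized for policy={policy}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_CONF, SAMPLE_SECRETS):
        print(finding)
```

Run it against a real /var/log/auth.log (or wherever pluto logs) together with the live ipsec.conf and ipsec.secrets to get the same checks on your own responder. Two points the checks make visible: the `%any` selector is what lets the PSK lookup succeed for a peer whose translated address is not listed, and it also hands the same secret to every initiator that reaches UDP/500, so that secret has to be long and random rather than a four-character string; and `des-md5-modp1024` fails the weak-algorithm check outright, which is the concrete reason behind the advice in the thread to move to IKEv2 with current algorithms.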