Arghhh! Are you sure that pluto supports single DES encryption (at least without the exclamation mark)?
On 22.12.2013 17:57, Bonato, Stefano wrote:
> Thanks Andreas!
>
> I need to use ikev1 ... :-( ... it's a requirement at this moment ... )
>
> I use nat_traversal=yes ... but the answer has been practically the same ..
>
> Steve
>
> IPSEC.SECRETS
>
> %any : PSK "abcd"
>
> ________________________________________________________________
>
> IPSEC.CONF
>
> config setup
>     # interfaces="ipsec0=eth0"
>     plutodebug=none
>     # plutodebug=all
>     crlcheckinterval=180s
>     strictcrlpolicy=no
>     # cachecrls=yes
>     nat_traversal=yes
>     charonstart=no
>     # charonstart=yes
>     plutostart=yes
>
> conn %default
>     type=tunnel
>     ikelifetime=28800s
>     keylife=86400s
>     rekeymargin=3m
>     keyingtries=%forever
>     dpdaction=clear
>     dpddelay=30s
>     # keyexchange=ikev1
>     # ike=3des-md5-modp1024
>     # esp=3des-md5-modp1024
>     # pfs=no
>     # compress=no
>     # authby=psk
>     # authby=secret
>     # auth=esp
>
> conn steve
>     authby=psk
>     type=tunnel
>     ikelifetime=28800s
>     keylife=86400s
>     rekeymargin=3m
>     keyingtries=%forever
>     keyexchange=ikev1
>     ike=des-md5-modp1024
>     esp=des-md5-modp1024
>     pfs=no
>     compress=no
>     auth=esp
>     leftid=192.168.13.3
>     left=192.168.13.3
>     leftsubnet=192.168.13.0/24
>     leftsourceip=192.168.13.3
>     leftfirewall=no
>     rightid=2.40.85.224
>     right=2.40.85.224
>     rightsubnet=192.168.0.0/24
>     rightfirewall=no
>     rightsourceip=2.40.85.224
>     dpdaction=hold
>     dpddelay=60
>     dpdtimeout=500
>     auto=add
>
> ________________________________________________________________
>
> Starting strongSwan 4.5.2 IPsec [starter]...
> Dec 22 16:49:08 vpn-steve-gw sudo: pam_unix(sudo:session): session closed for user root
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening on interfaces:
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: eth0
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: 192.168.13.3
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: fe80::f816:3eff:fe3a:9677
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: including NAT-Traversal patch (Version 0.6c)
> Dec 22 16:49:08 vpn-steve-gw ipsec_starter[7596]: pluto (7597) started after 20 ms
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: no token present in slot 18446744073709551615
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: Changing to directory '/etc/ipsec.d/crls'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: spawning 4 worker threads
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: listening for IKE messages
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface eth0/eth0 192.168.13.3:4500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo 127.0.0.1:4500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: adding interface lo/lo ::1:500
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loading secrets from "/etc/ipsec.secrets"
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: loaded PSK secret for %any
> Dec 22 16:49:08 vpn-steve-gw pluto[7597]: added connection description "steve"
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [strongSwan]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [XAUTH]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [Dead Peer Detection]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: received Vendor ID payload [RFC 3947]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Dec 22 16:49:17 vpn-steve-gw pluto[7597]: packet from 2.40.85.224:12033: *initial Main Mode message received on 192.168.13.3:500 but no connection has been authorized with policy=PSK*
>
> __________________________________________________
>
> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: Sunday, 22 December 2013 5:04
> To: Bonato, Stefano; [email protected]
> Subject: Re: [strongSwan] no connection has been authorized with policy=PSK
>
> Hi Stefano,
>
> I see that your peer is behind a NAT router
>
>   packet from 2.40.85.224:7076
>
> so that the IKE source port got translated from UDP 500
> to 7076 but you defined
>
>   nat_traversal=no
>
> which does not allow your source port to float.
>
> Thus please enable
>
>   nat_traversal=yes
>
> and if you want to set up a strongSwan-strongSwan connection
> rather use IKEv2, not this obsolete and ugly grandma IKEv1 protocol.
>
> Regards
>
> Andreas

--
======================================================================
Andreas Steffen                                     [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
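The two points raised in this thread, whether nat_traversal is enabled and whether the ike/esp proposals name single DES with or without the strict flag "!", can be checked mechanically before loading a configuration. The script below is an added example, not code from the thread or from strongSwan; SAMPLE_CONF is constructed from the quoted configuration, and WEAK, parse_sections and audit are hypothetical names. It only reports what the file says and makes no claim about which proposals pluto accepts.

```python
# Tokens in ike=/esp= proposals that a reviewer would want surfaced.
WEAK = {"des": "single DES, 56-bit key", "md5": "MD5", "modp1024": "1024-bit DH group"}

# Constructed sample, trimmed from the configuration quoted in the thread,
# with nat_traversal=no as in the first attempt Andreas commented on.
SAMPLE_CONF = """\
config setup
    nat_traversal=no

conn %default
    ikelifetime=28800s

conn steve
    ike=des-md5-modp1024
    esp=des-md5-modp1024
"""

def parse_sections(text):
    """Parse ipsec.conf-style text into {(type, name): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # an unindented line opens a section
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Return findings as (section, parameter, detail) tuples."""
    sections, findings = parse_sections(text), []
    nat = sections.get(("config", "setup"), {}).get("nat_traversal")
    if nat != "yes":
        findings.append(("config setup", "nat_traversal", f"set to {nat!r}; NAT-T not enabled"))
    default = sections.get(("conn", "%default"), {})
    for (kind, name), opts in sections.items():
        if kind != "conn" or name == "%default":
            continue
        merged = {**default, **opts}           # conn %default values are inherited
        for param in ("ike", "esp"):
            value = merged.get(param, "")
            strict = "with" if value.endswith("!") else "without"
            for token in value.rstrip("!").replace(",", "-").split("-"):
                if token.strip() in WEAK:
                    findings.append((name, param, f"{WEAK[token.strip()]} ({strict} strict flag '!')"))
    return findings
```

Calling `audit(SAMPLE_CONF)` returns one finding for the NAT traversal setting and one per weak token in each of the `ike` and `esp` lines of `conn steve`.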
