Hello, I am struggling to set up a connection between a strongswan 5.1.3 sitting in a NAT-T situation and a peer with an external IP. We use IKEv1 and Pre-Shared Keys. The problem is that strongswan keeps telling me there is no matching config although the key is there.
Here is what I have (details anonymized):
conn client-test
        keyexchange=ikev1
        left=172.17.123.1
        leftsubnet=172.24.123.0/24
        leftid=@local-id
        right=a.b.c.d
        rightsubnet=10.1.1.0/30
        rightid=@remote-id
        auto=start

and the secrets
@local-id @remote-id : PSK "..."

Upon connection initiation, I get the following:
Sep 25 14:20:18 ipsec-srv charon: 09[CFG] looking for an ike config for 172.17.123.1...a.b.c.d
Sep 25 14:20:18 ipsec-srv charon: 09[CFG] candidate: 172.17.123.1...a.b.c.d, prio 3100
Sep 25 14:20:18 ipsec-srv charon: 09[CFG] found matching ike config: 172.17.123.1...a.b.c.d with prio 3100
(...)
Sep 25 14:20:18 ipsec-srv charon: 09[IKE] a.b.c.d is initiating a Main Mode IKE_SA
Sep 25 14:20:18 ipsec-srv charon: 09[IKE] IKE_SA (unnamed)[15] state change: CREATED => CONNECTING
(...)
Sep 25 14:20:18 ipsec-srv charon: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(...)
Sep 25 14:20:18 ipsec-srv charon: 11[ENC] parsed ID_PROT request 0 [ KE No ]
Sep 25 14:20:18 ipsec-srv charon: 11[CFG] candidate "client-test", match: 1/1/3100 (me/other/ike)
Sep 25 14:20:18 ipsec-srv charon: 11[ENC] generating ID_PROT response 0 [ KE No ]
Sep 25 14:20:18 ipsec-srv charon: 11[NET] sending packet: from 172.17.123.1[500] to a.b.c.d[500] (196 bytes)
Sep 25 14:20:18 ipsec-srv charon: 08[NET] received packet: from a.b.c.d[500] to 172.17.123.1[500] (76 bytes)
Sep 25 14:20:18 ipsec-srv charon: 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Sep 25 14:20:18 ipsec-srv charon: 08[CFG] looking for pre-shared key peer configs matching 172.17.123.1...a.b.c.d[remote-id]
Sep 25 14:20:18 ipsec-srv charon: 08[CFG] candidate "client-test", match: 1/20/3100 (me/other/ike)
Sep 25 14:20:18 ipsec-srv charon: 08[IKE] no peer config found

So it is looking for a PSK using the internal address although I configured a local ID!? The reason I use IDs is that I could not get it to work with IPs in IKEv1; regardless of what I use as the IP (%any, internal IP, external IP) it would not find the PSK although it is present.

Any hints? Thanks for reading,
Jakob Curdes
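Added example, not part of the post above and not strongSwan code: a small parser for the charon `[CFG]` lines quoted in the post, so the "match: a/b/c (me/other/ike)" scores can be read per lookup instead of by eye. The first two numbers are strongSwan's id_match_t values from identification.h (0 = ID_MATCH_NONE, 1 = ID_MATCH_ANY, 2 = ID_MATCH_MAX_WILDCARDS, 20 = ID_MATCH_PERFECT); the third is the ike_cfg priority as printed. Background a reader may want here: by design of IKEv1 Main Mode (RFC 2409), the identities are sent encrypted in messages 5 and 6, so a responder must select the PSK before it has seen the peer's ID, which is why the lookup line shows the local address rather than the configured leftid. The sample log is the post's own output with the pasted-together records restored to one per line; the `split_records` helper also demonstrates undoing that pasting. The `Lookup` and `diagnose` names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# strongSwan id_match_t values (src/libstrongswan/utils/identification.h).
ID_MATCH = {0: "NONE", 1: "ANY (wildcard match only)", 2: "MAX_WILDCARDS", 20: "PERFECT"}

# Sample taken from the post; the first line keeps three records pasted together
# exactly as they appeared in the mail, to exercise split_records().
SAMPLE_LOG = (
    "Sep 25 14:20:18 ipsec-srv charon: 09[CFG] looking for an ike config for 172.17.123.1...a.b.c.d "
    "Sep 25 14:20:18 ipsec-srv charon: 09[CFG] candidate: 172.17.123.1...a.b.c.d, prio 3100 "
    "Sep 25 14:20:18 ipsec-srv charon: 09[CFG] found matching ike config: 172.17.123.1...a.b.c.d with prio 3100\n"
    'Sep 25 14:20:18 ipsec-srv charon: 11[CFG] candidate "client-test", match: 1/1/3100 (me/other/ike)\n'
    "Sep 25 14:20:18 ipsec-srv charon: 08[CFG] looking for pre-shared key peer configs matching 172.17.123.1...a.b.c.d[remote-id]\n"
    'Sep 25 14:20:18 ipsec-srv charon: 08[CFG] candidate "client-test", match: 1/20/3100 (me/other/ike)\n'
    "Sep 25 14:20:18 ipsec-srv charon: 08[IKE] no peer config found\n"
)

# Zero-width split point in front of every "Mon DD HH:MM:SS host charon: " prefix.
_RECORD_START = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ charon: )")
# "looking for <auth> peer configs matching me[id]...other[id]" (either [id] optional)
_LOOKUP = re.compile(
    r"looking for (?P<kind>.+?) peer configs matching "
    r"(?P<me>[^\s\[]+?)(?:\[(?P<me_id>[^\]]*)\])?\.\.\."
    r"(?P<other>[^\s\[]+?)(?:\[(?P<other_id>[^\]]*)\])?$"
)
_CANDIDATE = re.compile(
    r'candidate "(?P<name>[^"]+)", match: (?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+) \(me/other/ike\)'
)
_NOPEER = re.compile(r"no peer config found")


@dataclass
class Lookup:
    """One peer-config lookup as charon logged it, with the candidates it scored."""
    kind: str                      # e.g. "pre-shared key"; "unknown" if the lookup line was elided
    me: str                        # local host as printed (address)
    me_id: Optional[str]           # local identity if charon printed one in brackets
    other: str                     # remote host as printed
    other_id: Optional[str]        # remote identity if printed
    candidates: List[Dict[str, object]] = field(default_factory=list)
    rejected: bool = False         # True once "no peer config found" follows


def split_records(text: str) -> List[str]:
    """Return one charon record per element, even when several were pasted onto one line."""
    out: List[str] = []
    for line in text.splitlines():
        out.extend(r.strip() for r in _RECORD_START.split(line) if r.strip())
    return out


def analyze(text: str) -> List[Lookup]:
    """Group candidate/score and rejection lines under the lookup they belong to."""
    lookups: List[Lookup] = []
    for rec in split_records(text):
        m = _LOOKUP.search(rec)
        if m:
            lookups.append(Lookup(m["kind"], m["me"], m["me_id"], m["other"], m["other_id"]))
            continue
        m = _CANDIDATE.search(rec)
        if m:
            if not lookups:  # the "(...)" in the post hid the lookup line for this candidate
                lookups.append(Lookup("unknown", "?", None, "?", None))
            lookups[-1].candidates.append(
                {"name": m["name"], "me": int(m["me"]), "other": int(m["other"]), "ike": int(m["ike"])}
            )
            continue
        if _NOPEER.search(rec) and lookups:
            lookups[-1].rejected = True
    return lookups


def diagnose(lk: Lookup) -> str:
    """One-line summary: which identity each side was matched as, and how well it scored."""
    if not lk.candidates:
        return f"{lk.kind}: no candidate peer config was scored at all"
    best = max(lk.candidates, key=lambda c: (c["me"], c["other"], c["ike"]))
    sides = []
    for side, who in (("me", lk.me_id or lk.me), ("other", lk.other_id or lk.other)):
        sides.append(f"{side}={who!r} scored {best[side]} ({ID_MATCH.get(best[side], 'unknown')})")
    status = "rejected (no peer config found)" if lk.rejected else "no rejection logged"
    return f'{lk.kind}: candidate "{best["name"]}" {status}; ' + "; ".join(sides)


if __name__ == "__main__":
    for lookup in analyze(SAMPLE_LOG):
        print(diagnose(lookup))
```

Run against the post's log this reports the pre-shared key lookup as "me='172.17.123.1' scored 1 (ANY ...)" and "other='remote-id' scored 20 (PERFECT)", i.e. the remote side matched the configured rightid exactly while the local side was only matched as a wildcard, and that lookup was followed by "no peer config found". The same structure works on any charon log with `ipsec` debug level `cfg 1`, which is where these lines come from.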


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
