Hi,

I am using the swanctl (command line interface) tool to configure the
Charon daemon at the IKE Responder. I have kept all the entries of the
ipsec.conf and ipsec.secrets files (in the /etc directory) commented out.
Here is the configuration.

/etc/ipsec.secrets (IKE Responder end):

    @srv.strongswan.org %any : PSK 'strongSwan'

/etc/swanctl/swanctl.conf (IKE Initiator end):

    connections {
        gw-gw {
            local_addrs = 10.20.20.2
            remote_addrs = 10.20.20.1
            pools = abc
            local {
                auth = psk
            }
            remote {
                auth = psk
            }
            children {
                net-net {
                    #remote_ts = 50.0.0.1/8
                    local_ts = 40.0.0.1/32
                    start_action = none
                    updown = /usr/local/libexec/ipsec/_updown iptables
                    rekey_time = 1000m
                    esp_proposals = aes128-sha1
                }
            }
            version = 2
            mobike = no
            reauth_time = 60m
            rekey_time = 20m
            proposals = aes128-sha1-modp1024
        }
    }

    secrets {
        ike-GW {
            secret = @srv.strongswan.org %any : PSK ‘strongSwan’
        }
    }

    # Section defining named pools.
    pools {
        abc {
            addrs = 50.0.0.1/8
        }
    }

When I run the scenario, the CHILD SA is not getting established. I get an
authentication failure message (on IKE Initiator end). Here are the log
messages.

    25[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (304 bytes)
    25[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    25[IKE] 10.20.20.1 is initiating an IKE_SA
    25[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    25[NET] sending packet: from 10.20.20.2[500] to 10.20.20.1[500] (312 bytes)
    11[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (300 bytes)
    11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    11[IKE] received 1 cert requests for an unknown ca
    11[CFG] looking for peer configs matching 10.20.20.2[srv.strongswan.org]...10.20.20.1[c2-r1.strongswan.org]
    11[CFG] selected peer config 'gw-gw'
    11[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c2-r1.strongswan.org', but MAC mismatched
    11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

But if I keep the following secret, i.e., @srv.strongswan.org %any : PSK
'strongSwan', in the ipsec.secrets file (at IKE Responder end), then it
works fine. Can anyone please suggest what might be wrong? Note that I have
kept dos_protection set to no (in strongswan.conf) at both ends.

Regards,
Chinmaya
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
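
An added example (not part of the original message and not strongSwan code): it reads the `secret` value out of a swanctl.conf secrets section, flags ipsec.secrets selector syntax inside it, and compares the IKEv2 key-pad term from RFC 7296 with the one the peer's PSK 'strongSwan' gives, which is the kind of disagreement the "MAC mismatched" log line reports. It assumes charon uses the text after `secret =` as the key itself and that the PRF is HMAC-SHA1, following the sha1 in the posted proposal; the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample: the secrets section as posted (typographic quotes normalised).
POSTED = """
secrets {
    ike-GW {
        secret = @srv.strongswan.org %any : PSK 'strongSwan'
    }
}
"""
# swanctl.conf layout with the key alone in `secret` and the identity in `id`.
EXPECTED = """
secrets {
    ike-GW {
        id = srv.strongswan.org
        secret = strongSwan
    }
}
"""
KEY_PAD = b"Key Pad for IKEv2"  # constant from RFC 7296, section 2.15

def ike_secrets(conf):
    """Return the raw `secret` value of every ike* entry in a secrets section."""
    found = {}
    for name, body in re.findall(r"\b(ike[\w-]*)\s*\{([^{}]*)\}", conf):
        m = re.search(r"^\s*secret\s*=\s*(.+?)\s*$", body, re.M)
        if m:
            found[name] = m.group(1).strip('"')
    return found

def looks_like_ipsec_secrets(value):
    """True if the value carries ipsec.secrets selector syntax (`ids : PSK ...`)."""
    return re.search(r":\s*PSK\b", value) is not None

def padded_key(secret, prf="sha1"):
    """Inner term of the IKEv2 PSK AUTH payload: prf(secret, "Key Pad for IKEv2")."""
    return hmac.new(secret.encode(), KEY_PAD, getattr(hashlib, prf)).hexdigest()

def check(conf, peer_psk):
    """Per entry: (has ipsec.secrets syntax, derives the same key as the peer)."""
    return {name: (looks_like_ipsec_secrets(v), padded_key(v) == padded_key(peer_psk))
            for name, v in ike_secrets(conf).items()}
```

Under those assumptions, `check(POSTED, "strongSwan")` flags the `ike-GW` entry and shows it deriving a different key than the peer, while `check(EXPECTED, "strongSwan")` does neither.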