Hi,

I am using the swanctl (command line interface) tool to configure the
Charon daemon at the IKE Responder. I have kept all the entries of the
ipsec.conf and ipsec.secret files (in the /etc directory) under comment.
Here goes the configuration.

/etc/ipsec.secrets (IKE Responder end):

@srv.strongswan.org %any : PSK 'strongSwan'

/etc/swanctl/swanctl.conf (IKE Initiator end):

connections {
   gw-gw {
      local_addrs  = 10.20.20.2
      remote_addrs = 10.20.20.1
      pools = abc
      local {
         auth = psk
      }
      remote {
         auth = psk
      }
      children {
         net-net {
            #remote_ts  = 50.0.0.1/8
            local_ts = 40.0.0.1/32
            start_action = none
            updown = /usr/local/libexec/ipsec/_updown iptables
            rekey_time = 1000m
            esp_proposals = aes128-sha1
         }
      }
      version = 2
      mobike = no
      reauth_time = 60m
      rekey_time =  20m
      proposals = aes128-sha1-modp1024
   }
}

secrets {
   ike-GW {
      secret = @srv.strongswan.org %any : PSK ‘strongSwan’
   }
}

# Section defining named pools.
pools {
   abc {
      addrs = 50.0.0.1/8
   }
}

When I run the scenario, the CHILD SA is not getting established. I get
an authentication failure message (on IKE Initiator end). Here are the
log messages.

25[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (304 bytes)
25[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
25[IKE] 10.20.20.1 is initiating an IKE_SA
25[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
25[NET] sending packet: from 10.20.20.2[500] to 10.20.20.1[500] (312 bytes)
11[NET] received packet: from 10.20.20.1[500] to 10.20.20.2[500] (300 bytes)
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
11[IKE] received 1 cert requests for an unknown ca
11[CFG] looking for peer configs matching 10.20.20.2[srv.strongswan.org]...10.20.20.1[c2-r1.strongswan.org]
11[CFG] selected peer config 'gw-gw'
11[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c2-r1.strongswan.org', but MAC mismatched
11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

But if I keep the following secret, i.e., @srv.strongswan.org %any: PSK
'strongSwan', in the ipsec.secret file (at IKE Responder end), then it
works fine. Can anyone please suggest what might be wrong? Note that I
have kept dos_protection set to no (in strongswan.conf) at both ends.

Regards,
Chinmaya
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
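
A lint for the two secret formats that appear in this message, added here as an example that is not part of the original post or of strongSwan: it flags a swanctl.conf `secrets` entry whose `secret` value still carries ipsec.secrets line syntax (`<selectors> : PSK <key>`), since swanctl.conf takes the text after `secret =` as the key itself. `lint_secrets`, `secrets_block` and both sample strings are constructed for illustration; the `id-1`/`id-2` values are the two identities from the log.

```python
import re

# Constructed sample: the secrets section in the form posted above.
POSTED = """
secrets {
   ike-GW {
      secret = @srv.strongswan.org %any : PSK 'strongSwan'
   }
}
"""

# Constructed sample: swanctl.conf form of the same PSK (ids taken from the log).
NATIVE = """
secrets {
   ike-GW {
      id-1 = srv.strongswan.org
      id-2 = c2-r1.strongswan.org
      secret = strongSwan
   }
}
"""

# ipsec.secrets line syntax: "<selectors> : <TYPE> <value>"
LEGACY = re.compile(r":\s*(PSK|RSA|ECDSA|EAP|XAUTH|PIN)\b")
IKE_SECTION = re.compile(r"\b(ike[\w-]*)\s*\{([^{}]*)\}")


def secrets_block(conf):
    """Return the text inside the top-level secrets { ... } block, or ''."""
    m = re.search(r"^\s*secrets\s*\{", conf, re.M)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def lint_secrets(conf):
    """Return (section, finding) pairs for ike* secrets in swanctl.conf text."""
    findings = []
    for name, body in IKE_SECTION.findall(secrets_block(conf)):
        lines = (ln.split("#", 1)[0] for ln in body.splitlines())
        keys = {k.strip(): v.strip() for k, v in
                (ln.split("=", 1) for ln in lines if "=" in ln)}
        if LEGACY.search(keys.get("secret", "")):
            findings.append((name, "ipsec.secrets syntax in secret value"))
        if not any(k.startswith("id") for k in keys):
            findings.append((name, "no id key restricts this secret"))
    return findings
```
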
