[Swan-dev] missing PSK?

D. Hugh Redelmeier hugh at mimosa.com
Sat Feb 2 21:24:00 UTC 2019


In my run of the tests last night, 
testing/pluto/newoe-27-replace-sa-auth-authnull
failed in a drastic way.

It could not find the preshared key.  Any idea why?  Did something change?

testing/pluto/newoe-27-replace-sa-auth-authnull/OUTPUT/road.console.diff

-134 "authenticated" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "authenticated" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
-003 "authenticated" #2: Authenticated using authby=secret
-002 "authenticated" #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "authenticated" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
-road #
- # should show established tunnel and no bare shunts
...
+002 "authenticated" #1: No matching PSK found for connection:authenticated
+003 "authenticated" #1: Failed to find our PreShared Key
+002 "authenticated" #3: initiating v2 parent SA to replace #1
+133 "authenticated" #3: STATE_PARENT_I0: initiate, replacing #1
+002 "authenticated" #1: deleting state (STATE_PARENT_I2) and NOT sending notification
+133 "authenticated" #3: STATE_PARENT_I1: sent v2I1, expected v2R1

Looking in testing/pluto/newoe-27-replace-sa-auth-authnull/OUTPUT/road.pluto.log:

| ikev2_calculate_psk_sighash() called from STATE_PARENT_I2 to create PSK with authby=secret
| started looking for secret for @road->@east of kind PKK_PSK
| actually looking for secret for @road->@east of kind PKK_PSK
| line 1: key type PKK_PSK(@road) to type PKK_RSA
| concluding with best_match=000 best=(nil) (lineno=-1)
| no PreShared Key Found
"authenticated" #1: No matching PSK found for connection:authenticated
"authenticated" #1: Failed to find our PreShared Key

(I admit this could be something I did, but I don't know what.)

