[Swan-dev] Changing authentication type from rsasig to PSK for a connection
tbbalaji at gmail.com
Tue Aug 4 15:22:27 UTC 2020
I have a connection with authby=rsasig and all the rest of the parameters
set correctly. I am able to establish a connection successfully with X.509
certificate-based authentication. Now when the tunnel is up, I change the
authentication from rsasig to PSK by setting authby=secret (also created a
<conn-name>.secrets file for storing the PSK password) and all the
parameters related to certificate removed from the connection. Without
invoking "ipsec restart" command, I do a "/usr/local/sbin/ipsec auto
--ondemand taccert" to load the PSK configuration automatically. The tunnel
gets torn down. Now when the data packet triggers the tunnel, Libreswan is
able to sends an IKE_SA_INIT request and gets back the IKE_SA_INIT
response. However it stops processing there because it cannot find the PSK.
Aug 4 14:23:05 [localhost] pluto: initiate on demand from
10.196.172.139:0 to 10.196.175.174:49 proto=6 because: acquire
Aug 4 14:23:05 [localhost] pluto: "taccert" #3: initiating v2 parent
Aug 4 14:23:05 [localhost] pluto: "taccert" #3: local IKE proposals
for taccert (IKE SA initiator selecting KE):
Aug 4 14:23:05 [localhost] pluto: "taccert" #3: STATE_PARENT_I1:
sent v2I1, expected v2R1
Aug 4 14:23:05 [localhost] pluto: "taccert" #3: No matching PSK
Aug 4 14:23:05 [localhost] pluto: "taccert" #3: Failed to find our
Aug 4 14:23:05 [localhost] pluto: "taccert" #4: deleting state
(STATE_UNDEFINED) and NOT sending notification
Aug 4 14:23:08 [localhost] sshd: pam_authp(sshd:auth):
pam_sm_authenticate: Timeout waiting for authProxy
A couple of questions.
1. Can we get the PSK tunnel establishment working without restarting
IPsec? It looks to me that the secret file is not loaded by the libreswan.
Is there any way to load the secret file by any utility command on the fly?
Any help is appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan-dev