[Swan-dev] Changing authentication type from rsasig to PSK for a connection

Štěpán Brož stepan at izitra.cz
Tue Aug 4 15:39:11 UTC 2020


Hello Balaji,

There is a command for re-reading secrets: # ipsec whack --rereadsecrets

Does that work for you?

Regards,
Stepan

út 4. 8. 2020 v 17:22 odesílatel Balaji Thoguluva <tbbalaji at gmail.com>
napsal:

> Hi Developers,
>
> I have a connection with authby=rsasig and all the rest of the parameters
> set correctly. I am able to establish a connection successfully with X.509
> certificate-based authentication. Now when the tunnel is up, I change the
> authentication from rsasig to PSK by setting authby=secret (also created a
> <conn-name>.secrets file for storing the PSK password) and all the
> parameters related to the certificate are removed from the connection. Without
> invoking the "ipsec restart" command, I do a "/usr/local/sbin/ipsec auto
> --ondemand taccert" to load the PSK configuration automatically. The tunnel
> gets torn down. Now when the data packet triggers the tunnel, Libreswan is
> able to send an IKE_SA_INIT request and gets back the IKE_SA_INIT
> response. However, it stops processing there because it cannot find the PSK.
>
> Aug  4 14:23:05 [localhost] pluto[4324]: initiate on demand from 10.196.172.139:0 to 10.196.175.174:49 proto=6 because: acquire
> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: initiating v2 parent SA
> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: local IKE proposals for taccert (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: No matching PSK found for connection:taccert
> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: Failed to find our PreShared Key
> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #4: deleting state (STATE_UNDEFINED) and NOT sending notification
> Aug  4 14:23:08 [localhost] sshd[4782]: pam_authp(sshd:auth): pam_sm_authenticate: Timeout waiting for authProxy
>
> A couple of questions.
>
> 1. Can we get the PSK tunnel establishment working without restarting
> IPsec? It looks to me like the secret file is not loaded by Libreswan.
> Is there any way to load the secret file with any utility command on the fly?
>
> Any help is appreciated.
>
> Thanks,
> Balaji
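As an added example (not code from this thread or from the Libreswan project), the sequence Stepan points at, wrapped in a small script: write the PSK into a root-only secrets file, have pluto re-read its secrets, then replace and re-route the connection. It assumes the default ipsec.secrets include of /etc/ipsec.d/*.secrets, the conn name taccert and the two addresses from Balaji's log, and that ipsec.conf has already been edited to authby=secret; the functions run without a live pluto, and the ipsec commands are only issued when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: switch a Libreswan connection from
# authby=rsasig to authby=secret while pluto keeps running.
# Assumes the default "include /etc/ipsec.d/*.secrets" line in ipsec.secrets,
# a connection named "taccert" as in the thread, and that ipsec.conf has
# already been edited to authby=secret with the certificate options removed.

# Write one '<left> <right> : PSK "<key>"' line into a secrets file that only
# root can read. pluto caches secrets, so a file created after startup is not
# seen until --rereadsecrets is issued; re-adding the conn alone is not enough.
write_psk_secret() {
    file=$1 left=$2 right=$3 psk=$4
    # A double quote would end the quoted PSK early and break parsing.
    case $psk in
        *\"*) echo "PSK must not contain a double quote" >&2; return 1 ;;
    esac
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$file" ) || return 1
    chmod 0600 "$file"
}

# Tell pluto to re-read secrets, re-add the conn from the edited ipsec.conf
# and reinstall its on-demand (trap) policy so the next packet starts IKE.
switch_conn_to_psk() {
    conn=$1
    ipsec whack --rereadsecrets        # equivalent: ipsec auto --rereadsecrets
    ipsec auto --replace "$conn"       # delete + add picks up authby=secret
    ipsec auto --ondemand "$conn"
}

# Only touch the live system when run as: PSK='...' sh switch-to-psk.sh --apply
if [ "${1:-}" = "--apply" ]; then
    [ -n "${PSK:-}" ] || { echo "set PSK in the environment" >&2; exit 1; }
    write_psk_secret /etc/ipsec.d/taccert.secrets 10.196.172.139 10.196.175.174 "$PSK" &&
        switch_conn_to_psk taccert
fi
```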