[Swan-dev] Changing authentication type from rsasig to PSK for a connection
stepan at izitra.cz
Tue Aug 4 15:39:11 UTC 2020
There is a command for re-reading secrets: # ipsec whack --rereadsecrets
Does that work for you?
On Tue 4 Aug 2020 at 17:22, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
> Hi Developers,
> I have a connection with authby=rsasig and all the rest of the parameters
> set correctly. I am able to establish a connection successfully with X.509
> certificate-based authentication. Now, when the tunnel is up, I change the
> authentication from rsasig to PSK by setting authby=secret (I also created a
> <conn-name>.secrets file for storing the PSK password) and all the
> parameters related to the certificate are removed from the connection. Without
> invoking the "ipsec restart" command, I do a "/usr/local/sbin/ipsec auto
> --ondemand taccert" to load the PSK configuration automatically. The tunnel
> gets torn down. Now, when a data packet triggers the tunnel, Libreswan is
> able to send an IKE_SA_INIT request and gets back the IKE_SA_INIT
> response. However, it stops processing there because it cannot find the PSK.
> Aug 4 14:23:05 [localhost] pluto: initiate on demand from 10.196.172.139:0 to 10.196.175.174:49 proto=6 because: acquire
> Aug 4 14:23:05 [localhost] pluto: "taccert" #3: initiating v2 parent SA
> Aug 4 14:23:05 [localhost] pluto: "taccert" #3: local IKE proposals for taccert (IKE SA initiator selecting KE):
> Aug 4 14:23:05 [localhost] pluto: "taccert" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> Aug 4 14:23:05 [localhost] pluto: "taccert" #3: No matching PSK found for
> Aug 4 14:23:05 [localhost] pluto: "taccert" #3: Failed to find our
> Aug 4 14:23:05 [localhost] pluto: "taccert" #4: deleting state (STATE_UNDEFINED) and NOT sending notification
> Aug 4 14:23:08 [localhost] sshd: pam_authp(sshd:auth): pam_sm_authenticate: Timeout waiting for authProxy
> A couple of questions.
> 1. Can we get the PSK tunnel establishment working without restarting
> IPsec? It looks to me that the secrets file is not loaded by Libreswan.
> Is there any way to load the secrets file with a utility command on the fly?
> Any help is appreciated.
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
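As an added worked example (not code from this thread or from the Libreswan project), the switch described above scripted end to end: it writes the PSK variant of the conn, writes a <conn>.secrets line in Libreswan's `left right : PSK "..."` form, checks that the selectors on that line actually cover the connection's left/right IDs (the mismatch that shows up as "No matching PSK found for ..." in the log), and only then reloads with `ipsec auto --replace`, `ipsec whack --rereadsecrets` and `ipsec auto --ondemand`. The conn name taccert, the /usr/local paths, the @left.example/@right.example IDs, the placeholder PSK, and the assumption that the main ipsec.conf and ipsec.secrets include ipsec.d/*.conf and ipsec.d/*.secrets are all assumptions made for this example, not facts stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Libreswan itself.
# Switch a running Libreswan conn from authby=rsasig to authby=secret without
# "ipsec restart". Assumptions (not stated in the thread): conn name "taccert",
# a source-built Libreswan under /usr/local, and a main ipsec.conf /
# ipsec.secrets that include /usr/local/etc/ipsec.d/*.conf and *.secrets.
set -u

CONN=${CONN:-taccert}
IPSEC_D=${IPSEC_D:-/usr/local/etc/ipsec.d}

# Write the PSK variant of the conn: authby=secret and no leftcert /
# leftrsasigkey / rightrsasigkey lines. Addresses and IDs are placeholders.
write_psk_conn() {
    # $1 = conn file, $2 = left IP, $3 = right IP, $4 = left ID, $5 = right ID
    cat >"$1" <<EOF
conn $CONN
    authby=secret
    left=$2
    leftid=$4
    right=$3
    rightid=$5
    auto=ondemand
EOF
}

# Write one PSK line. pluto matches the selectors before ':' against the
# conn's left/right IDs (the IP addresses when no leftid/rightid is set);
# %any matches any peer. Written with mode 0600 because it holds the key.
write_psk_secret() {
    # $1 = secrets file, $2 = left selector, $3 = right selector, $4 = PSK
    ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" >"$1" )
}

# Return 0 if some PSK line in the file covers both IDs. This is the
# pre-check for the "No matching PSK found for ..." log line: pluto had a
# secrets file loaded, but no line on it matched this connection's IDs.
psk_selector_matches() {
    # $1 = secrets file, $2 = left ID, $3 = right ID
    file=$1; lid=$2; rid=$3
    while IFS= read -r line; do
        case $line in *": PSK "*) ;; *) continue ;; esac
        selectors=${line%%:*}
        set -- $selectors
        [ $# -eq 0 ] && return 0      # a line with no selectors matches any host
        lok=1; rok=1
        for s in "$@"; do
            [ "$s" = "$lid" ] || [ "$s" = "%any" ] && lok=0
            [ "$s" = "$rid" ] || [ "$s" = "%any" ] && rok=0
        done
        [ $lok -eq 0 ] && [ $rok -eq 0 ] && return 0
    done <"$file"
    return 1
}

# Reload without restarting pluto: re-add the conn from the edited config,
# re-read the secrets, then arm it on demand again. Dry-run when ipsec is
# not installed on this host so the script stays runnable elsewhere.
reload_psk_conn() {
    # $1 = conn name
    if ! command -v ipsec >/dev/null 2>&1; then
        echo "ipsec not found; would run: ipsec auto --replace $1 &&" \
             "ipsec whack --rereadsecrets && ipsec auto --ondemand $1"
        return 0
    fi
    ipsec auto --replace "$1" &&
    ipsec whack --rereadsecrets &&
    ipsec auto --ondemand "$1"
}

# Demo, only when RUN_DEMO=1 since it writes under $IPSEC_D.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    write_psk_conn   "$IPSEC_D/$CONN.conf" 10.196.172.139 10.196.175.174 @left.example @right.example
    write_psk_secret "$IPSEC_D/$CONN.secrets" @left.example @right.example 'constructed-example-psk'
    if psk_selector_matches "$IPSEC_D/$CONN.secrets" @left.example @right.example; then
        reload_psk_conn "$CONN"
    else
        echo "secrets line does not cover the conn's IDs; fix it before reloading" >&2
        exit 1
    fi
fi
```

Run as `RUN_DEMO=1 sh switch-to-psk.sh` on the gateway. The selector check is the part worth keeping around: after --rereadsecrets the file is loaded, but pluto still refuses the connection if the IDs it actually negotiates (leftid/rightid, or the bare addresses when none are set) are not on a PSK line, which is exactly how a freshly written <conn>.secrets can still produce "No matching PSK found".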