[Swan-dev] Changing authentication type from rsasig to PSK for a connection

Paul Wouters paul at nohats.ca
Tue Aug 4 18:06:43 UTC 2020

You need “ipsec secrets” to reread the secrets if you add / remove them.

Sent from my iPhone

> On Aug 4, 2020, at 11:39, Štěpán Brož <stepan at izitra.cz> wrote:
> Hello Balaji,
> There is a command for re-reading secrets: # ipsec whack --rereadsecrets
> Does that work for you?
> Regards,
> Stepan
> On Tue, 4 Aug 2020 at 17:22, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>> Hi Developers,
>> I have a connection with authby=rsasig and all the rest of the parameters set correctly. I am able to establish a connection successfully with X.509 certificate-based authentication. Now, when the tunnel is up, I change the authentication from rsasig to PSK by setting authby=secret (I also created a <conn-name>.secrets file for storing the PSK password) and removed all the certificate-related parameters from the connection. Without invoking the "ipsec restart" command, I do a "/usr/local/sbin/ipsec auto --ondemand taccert" to load the PSK configuration automatically. The tunnel gets torn down. Now, when a data packet triggers the tunnel, Libreswan is able to send an IKE_SA_INIT request and gets back the IKE_SA_INIT response. However, it stops processing there because it cannot find the PSK.
>> Aug  4 14:23:05 [localhost] pluto[4324]: initiate on demand from to proto=6 because: acquire
>> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: initiating v2 parent SA
>> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: local IKE proposals for taccert (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
>> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
>> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: No matching PSK found for connection:taccert
>> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #3: Failed to find our PreShared Key
>> Aug  4 14:23:05 [localhost] pluto[4324]: "taccert" #4: deleting state (STATE_UNDEFINED) and NOT sending notification
>> Aug  4 14:23:08 [localhost] sshd[4782]: pam_authp(sshd:auth): pam_sm_authenticate: Timeout waiting for authProxy
>> A couple of questions.
>> 1. Can we get the PSK tunnel establishment working without restarting IPsec? It looks to me that the secrets file is not loaded by Libreswan. Is there any way to load the secrets file with a utility command on the fly?
>> Any help is appreciated.
>> Thanks,
>> Balaji
>> _______________________________________________
>> Swan-dev mailing list
>> Swan-dev at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan-dev
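Two things make pluto log "No matching PSK found for connection" after a switch from rsasig to authby=secret: the new secrets file is not reached by an include line, or its ID list does not cover both peers' IKE IDs. The script below is an added example, not code from the thread or from Libreswan; it checks both conditions on a constructed sample tree (placeholder IDs and PSK) and assumes the documented `<id> <id> : PSK "secret"` syntax with a simplified model of pluto's ID matching.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks on a Libreswan-style
# secrets file before asking pluto to reread it, for the "No matching PSK found
# for connection" failure quoted above. Assumes the documented
#   <id> <id> : PSK "secret"   syntax and include-based ipsec.secrets.

# psk_entry_for FILE LEFTID RIGHTID
# Prints the first PSK line whose ID list names both IDs (either order), is
# %any, or has no IDs; exit 0 if found, 1 otherwise (simplified pluto lookup).
psk_entry_for() {
  awk -v l="$2" -v r="$3" '
    /^[ \t]*#/ { next }                        # comment line
    {
      # everything before the " : PSK " separator is the ID list
      if (!match($0, /[ \t]*:[ \t]*PSK[ \t]/)) next
      n = split(substr($0, 1, RSTART - 1), ids, /[ \t]+/)
      nid = hl = hr = any = 0
      for (i = 1; i <= n; i++) {
        if (ids[i] == "")     continue
        nid++
        if (ids[i] == l)      hl = 1
        if (ids[i] == r)      hr = 1
        if (ids[i] == "%any") any = 1
      }
      if (nid == 0 || any || (hl && hr)) { print; found = 1; exit }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# secrets_included MAIN_SECRETS FILE
# Exit 0 if an "include <glob>" line in MAIN_SECRETS expands to FILE; a
# per-connection file that is never included is never read by pluto.
secrets_included() {
  while read -r keyword pattern; do
    [ "$keyword" = include ] || continue
    for f in $pattern; do [ "$f" = "$2" ] && return 0; done
  done < "$1"
  return 1
}

# Constructed sample tree (placeholder IDs and PSK) so the checks run offline.
make_demo_dir() {
  d=$(mktemp -d) && mkdir "$d/ipsec.d"
  printf 'include %s/ipsec.d/*.secrets\n' "$d" > "$d/ipsec.secrets"
  printf '%s\n' '# PSK for conn "taccert", keyed by the IKE IDs of both peers' \
    '@gw.example.test @client.example.test : PSK "constructed-demo-psk"' \
    > "$d/ipsec.d/taccert.secrets"
  printf '%s\n' "$d"
}
```

Once both checks pass for the real files, reread the secrets with either command named in the thread, `ipsec whack --rereadsecrets` or `ipsec secrets`, rather than restarting IPsec.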
