[Swan] no connection has been authorized with policy=PSK
Bob Miller
bob at computerisms.ca
Wed Sep 3 20:38:13 EEST 2014
Good morning,
I hope this is just me being stupid; I built and deployed a new firewall
for a client over the weekend (using 3.9), and testing it today I am
getting the error message:
but no connection has been authorized with policy=PSK
This particular customer is using Mac and Windows to connect, so having
had a bad experience trying to get certs working with both platforms before,
I wish this to be a PSK connection. I have modelled my conn from a
working openswan box, and the logs tell me that everything is loading
correctly. When I turn on plutodebug=all a connection ends with this:
Sep 3 10:27:19 firewall pluto[10302]: | find_host_connection me=207.189.234.30:500 him=%any:500 policy=PSK
Sep 3 10:27:19 firewall pluto[10302]: | find_host_pair_conn (find_host_connection): 207.189.234.30:500 %any:500 -> hp:none
Sep 3 10:27:19 firewall pluto[10302]: | searching for connection with policy = PSK
Sep 3 10:27:19 firewall pluto[10302]: | find_host_connection returns empty
Sep 3 10:27:19 firewall pluto[10302]: packet from 199.247.177.61:500: initial Main Mode message received on 207.189.234.30:500 but no connection has been authorized with policy=PSK
I am pretty sure, based on prior experience and doing a bit of checking
on the web this morning, that the authby=secret line is supposed to
authorize the connection with policy=PSK. Am I in error?
Here is my config; did something change from openswan in the way I am
supposed to set this up? Or maybe is there a setting I am missing?
root@firewall:~# cat /etc/ipsec.conf
version 2.0

config setup
    interfaces="%defaultroute"
    plutodebug=all
    klipsdebug=none
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.191.0/24
    protostack=netkey
    oe=off

conn %default
    keyingtries=5
    auto=start

conn rw-l2tp-psk
    type=transport
    authby=secret
    left=199.247.234.30
    leftnexthop=207.189.235.254
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

root@firewall:~# cat /etc/ipsec.secrets
207.189.234.30 %any : PSK "mysecret"
--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
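The post shows pluto looking for a PSK connection on me=207.189.234.30 while the conn's left= address and the selector on the ipsec.secrets line do not agree with each other. The script below is an added example, not part of the post or of Libreswan: it parses the quoted ipsec.conf, ipsec.secrets and log line (embedded as constructed sample input) and reports any authby=secret conn whose left= address has no PSK line or differs from the address pluto matched on. It assumes the two-selector ipsec.secrets form shown in the post.

```python
import re

# Constructed sample input: the ipsec.conf conn, ipsec.secrets line and pluto log quoted in the post.
IPSEC_CONF = """\
conn rw-l2tp-psk
    type=transport
    authby=secret
    left=199.247.234.30
    right=%any
    auto=add
"""
IPSEC_SECRETS = '207.189.234.30 %any : PSK "mysecret"\n'
PLUTO_LOG = ("Sep 3 10:27:19 firewall pluto[10302]: | find_host_connection "
             "me=207.189.234.30:500 him=%any:500 policy=PSK")

def parse_conf(text):
    """Return {conn_name: {key: value}} for each conn section (indented key=value lines)."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key] = value
    return conns

def parse_secrets(text):
    """Return the local selectors (first field) of every two-selector PSK line."""
    return {m.group(1) for m in
            re.finditer(r"^\s*(\S+)\s+\S+\s*:\s*PSK\b", text, re.M)}

def check_psk_conns(conf, secrets, log):
    """List (conn, problem) pairs for every conn that uses authby=secret."""
    me = re.search(r"\bme=([0-9.]+):\d+", log)   # address pluto searched on
    me_addr = me.group(1) if me else None
    problems = []
    for name, opts in parse_conf(conf).items():
        if opts.get("authby") != "secret":
            continue
        left = opts.get("left")
        if left not in parse_secrets(secrets):
            problems.append((name, f"left={left} has no PSK line in ipsec.secrets"))
        if me_addr and left != me_addr:
            problems.append((name, f"left={left} differs from the address pluto matched on (me={me_addr})"))
    return problems

if __name__ == "__main__":
    for conn, problem in check_psk_conns(IPSEC_CONF, IPSEC_SECRETS, PLUTO_LOG):
        print(f"{conn}: {problem}")
```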