[Swan] no connection has been authorized with policy=PSK

Bob Miller bob at computerisms.ca
Wed Sep 3 20:38:13 EEST 2014


Good morning,

I hope this is just me being stupid; I built and deployed a new firewall
for a client over the weekend (using 3.9), and testing it today I am
getting this error message:

but no connection has been authorized with policy=PSK

This particular customer is using mac and windows to connect, so having
had a bad experience trying to get certs working with both platforms before,
I wish this to be a PSK connection.  I have modelled my conn on a
working openswan box, and the logs tell me that everything is loading
correctly.  When I turn on plutodebug=all a connection ends with this:

Sep  3 10:27:19 firewall pluto[10302]: | find_host_connection me=207.189.234.30:500 him=%any:500 policy=PSK
Sep  3 10:27:19 firewall pluto[10302]: | find_host_pair_conn (find_host_connection): 207.189.234.30:500 %any:500 -> hp:none
Sep  3 10:27:19 firewall pluto[10302]: | searching for connection with policy = PSK
Sep  3 10:27:19 firewall pluto[10302]: | find_host_connection returns empty
Sep  3 10:27:19 firewall pluto[10302]: packet from 199.247.177.61:500: initial Main Mode message received on 207.189.234.30:500 but no connection has been authorized with policy=PSK

I am pretty sure, based on prior experience and doing a bit of checking
on the web this morning, that the authby=secret line is supposed to
authorize the connection with policy=PSK.  Am I in error?

Here is my config; did something change from openswan in the way I am
supposed to set this up?  Or maybe is there a setting I am missing?


root at firewall:~# cat /etc/ipsec.conf 
version 2.0

config setup
   interfaces="%defaultroute"
   plutodebug=all
   klipsdebug=none
   nat_traversal=yes
   virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.191.0/24
   protostack=netkey
   oe=off

conn %default
   keyingtries=5
   auto=start

conn rw-l2tp-psk
   type=transport
   authby=secret
   left=199.247.234.30
   leftnexthop=207.189.235.254
   leftprotoport=17/%any
   right=%any
   rightprotoport=17/%any
   rightsubnet=vhost:%no,%priv
   auto=add
   pfs=no
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear

root at firewall:~# cat /etc/ipsec.secrets 
207.189.234.30 %any : PSK "mysecret"



-- 
Computerisms
Bob Miller	
867-334-7117 / 867-633-3760
http://computerisms.ca
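A small consistency check, added here as an example and not part of the post or of libreswan itself, that parses the conn and secrets shown above and flags two things worth verifying when pluto reports "no connection has been authorized with policy=PSK": whether the conn's left= address appears on a PSK line in ipsec.secrets, and whether left= matches the me= address pluto prints in find_host_connection (in the post, left= is 199.247.234.30 while both the log and ipsec.secrets use 207.189.234.30). The inputs are constructed from the post with a placeholder secret, and the parser only handles the simple indented key=value layout used there.

```python
import re

# Constructed inputs modelled on the post above; the secret is a placeholder.
IPSEC_CONF = """\
conn rw-l2tp-psk
   authby=secret
   left=199.247.234.30
   right=%any
   auto=add
"""
IPSEC_SECRETS = '207.189.234.30 %any : PSK "placeholder-secret"\n'
PLUTO_LOG = "pluto[10302]: | find_host_connection me=207.189.234.30:500 him=%any:500 policy=PSK"

def parse_conf(text):
    """Return {conn_name: {key: value}} from the 'conn NAME' sections of ipsec.conf."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and line[:1].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k.strip()] = v.strip()
    return conns

def parse_psk_ids(text):
    """Return one set of IDs per '<ids> : PSK "..."' line; an empty set is a wildcard line."""
    return [set(m.group(1).split())
            for m in (re.match(r'^\s*(.*?)\s*:\s*PSK\b', ln) for ln in text.splitlines()) if m]

def psk_problems(conf_text, secrets_text, log_line=""):
    """List authby=secret conns whose left= matches no PSK line (explicitly or via a
    wildcard line), plus any mismatch with the 'me=' address pluto logged."""
    id_sets = parse_psk_ids(secrets_text)
    m = re.search(r"me=([\d.]+):\d+", log_line)
    me = m.group(1) if m else None
    problems = []
    for name, c in parse_conf(conf_text).items():
        if c.get("authby") != "secret":
            continue
        left = c.get("left")
        if not any(not ids or left in ids for ids in id_sets):
            problems.append(f"{name}: no PSK line in ipsec.secrets lists left={left}")
        if me and left != me:
            problems.append(f"{name}: left={left} but pluto searched with me={me}")
    return problems

if __name__ == "__main__":
    print("\n".join(psk_problems(IPSEC_CONF, IPSEC_SECRETS, PLUTO_LOG)) or "no PSK problems found")
```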