[Swan] Connection problem with road warrior and pre-shared key configuration

Steve Scheck sscheck at ssni.com
Mon Dec 19 23:39:01 UTC 2016


Hello,

I’m having problems getting Libreswan working for a road warrior with pre-shared key configuration.

Here’s the configuration and logs produced.

Thanks for any suggestions on how to proceed with troubleshooting this.

--

el-lado-claro.secrets
192.0.2.1 @EL-LADO-OSCURO: PSK "********************************"

el-lado-claro.conf
conn EL-LADO-OSCURO
    type=tunnel
    left=192.0.2.1
    leftid=192.0.2.1
    right=%any
    rightid=@EL-LADO-OSCURO
    authby=secret

    # IKE Phase 1
    #ike=3des-sha1;dh2
    ike=3des-sha1;modp1024
    aggrmode=yes
    ikelifetime=3600s

    # Phase 2
    phase2=esp
    phase2alg=aes128-sha1;modp1024
    salifetime=3600s

    # use auto=start when done testing the tunnel
    auto=add

Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: received Vendor ID payload [Dead Peer Detection]
Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Aggressive mode peer ID is ID_FQDN: '@EL-LADO-OSCURO'
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: responding to Aggressive Mode, state #1, connection "EL-LADO-OSCURO" from 198.51.100.1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: sending notification INVALID_FLAGS to 198.51.100.1:500
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:05 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:35 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: max number of retransmissions (8) reached STATE_AGGR_R1
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: deleting state #1 (STATE_AGGR_R1)
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1: deleting connection "EL-LADO-OSCURO" instance with peer 198.51.100.1 {isakmp=#0/ipsec=#0}
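As an added example (not part of the original post or of Libreswan itself), a small Python triage script that parses pluto lines of the kind quoted above, tracks the IKEv1 state per ISAKMP SA, and reports why the exchange never completed; the embedded sample is a constructed subset of the log lines in this post, and the regex assumes pluto's "CONN"[inst] PEER #SA: message prefix.

```python
import re

# Constructed sample: the pluto lines from the post above, trimmed to the ones the triage uses.
SAMPLE_LOG = """\
Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: max number of retransmissions (8) reached STATE_AGGR_R1
"""

# Assumed pluto line shape for per-state messages: "CONN"[inst] PEER #SA: message (prefix optional)
LINE_RE = re.compile(
    r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")

def parse_line(line):
    """Return (conn, peer, sa, msg) for a pluto line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sa = int(m["sa"]) if m["sa"] else None
    return m["conn"], m["peer"], sa, m["msg"]

def triage(log_text):
    """Summarise why an IKEv1 responder exchange in a pluto log did not complete."""
    report = {"aggressive_psk_warning": False, "last_state": {}, "findings": []}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        conn, peer, sa, msg = parsed
        if "Aggressive Mode with PSK" in msg:
            report["aggressive_psk_warning"] = True  # pluto itself flags this combination as weak
        if sa is None:
            continue  # connection-level line, no state number to track
        t = TRANSITION_RE.search(msg)
        if t:
            report["last_state"][sa] = t.group(2)
        state = report["last_state"].get(sa)
        if "should have been encrypted" in msg:
            report["findings"].append(f"SA #{sa}: peer reply rejected as unencrypted while in {state}")
        if "incomplete ISAKMP SA" in msg:
            report["findings"].append(f"SA #{sa}: Quick Mode arrived before phase 1 completed")
        if "max number of retransmissions" in msg:
            report["findings"].append(f"SA #{sa}: retransmit limit reached in {state}; phase 1 never finished")
    return report
```

Run it over a full `journalctl -u ipsec` or pluto log extract; an empty `findings` list with `last_state` ending in a `STATE_AGGR_R2` or `STATE_MAIN_R3` style state means phase 1 did complete and the problem lies elsewhere.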


