[Swan] Connection problem with road warrior and pre-shared key configuration
Steve Scheck
sscheck at ssni.com
Mon Dec 19 23:39:01 UTC 2016
Hello,
I’m having problems getting Libreswan working for a road warrior with pre-shared key configuration.
Here’s the configuration and logs produced.
Thanks for any suggestions on how to proceed with troubleshooting this.
--
el-lado-claro.secrets

192.0.2.1 @EL-LADO-OSCURO: PSK "********************************"

el-lado-claro.conf

conn EL-LADO-OSCURO
    type=tunnel
    left=192.0.2.1
    leftid=192.0.2.1
    right=%any
    rightid=@EL-LADO-OSCURO
    authby=secret
    # IKE Phase 1
    #ike=3des-sha1;dh2
    ike=3des-sha1;modp1024
    aggrmode=yes
    ikelifetime=3600s
    # Phase 2
    phase2=esp
    phase2alg=aes128-sha1;modp1024
    salifetime=3600s
    # use auto=start when done testing the tunnel
    auto=add

Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: received Vendor ID payload [Dead Peer Detection]
Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Aggressive mode peer ID is ID_FQDN: '@EL-LADO-OSCURO'
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: responding to Aggressive Mode, state #1, connection "EL-LADO-OSCURO" from 198.51.100.1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: sending notification INVALID_FLAGS to 198.51.100.1:500
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:05 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:35 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: max number of retransmissions (8) reached STATE_AGGR_R1
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: deleting state #1 (STATE_AGGR_R1)
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1: deleting connection "EL-LADO-OSCURO" instance with peer 198.51.100.1 {isakmp=#0/ipsec=#0}
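
Added example (not part of the original post and not Libreswan code): a small Python triage script that reads pluto log lines like the ones above and reports, per IKE state, the last state reached, how many messages were rejected, and the state in which retransmissions ran out. It also lists peers that triggered the Aggressive Mode PSK warning. The regular expressions and the function name `triage` are assumptions based only on the line formats visible in this log.

```python
import re
from collections import defaultdict

# A subset of lines copied from the pluto log in the post above.
SAMPLE_LOG = """\
Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: max number of retransmissions (8) reached STATE_AGGR_R1
"""

# Assumed format: "<conn>"[instance] <peer> #<state number>: <message>
STATE_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
# Assumed format: packet from <ip>:<port>: <message> (logged before a connection is matched)
PACKET_LINE = re.compile(r'pluto\[\d+\]: packet from (?P<peer>[\d.]+):\d+: (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
GAVE_UP = re.compile(r'max number of retransmissions \(\d+\) reached (\S+)')

def triage(log_text):
    """Return (peers using Aggressive Mode with PSK, per-state summary dict)."""
    aggr_psk_peers = set()
    states = defaultdict(lambda: {"last_state": None, "rejected": 0, "timed_out_in": None})
    for line in log_text.splitlines():
        m = PACKET_LINE.search(line)
        if m:
            if "Aggressive Mode with PSK" in m["msg"]:
                aggr_psk_peers.add(m["peer"])
            continue
        m = STATE_LINE.search(line)
        if not m:
            continue  # not a per-state line we recognise
        s = states[(m["conn"], m["peer"], int(m["sa"]))]
        t = TRANSITION.search(m["msg"])
        g = GAVE_UP.search(m["msg"])
        if t:
            s["last_state"] = t.group(2)
        elif g:
            s["timed_out_in"] = g.group(1)
        elif "packet rejected" in m["msg"] or "is unacceptable" in m["msg"]:
            s["rejected"] += 1
    return aggr_psk_peers, dict(states)

if __name__ == "__main__":
    peers, summary = triage(SAMPLE_LOG)
    print("Aggressive Mode + PSK seen from:", sorted(peers))
    for key, info in summary.items():
        print(key, info)
```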