[Swan] Connection problem with road warrior and pre-shared key configuration
Paul Wouters
paul at nohats.ca
Fri Dec 23 20:11:25 UTC 2016
On Mon, 19 Dec 2016, Steve Scheck wrote:
> I’m having problems getting Libreswan working for a road warrior with pre-shared key configuration.
>
> Here’s the configuration and logs produced.
>
> Thanks for any suggestions on how to proceed with troubleshooting this.
> el-lado-claro.secrets
>
> 192.0.2.1 @EL-LADO-OSCURO: PSK "********************************"
You need to add 0.0.0.0 or %any as well if you have right=%any.
> el-lado-claro.conf
>
> conn EL-LADO-OSCURO
>
> type=tunnel
>
> left=192.0.2.1
>
> leftid=192.0.2.1
>
> right=%any
>
> rightid=@EL-LADO-OSCURO
>
> authby=secret
>
There cannot be empty lines in your configuration.
>
> # IKE Phase 1
>
> #ike=3des-sha1;dh2
>
> ike=3des-sha1;modp1024
This is really old-fashioned. I hope you can do better with the other
end? Like match the esp= and use aes-sha1 at the least?
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
It really did not like you at all. Looks like a mismatched
configuration. You might be able to tell more if you enable
debugging and see what's in the unencrypted response.
Paul
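
Added example, not part of the original message and not Libreswan's own tooling: a small Python lint that checks a conn file and a secrets file for the three points raised in the reply (an empty line inside a conn section, a legacy ike=/esp= proposal, and right=%any without a %any or 0.0.0.0 entry in the PSK line). The function name `lint`, the `LEGACY` token set and the sample input are assumptions constructed for illustration.

```python
import re

LEGACY = {"3des", "modp1024", "dh2"}  # assumption: tokens this sketch treats as legacy

def lint(conf_text, secrets_text):
    """Return findings for the three issues raised in the reply above."""
    findings, opts, in_conn, blank_at = [], {}, False, None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line:                      # remember the first blank line in a conn
            if in_conn and blank_at is None:
                blank_at = n
            continue
        if line.startswith("#"):
            continue
        if not raw[0].isspace():          # unindented line starts a new section
            in_conn, blank_at = raw.startswith("conn "), None
            continue
        if in_conn and "=" in line:
            if blank_at is not None:      # an option follows a blank line
                findings.append(f"conf line {blank_at}: empty line inside conn section")
                blank_at = None
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    for key in ("ike", "esp"):
        weak = sorted(LEGACY & set(re.split(r"[-;,+\s]+", opts.get(key, "").lower())))
        if weak:
            findings.append(f"{key}= uses legacy algorithms: {', '.join(weak)}")
    if opts.get("right") == "%any":
        ids = set()
        for line in secrets_text.splitlines():
            m = re.match(r"^(.*?)\s*:\s*PSK\s", line.strip())
            if m:                         # collect the IDs that index this PSK
                ids.update(m.group(1).split())
        if not ids & {"%any", "0.0.0.0"}:
            findings.append("secrets: right=%any but no PSK entry lists %any or 0.0.0.0")
    return findings

# Constructed sample input modelled on the configuration quoted in the thread.
SAMPLE_CONF = """conn EL-LADO-OSCURO
    type=tunnel

    left=192.0.2.1
    right=%any
    ike=3des-sha1;modp1024
"""
SAMPLE_SECRETS = '192.0.2.1 @EL-LADO-OSCURO: PSK "constructed-placeholder"\n'

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF, SAMPLE_SECRETS)))
```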