[Swan] Connection problem with road warrior and pre-shared key configuration
Steve Scheck
sscheck at ssni.com
Tue Jan 3 17:53:16 UTC 2017
Thanks for the feedback Paul.
I tried adding a line like this to the secrets file:
192.0.2.1 %any @EL-LADO-OSCURO: PSK "********************************"
Or this:
192.0.2.1 0.0.0.0 @EL-LADO-OSCURO: PSK "********************************"
It resulted in Pluto not being able to find a matching connection profile (I don’t have the logs handy at the moment, but that’s essentially what they reported).
Leaving the secrets file alone, removing the empty lines had no effect on the logged failure information, so I suspect they’re unrelated to whatever the mismatch is.
On 12/23/16, 12:11 PM, "Paul Wouters" <paul at nohats.ca> wrote:
On Mon, 19 Dec 2016, Steve Scheck wrote:
> I’m having problems getting Libreswan working for a road warrior with pre-shared key configuration.
>
> Here’s the configuration and logs produced.
>
> Thanks for any suggestions on how to proceed with troubleshooting this.
> el-lado-claro.secrets
>
> 192.0.2.1 @EL-LADO-OSCURO: PSK "********************************"
you need to add 0.0.0.0 or %any as well if you have right=%any
> el-lado-claro.conf
>
> conn EL-LADO-OSCURO
>
> type=tunnel
>
> left=192.0.2.1
>
> leftid=192.0.2.1
>
> right=%any
>
> rightid=@EL-LADO-OSCURO
>
> authby=secret
>
There cannot be empty lines in your configuration.
>
> # IKE Phase 1
>
> #ike=3des-sha1;dh2
>
> ike=3des-sha1;modp1024
this is really old-fashioned. I hope you can do better with the other
end? Like match the esp= and use aes-sha1 at the least?
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2
>
> Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted
It really did not like you at all. Looks like a mismatched
configuration. You might be able to tell more if you enable
debugging and see what's in the unencrypted response.
Paul
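Paul's two points (a PSK line that is also indexed by %any or 0.0.0.0 when the conn has right=%any, and no empty lines inside the conn block) can be turned into a small pre-flight check. This is an added example, not Libreswan code and not from either poster; the constructed sample reuses the thread's conn block with a placeholder PSK.

```python
# Constructed sample: the conn block from the thread (with one empty line
# inside it) and a secrets line that names only the left address.
CONF_SAMPLE = """conn EL-LADO-OSCURO

    type=tunnel
    left=192.0.2.1
    leftid=192.0.2.1
    right=%any
    rightid=@EL-LADO-OSCURO
    authby=secret
    ike=3des-sha1;modp1024
"""
SECRETS_SAMPLE = '192.0.2.1 @EL-LADO-OSCURO: PSK "placeholder-psk"\n'


def parse_conn(conf_text):
    """Return (key=value settings, number of empty lines inside the conn block)."""
    settings, blank, in_conn = {}, 0, False
    for line in conf_text.splitlines():
        if line.startswith("conn "):
            in_conn = True
            continue
        if not in_conn:
            continue
        if line.strip() == "":
            blank += 1          # Paul: no empty lines in the configuration
            continue
        key, _, value = line.strip().partition("=")
        settings[key] = value
    return settings, blank


def psk_selectors(secrets_text):
    """Return the index selectors (IDs/addresses before ':') of each PSK line."""
    selectors = []
    for line in secrets_text.splitlines():
        head, sep, rest = line.partition(":")
        if sep and rest.lstrip().startswith("PSK"):
            selectors.append(head.split())
    return selectors


def check(conf_text, secrets_text):
    """Apply both checks from the thread; return a list of findings (empty = ok)."""
    findings = []
    settings, blank = parse_conn(conf_text)
    if blank:
        findings.append(f"{blank} empty line(s) inside the conn block")
    if settings.get("right") == "%any":
        # Paul: with right=%any the PSK line must also match %any or 0.0.0.0
        if not any("%any" in s or "0.0.0.0" in s for s in psk_selectors(secrets_text)):
            findings.append("right=%any but no PSK line indexed by %any or 0.0.0.0")
    return findings
```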