[Swan] Connection problem with road warrior and pre-shared key configuration

Paul Wouters paul at nohats.ca
Wed Jan 25 00:12:16 UTC 2017


On Tue, 24 Jan 2017, Steve Scheck wrote:

> Are there any hints from libreswan as to what it judges to be mismatched?

I managed to reproduce this error in one scenario, although different
from yours.

"north-east"[1] 192.1.3.33 #1: STATE_AGGR_R1: sent AR1, expecting AI2
"north-east"[1] 192.1.3.33 #1: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=testing at libreswan.org'
"north-east"[1] 192.1.3.33 #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.1.3.33:500
"north-east"[1] 192.1.3.33 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA

I found a bug in IKEv1 Aggressive Mode when using certificates.
libreswan as initiator does not send the certificate, even when
setting leftsendcert=always.

If the initiator in your case is either libreswan or openswan, this
might be happening to you.

I've added a testcase for this (ikev1-aggr-sendcert-01).

Either Matt or I will look at a patch for this :)

But your case is using PSK. If the authentication for PSK fails, the
packets are undecryptable, so this is not the case you are seeing.

It seems like somehow this is a misconfiguration. It would help if
you can show some logs of the other side.

Paul

