[Swan] AUTH mismatch: Received AUTH != computed AUTH

Paul Wouters paul at nohats.ca
Mon Sep 12 22:13:59 EEST 2022


It really seems the PSKs are not the same. If you changed them, ensure to restart ipsec or run “ipsec secrets” to reload.

It might also be that you have multiple secrets labeled with %any and another entry is picked? Try to just stick with @leftid and @rightid without using %any.

Paul

Sent using a virtual keyboard on a phone

> On Sep 12, 2022, at 14:07, Brendan Kearney <bpk678 at gmail.com> wrote:
> 
> 
> list members,
> 
> I am going in circles trying to figure out where I have gone wrong and could use some help.  I have a libreswan instance behind my router, thus am using NAT-T on the "left" side.  I am trying to test with a client on my network, accessing my dyn-dns name (external IP of my router), and being forwarded to the libreswan instance.
> 
> All the routing is working and connections initiate, but do not complete because auth fails.  I get the following logs which indicate the error:
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: local IKE proposals (IKE SA responder matching remote proposals):
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256 4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 7:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 8:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_384 9:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_384 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384 11:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384 12:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384 13:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384 14:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1...
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.24.87'
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: AUTH mismatch: Received AUTH != computed AUTH
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: PSK Authentication failed: AUTH mismatch in I2 Auth Payload!
> 
> Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=responder conn-name="s2s" connstate=84 ike-version=2.0 auth=PRESHARED_KEY cipher=aes_gcm_16 ksize=256 integ=none prf=sha512 pfs=DH19  raddr=192.168.24.87 exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.152.254 terminal=? res=failed'
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: responding to IKE_AUTH message (ID 1) from 192.168.24.87:4500 with encrypted notification AUTHENTICATION_FAILED
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: encountered fatal error in state STATE_PARENT_R1
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: deleting state (STATE_PARENT_R1) aged 0.037191s and NOT sending notification
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: deleting connection instance with peer 192.168.24.87 {isakmp=#0/ipsec=#0}
> 
> the "left" config:
> 
> # Site-to-Site (s2s) Config
> conn s2s
>     rekey=yes
>     left=192.168.152.254
>     leftsubnet=192.168.152.0/24
>     right=%any
>     ikelifetime=28800s
>     authby=secret
>     type=tunnel
>     auto=add
>     ikev2=insist
>     fragmentation=yes
> 
> the "left" secrets:
> 
> 192.168.152.254 %any : PSK "SooperSekretString"
> 
> the "right" config
> 
> #Site-to-Site (s2s) Config
> conn s2s
>     rekey=yes
>     left=%defaultroute
>     right=bkearney.ddns.net
>     ikelifetime=28800s
>     authby=secret
>     type=tunnel
>     auto=start
>     ikev2=insist
>     fragmentation=yes
> 
> the "right" secrets:
> 
> %any @ext.dyndns.tld : PSK "SooperSekretString"
> 
> Any insight would be greatly appreciated.  I am at a loss as to where I am messing this up.
> 
> thank you,
> 
> brendan kearney
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
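Paul's two suggestions above both come down to which PSK each side selects for the ID pair and what is then fed into the IKEv2 AUTH computation. The Python below is an added example, not libreswan code: it uses a simplified, assumed model of secret selection (an entry matches when its two selectors cover the local and remote IDs in either order, with %any covering anything) and computes AUTH exactly as RFC 7296 section 2.15 specifies with HMAC-SHA2-512, so the effect of differing PSKs, over-broad %any entries and labels that do not match the actual IDs can be observed offline. All ID strings and the signed octets in the tests are constructed.

```python
import hashlib
import hmac
import re

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string, RFC 7296 section 2.15

def parse_secrets(text):
    """Parse 'idA idB : PSK "secret"' lines (simplified model, not libreswan's parser)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(.*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if not m:
            raise ValueError(f"unparsable secrets line: {line!r}")
        entries.append((m.group(1).split(), m.group(2).encode()))
    return entries

def select_psk(entries, local_id, remote_id):
    """An entry matches when its two selectors cover (local, remote) in either order;
    %any covers anything, so several %any entries with different PSKs are ambiguous."""
    covers = lambda sel, ident: sel == "%any" or sel == ident
    hits = [psk for sels, psk in entries if len(sels) == 2 and (
        covers(sels[0], local_id) and covers(sels[1], remote_id)
        or covers(sels[1], local_id) and covers(sels[0], remote_id))]
    if not hits:
        return "no-secret", None
    return ("ambiguous" if len(set(hits)) > 1 else "ok"), hits[0]

def ikev2_psk_auth(psk, signed_octets):
    """RFC 7296 section 2.15: AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <SignedOctets>);
    prf is HMAC-SHA2-512 here, matching the prf=HMAC_SHA2_512 negotiated in the log."""
    padded = hmac.new(psk, KEY_PAD, hashlib.sha512).digest()
    return hmac.new(padded, signed_octets, hashlib.sha512).digest()

def check_psk_auth(init_secrets, resp_secrets, init_id, resp_id, signed_octets):
    """Simulate the responder's check: each side picks a PSK by ID, the initiator sends
    AUTH, the responder recomputes it from its own PSK and compares the two."""
    i_status, i_psk = select_psk(parse_secrets(init_secrets), init_id, resp_id)
    r_status, r_psk = select_psk(parse_secrets(resp_secrets), resp_id, init_id)
    if i_psk is None or r_psk is None:
        return "no-secret"
    received = ikev2_psk_auth(i_psk, signed_octets)
    computed = ikev2_psk_auth(r_psk, signed_octets)
    if not hmac.compare_digest(received, computed):
        return "AUTH mismatch"  # what pluto logs as "Received AUTH != computed AUTH"
    return "ambiguous" if "ambiguous" in (i_status, r_status) else "ok"
```

Because the PSK never crosses the wire, the responder can only report that the received and recomputed AUTH differ; which of the three configuration causes applies has to be read off the secrets files, which is what the statuses above separate.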