<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:Calibri;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:Calibri;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’m having problems getting Libreswan working for a road warrior with pre-shared key configuration.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Here’s the configuration and logs produced.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks for any suggestions on how to proceed with troubleshooting this.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">--<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">el-lado-claro.secrets<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">192.0.2.1 @EL-LADO-OSCURO: PSK "********************************"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">el-lado-claro.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">conn EL-LADO-OSCURO<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> type=tunnel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> left=192.0.2.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> leftid=192.0.2.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> right=%any<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> rightid=@EL-LADO-OSCURO<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> authby=secret<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> # IKE Phase 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> #ike=3des-sha1;dh2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> ike=3des-sha1;modp1024<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> aggrmode=yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> ikelifetime=3600s<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> # Phase 2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> phase2=esp<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> phase2alg=aes128-sha1;modp1024<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> salifetime=3600s<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> # use auto=start when done testing the tunnel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> auto=add<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: packet from 198.51.100.1:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Aggressive mode peer ID is ID_FQDN: '@EL-LADO-OSCURO'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: responding to Aggressive Mode, state #1, connection "EL-LADO-OSCURO" from 198.51.100.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: warning: peer requested IKE lifetime of 4294967295 seconds which we capped at our limit of 86400 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: STATE_AGGR_R1: sent AR1, expecting AI2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: packet rejected: should have been encrypted<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: sending notification INVALID_FLAGS to 198.51.100.1:500<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:28:48 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:29:05 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:29:35 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: max number of retransmissions (8) reached STATE_AGGR_R1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1 #1: deleting state #1 (STATE_AGGR_R1)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dec 19 15:29:52 localhost pluto[5561]: "EL-LADO-OSCURO"[1] 198.51.100.1: deleting connection "EL-LADO-OSCURO" instance with peer 198.51.100.1 {isakmp=#0/ipsec=#0}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</body>
</html>