<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks. I guessed that but I copied and pasted them so I am not sure
why. I'll try again.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 28/04/2017 18:09, Paul Wouters
wrote:<br>
</div>
<blockquote
cite="mid:B8F05CA1-4A10-4F93-A5F4-2AC4ADA305AE@nohats.ca"
type="cite">
<pre wrap="">
It means your PSK's don't match.
Sent from my iPhone
</pre>
<blockquote type="cite">
<pre wrap="">On Apr 28, 2017, at 13:06, Nick Howitt <a class="moz-txt-link-rfc2396E" href="mailto:nick@howitts.co.uk"><nick@howitts.co.uk></a> wrote:
Hi Paul,
I've trying to set up a very basic IKEv2+PSK conn from Android 5.0.1 to libreswan 3.20 but it is giving errors:
conn test
type=tunnel
authby=secret
auto=add
left=82.19.158.192
leftsourceip=172.17.2.1
leftsubnet=172.17.2.0/24
right=%any
rightid=@nick
salifetime=1h
ikelifetime=8h
ikev2=insist
dpdaction=clear
dpdtimeout=120
dpddelay=30
rekey=no
and:
Apr 28 17:58:13 server pluto[3953]: packet from 85.255.235.101:36533: test IKE proposals for initial responder: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)
Apr 28 17:58:13 server pluto[3953]: packet from 85.255.235.101:36533: proposal 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from: 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
Apr 28 17:58:13 server pluto[3953]: packet from 85.255.235.101:36533: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
Apr 28 17:58:13 server pluto[3953]: packet from 85.255.235.101:36533: sending unencrypted notification v2N_INVALID_KE_PAYLOAD to 85.255.235.101:36533
Apr 28 17:58:14 server pluto[3953]: packet from 85.255.235.101:36533: proposal 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from: 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101 #455: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101 #455: new NAT mapping for #455, was 85.255.235.101:36533, now 85.255.235.101:54219
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101 #455: IKEv2 mode peer ID is ID_FQDN: '@nick'
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101 #455: AUTH mismatch: Received AUTH != computed AUTH
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101 #455: PSK Authentication failed: AUTH mismatch!
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101 #455: sending unencrypted notification v2N_AUTHENTICATION_FAILED to 85.255.235.101:54219
Apr 28 17:58:14 server pluto[3953]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101 #455: deleting state (STATE_PARENT_R1)
Apr 28 17:58:14 server pluto[3953]: "test"[4] 85.255.235.101: deleting connection "test"[4] 85.255.235.101 instance with peer 85.255.235.101 {isakmp=#0/ipsec=#0}
Apr 28 17:58:15 server pluto[3953]: packet from 85.255.235.101:54219: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.101:54219
Apr 28 17:58:17 server pluto[3953]: packet from 85.255.235.101:54219: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.101:54219
Apr 28 17:58:20 server pluto[3953]: packet from 85.255.235.101:54219: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.101:54219
Apr 28 17:58:27 server pluto[3953]: packet from 85.255.235.101:54219: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.101:54219
Apr 28 17:58:37 server pluto[3953]: packet from 85.255.235.101:54219: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.101:54219
Apr 28 17:58:56 server pluto[3953]: packet from 85.255.235.101:54219: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.101:54219
It looks like it has agreed a proposal but I've no idea about the AUTH mismatch. I know I have not configured an addresspool. Is it necessary and causing this issue or is there something else going on?
Regards,
Nick
_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
</body>
</html>