<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>list members,<br>
    </p>
    <p>i am going in circles trying to figure out where i have gone
      wrong and could use some help.  i have a libreswan instance behind
      my router, thus am using NAT-T on the "left" side.  i am trying to
      test with a client on my network, accessing my dyn-dns name
      (external IP of my router), and being forwarded to the libreswan
      instance.</p>
    <p>all the routing is working and connections initiate, but do not
      complete because auth fails.  i get the following logs which
      indicates the error:</p>
    <blockquote>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: local
        IKE proposals (IKE SA responder matching remote proposals):<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:  
1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:  
2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:  
3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:  
4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:  
5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from
        remote proposals
        1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match]
        2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256
4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
        7:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
        8:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_384
        9:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_384
10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384
11:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
12:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384
13:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
        14:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1...<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256
        integ=n/a prf=HMAC_SHA2_512 group=DH19}<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.24.87'<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        AUTH mismatch: Received AUTH != computed AUTH<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        PSK Authentication failed: AUTH mismatch in I2 Auth Payload!<br>
      </p>
      <p>Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512 uid=0
        auid=4294967295 ses=4294967295 subj=kernel msg='op=start
        direction=responder conn-name="s2s" connstate=84 ike-version=2.0
        auth=PRESHARED_KEY cipher=aes_gcm_16 ksize=256 integ=none
        prf=sha512 pfs=DH19  raddr=192.168.24.87
        exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.152.254
        terminal=? res=failed'<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        responding to IKE_AUTH message (ID 1) from 192.168.24.87:4500
        with encrypted notification AUTHENTICATION_FAILED<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        encountered fatal error in state STATE_PARENT_R1<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
        deleting state (STATE_PARENT_R1) aged 0.037191s and NOT sending
        notification<br>
      </p>
      <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:
        deleting connection instance with peer 192.168.24.87
        {isakmp=#0/ipsec=#0}</p>
    </blockquote>
    <p>the "left" config:</p>
    <blockquote>
      <p># Site-to-Site (s2s) Config<br>
        conn s2s<br>
            rekey=yes<br>
            left=192.168.152.254<br>
            leftsubnet=192.168.152.0/24<br>
            right=%any<br>
            ikelifetime=28800s<br>
            authby=secret<br>
            type=tunnel<br>
            auto=add<br>
            ikev2=insist<br>
            fragmentation=yes</p>
    </blockquote>
    <p>the "left" secrets:</p>
    <blockquote>
      <p>192.168.152.254 %any : PSK "SooperSekretString"</p>
    </blockquote>
    <p>the "right" config</p>
    <blockquote>
      <p>#Site-to-Site (s2s) Config<br>
        conn s2s<br>
            rekey=yes<br>
            left=%defaultroute<br>
            right=bkearney.ddns.net<br>
            ikelifetime=28800s<br>
            authby=secret<br>
            type=tunnel<br>
            auto=start<br>
            ikev2=insist<br>
            fragmentation=yes</p>
    </blockquote>
    <p>the "right" secrets:</p>
    <blockquote>
      <p>%any @ext.dyndns.tld : PSK "SooperSekretString"</p>
    </blockquote>
    <p>any insight would be greatly appreciated.  i am at a loss as to
      where i am messing this up.</p>
    <p>thank you,</p>
    <p>brendan kearney<br>
    </p>
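<p>Added illustration (written for this page, not taken from libreswan's sources) of the responder-side check behind the "AUTH mismatch: Received AUTH != computed AUTH" line above: the PSK AUTH value from RFC 7296 section 2.15, computed with HMAC-SHA2-512, the PRF the IKE_SA_INIT reply in the log settled on. The message bytes, nonce, SK_pi and ID payload are constructed placeholders; the point it makes is that the value binds both the shared secret and the IDi payload, so a peer whose secret or identity differs from what the responder looks up will fail this comparison.</p>

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA2-512: the PRF chosen in the logged IKE_SA_INIT exchange
    return hmac.new(key, data, hashlib.sha512).digest()


def signed_octets(message: bytes, peer_nonce: bytes, sk_p: bytes, id_payload: bytes) -> bytes:
    # RFC 7296 s2.15: SignedOctets = RealMessage | NonceData | MACedID, where
    # MACedID = prf(SK_p, RestOfIDPayload). RestOfIDPayload is the ID payload
    # without its 4-byte generic header: ID type, 3 reserved bytes, ID data.
    return message + peer_nonce + prf(sk_p, id_payload)


def psk_auth(shared_secret: bytes, octets: bytes) -> bytes:
    # AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
    return prf(prf(shared_secret, KEY_PAD), octets)


def responder_check(received_auth: bytes, shared_secret: bytes, octets: bytes) -> bool:
    # Constant-time comparison; a False here is what pluto reports as "AUTH mismatch"
    return hmac.compare_digest(received_auth, psk_auth(shared_secret, octets))


def demo() -> dict:
    # Constructed stand-ins for the real IKE_SA_INIT request, responder nonce and SK_pi
    msg = b"\x00" * 8 + b"constructed IKE_SA_INIT request"
    nonce_r = bytes(range(32))
    sk_pi = hashlib.sha512(b"constructed SK_pi").digest()
    # ID_IPV4_ADDR (type 1) carrying 192.168.24.87, the peer ID seen in the log
    idi = b"\x01\x00\x00\x00" + bytes([192, 168, 24, 87])
    other_idi = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1])  # constructed, different identity
    octets = signed_octets(msg, nonce_r, sk_pi, idi)
    auth_sent = psk_auth(b"SooperSekretString", octets)  # what the initiator would send
    return {
        "same_psk_same_id": responder_check(auth_sent, b"SooperSekretString", octets),
        "other_psk": responder_check(auth_sent, b"OtherString", octets),
        "other_id": responder_check(auth_sent, b"SooperSekretString",
                                    signed_octets(msg, nonce_r, sk_pi, other_idi)),
    }
```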
  </body>
</html>