<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">One is a wrapper for the other <br><br><div dir="ltr">Sent using a virtual keyboard on a phone</div><div dir="ltr"><br><blockquote type="cite">On Sep 15, 2022, at 13:37, Brendan Kearney <bpk678@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
    <p>That seems to have done the trick, but I thought I was doing that,
      albeit via a different command.</p>
    <blockquote>
      <p>ipsec auto --rereadsecrets<br>
        vs<br>
        ipsec secrets<br>
      </p>
    </blockquote>
    <p>Is there a difference between the two commands?  In either case,
      thanks for the pointer.</p>
    <p>Brendan<br>
    </p>
    <div class="moz-cite-prefix">On 9/12/22 3:13 PM, Paul Wouters wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:954C5CCD-B6B5-4AC0-A79D-DE22DA0634C2@nohats.ca">
      It really seems the PSKs are not the same. If you changed them,
      ensure you restart ipsec or run “ipsec secrets” to reload.
      <div><br>
      </div>
      <div>It might also be that you have multiple secrets labeled with
        %any and another entry is picked? Try to just stick with @leftid
        and @rightid without using %any.</div>
      <div><br>
      </div>
      <div>Paul<br>
        <br>
        <div dir="ltr">Sent using a virtual keyboard on a phone</div>
        <div dir="ltr"><br>
          <blockquote type="cite">On Sep 12, 2022, at 14:07, Brendan
            Kearney <a class="moz-txt-link-rfc2396E" href="mailto:bpk678@gmail.com"><bpk678@gmail.com></a> wrote:<br>
            <br>
          </blockquote>
        </div>
        <blockquote type="cite">
          <div dir="ltr">
            <p>List members,<br>
            </p>
            <p>I am going in circles trying to figure out where I have
              gone wrong and could use some help.  I have a libreswan
              instance behind my router, thus am using NAT-T on the
              "left" side.  I am trying to test with a client on my
              network, accessing my dyn-dns name (external IP of my
              router), and being forwarded to the libreswan instance.</p>
            <p>All the routing is working and connections initiate, but
              do not complete because auth fails.  I get the following
              logs, which indicate the error:</p>
            <blockquote>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9]
                192.168.24.87: local IKE proposals (IKE SA responder
                matching remote proposals):<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9]
                192.168.24.87:  
1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9]
                192.168.24.87:  
2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9]
                192.168.24.87:  
3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9]
                192.168.24.87:  
4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9]
                192.168.24.87:  
5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256
                chosen from remote proposals
                1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match]
                2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256
4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
                7:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
                8:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_384
                9:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_384
10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384
11:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
12:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384
13:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
                14:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1...<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: sent IKE_SA_INIT reply {auth=IKEv2
                cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512
                group=DH19}<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: processing decrypted IKE_AUTH request:
                SK{IDi,AUTH,SA,TSi,TSr}<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.24.87'<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: AUTH mismatch: Received AUTH != computed AUTH<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: PSK Authentication failed: AUTH mismatch in I2 Auth
                Payload!<br>
              </p>
              <p>Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512
                uid=0 auid=4294967295 ses=4294967295 subj=kernel
                msg='op=start direction=responder conn-name="s2s"
                connstate=84 ike-version=2.0 auth=PRESHARED_KEY
                cipher=aes_gcm_16 ksize=256 integ=none prf=sha512
                pfs=DH19  raddr=192.168.24.87
                exe="/usr/libexec/ipsec/pluto" hostname=?
                addr=192.168.152.254 terminal=? res=failed'<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: responding to IKE_AUTH message (ID 1) from
                192.168.24.87:4500 with encrypted notification
                AUTHENTICATION_FAILED<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: encountered fatal error in state STATE_PARENT_R1<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87
                #84: deleting state (STATE_PARENT_R1) aged 0.037191s and
                NOT sending notification<br>
              </p>
              <p>Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9]
                192.168.24.87: deleting connection instance with peer
                192.168.24.87 {isakmp=#0/ipsec=#0}</p>
            </blockquote>
            <p>The "left" config:</p>
            <blockquote>
              <pre># Site-to-Site (s2s) Config
conn s2s
    rekey=yes
    left=192.168.152.254
    leftsubnet=192.168.152.0/24
    right=%any
    ikelifetime=28800s
    authby=secret
    type=tunnel
    auto=add
    ikev2=insist
    fragmentation=yes</pre>
            </blockquote>
            <p>The "left" secrets:</p>
            <blockquote>
              <pre>192.168.152.254 %any : PSK "SooperSekretString"</pre>
            </blockquote>
            <p>The "right" config:</p>
            <blockquote>
              <pre>#Site-to-Site (s2s) Config
conn s2s
    rekey=yes
    left=%defaultroute
    right=bkearney.ddns.net
    ikelifetime=28800s
    authby=secret
    type=tunnel
    auto=start
    ikev2=insist
    fragmentation=yes</pre>
            </blockquote>
            <p>The "right" secrets:</p>
            <blockquote>
              <pre>%any @ext.dyndns.tld : PSK "SooperSekretString"</pre>
            </blockquote>
            <p>Any insight would be greatly appreciated.  I am at a loss
              as to where I am messing this up.</p>
            <p>Thank you,</p>
            <p>Brendan Kearney<br>
            </p>
            <span>_______________________________________________</span><br>
            <span>Swan mailing list</span><br>
            <span><a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a></span><br>
            <span><a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br>
          </div>
        </blockquote>
      </div>
    </blockquote>
  

</div></blockquote></body></html>