List members,

I am going in circles trying to figure out where I have gone wrong and could use some help. I have a libreswan instance behind my router, thus I am using NAT-T on the "left" side. I am trying to test with a client on my network, accessing my dyn-dns name (the external IP of my router), and being forwarded to the libreswan instance.

All the routing is working and connections initiate, but they do not complete because auth fails. I get the following logs, which indicate the error:

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: local IKE proposals (IKE SA responder matching remote proposals):

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: 5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals
      1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match]
      2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256
      3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256
      4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
      5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
      6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
      7:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
      8:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_384
      9:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_384
      10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384
      11:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
      12:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384
      13:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
      14:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1...

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.24.87'

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: AUTH mismatch: Received AUTH != computed AUTH

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: PSK Authentication failed: AUTH mismatch in I2 Auth Payload!

   Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=responder conn-name="s2s" connstate=84 ike-version=2.0 auth=PRESHARED_KEY cipher=aes_gcm_16 ksize=256 integ=none prf=sha512 pfs=DH19  raddr=192.168.24.87 exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.152.254 terminal=? res=failed'

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: responding to IKE_AUTH message (ID 1) from 192.168.24.87:4500 with encrypted notification AUTHENTICATION_FAILED

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: encountered fatal error in state STATE_PARENT_R1

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: deleting state (STATE_PARENT_R1) aged 0.037191s and NOT sending notification

   Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: deleting connection instance with peer 192.168.24.87 {isakmp=#0/ipsec=#0}

The "left" config:

   # Site-to-Site (s2s) Config
   conn s2s
        rekey=yes
        left=192.168.152.254
        leftsubnet=192.168.152.0/24
        right=%any
        ikelifetime=28800s
        authby=secret
        type=tunnel
        auto=add
        ikev2=insist
        fragmentation=yes

The "left" secrets:

   192.168.152.254 %any : PSK "SooperSekretString"

The "right" config:

   #Site-to-Site (s2s) Config
   conn s2s
        rekey=yes
        left=%defaultroute
        right=bkearney.ddns.net
        ikelifetime=28800s
        authby=secret
        type=tunnel
        auto=start
        ikev2=insist
        fragmentation=yes

The "right" secrets:

   %any @ext.dyndns.tld : PSK "SooperSekretString"

Any insight would be greatly appreciated. I am at a loss as to where I am messing this up.

Thank you,

Brendan Kearney
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
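As an added example (not part of the post above and not libreswan code), here is a small Python triage script for pluto log lines of the shape quoted in the message: it groups lines by connection and IKE SA number, pulls out the chosen IKE_SA_INIT proposal, the peer ID the responder authenticated, whether IKE_AUTH arrived on the NAT-T port, and the PSK failure, then turns that into findings a reviewer can act on. The sample log is a constructed copy of the post's lines re-joined one per line; the record fields, the regexes and the wording of the findings are my own assumptions about how to read this output, not anything pluto itself defines.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input: the pluto lines quoted in the post, each re-joined onto
# one line as syslog writes them (the mail client had wrapped the originals).
SAMPLE_LOG = """\
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: local IKE proposals (IKE SA responder matching remote proposals):
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.24.87'
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: AUTH mismatch: Received AUTH != computed AUTH
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: PSK Authentication failed: AUTH mismatch in I2 Auth Payload!
Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=responder conn-name="s2s" connstate=84 ike-version=2.0 auth=PRESHARED_KEY cipher=aes_gcm_16 ksize=256 integ=none prf=sha512 pfs=DH19  raddr=192.168.24.87 exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.152.254 terminal=? res=failed'
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: responding to IKE_AUTH message (ID 1) from 192.168.24.87:4500 with encrypted notification AUTHENTICATION_FAILED
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: deleting state (STATE_PARENT_R1) aged 0.037191s and NOT sending notification
"""

# One pluto line: timestamp, host, pid, "conn"[instance] peer [#sa]: message.
# The audit[] line deliberately does not match; it is a different subsystem.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
PROPOSAL_RE = re.compile(r'proposal (?P<prop>\S+) chosen from remote proposals')
PEER_ID_RE = re.compile(r"peer ID is (?P<type>ID_\w+): '(?P<id>[^']*)'")
IKE_AUTH_RE = re.compile(
    r'responding to IKE_AUTH message .* from (?P<src>\S+):(?P<port>\d+) '
    r'with encrypted notification (?P<notify>\S+)'
)


@dataclass
class IkeSaRecord:
    """What we learned about one IKE SA (pluto's "#N") from the log."""
    conn: str
    sa: str
    peer: str
    chosen_proposal: Optional[str] = None
    peer_id_type: Optional[str] = None
    peer_id: Optional[str] = None
    auth_method: Optional[str] = None   # e.g. "PSK", taken from the failure line
    auth_failed: bool = False
    ike_auth_port: Optional[int] = None  # 4500 means NAT-T encapsulation is in use
    notification: Optional[str] = None


def parse_pluto_log(lines: Iterable[str]) -> Dict[Tuple[str, str], IkeSaRecord]:
    """Group pluto lines by (connection, IKE SA number) and extract the key facts."""
    records: Dict[Tuple[str, str], IkeSaRecord] = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or not m.group("sa"):
            continue  # not a pluto line, or not tied to a specific IKE SA
        key = (m.group("conn"), m.group("sa"))
        rec = records.setdefault(key, IkeSaRecord(m.group("conn"), m.group("sa"), m.group("peer")))
        msg = m.group("msg")
        if pm := PROPOSAL_RE.search(msg):
            rec.chosen_proposal = pm.group("prop")
        elif im := PEER_ID_RE.search(msg):
            rec.peer_id_type, rec.peer_id = im.group("type"), im.group("id")
        elif "Authentication failed" in msg:
            rec.auth_failed = True
            rec.auth_method = msg.split(" Authentication failed")[0]
        elif am := IKE_AUTH_RE.search(msg):
            rec.ike_auth_port = int(am.group("port"))
            rec.notification = am.group("notify")
    return records


def triage(rec: IkeSaRecord) -> List[str]:
    """Turn one IKE SA record into findings a reviewer can act on (wording is mine)."""
    out: List[str] = []
    if rec.ike_auth_port == 4500:
        out.append("IKE_AUTH arrived on UDP/4500, so NAT traversal is in effect for this peer")
    if rec.chosen_proposal:
        out.append(f"IKE_SA_INIT completed with {rec.chosen_proposal}; crypto negotiation is not the problem")
    if rec.auth_failed and rec.auth_method == "PSK":
        out.append(
            f"responder's computed AUTH differs from the initiator's for peer ID "
            f"{rec.peer_id_type} {rec.peer_id!r}: with PSK auth both ends derive AUTH from the same "
            f"shared secret, so check which secrets entry each side selects for this pair of IDs"
        )
    return out


if __name__ == "__main__":
    for (conn, sa), rec in parse_pluto_log(SAMPLE_LOG.splitlines()).items():
        print(f'"{conn}" #{sa} peer {rec.peer}')
        for finding in triage(rec):
            print("  -", finding)
```

Lines that are not bound to an IKE SA number (the responder's own proposal list, the audit record) are skipped on purpose; the failure of interest is always reported under a "#N" state, and the peer ID line is the one that tells you which identity the responder used when it looked up the secret.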