It really seems the PSKs are not the same. If you changed them, ensure to 
restart ipsec or run “ipsec secrets” to reload.

It might also be that you have multiple secrets labeled with %any and another 
entry is picked? Try to just stick with @leftid and @rightid without using %any.

Paul

Sent using a virtual keyboard on a phone

> On Sep 12, 2022, at 14:07, Brendan Kearney <[email protected]> wrote:
> 
> 
> list members,
> 
> I am going in circles trying to figure out where I have gone wrong and could 
> use some help.  I have a libreswan instance behind my router, thus am using 
> NAT-T on the "left" side.  I am trying to test with a client on my network, 
> accessing my dyn-dns name (external IP of my router), and being forwarded to 
> the libreswan instance.
> 
> All the routing is working and connections initiate, but do not complete 
> because auth fails.  I get the following logs, which indicate the error:
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: local IKE proposals 
> (IKE SA responder matching remote proposals):
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   
> 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   
> 2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   
> 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   
> 4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:   
> 5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: proposal 
> 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 
> 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match] 
> 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 
> 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256 
> 4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 
> 5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 
> 6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 
> 7:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 
> 8:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_384 
> 9:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_384 
> 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384 
> 11:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384 
> 12:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384 
> 13:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384 
> 14:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1...
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: sent IKE_SA_INIT 
> reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 
> group=DH19}
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: processing 
> decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: IKEv2 mode peer 
> ID is ID_IPV4_ADDR: '192.168.24.87'
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: AUTH mismatch: 
> Received AUTH != computed AUTH
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: PSK 
> Authentication failed: AUTH mismatch in I2 Auth Payload!
> 
> Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512 uid=0 auid=4294967295 
> ses=4294967295 subj=kernel msg='op=start direction=responder conn-name="s2s" 
> connstate=84 ike-version=2.0 auth=PRESHARED_KEY cipher=aes_gcm_16 ksize=256 
> integ=none prf=sha512 pfs=DH19  raddr=192.168.24.87 
> exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.152.254 terminal=? 
> res=failed'
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: responding to 
> IKE_AUTH message (ID 1) from 192.168.24.87:4500 with encrypted notification 
> AUTHENTICATION_FAILED
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: encountered 
> fatal error in state STATE_PARENT_R1
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: deleting state 
> (STATE_PARENT_R1) aged 0.037191s and NOT sending notification
> 
> Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: deleting connection 
> instance with peer 192.168.24.87 {isakmp=#0/ipsec=#0}
> 
> the "left" config:
> 
> # Site-to-Site (s2s) Config
> conn s2s
>     rekey=yes
>     left=192.168.152.254
>     leftsubnet=192.168.152.0/24
>     right=%any
>     ikelifetime=28800s
>     authby=secret
>     type=tunnel
>     auto=add
>     ikev2=insist
>     fragmentation=yes
> 
> the "left" secrets:
> 
> 192.168.152.254 %any : PSK "SooperSekretString"
> 
> the "right" config:
> 
> #Site-to-Site (s2s) Config
> conn s2s
>     rekey=yes
>     left=%defaultroute
>     right=bkearney.ddns.net
>     ikelifetime=28800s
>     authby=secret
>     type=tunnel
>     auto=start
>     ikev2=insist
>     fragmentation=yes
> 
> the "right" secrets:
> 
> %any @ext.dyndns.tld : PSK "SooperSekretString"
> 
> Any insight would be greatly appreciated.  I am at a loss as to where I am 
> messing this up.
> 
> Thank you,
> 
> Brendan Kearney
> 
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
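As an added example (not part of the thread and not libreswan's own code), the following Python lint takes the two `ipsec.secrets` lines quoted above plus the pluto log and reports the kinds of PSK problems Paul raises: an entry that does not cover the IDs actually in use, several `%any` entries with different keys, and a PSK that differs between the ends. It uses a deliberately simplified model of libreswan's secret lookup, which is an assumption rather than the real algorithm: IDs on a line match literally or via `%any`, and an end that sets no `leftid`/`rightid` identifies itself by its configured address (192.168.152.254 on the left, 192.168.24.87 on the right, both taken from the thread). The pinned ID `@client` is a constructed placeholder.

```python
"""Lint ipsec.secrets-style PSK entries for both ends of a tunnel.

Added example, not libreswan code. Simplified lookup model (assumption):
  * a line is  <id> <id> ... : PSK "<secret>"
  * an ID pattern matches literally or when it is %any
  * a line is usable when one listed ID covers the local ID and a
    different listed ID covers the peer ID
  * with no leftid/rightid set, an end's ID is its IP address, so an
    @fqdn entry never covers it
Real libreswan also ranks matches by specificity; this lint only shows
which entries could match so ambiguity and ID mismatches are visible
before AUTH payloads are compared.
"""
import re
from dataclasses import dataclass
from typing import List

# whitespace-separated IDs, then ": PSK" and a double-quoted secret
PSK_LINE = re.compile(r'^(?P<ids>[^:]+?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"$')

# pluto lines that signal a failed PSK authentication (from the thread's log)
AUTH_FAIL = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
                       r'#\d+: (?P<msg>AUTH mismatch.*|PSK Authentication failed.*)')


@dataclass(frozen=True)
class Secret:
    ids: tuple
    psk: str


def parse_secrets(text: str) -> List[Secret]:
    """Parse PSK lines; blank lines and '#' comment lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = PSK_LINE.match(line)
        if m is None:
            raise ValueError(f'line {lineno}: not a PSK entry: {raw!r}')
        entries.append(Secret(tuple(m.group('ids').split()), m.group('psk')))
    return entries


def id_covers(pattern: str, ident: str) -> bool:
    return pattern == '%any' or pattern == ident


def usable(entry: Secret, local_id: str, peer_id: str) -> bool:
    """True when one listed ID covers local_id and a different one covers peer_id."""
    ids = entry.ids
    if len(ids) == 1:
        return id_covers(ids[0], local_id) and id_covers(ids[0], peer_id)
    return any(id_covers(ids[i], local_id) and id_covers(ids[j], peer_id)
               for i in range(len(ids)) for j in range(len(ids)) if i != j)


def candidates(entries: List[Secret], local_id: str, peer_id: str) -> List[Secret]:
    return [e for e in entries if usable(e, local_id, peer_id)]


def lint_pair(left_text: str, right_text: str, left_id: str, right_id: str) -> List[str]:
    """Findings for one tunnel; the left sees (local=left_id, peer=right_id),
    the right sees the reverse. An empty list means both ends agree on one PSK."""
    findings, chosen = [], {}
    for side, text, local, peer in (('left', left_text, left_id, right_id),
                                    ('right', right_text, right_id, left_id)):
        hits = candidates(parse_secrets(text), local, peer)
        if not hits:
            findings.append(f'{side}: no PSK entry covers local={local} peer={peer}')
        elif len(hits) > 1 and len({h.psk for h in hits}) > 1:
            findings.append(f'{side}: {len(hits)} entries match with different PSKs '
                            f'(%any ambiguity); pin the IDs instead')
        else:
            chosen[side] = hits[0].psk
            if '%any' in hits[0].ids:
                findings.append(f'{side}: match relies on %any; prefer explicit IDs')
    if len(chosen) == 2 and chosen['left'] != chosen['right']:
        findings.append('PSK differs between left and right')
    return findings


def auth_failures(log_text: str):
    """Detection helper: (conn, peer, message) for each pluto auth-failure line."""
    return [(m.group('conn'), m.group('peer'), m.group('msg'))
            for m in map(AUTH_FAIL.search, log_text.splitlines()) if m]


# Sample inputs: secrets as quoted in the thread; IDs follow the model above.
LEFT_SECRETS = '192.168.152.254 %any : PSK "SooperSekretString"\n'
RIGHT_SECRETS = '%any @ext.dyndns.tld : PSK "SooperSekretString"\n'
LEFT_ID, RIGHT_ID = '192.168.152.254', '192.168.24.87'
# The remedy Paul suggests: explicit IDs on both ends (@client is a placeholder).
PINNED = '@ext.dyndns.tld @client : PSK "SooperSekretString"\n'

if __name__ == '__main__':
    for f in lint_pair(LEFT_SECRETS, RIGHT_SECRETS, LEFT_ID, RIGHT_ID):
        print('as posted:', f)
    print('pinned IDs:', lint_pair(PINNED, PINNED, '@ext.dyndns.tld', '@client') or 'clean')
```

Run against the posted secrets, the lint reports that the left's match only works through `%any` and that nothing on the right covers `local=192.168.24.87 peer=192.168.152.254`, because `@ext.dyndns.tld` is an FQDN-style ID while the conn never sets one. With the same `@id @id` line on both ends it reports nothing, which is the configuration Paul recommends.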