That seems to have done the trick, but I thought I was doing that, albeit
via a different command:
ipsec auto --rereadsecrets
vs
ipsec secrets
Is there a difference between the two commands? In either case, thanks
for the pointer.
Brendan
On 9/12/22 3:13 PM, Paul Wouters wrote:
It really seems the PSKs are not the same. If you changed them, make sure
to restart ipsec or run "ipsec secrets" to reload.
It might also be that you have multiple secrets labeled with %any and
another entry is picked? Try to just stick with @leftid and @rightid
without using %any.
Paul
Sent using a virtual keyboard on a phone
On Sep 12, 2022, at 14:07, Brendan Kearney <[email protected]> wrote:
List members,
I am going in circles trying to figure out where I have gone wrong
and could use some help. I have a libreswan instance behind my
router, thus am using NAT-T on the "left" side. I am trying to test
with a client on my network, accessing my dyn-dns name (external IP
of my router), and being forwarded to the libreswan instance.
All the routing is working and connections initiate, but do not
complete because auth fails. I get the following logs, which
indicate the error:
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: local
IKE proposals (IKE SA responder matching remote proposals):
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:
1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:
2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:
3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:
4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87:
5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from
remote proposals
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256[first-match]
2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256
4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
7:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
8:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_384
9:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_384
10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384
11:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
12:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384
13:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_384
14:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1...
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: sent
IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a
prf=HMAC_SHA2_512 group=DH19}
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.24.87'
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: AUTH
mismatch: Received AUTH != computed AUTH
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84: PSK
Authentication failed: AUTH mismatch in I2 Auth Payload!
Sep 12 13:47:23 vpn audit[1512]: CRYPTO_IKE_SA pid=1512 uid=0
auid=4294967295 ses=4294967295 subj=kernel msg='op=start
direction=responder conn-name="s2s" connstate=84 ike-version=2.0
auth=PRESHARED_KEY cipher=aes_gcm_16 ksize=256 integ=none
prf=sha512 pfs=DH19 raddr=192.168.24.87
exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.152.254
terminal=? res=failed'
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
responding to IKE_AUTH message (ID 1) from 192.168.24.87:4500
with encrypted notification AUTHENTICATION_FAILED
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
encountered fatal error in state STATE_PARENT_R1
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87 #84:
deleting state (STATE_PARENT_R1) aged 0.037191s and NOT sending
notification
Sep 12 13:47:23 vpn pluto[1512]: "s2s"[9] 192.168.24.87: deleting
connection instance with peer 192.168.24.87 {isakmp=#0/ipsec=#0}
The "left" config:
# Site-to-Site (s2s) Config
conn s2s
    rekey=yes
    left=192.168.152.254
    leftsubnet=192.168.152.0/24
    right=%any
    ikelifetime=28800s
    authby=secret
    type=tunnel
    auto=add
    ikev2=insist
    fragmentation=yes
The "left" secrets:
192.168.152.254 %any : PSK "SooperSekretString"
The "right" config:
#Site-to-Site (s2s) Config
conn s2s
    rekey=yes
    left=%defaultroute
    right=bkearney.ddns.net
    ikelifetime=28800s
    authby=secret
    type=tunnel
    auto=start
    ikev2=insist
    fragmentation=yes
The "right" secrets:
%any @ext.dyndns.tld : PSK "SooperSekretString"
Any insight would be greatly appreciated. I am at a loss as to where
I am messing this up.
Thank you,
Brendan Kearney
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
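Added illustration of the two failure modes Paul's reply points at (a changed key that was not reloaded, and several %any entries covering the same peer). This is constructed example code, not libreswan's own, and the matching rules are a simplified assumption about how pluto picks a secret: an entry applies if each of the local and peer IDs is either listed exactly or covered by %any, entries with more exact matches are preferred, and a tie is flagged as ambiguous. The secrets contents and the @vpn.left.example / @vpn.right.example IDs are constructed; the IP addresses come from the log in the thread.

```python
"""Simplified model of PSK lookup from a libreswan-style ipsec.secrets file.

Constructed illustration for the thread above. The matching rules are an
assumption (an approximation of pluto's behaviour), not libreswan code.
"""
import re
from dataclasses import dataclass

# Constructed sample: a stale line left behind after the key was changed.
# Both lines cover the same (local, peer) pair, so the lookup is ambiguous
# and the old key can win, giving "AUTH mismatch" on the responder.
LEFT_SECRETS_STALE = """
192.168.152.254 %any : PSK "OldSekretString"
192.168.152.254 %any : PSK "SooperSekretString"
"""

# Constructed sample: IDs pinned with @leftid / @rightid style names
# (hypothetical names), one entry per peer and no %any wildcard.
LEFT_SECRETS_PINNED = """
@vpn.left.example @vpn.right.example : PSK "SooperSekretString"
"""
RIGHT_SECRETS_PINNED = """
@vpn.right.example @vpn.left.example : PSK "SooperSekretString"
"""

# <index> <index> ... : PSK "<key>"   (no indices at all means %any)
LINE_RE = re.compile(r'^(?P<idx>[^:]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"$')


@dataclass
class Secret:
    indices: list
    psk: str


def parse_secrets(text):
    """Parse PSK lines; '#' comments and blank lines are skipped."""
    secrets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported secrets line: {raw!r}")
        indices = m.group("idx").split() or ["%any"]
        secrets.append(Secret(indices, m.group("psk")))
    return secrets


def match_quality(secret, local_id, remote_id):
    """None if the entry does not cover this pair; otherwise the number of
    exact (non-%any) index matches, used to prefer specific entries."""
    quality = 0
    for wanted in (local_id, remote_id):
        if wanted in secret.indices:
            quality += 1
        elif "%any" not in secret.indices:
            return None
    return quality


def select_psk(secrets, local_id, remote_id):
    """Return (psk, ambiguous). The best-scoring entry wins; if several tie
    for best, the first one is used and the lookup is flagged ambiguous."""
    best, best_q, ties = None, -1, 0
    for s in secrets:
        q = match_quality(s, local_id, remote_id)
        if q is None:
            continue
        if q > best_q:
            best, best_q, ties = s, q, 1
        elif q == best_q:
            ties += 1
    return (None, False) if best is None else (best.psk, ties > 1)


def same_psk_both_sides(left_text, right_text, left_id, right_id):
    """Pre-flight check: do both peers resolve the same key for this pair?
    Each side looks up with its own ID first and the peer's ID second."""
    left_psk, _ = select_psk(parse_secrets(left_text), left_id, right_id)
    right_psk, _ = select_psk(parse_secrets(right_text), right_id, left_id)
    return left_psk is not None and left_psk == right_psk


if __name__ == "__main__":
    # Responder's view from the log: local 192.168.152.254, peer 192.168.24.87
    print(select_psk(parse_secrets(LEFT_SECRETS_STALE),
                     "192.168.152.254", "192.168.24.87"))
    print(select_psk(parse_secrets(LEFT_SECRETS_PINNED),
                     "@vpn.left.example", "@vpn.right.example"))
    print(same_psk_both_sides(LEFT_SECRETS_PINNED, RIGHT_SECRETS_PINNED,
                              "@vpn.left.example", "@vpn.right.example"))
```

Run against the stale file, the lookup for the peer in the log returns the old key and is flagged ambiguous, which is exactly the situation where the responder computes a different AUTH than the initiator sent. With the pinned files, both sides resolve the same single entry and the ambiguity flag is clear. The real check after editing the file is still the one from the thread: reload with "ipsec secrets" (or restart) and confirm in the pluto log that the IKE_AUTH exchange completes.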