Hello Lorenzo,

That's one that is also puzzling me at times.
Maybe there's a newline at the end of the PSK in the fortigate and
that's not filtered and also not displayed in the UI.
Try entering the PSK there by hand. That way you can't unknowingly
copy newlines - or enter special characters.

Kind regards
Noel

On 26.05.21 at 16:40, Lorenzo Milesi wrote:
Thanks for the quick response.
Gee, I feel ashamed, I'm usually the one spotting typos!! :(

Fixed that; now I apparently have a PSK mismatch, because I get

May 26 16:36:51 vpn01 charon: 03[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500]
May 26 16:36:51 vpn01 charon: 10[MGR] checkout IKEv1 SA by message with SPIs 4e33bc842b30dd31_i 909c49b7e60be2ac_r
May 26 16:36:51 vpn01 charon: 10[MGR] IKE_SA sts-base[5] successfully checked out
May 26 16:36:51 vpn01 charon: 10[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500] (556 bytes)
May 26 16:36:51 vpn01 charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
May 26 16:36:51 vpn01 charon: 10[ENC] could not decrypt payloads

But I'm puzzled, as I'm directly copying from the secrets file to the Fortigate GUI!
My secrets is now:

2.3.8.1 : PSK    "abcde"
Stelle : PSK abcde

(2.3.8.1 being the fortigate public ip)

----- Original Message -----
From: "Noel Kuntze" <noel.kuntze+strongswan-users-ml@thermi.consulting>
To: "Lorenzo Milesi" <lorenzo.mil...@yetopen.com>, "users" <users@lists.strongswan.org>
Sent: Wednesday, May 26, 2021 4:24:31 PM
Subject: Re: [strongSwan] Unable to find PSK for tunnel: no peer config found
Hi Lorenzo,

You are the victim of a typo.

     righid=Stelle
Should be rightid.

Kind regards
Noel

On 26.05.21 at 16:18, Lorenzo Milesi wrote:
Hi.
I'm (still) trying to configure a tunnel between a StrongSwan 5.6.2 (Ubuntu
18.04) host and a Fortigate device. I finally came up with a working
configuration, but now I'm unable to have strongSwan authenticate, I get the
infamous
May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
I tried different formats of selectors but they all fail. I checked the config
several times but I cannot find what's wrong.

My ipsec.secrets:
95.1.8.6 %any : PSK       "abcde"
95.1.8.6 2.3.8.1 : PSK     "abcde"
95.1.8.6 : PSK    "abcde"
Stelle : PSK    "abcde"


My ipsec.conf:
conn sts-base
      keyexchange=ikev1
      fragmentation=yes
      dpdaction=restart
      ike=aes256-sha256-modp3072
      esp=aes256-sha256
      keyingtries=%forever
      leftsubnet=172.32.1.0/24
      lifetime=86400
      leftauth=psk
      rightauth=psk
      righid=Stelle
      auto=start
      right=2.3.8.1

conn site-3-1
      also=sts-base
      leftsubnet=172.32.1.0/24
      rightsubnet=192.168.8.0/24

conn site-3-2
      also=sts-base
      leftsubnet=172.32.1.0/24
      rightsubnet=192.168.9.0/24


Log:
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] remote host is behind NAT
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match local: 1 (ID_ANY)
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match remote: 1 (ID_ANY)
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG]   candidate "sts-base", match: 1/1/2076 (me/other/ike)
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_chunk => 22 bytes @ 0x7ff92cef4ac0
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]    0: D6 50 6B F7 85 FD B6 F3 B1 F8 20 48 71 AD 06 01  .Pk....... Hq...
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]   16: D9 85 12 64 01 F4                                  ...d..
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_hash => 32 bytes @ 0x7ff91000c150
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]    0: D1 DB AE ED 2E B2 94 77 32 7E 51 CE 9B 0A 49 D5  .......w2~Q...I.
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]   16: 11 8F CC 18 33 70 47 FE D0 04 3B 8E EA DF 9E 3D  ....3pG...;....=
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_chunk => 22 bytes @ 0x7ff92cef4ac0
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]    0: D6 50 6B F7 85 FD B6 F3 B1 F8 20 48 71 AD 06 01  .Pk....... Hq...
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]   16: 5F 6E 80 BA 01 F4                                  _n....
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_hash => 32 bytes @ 0x7ff91000c150
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]    0: 27 C0 28 F3 4D E2 DD 93 03 04 E6 98 8A 20 02 3B  '.(.M........ .;
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE]   16: BA AC FF 7F C6 23 EC 1E 9F 77 1A 9E D7 DD EB 11  .....#...w......
May 26 16:05:19 vpn01 ipsec[1367]: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 26 16:05:19 vpn01 ipsec[1367]: 15[NET] sending packet: from 95.1.8.6[500] to 2.3.8.1[500] (524 bytes)
May 26 16:05:19 vpn01 ipsec[1367]: 04[NET] sending packet: from 95.1.8.6[500] to 2.3.8.1[500]
May 26 16:05:19 vpn01 ipsec[1367]: 15[MGR] checkin IKE_SA (unnamed)[102]
May 26 16:05:19 vpn01 ipsec[1367]: 15[MGR] checkin of IKE_SA successful
May 26 16:05:19 vpn01 ipsec[1367]: 03[NET] received packet => 112 bytes @ 0x7ff9326fd440
May 26 16:05:19 vpn01 ipsec[1367]: 03[NET]    0: 00 00 00 00 D6 50 6B F7 85 FD B6 F3 B1 F8 20 48  .....Pk....... H
May 26 16:05:19 vpn01 ipsec[1367]: 03[NET]   16: 71 AD 06 01 05 10 02 01 00 00 00 00 00 00 00 6C  q..............l
May 26 16:05:19 vpn01 charon: 03[NET]    0: 00 00 00 00 D6 50 6B F7 85 FD B6 F3 B1 F8 20 48  .....Pk....... H
May 26 16:05:19 vpn01 ipsec[1367]: 03[NET]   32: DF 47 5C 43 7A CD 60 FF DB 15 51 27 EA 7B 39 1A  .G\Cz.`...Q'.{9.
May 26 16:05:19 vpn01 charon: 03[NET]   16: 71 AD 06 01 05 10 02 01 00 00 00 00 00 00 00 6C  q..............l
May 26 16:05:19 vpn01 charon: 03[NET]   32: DF 47 5C 43 7A CD 60 FF DB 15 51 27 EA 7B 39 1A  .G\Cz.`...Q'.{9.
May 26 16:05:19 vpn01 charon: 03[NET]   48: D2 4E D8 56 36 6B 3C B6 4D 48 4A 65 B1 8B 90 B9  .N.V6k<.MHJe....
May 26 16:05:19 vpn01 charon: 03[NET]   64: E9 67 7F E3 0F 5B 38 43 41 6B DA 67 FD 2C 69 4F  .g...[8CAk.g.,iO
May 26 16:05:19 vpn01 charon: 03[NET]   80: 0D 36 D5 65 67 E5 CE D7 6C D4 44 D3 94 EF 55 CC  .6.eg...l.D...U.
May 26 16:05:19 vpn01 charon: 03[NET]   96: 4F 84 82 E2 05 A0 DD E9 9F FB F2 B5 DE 54 E1 77  O............T.w
May 26 16:05:19 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:19 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:19 vpn01 charon: 13[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:19 vpn01 charon: 13[MGR] IKE_SA (unnamed)[102] successfully checked out
May 26 16:05:19 vpn01 charon: 13[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500] (108 bytes)
May 26 16:05:19 vpn01 charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 26 16:05:19 vpn01 charon: 13[CFG] looking for pre-shared key peer configs matching 95.1.8.6...2.3.8.1[Stelle]
May 26 16:05:19 vpn01 charon: 13[CFG] peer config match local: 1 (ID_ANY)
May 26 16:05:19 vpn01 charon: 13[CFG] peer config match remote: 0 (ID_FQDN -> 53:74:65:6c:6c:65)
May 26 16:05:19 vpn01 charon: 13[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
May 26 16:05:19 vpn01 charon: 13[IKE] queueing INFORMATIONAL task
May 26 16:05:19 vpn01 charon: 13[IKE] activating new tasks
May 26 16:05:19 vpn01 charon: 13[IKE]   activating INFORMATIONAL task
May 26 16:05:19 vpn01 charon: 13[IKE] Hash => 32 bytes @ 0x7ff910017940
May 26 16:05:19 vpn01 charon: 13[IKE]    0: D0 BD F8 53 09 8C 69 43 BF 35 35 59 D3 72 08 B7  ...S..iC.55Y.r..
May 26 16:05:19 vpn01 charon: 13[IKE]   16: BF 25 1F 4A 79 65 78 55 F5 07 30 F5 E4 8F 7A 7D  .%.JyexU..0...z}
May 26 16:05:19 vpn01 charon: 13[ENC] generating INFORMATIONAL_V1 request 3029794389 [ HASH N(AUTH_FAILED) ]
May 26 16:05:19 vpn01 charon: 13[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500] (108 bytes)
May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy IKE_SA (unnamed)[102]
May 26 16:05:19 vpn01 charon: 13[IKE] IKE_SA (unnamed)[102] state change: CONNECTING => DESTROYING
May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy of IKE_SA successful
May 26 16:05:19 vpn01 charon: 04[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500]
May 26 16:05:22 vpn01 charon: 03[NET] received packet => 112 bytes @ 0x7ff9326fd440
May 26 16:05:22 vpn01 charon: 03[NET]    0: 00 00 00 00 D6 50 6B F7 85 FD B6 F3 B1 F8 20 48  .....Pk....... H
May 26 16:05:22 vpn01 charon: 03[NET]   16: 71 AD 06 01 05 10 02 01 00 00 00 00 00 00 00 6C  q..............l
May 26 16:05:22 vpn01 charon: 03[NET]   32: DF 47 5C 43 7A CD 60 FF DB 15 51 27 EA 7B 39 1A  .G\Cz.`...Q'.{9.
May 26 16:05:22 vpn01 charon: 03[NET]   48: D2 4E D8 56 36 6B 3C B6 4D 48 4A 65 B1 8B 90 B9  .N.V6k<.MHJe....
May 26 16:05:22 vpn01 charon: 03[NET]   64: E9 67 7F E3 0F 5B 38 43 41 6B DA 67 FD 2C 69 4F  .g...[8CAk.g.,iO
May 26 16:05:22 vpn01 charon: 03[NET]   80: 0D 36 D5 65 67 E5 CE D7 6C D4 44 D3 94 EF 55 CC  .6.eg...l.D...U.
May 26 16:05:22 vpn01 charon: 03[NET]   96: 4F 84 82 E2 05 A0 DD E9 9F FB F2 B5 DE 54 E1 77  O............T.w
May 26 16:05:22 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:22 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:22 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:22 vpn01 charon: 12[MGR] IKE_SA checkout not successful
May 26 16:05:28 vpn01 charon: 03[NET] received packet => 112 bytes @ 0x7ff9326fd440
May 26 16:05:28 vpn01 charon: 03[NET]    0: 00 00 00 00 D6 50 6B F7 85 FD B6 F3 B1 F8 20 48  .....Pk....... H
May 26 16:05:28 vpn01 charon: 03[NET]   16: 71 AD 06 01 05 10 02 01 00 00 00 00 00 00 00 6C  q..............l
May 26 16:05:28 vpn01 charon: 03[NET]   32: DF 47 5C 43 7A CD 60 FF DB 15 51 27 EA 7B 39 1A  .G\Cz.`...Q'.{9.
May 26 16:05:28 vpn01 charon: 03[NET]   48: D2 4E D8 56 36 6B 3C B6 4D 48 4A 65 B1 8B 90 B9  .N.V6k<.MHJe....
May 26 16:05:28 vpn01 charon: 03[NET]   64: E9 67 7F E3 0F 5B 38 43 41 6B DA 67 FD 2C 69 4F  .g...[8CAk.g.,iO
May 26 16:05:28 vpn01 charon: 03[NET]   80: 0D 36 D5 65 67 E5 CE D7 6C D4 44 D3 94 EF 55 CC  .6.eg...l.D...U.
May 26 16:05:28 vpn01 charon: 03[NET]   96: 4F 84 82 E2 05 A0 DD E9 9F FB F2 B5 DE 54 E1 77  O............T.w
May 26 16:05:28 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:28 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:28 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:28 vpn01 charon: 12[MGR] IKE_SA checkout not successful


thanks
--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
CTO @ YetOpen Srl
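As an added example, not code from strongSwan, FortiOS or either poster: the script below implements the RFC 2409 pre-shared-key derivation (SKEYID, then SKEYID_d, SKEYID_a and SKEYID_e) with HMAC-SHA256 as the prf, matching the ike=aes256-sha256-modp3072 proposal in the conn above, on constructed nonces, cookies and DH secret. It shows that "abcde" and "abcde\n" give different SKEYID_e. Since SKEYID_e is the key the responder uses to decrypt the initiator's first encrypted main-mode message, a PSK that differs only by an invisible newline surfaces as "invalid HASH_V1 payload length, decryption failed?" rather than as an explicit PSK error. It also checks a pasted PSK for the control and edge characters Noel warns about. The secrets-line parser and the hidden_chars helper are illustrations, not strongSwan's own parser.

```python
"""Show why a PSK with an invisible trailing newline breaks IKEv1 main mode.

Added example, not code from strongSwan, FortiOS or the thread. Implements
the RFC 2409 section 5.4/5.5 key derivation for pre-shared-key auth with
HMAC-SHA256 as the prf (the ike=aes256-sha256-modp3072 proposal). All
nonces, cookies and the DH secret below are constructed test values.
"""
import hashlib
import hmac

# Constructed stand-ins for Ni_b, Nr_b, g^xy, CKY-I and CKY-R (not captured).
NI = bytes.fromhex("a1" * 32)
NR = bytes.fromhex("b2" * 32)
GXY = bytes.fromhex("c3" * 384)      # a modp3072 shared secret is 384 bytes
CKY_I = bytes.fromhex("4e33bc842b30dd31")
CKY_R = bytes.fromhex("909c49b7e60be2ac")


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, the IKEv1 prf for a ...-sha256-... proposal."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev1_psk_keys(psk: bytes, ni=NI, nr=NR, gxy=GXY,
                   cky_i=CKY_I, cky_r=CKY_R) -> dict:
    """RFC 2409: SKEYID = prf(PSK, Ni_b | Nr_b), then SKEYID_d/_a/_e."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def psk_from_secrets_line(line: str) -> bytes:
    """Pull the secret out of an ipsec.secrets line such as
    `Stelle : PSK "abcde"` or `Stelle : PSK abcde` (illustrative parser,
    not strongSwan's). A quoted secret keeps everything inside the quotes;
    the line's own newline is never part of the secret."""
    _, _, rhs = line.partition(" : PSK")
    rhs = rhs.strip()
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return rhs[1:-1].encode()
    return rhs.encode()


def hidden_chars(pasted: str) -> list:
    """Characters a web form may accept but not display: CR/LF/TAB,
    leading or trailing spaces, and anything outside printable ASCII."""
    findings = []
    last = len(pasted) - 1
    for i, ch in enumerate(pasted):
        if ch in "\r\n\t":
            findings.append((i, "control", repr(ch)))
        elif ch == " " and i in (0, last):
            findings.append((i, "edge-space", repr(ch)))
        elif not 32 <= ord(ch) < 127:
            findings.append((i, "non-printable", repr(ch)))
    return findings


def same_skeyid_e(secrets_line: str, pasted: str) -> bool:
    """True if the strongSwan side (file) and the peer side (pasted value)
    would derive the same SKEYID_e and so could decrypt each other."""
    ours = ikev1_psk_keys(psk_from_secrets_line(secrets_line))["SKEYID_e"]
    theirs = ikev1_psk_keys(pasted.encode())["SKEYID_e"]
    return hmac.compare_digest(ours, theirs)


if __name__ == "__main__":
    line = 'Stelle : PSK "abcde"'
    for pasted in ("abcde", "abcde\n", " abcde"):
        print(f"pasted={pasted!r}: keys match={same_skeyid_e(line, pasted)}, "
              f"hidden={hidden_chars(pasted)}")
```

Run it as-is to see the three cases; to check a real paste, feed the string you intend to type into the Fortigate form to hidden_chars() before entering it. The derivation itself is the standard one, so the same reasoning applies to any IKEv1 PSK peer, not only FortiOS.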



