[Openswan Users] No preshared key found

Paul Wouters paul at xelerance.com
Sun Jan 30 15:42:50 CET 2005


On Sat, 29 Jan 2005, tvsjr wrote:

> running Fedora Core 3. I've just installed Openswan 2.3.0. I'm using the
> same config files as I was on a Fedora Core 2 box running, I believe, 2.2.0.

> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2: Can't
> authenticate: no preshared key found for '192.168.222.1' and '%any'.
> Attribute OAKLEY_AUTHENTICATION_METHOD.

You didn't change IP addresses when you upgraded the machine? Odd

> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2:
> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM.

Someone is asking for 1DES and is being rejected. As it should be. Change 192.168.222.50
to not request 1DES. Though even openswan-2.2.x will have rejected this.

> conn DMZ
>            authby=secret
>            pfs=no
>            left=192.168.222.1
>            leftprotoport=17/0
>            right=%any
>            rightprotoport=17/1701
>            auto=add

Why pfs=no? It's better to use pfs=yes

> And ipsec.secrets:
>
> 192.168.222.1 %any: PSK "thisisatest"

Are you sure there was no change by the rpm, and that your stuff is in ipsec.secrets.rpmsave?
Does 'ipsec --rereadsecrets' give any error?

> Interestingly enough, using the Fedora Core 3 RPM for 2.3.0 available on the
> website (downloaded today), I had to add the ignore statements for the OE
> policy groups. I thought Openswan shipped with those already disabled. Is
> this an issue with 2.3.0, or am I missing something?

I mistakenly enabled OE on our rpm because that is what I am running myself. The next
version will have OE disabled again until we've fully integrated key sending using dhclient
and/or zeroconf again, and when we have updated the OE scheme to use source based routing,
instead of the current 'routing hack'.

Paul
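
The secrets-file check raised in the message above, as an added example that is not part of the original post or of Openswan's code: it parses ipsec.secrets text and reports which lines hold a PSK entry usable for a given local/peer pair, without ever returning the secret. The function names and the matching rule (exact ID or `%any`/`0.0.0.0` wildcard) are assumptions and a simplification of pluto's own lookup; trailing comments and `include` lines are not handled.

```python
import re
from itertools import permutations

# Constructed sample: the ipsec.secrets entry quoted in the thread, plus a comment line.
SAMPLE_SECRETS = '# constructed sample file\n192.168.222.1 %any: PSK "thisisatest"\n'

WILDCARDS = {"%any", "0.0.0.0"}
# Indices, then a colon followed by whitespace, then the PSK keyword.
ENTRY_RE = re.compile(r"^(.*?):\s+PSK\s")


def parse_psk_entries(text):
    """Return [(line_no, [indices])] for each PSK entry. Secret values are never kept."""
    logical = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or whole-line comment
        if raw[0].isspace() and logical:
            logical[-1][1] += " " + raw.strip()  # indented line continues the entry
        else:
            logical.append([no, raw.strip()])
    entries = []
    for no, line in logical:
        m = ENTRY_RE.match(line)
        if m:
            entries.append((no, m.group(1).split()))
    return entries


def _match(index, ident):
    return index == ident or index in WILDCARDS


def find_psk_lines(text, local_id, peer_id):
    """Line numbers of PSK entries usable for this pair (simplified matching, an assumption)."""
    hits = []
    for no, idx in parse_psk_entries(text):
        if not idx:                      # entry without indices applies to any pair
            ok = True
        elif len(idx) == 1:
            ok = _match(idx[0], local_id) or _match(idx[0], peer_id)
        else:                            # one index must cover each end of the connection
            ok = any(_match(a, local_id) and _match(b, peer_id)
                     for a, b in permutations(idx, 2))
        if ok:
            hits.append(no)
    return hits
```

Running `find_psk_lines` over the contents of both `/etc/ipsec.secrets` and `ipsec.secrets.rpmsave` shows whether the entry survived the package upgrade in the file that is actually loaded.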

