[Openswan Users] No preshared key found
Paul Wouters
paul at xelerance.com
Sun Jan 30 15:42:50 CET 2005
On Sat, 29 Jan 2005, tvsjr wrote:
> running Fedora Core 3. I've just installed Openswan 2.3.0. I'm using the
> same config files as I was on a Fedora Core 2 box running, I believe, 2.2.0.
> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2: Can't
> authenticate: no preshared key found for '192.168.222.1' and '%any'.
> Attribute OAKLEY_AUTHENTICATION_METHOD.

You didn't change IP addresses when you upgraded the machine? Odd.

> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2:
> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM.

Someone is asking for 1DES and is being rejected. As it should be. Change 192.168.222.50
to not request 1DES. Though even openswan-2.2.x will have rejected this.

> conn DMZ
> authby=secret
> pfs=no
> left=192.168.222.1
> leftprotoport=17/0
> right=%any
> rightprotoport=17/1701
> auto=add

Why pfs=no? It's better to use pfs=yes.

> And ipsec.secrets:
>
> 192.168.222.1 %any: PSK "thisisatest"

Are you sure there was no change by the rpm, and that your stuff is in ipsec.secrets.rpmsave?
Does 'ipsec --rereadsecrets' give any error?

> Interestingly enough, using the Fedora Core 3 RPM for 2.3.0 available on the
> website (downloaded today), I had to add the ignore statements for the OE
> policy groups. I thought Openswan shipped with those already disabled. Is
> this an issue with 2.3.0, or am I missing something?

I mistakenly enabled OE on our rpm because that is what I am running myself. The next
version will have OE disabled again until we've fully integrated key sending using dhclient
and/or zeroconf again, and when we have updated the OE scheme to use source based routing,
instead of the current 'routing hack'.

Paul
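
Added example, not part of the original message and not Openswan code: an offline check that a conn using authby=secret has a PSK entry in ipsec.secrets covering its left/right pair, and that flags pfs=no. The input is constructed from the conn and secrets lines quoted in the thread; the function names are hypothetical and the matching rule is a simplified approximation of Pluto's lookup (IPv4/FQDN indices only).

```python
import re
# Constructed sample input mirroring the conn and secrets lines quoted in the thread.
IPSEC_CONF = """\
conn DMZ
    authby=secret
    pfs=no
    left=192.168.222.1
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    auto=add
"""
IPSEC_SECRETS = '192.168.222.1 %any: PSK "thisisatest"\n'
WILDCARDS = {"%any", "0.0.0.0"}  # indices treated as "matches any host" (assumption)

def parse_conn(conf_text, name):
    """Return the key=value settings of one conn section."""
    settings, active = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if line and not line[0].isspace():         # section header, e.g. "conn DMZ"
            active = line.split() == ["conn", name]
        elif active and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_psk_entries(secrets_text):
    """Return the index list of every PSK entry; secret values are not kept."""
    matches = (re.match(r'^([^:#]*):\s*PSK\s+"[^"]*"', l)
               for l in secrets_text.splitlines())
    return [m.group(1).split() for m in matches if m]

def audit(conf_text, secrets_text, name):
    conn = parse_conn(conf_text, name)
    findings = []
    if conn.get("authby") == "secret":
        ends = {conn.get("left"), conn.get("right")}
        # Simplified rule: an entry covers the conn when every index is one
        # of the conn's two ends or a wildcard (an empty index list matches all).
        covered = any(all(i in ends or i in WILDCARDS for i in idx)
                      for idx in parse_psk_entries(secrets_text))
        if not covered:
            findings.append("no PSK entry for %s and %s"
                            % (conn.get("left"), conn.get("right")))
    if conn.get("pfs") == "no":
        findings.append("pfs=no")
    return findings
```

Run against the files actually on disk (for example after an rpm upgrade has left the old content in ipsec.secrets.rpmsave), an empty or mismatched secrets file produces the "no PSK entry" finding.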