[Openswan Users] No preshared key found

tvsjr tvsjr at sprynet.com
Sun Jan 30 14:22:18 CET 2005


I did change IP addresses. That's the only thing I changed. Using the 2.2.0
RPMs with identical configuration files, everything works perfectly. I don't
know why the WinXP client is asking for 1DES, but 2.2.0 establishes a 3DES
connection just fine, 2.3.0 dies.

Pfs=no at the recommendation of Jacco's interoperability configuration.

Yep, absolutely positive where the data is. I didn't try ipsec
--rereadsecrets... it gives no error under 2.2.0, unsure on 2.3.0.

Disabling OE is the easy thing. The oddities of the configuration in 2.3.0
are the real problem...

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Sunday, January 30, 2005 8:43 AM
To: tvsjr
Cc: users at openswan.org
Subject: Re: [Openswan Users] No preshared key found

On Sat, 29 Jan 2005, tvsjr wrote:

> running Fedora Core 3. I've just installed Openswan 2.3.0. I'm using the
> same config files as I was on a Fedora Core 2 box running, I believe,
> 2.2.0.

> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2: Can't
> authenticate: no preshared key found for '192.168.222.1' and '%any'.
> Attribute OAKLEY_AUTHENTICATION_METHOD.

You didn't change IP addresses when you upgraded the machine? Odd.

> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2:
> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM.

Someone is asking 1DES and is being rejected. As it should be. Change
192.168.222.50 to not request 1DES. Though even openswan-2.2.x will have
rejected this.

> conn DMZ
>            authby=secret
>            pfs=no
>            left=192.168.222.1
>            leftprotoport=17/0
>            right=%any
>            rightprotoport=17/1701
>            auto=add

Why pfs=no? It's better to use pfs=yes.

> And ipsec.secrets:
>
> 192.168.222.1 %any: PSK "thisisatest"

Are you sure there was no change by the rpm, and that your stuff is in
ipsec.secrets.rpmsave ?
Does 'ipsec --rereadsecrets' give any error?

> Interestingly enough, using the Fedora Core 3 RPM for 2.3.0 available on
> the website (downloaded today), I had to add the ignore statements for the
> OE policy groups. I thought Openswan shipped with those already disabled.
> Is this an issue with 2.3.0, or am I missing something?

I mistakenly enabled OE on our rpm because that is what I am running myself.
The next version will have OE disabled again until we've fully integrated
key sending using dhclient and/or zeroconf again, and when we have updated
the OE scheme to use source based routing, instead of the current
'routing hack'.

Paul
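A small checker, added here and not part of this thread or of Openswan, that parses ipsec.secrets-style PSK lines and tests whether one of them covers the ID pair named in the "no preshared key found" log line above (192.168.222.1 and %any). The matching rule is a simplified assumption about Pluto's lookup, and the secrets text is constructed from the line quoted in the thread.

```python
"""Check whether an ipsec.secrets file has a PSK for a given ID pair.

Simplified model of the lookup behind "no preshared key found": a line
matches when its selector lists the local ID and either the remote ID
or %any. Written for this thread; not Openswan code.
"""
import re

# Constructed sample mirroring the secrets line quoted in the thread.
SAMPLE_SECRETS = '''
# comments and blank lines are ignored
192.168.222.1 %any: PSK "thisisatest"
10.0.0.1 10.0.0.2: PSK "otherkey"
'''


def parse_psk_lines(text):
    """Return [(selector_ids, key), ...] for each 'ids: PSK "key"' line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line or ':' not in line:
            continue
        selector, _, rest = line.partition(':')
        m = re.match(r'\s*PSK\s+"([^"]*)"', rest)
        if not m:
            continue                             # RSA etc. not handled here
        entries.append((selector.split(), m.group(1)))
    return entries


def find_psk(entries, local_id, remote_id):
    """Return the first key whose selector covers (local_id, remote_id).

    Assumed rule: local_id must be listed; remote_id must be listed or the
    selector must contain %any (which also satisfies a remote of %any).
    """
    for ids, key in entries:
        if local_id in ids and (remote_id in ids or '%any' in ids):
            return key
    return None


if __name__ == '__main__':
    entries = parse_psk_lines(SAMPLE_SECRETS)
    for local, remote in [('192.168.222.1', '%any'), ('192.168.222.2', '%any')]:
        key = find_psk(entries, local, remote)
        print(local, remote, '->', 'found' if key else 'no preshared key found')
```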
