[Openswan Users] No preshared key found
tvsjr at sprynet.com
Sun Jan 30 15:58:29 CET 2005
I'll bump the system back up to 2.3.0 later in the day and try using a fixed
right IP address. That'll also give me an opportunity to check the output of

Encryption methods under Windoze are totally non-configurable. The only
thing selectable is the L2TP/PPP authentication used (EAP, PAP, CHAP, etc.)
Nothing about the crypto type of the IPSEC tunnel. My guess is, MS attempts
to make a 3DES connection, which results in failed authentication. Perhaps
assuming that the connection can't handle 3DES, it drops down to 1DES and
tries it again.

I'm still of the opinion that is the result of some small bug in 2.3.0.
Perhaps I can track it down a bit further.
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Jacco de Leeuw
Sent: Sunday, January 30, 2005 3:31 PM
To: users at openswan.org
Subject: Re: [Openswan Users] No preshared key found
>> Jan 29 16:32:51 gatekeeper Pluto: "DMZ" 192.168.222.50 #2: Can't
>> authenticate: no preshared key found for '192.168.222.1' and '%any'.
>> Attribute OAKLEY_AUTHENTICATION_METHOD.
> You didn't change IP addresses when you upgraded the machine? Odd
Perhaps Terry could try with right=<fixedIPaddress> first and then
later on switch to %any.
>> Jan 29 16:32:51 gatekeeper Pluto: "DMZ" 192.168.222.50 #2:
>> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM.
> Someone is asking 1DES and is being rejected. As it should be.
I have seen this lots of times when the peer could not be authenticated.
I don't know if this is specific to Windows, transport mode or L2TP/IPsec
or something, but it seems to be just a result of the previous
> Change 192.168.222.50 to not request 1DES.
I don't think this is even configurable in the built-in Windows
> why pfs=no? It's better to use pfs=yes
Sadly, the default policy of the Windows client is to reject PFS
(*insert conspiracy theory here*). See also:
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
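
Added example, not part of the original thread: a small triage script for the two Pluto messages quoted above. It groups rejections by connection, peer and state number so that the preshared-key failure is reported as the primary cause and the OAKLEY_DES_CBC rejection as a follow-on, which is the reading Jacco gives. The sample log is constructed from the lines quoted in the thread (unwrapped), and the function name `triage` and the category labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two Pluto messages quoted in the thread, unwrapped
# onto single lines as syslog would have written them.
SAMPLE_LOG = """\
Jan 29 16:32:51 gatekeeper Pluto: "DMZ" 192.168.222.50 #2: Can't authenticate: no preshared key found for '192.168.222.1' and '%any'. Attribute OAKLEY_AUTHENTICATION_METHOD.
Jan 29 16:32:51 gatekeeper Pluto: "DMZ" 192.168.222.50 #2: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM.
"""

LINE_RE = re.compile(
    r'Pluto: "(?P<conn>[^"]+)" (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
PSK_RE = re.compile(r"no preshared key found for '([^']+)' and '([^']+)'")
ALG_RE = re.compile(r"(OAKLEY_\w+) is not supported")

def triage(log_text):
    """Group rejections by (conn, peer, state) and rank the likely cause."""
    states = defaultdict(lambda: {"psk_ids": None, "rejected_algs": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection Pluto message
        entry = states[(m["conn"], m["peer"], int(m["state"]))]
        psk = PSK_RE.search(m["msg"])
        alg = ALG_RE.search(m["msg"])
        if psk:
            entry["psk_ids"] = psk.groups()      # (local ID, peer ID)
        elif alg:
            entry["rejected_algs"].append(alg.group(1))
    report = {}
    for key, e in states.items():
        # Heuristic (assumption): a missing PSK in the same state outranks
        # any algorithm rejection logged alongside it.
        if e["psk_ids"]:
            primary = "missing-psk"
        elif e["rejected_algs"]:
            primary = "unsupported-algorithm"
        else:
            primary = "unknown"
        report[key] = {"primary": primary, **e}
    return report

if __name__ == "__main__":
    for key, result in triage(SAMPLE_LOG).items():
        print(key, result)
```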