[Openswan Users] No preshared key found
tvsjr
tvsjr at sprynet.com
Sun Jan 30 15:58:29 CET 2005
I'll bump the system back up to 2.3.0 later in the day and try using a fixed
right IP address. That'll also give me an opportunity to check the output of
ipsec --rereadsecrets.
Encryption methods under Windoze are totally non-configurable. The only
thing selectable is the L2TP/PPP authentication used (EAP, PAP, CHAP, etc.)
Nothing about the crypto type of the IPSEC tunnel. My guess is, MS attempts
to make a 3DES connection, which results in failed authentication. Perhaps
assuming that the connection can't handle 3DES, it drops down to 1DES and
tries it again.
I'm still of the opinion that this is the result of some small bug in 2.3.0.
Perhaps I can track it down a bit further.
More later...
Terry
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Jacco de Leeuw
Sent: Sunday, January 30, 2005 3:31 PM
To: users at openswan.org
Subject: Re: [Openswan Users] No preshared key found
>> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2: Can't
>> authenticate: no preshared key found for '192.168.222.1' and '%any'.
>> Attribute OAKLEY_AUTHENTICATION_METHOD.
>
> You didn't change IP addresses when you upgraded the machine? Odd
Perhaps Terry could try with right=<fixedIPaddress> first and then
later on switch to %any.
>> Jan 29 16:32:51 gatekeeper Pluto[6769]: "DMZ"[2] 192.168.222.50 #2:
>> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM.
>
> Someone is asking 1DES and is being rejected. As it should be.
I have seen this lots of times when the peer could not be authenticated.
I don't know if this is specific to Windows, transport mode or L2TP/IPsec
or something, but it seems to be just a result of the previous
authentication problem.
> Change 192.168.222.50 to not request 1DES.
I don't think this is even configurable in the built-in Windows
client.
> why pfs=no? It's better to use pfs=yes
Sadly, the default policy of the Windows client is to reject PFS
(*insert conspiracy theory here*). See also:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#PFS
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users