[Openswan Users] but no connection has been authorized with policy=PSK

Willie Gillespie wgillespie+openswan at es2eng.com
Mon Apr 11 19:52:17 EDT 2011


On 4/11/2011 2:56 PM, Thomas Schweikle wrote:
> Am 11.04.2011 22:43, schrieb Paul Wouters:
>> On Mon, 11 Apr 2011, Thomas Schweikle wrote:
>>
>>> packet from ww.xx.yy.zz:61986: initial Main Mode message received on
>>> 222.66.77.27:500 but no connection has been authorized with policy=PSK
>>
>> You wrote before:
>>
>>           # LOCAL
>>           leftid=          @rz
>>           left=            222.66.77.27
>>           leftnexthop=     222.66.77.1
>>           leftsubnet=      192.168.180.0/23
>>           #
>>           # REMOTE
>>           rightid=         @openswan
>>           right=           192.168.1.4
>>           rightnexthop=    192.168.1.1
>>           rightsubnet=     192.168.1.0/24
>>
>>
>> Clearly ww.xx.yy.zz is not matching 192.168.1.4, or it is not using "openswan" as its id.
>
> Hmmm. My setup is as follows:
>
> openswan (192.168.1.4) -->  router/nat (with unknown IP, since it
> changes every day once --- this is ww.xx.yy.zz) -->  RZ
> (222.66.77.27) -->  Inside (192.168.180.27)
>
> on the server side:
>          leftid=          @rz
>          left=            222.66.77.27
>          leftnexthop=     222.66.77.1
>          leftsubnet=      192.168.180.0/23
>          #
>          # REMOTE
>          rightid=         @openswan
>          right=           192.168.1.4
>          rightnexthop=    192.168.1.1
>          rightsubnet=     192.168.1.0/24
>
>
> on the client side:
>          leftid=          @openswan
>          left=            192.168.1.4
>          leftnexthop=     192.168.1.1
>          leftsubnet=      192.168.1.0/24
>          #
>          # REMOTE
>          rightid=         @rz
>          right=           222.66.77.27
>          rightnexthop=    222.66.77.1
>          rightsubnet=     192.168.180.0/23
>
> I had to switch left and right for the client, because if I left it
> as it was (two identical config-files), I did not even see
> connection attempts.

Okay, jumping in here.

The client side (@openswan side) looks okay.  The left needs to be an 
address on that machine.  It is: 192.168.1.4, so that's good.

However, on the server side (@rz side), it sees the packets coming from 
ww.xx.yy.zz, so that's what it needs defined in the connection.  Not 
192.168.1.4.  Unfortunately for you, it changes every day, so you are in 
the same situation as a road-warrior configuration, where you may have 
to use %any for right= on the @rz side of things.

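To make that road-warrior shape concrete, here is an added example of what the @rz (server) side connection could look like with right=%any. It is not from the thread and is not Thomas's actual configuration: the connection name, the secret and the auto= choices are assumptions, and the addresses and subnets are simply the ones quoted above.

```conf
# Added example, not from the thread: server-side (@rz) ipsec.conf for a
# peer whose public address (the NAT router, ww.xx.yy.zz) changes daily.
config setup
        # The @openswan box sits behind a NAT router, so let pluto detect
        # the NAT and use UDP encapsulation (UDP/4500).
        nat_traversal=yes

conn rz-openswan
        # LOCAL
        leftid=          @rz
        left=            222.66.77.27
        leftnexthop=     222.66.77.1
        leftsubnet=      192.168.180.0/23
        #
        # REMOTE: the packets arrive from the NAT router's address, not
        # from 192.168.1.4, and that address changes. Match any source
        # address and rely on the peer's ID instead. No rightnexthop, since
        # that only makes sense for a fixed peer address.
        rightid=         @openswan
        right=           %any
        rightsubnet=     192.168.1.0/24
        authby=          secret
        # The server cannot initiate towards an unknown address: load the
        # conn and wait for the client, which keeps auto=start on its side.
        auto=            add

# Matching ipsec.secrets line (assumed form; replace the secret). In Main
# Mode the peer's ID arrives encrypted, so pluto has to pick the PSK by
# source address before it knows the ID; with right=%any the secret must
# therefore be keyed on %any as well:
#
#   222.66.77.27 %any : PSK "example-shared-secret-replace-me"
```

The caveat that follows from that last point: with a %any peer in Main Mode, the PSK is selected before the identity is verified, so anyone who knows that secret can present themselves as @openswan from any address; the rightid= only narrows the match after the key has already been used. If more than one remote site ends up in this position, they all have to share the same PSK, which is the usual reason road-warrior setups move to RSA keys or certificates.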
