[Openswan Users] but no connection has been authorized with policy=PSK

Simon Deziel simon at xelerance.com
Thu Nov 28 16:47:20 UTC 2013


Hi Mohsen,

I think you should have those settings:

  left=%defaultsource
  leftid=ElasticIP
  leftsourceip=ElasticIP
  forceencaps=yes
  auto=add

The Elastic IP shouldn't have the "@" prefix. Your ipsec.secrets should
look like this:

ElasticIP  0.0.0.0 %any: PSK "123"

For a complete example (not using L2TP):
https://github.com/xelerance/Openswan/wiki/Amazon-ec2-example

Regards,
Simon


On 13-11-28 11:31 AM, Mohsen B.Sarmadi wrote:
> Dear all,
> 
> I am using an EC2 Ubuntu 12.04 LTS instance in AWS.
> I used all of the configurations from
> here(http://fortycloud.com/setting-up-ipsecopenswan-in-amazon-ec2/), but
> in auth.log I keep getting
> 
> Nov 28 16:12:22 ip-10-164-25-201 *pluto*[6268]: packet from
> myComputerIP:500: initial Main Mode message received
> on myEC2PrivateIP:500 but no connection has been authorized with policy=PSK
> 
> $cat /etc/ipsec.secrets
> @myEC2PrivateIP %any: PSK "123"
> 
> $ sudo cat /etc/ipsec.conf
> config setup
>    protostack=netkey
>    interfaces=%defaultroute
>    nat_traversal=yes 
> # this will force openswan to use IPSec over UDP - required for EC2
>    force_keepalive=yes
>    keep_alive=60
>    virtual_private=%v4:172.24.0.0/16
> # this Subnet must include range provided in the xl2tpd config file
>    oe=no
>    nhelpers=0
> conn RWConn # road warrior connection description
>    rightsubnet=vhost:%priv
>    type=transport
>    authby=secret
>    pfs=no
>    rekey=no
>    ikelifetime=8h
>    keylife=1h
>    leftprotoport=17/1701
>    left= myEC2PrivateIP
>    leftid=@myEC2PrivateIP
>    rightprotoport=17/%any
>    right=%any
>    auto=ignore
> 
> 
> 
> $ sudo cat /etc/xl2tpd/xl2tpd.conf 
> [global]
> ipsec saref = yes
> ; this must be the private EC2 address allocated to eth0 
> listen-addr = myEC2PrivateIP
> [lns default]
> ; addresses for road warriors will be allocated from this range
> ip range = 172.24.100.1-172.24.100.254    
> ; GW virtual address (must be outside of the above range)
> local ip = 172.24.0.150
> refuse pap = yes
> require authentication = yes
> name = MyGW
> ; points to PPP config file (you can choose your own name)
> pppoptfile = /etc/ppp/options.xl2tpd    
> length bit = yes
> 
> please help me on this.
> thanks
> Mohs
> 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
