Hosting Provided By

[Users] Pluto policy block PSK

From: Premysl Dedic <dedic(at)expansiongroup.net>
Date: Tue Sep 30 2003 - 08:05:23 EDT

Hi,

I have installed FreeSWAn from RPMs and I successfuly did a tunnel between two endpoints using RSA keys. Now I need to use preshared keys but it do not work (description follows). Can somebody be so kind and tell me what I need to do? Thanks a lot.

Premysl Dedic

Problem:

1I have installed FreeSWAn from RPMs and I successfuly did a tunnel between two endpoints using RSA keys. Now I need to use preshared keys but it do not work. From Pluto's debug output is clear, that Pluto's default policy block incoming connection:

.....

Sep 30 12:06:36 mates pluto[8533]: | ******parse ISAKMP Oakley attribute: Sep 30 12:06:36 mates pluto[8533]: | af+type: OAKLEY_AUTHENTICATION_METHOD

Sep 30 12:06:36 mates pluto[8533]: |    length/value: 1
Sep 30 12:06:36 mates pluto[8533]: |    [1 is OAKLEY_PRESHARED_KEY]
Sep 30 12:06:36 mates pluto[8533]: "mates-ns" #2: policy does not allow

OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
.......

But I really do not know, what I need to set in ipsec.conf file to make my connection work. If I use commandline: ipsec whack --name test --host AAA --to --host BBB --psk it WORKS!

If I print the Pluto's status I will see, that default policy DO NOT CONTAIN a PSK alternative:
....

000 "mates-ns": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mates-ns": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,32; interface: eth0;
000 "mates-ns": newest ISAKMP SA: #0; newest IPsec SA: #0;
....

If I will print it again after "whack" command shown above I will see the change on my "test" connection:
....

000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "test":   policy: PSK; prio: 32,32; interface: eth0;
000 "test":   newest ISAKMP SA: #1; newest IPsec SA: #0;



_______________________________________________

FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr Received on Tue Sep 30 08:13:02 2003

Do you need help?

This message: [ Message body ]
Next message: Sascha Runschke: "Re: [Users] Pluto policy block PSK"
Previous message: MECHEAL HANNS: "[Users] CONGRATULATION,YOU HAVE WON."
Reply: Sascha Runschke: "Re: [Users] Pluto policy block PSK"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:34 EDT