Issue #1519
SA establish failed using load-tester as client in PSK scenario, always reporting MAC mismatched on server.
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.4.0
Resolution:
No feedback
Description
Hi
load-tester (strongswan 5.3.0) is used as client and strongswan 5.4.0 is used as server. Auth method is preshared key. Version is ikev2.
You will see that the preshared keys are totally the same on both sides, but the server cannot authenticate the load-tester, always reporting MAC mismatched. I checked and tried lots of times following the document's description. Please help me check the configs on both sides and find the reason. Thanks very much.
Best Wishes!
server side config:
[root@localhost ln]# cat /etc/ipsec.secrets
: PSK "default-psk"
[root@localhost ln]# cat /etc/ipsec/ipsec.conf
config setup
conn tt
    reauth=no
    rekey=no
    dpdaction = none
    keyingtries=%forever
    keyexchange=ikev2
    ike=aes128-sha1-modp2048
    left=10.11.1.1
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=%any
    rightid = %any
    leftid = srv.strongswan.org
    rightauth=psk
    rightsourceip=1.0.0.0/8
    esp=aes-sha1!
    mobike=no
    auto=add
load-tester config:
[root@localhost charon]# cat load-tester.conf
# Section to configure the load-tester plugin, see LOAD TESTS in
# strongswan.conf(5) for details.
load-tester {
    load = yes
    enable = yes
    initiators = 1
    iterations = 1
    delay = 50
    addrs {
        ens255f0 = 10.10.0.0/18
    }
    addrs_prefix = 8
    responder = 10.11.1.1
    proposal = aes128-sha1-modp2048
    esp = aes128-sha1
    initiator_auth = psk
    responder_auth = psk
    preshared_key = "default-psk"
    request_virtual_ip = yes
    ike_rekey = 0
    child_rekey = 0
    initiator_tsr = 192.0.0.0/8
    delete_after_established = no
    shutdown_when_complete = no
}
command to start:
ipsec load-tester initiate 1 or ipsec start
result on server side (5.4.0):
[root@localhost ln]# ipsec restart --debug-all --nofork
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.4.0 IPsec [starter]...
Loading config setup
Loading conn 'tt'
  auto=add
  dpdaction=none
  esp=aes-sha1!
  ike=aes128-sha1-modp2048
  keyexchange=ikev2
  keyingtries=%forever
  left=10.11.1.1
  leftauth=psk
  leftid=srv.strongswan.org
  leftsubnet=0.0.0.0/0
  mobike=no
  reauth=no
  rekey=no
  right=%any
  rightauth=psk
  rightid=%any
  rightsourceip=1.0.0.0/8
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 3.10.0-327.el7.x86_64, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec/ipsec.secrets'
00[CFG] loaded IKE secret for %any
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown error-notify
00[JOB] spawning 16 worker threads
charon (7361) started after 540 ms
08[CFG] received stroke: add connection 'tt'
08[CFG] adding virtual IP address pool 1.0.0.0/8
08[CFG] added configuration 'tt'
15[NET] received packet: from 10.10.0.1[500] to 10.11.1.1[500] (448 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
15[IKE] 10.10.0.1 is initiating an IKE_SA
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
15[NET] sending packet: from 10.11.1.1[500] to 10.10.0.1[500] (456 bytes)
10[NET] received packet: from 10.10.0.1[500] to 10.11.1.1[500] (300 bytes)
10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
10[IKE] received 1 cert requests for an unknown ca
10[CFG] looking for peer configs matching 10.11.1.1[srv.strongswan.org]...10.10.0.1[c2-r1.strongswan.org]
10[CFG] selected peer config 'tt'
10[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c2-r1.strongswan.org', but MAC mismatched
10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
10[NET] sending packet: from 10.11.1.1[500] to 10.10.0.1[500] (76 bytes)
09[NET] received packet: from 10.10.0.2[500] to 10.11.1.1[500] (448 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
load-tester log (5.3.0):
[root@localhost charon]# ipsec restart --debug-all --nofork
Stopping strongSwan IPsec...
Starting strongSwan 5.3.0 IPsec [starter]...
no files found matching '/etc/ipsec.d/ipsec.conf'
Loading config setup
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.10.0-327.el7.x86_64, x86_64)
00[CFG] loaded load-tester address pool 10.10.0.0/18 on ens255f0
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] opening '/etc/ipsec.d/private/myKey.der' failed: No such file or directory
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
00[CFG] loading private key from '/etc/ipsec.d/private/myKey.der' failed
00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic
00[JOB] spawning 32 worker threads
06[CFG] assigning new lease to 'ext-2'
06[CFG] installed load-tester IP 10.10.0.1 on ens255f0
06[IKE] initiating IKE_SA load-test[1] to 10.11.1.1
charon (9580) started after 20 ms
06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
06[NET] sending packet: from 10.10.0.1[500] to 10.11.1.1[500] (448 bytes)
11[NET] received packet: from 10.11.1.1[500] to 10.10.0.1[500] (456 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
11[IKE] sending cert request for "CN=srv, OU=load-test, O=strongSwan"
11[IKE] authentication of 'c2-r1.strongswan.org' (myself) with pre-shared key
11[IKE] establishing CHILD_SA load-test
11[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
11[NET] sending packet: from 10.10.0.1[500] to 10.11.1.1[500] (300 bytes)
13[NET] received packet: from 10.11.1.1[500] to 10.10.0.1[500] (76 bytes)
13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13[IKE] received AUTHENTICATION_FAILED notify error
13[CFG] lease 10.10.0.1 by 'ext-2' went offline
Related issues
History
#1 Updated by Tobias Brunner over 9 years ago
- Description updated (diff)
- Category set to configuration
- Status changed from New to Feedback
- Priority changed from High to Normal
[root@localhost ln]# cat /etc/ipsec.secrets
...
[root@localhost ln]# cat /etc/ipsec/ipsec.conf
Could it be that the ipsec.secrets file actually loaded is not /etc/ipsec.secrets but /etc/ipsec/ipsec.secrets?
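The "MAC mismatched" line in the server log and the question above about which ipsec.secrets file was loaded come down to one check: the responder recomputes the IKEv2 PSK AUTH value (RFC 7296, section 2.15) with every shared key it loaded, so a key read from a different file than the one inspected fails verification. The block below is an added example, not strongSwan code; it assumes HMAC-SHA1 as the PRF (what the aes128-sha1 proposal on this page negotiates), constructed signed octets in place of the real IKE_SA_INIT message, nonce and MACed ID, and constructed charon log lines.

```python
import hmac
import hashlib
import re

# RFC 7296 section 2.15, PSK authentication:
#   AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
# The proposal on this page negotiates PRF_HMAC_SHA1, used here (assumption).
KEY_PAD = b"Key Pad for IKEv2"


def prf_hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload value a peer sends (or expects) for a given PSK."""
    return prf_hmac_sha1(prf_hmac_sha1(psk, KEY_PAD), signed_octets)


def verify_psk_auth(received_auth: bytes, loaded_psks, signed_octets: bytes):
    """Responder-side check: try each loaded shared key, as the log's
    'tried 1 shared key ... but MAC mismatched' line describes.
    Returns the index of the matching key, or None if every MAC mismatches."""
    for i, psk in enumerate(loaded_psks):
        if hmac.compare_digest(ikev2_psk_auth(psk, signed_octets), received_auth):
            return i
    return None


SECRETS_RE = re.compile(r"loading secrets from '([^']+)'")


def loaded_secrets_path(charon_log: str):
    """Path charon reports in its 'loading secrets from' line, or None."""
    m = SECRETS_RE.search(charon_log)
    return m.group(1) if m else None


def secrets_path_matches(displayed_path: str, charon_log: str) -> bool:
    """True when the file the operator inspected is the one charon loaded."""
    return loaded_secrets_path(charon_log) == displayed_path


# Constructed sample inputs (not captured from the page's hosts).
SIGNED_OCTETS = b"\x01" * 64
SERVER_LOG = ("00[CFG] loading secrets from '/etc/ipsec/ipsec.secrets'\n"
              "00[CFG] loaded IKE secret for %any\n")
```

With the same "default-psk" on both sides the AUTH values agree; the check fails only when the key the responder actually loaded differs, which is why the loaded path matters more than the file shown with cat.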
#2 Updated by Tobias Brunner over 9 years ago
- Related to Issue #1518: Why does the performance of strongswan decreases dramatically when the number of connection is huge. pls help me! added
#3 Updated by Noel Kuntze over 8 years ago
- Status changed from Feedback to Closed
- Resolution set to No feedback