Issue #461
[5.1.1] Why matching a conn but selected another conn
Description
11[IKE] <9> 124.78.108.xxx is initiating a Aggressive Mode IKE_SA
11[IKE] <9> IKE_SA (unnamed)[9] state change: CREATED => CONNECTING
11[CFG] <9> looking for XAuthInitPSK peer configs *matching xxx.253.165.yyy ...124.78.108.xxx[android]*
11[CFG] <9> selected peer config "CiscoIPSec"
11[IKE] <CiscoIPSec|9> sending XAuth vendor ID
11[IKE] <CiscoIPSec|9> sending DPD vendor ID
11[IKE] <CiscoIPSec|9> sending NAT-T (RFC 3947) vendor ID
Note in the text above: it says "*matching xxx.253.165.yyy ...124.78.108.xxx[android]*", but then "*selected peer config "CiscoIPSec"*".
Where is the error? Below is my ipsec.conf:
config setup
    # strictcrlpolicy=yes
    uniqueids = no
    charondebug=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekey=no
    keyingtries=1
    #keyexchange=ike
    #aggressive=yes
    left=%defaultroute
    right=%any
    #leftsubnet=%modeconfig
    rightsourceip=192.168.99.128/25
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=30m

conn android
    type=tunnel
    authby=xauthpsk
    xauth=server
    #mode=main
    keyexchange=ikev1
    ike=aes128-md5-modp1024
    esp=aes128-md5
    auto=add
    compress=yes
    leftid=android
    leftauth=psk
    rightauth=psk
    rightauth2=xauth

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity

conn CiscoIPSec
    keyexchange=ikev1
    auto=add
    aggressive=yes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftid=blackberry
    type=tunnel
    xauth=server
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-eap
    #rightauth2=eap-radius
    #leftfirewall=yes
    modeconfig=push
And below is my ipsec.secrets:

%any %any : PSK "heibang"
test : XAUTH "test"
: RSA serverKey.pem

So, what should I do?
History
#1 Updated by Folke Ashberg almost 11 years ago
For me it looks like CiscoIPSec is the only aggressive conn.
124.78.108.xxx[android] is the right side. In the conn CiscoIPSec there is only leftid=blackberry.
The client sends its ID (android), and because your rightid=%any this one matches.
Leftid is not checked; the request only includes the initiator ID and not the expected ID of the server, but in the reply "blackberry" is sent out, so maybe this is the reason why your connection fails: the client is confused about your ID "blackberry".
Try
conn android
    type=tunnel
    aggressive=yes
    keyexchange=ikev1
    ike=aes128-md5-modp1024
    esp=aes128-md5
    auto=add
    compress=yes
    rightid=android
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
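To make the matching rules in this reply concrete, here is an added Python model (not strongSwan's own code) of how a responder narrows its conns for an incoming IKEv1 Aggressive Mode request with XAuth/PSK: the Conn and Request classes, the scoring, and the ranking of %any below an exact rightid are assumptions, and the conn entries are constructed from the reporter's ipsec.conf with only the selection-relevant options kept.

```python
# Added example, not charon's code: a simplified model of peer-config selection.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Conn:
    name: str
    keyexchange: str = "ikev1"
    aggressive: bool = False
    rightid: str = "%any"            # ID expected from the initiator; %any matches all
    rightauth: str = "psk"
    rightauth2: Optional[str] = None  # "xauth" or "xauth-eap" on the conns in the report

@dataclass
class Request:
    keyexchange: str
    aggressive: bool
    initiator_id: str   # the only ID the Aggressive Mode request carries
    auth: str
    xauth: bool

def score(conn: Conn, req: Request) -> Optional[int]:
    """Match score for conn, or None if it cannot serve the request (assumed ranking)."""
    if conn.keyexchange != req.keyexchange:
        return None
    if conn.aggressive != req.aggressive:
        return None   # a Main Mode conn does not answer an Aggressive Mode request
    if conn.rightauth != req.auth:
        return None
    if req.xauth and not (conn.rightauth2 or "").startswith("xauth"):
        return None
    # leftid is deliberately NOT tested: the request does not carry the server's ID.
    if conn.rightid == "%any":
        return 1                     # wildcard match, lowest score
    return 2 if conn.rightid == req.initiator_id else None

def select_peer_config(conns: List[Conn], req: Request) -> Optional[str]:
    """Name of the best-scoring conn (first wins on ties), like 'selected peer config'."""
    ranked = [(score(c, req), c.name) for c in conns]
    ranked = [(s, n) for s, n in ranked if s is not None]
    return max(ranked, key=lambda t: t[0])[1] if ranked else None

# Constructed request: what the log shows, an Aggressive Mode XAuthInitPSK from "android".
REQUEST = Request("ikev1", True, "android", "psk", True)
ORIGINAL = [                                   # conns from the reporter's ipsec.conf
    Conn("android", aggressive=False, rightauth2="xauth"),
    Conn("IPSec-IKEv2", keyexchange="ikev2", rightauth="eap-radius"),
    Conn("CiscoIPSec", aggressive=True, rightauth2="xauth-eap"),
]
# The conn suggested in this reply: aggressive, with rightid pinned to the client ID.
SUGGESTED = [Conn("android", aggressive=True, rightid="android", rightauth2="xauth")] + ORIGINAL[1:]
```

With ORIGINAL only CiscoIPSec survives the filter, which is what the log reports; with SUGGESTED the exact rightid outranks the %any wildcard on CiscoIPSec.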
#2 Updated by Tyrael Wang almost 11 years ago
Thanks, but it did not work. I configured it as you gave it, but it selected the conn CiscoIPSec just the same...
#3 Updated by Tobias Brunner over 9 years ago
- Status changed from New to Closed
Closing some old tickets. Please open a new ticket if the issue persists.