Issue #1519
Updated by Tobias Brunner over 9 years ago
Hi
load-tester (strongSwan 5.3.0) is used as the client and strongSwan 5.4.0 is used as the server. The auth method is preshared key. The version is IKEv2.
You will see that the preshared keys are totally the same on both sides, but the server cannot authenticate the load-tester, always reporting MAC mismatched. I checked and tried lots of times following the document's description. Please help me check the configs on both sides and find the reason. Thanks very much.
Best Wishes!
server side config:
<pre> ==========================================================
[root@localhost ln]# cat /etc/ipsec.secrets
: PSK "default-psk"
[root@localhost ln]# cat /etc/ipsec/ipsec.conf
config setup
conn tt
reauth=no
rekey=no
dpdaction = none
keyingtries=%forever
keyexchange=ikev2
ike=aes128-sha1-modp2048
left=10.11.1.1
leftsubnet=0.0.0.0/0
leftauth=psk
right=%any
rightid = %any
leftid = srv.strongswan.org
rightauth=psk
rightsourceip=1.0.0.0/8
esp=aes-sha1!
mobike=no
auto=add
</pre>
load-tester config:
<pre> ========================================================================
[root@localhost charon]# cat load-tester.conf
# Section to configure the load-tester plugin, see LOAD TESTS in
# strongswan.conf(5) for details.
load-tester
{
load = yes
enable = yes
initiators = 1
iterations = 1
delay = 50
addrs
{
ens255f0 = 10.10.0.0/18
}
addrs_prefix = 8
responder = 10.11.1.1
proposal = aes128-sha1-modp2048
esp = aes128-sha1
initiator_auth = psk
responder_auth = psk
preshared_key = "default-psk"
request_virtual_ip = yes
ike_rekey = 0
child_rekey = 0
initiator_tsr = 192.0.0.0/8
delete_after_established = no
shutdown_when_complete = no
}
</pre>
command to start:
<pre>
ipsec load-tester initiate 1 or ipsec start
</pre>
result on server side(5.4.0):
<pre> =======================================================================
[root@localhost ln]# ipsec restart --debug-all --nofork
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.4.0 IPsec [starter]...
Loading config setup
Loading conn 'tt'
auto=add
dpdaction=none
esp=aes-sha1!
ike=aes128-sha1-modp2048
keyexchange=ikev2
keyingtries=%forever
left=10.11.1.1
leftauth=psk
leftid=srv.strongswan.org
leftsubnet=0.0.0.0/0
mobike=no
reauth=no
rekey=no
right=%any
rightauth=psk
rightid=%any
rightsourceip=1.0.0.0/8
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 3.10.0-327.el7.x86_64, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec/ipsec.secrets'
00[CFG] loaded IKE secret for %any
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown error-notify
00[JOB] spawning 16 worker threads
charon (7361) started after 540 ms
08[CFG] received stroke: add connection 'tt'
08[CFG] adding virtual IP address pool 1.0.0.0/8
08[CFG] added configuration 'tt'
15[NET] received packet: from 10.10.0.1[500] to 10.11.1.1[500] (448 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
15[IKE] 10.10.0.1 is initiating an IKE_SA
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
15[NET] sending packet: from 10.11.1.1[500] to 10.10.0.1[500] (456 bytes)
10[NET] received packet: from 10.10.0.1[500] to 10.11.1.1[500] (300 bytes)
10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
10[IKE] received 1 cert requests for an unknown ca
10[CFG] looking for peer configs matching 10.11.1.1[srv.strongswan.org]...10.10.0.1[c2-r1.strongswan.org]
10[CFG] selected peer config 'tt'
10[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c2-r1.strongswan.org', but MAC mismatched
10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
10[NET] sending packet: from 10.11.1.1[500] to 10.10.0.1[500] (76 bytes)
09[NET] received packet: from 10.10.0.2[500] to 10.11.1.1[500] (448 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
</pre>
load-tester log(5.3.0):
<pre> =================================================================
[root@localhost charon]# ipsec restart --debug-all --nofork
Stopping strongSwan IPsec...
Starting strongSwan 5.3.0 IPsec [starter]...
no files found matching '/etc/ipsec.d/ipsec.conf'
Loading config setup
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.10.0-327.el7.x86_64, x86_64)
00[CFG] loaded load-tester address pool 10.10.0.0/18 on ens255f0
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] opening '/etc/ipsec.d/private/myKey.der' failed: No such file or directory
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
00[CFG] loading private key from '/etc/ipsec.d/private/myKey.der' failed
00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic
00[JOB] spawning 32 worker threads
06[CFG] assigning new lease to 'ext-2'
06[CFG] installed load-tester IP 10.10.0.1 on ens255f0
06[IKE] initiating IKE_SA load-test[1] to 10.11.1.1
charon (9580) started after 20 ms
06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
06[NET] sending packet: from 10.10.0.1[500] to 10.11.1.1[500] (448 bytes)
11[NET] received packet: from 10.11.1.1[500] to 10.10.0.1[500] (456 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
11[IKE] sending cert request for "CN=srv, OU=load-test, O=strongSwan"
11[IKE] authentication of 'c2-r1.strongswan.org' (myself) with pre-shared key
11[IKE] establishing CHILD_SA load-test
11[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
11[NET] sending packet: from 10.10.0.1[500] to 10.11.1.1[500] (300 bytes)
13[NET] received packet: from 10.11.1.1[500] to 10.10.0.1[500] (76 bytes)
13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13[IKE] received AUTHENTICATION_FAILED notify error
13[CFG] lease 10.10.0.1 by 'ext-2' went offline
</pre>
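An added example (not from this issue or from strongSwan's code) of what the responder's "tried 1 shared key ... MAC mismatched" check computes: the IKEv2 PSK AUTH value from RFC 7296 section 2.15 with PRF_HMAC_SHA1, the PRF the aes128-sha1 proposal above negotiates. The message, nonce, SK_pi and ID bytes are constructed placeholders, and the three candidate secrets are assumptions chosen to show that any byte difference in the loaded secret produces exactly this failure.

```python
import hmac
import hashlib

KEY_PAD = b"Key Pad for IKEv2"  # fixed string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, the PRF selected by the page's ike=aes128-sha1-modp2048."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(real_message, peer_nonce, sk_p, id_payload_body):
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI,
    with MACedIDForI = prf(SK_pi, RestOfInitIDPayload)."""
    return real_message + peer_nonce + prf(sk_p, id_payload_body)


def psk_auth(shared_secret, octets):
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def responder_verifies(candidate_secrets, received_auth, octets):
    """What 'tried N shared key ... MAC mismatched' means: the responder
    recomputes AUTH with every secret it holds for the peer IDs and compares
    in constant time; any byte difference in the secret fails."""
    return any(hmac.compare_digest(psk_auth(s, octets), received_auth)
               for s in candidate_secrets)


# Constructed stand-ins (placeholders, not captured traffic) for message 1,
# the responder nonce, SK_pi and the initiator ID payload body.
MSG1 = b"\x00" * 8 + b"IKE_SA_INIT-request-placeholder"
NR = bytes(range(32))
SK_PI = b"\x11" * 20
IDI_BODY = b"\x02\x00\x00\x00" + b"c2-r1.strongswan.org"  # ID_FQDN as in the log
OCTETS = signed_octets(MSG1, NR, SK_PI, IDI_BODY)


def demo():
    """Initiator signs with "default-psk"; responder tries three secrets."""
    auth = psk_auth(b"default-psk", OCTETS)
    return {
        "same_secret": responder_verifies([b"default-psk"], auth, OCTETS),
        "trailing_space": responder_verifies([b"default-psk "], auth, OCTETS),
        "wrong_secret": responder_verifies([b"other-psk"], auth, OCTETS),
    }


if __name__ == "__main__":
    print(demo())
```

Only the secret and the signed octets enter the computation, so a mismatch with identical-looking secrets points at what was actually loaded (quoting, whitespace, which entry was matched for the peer IDs), not at the proposal.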