2

I'm using Openswan with ipsec and ipsec keeps complaining about the shared-key not being present. I'm running Ubuntu 14.04 .

I'm just experimenting on a couple of internal systems since I'm new to this.

Output:

root@ip-10-1-1-4:/etc# ipsec auto --up L2TP-PSK
104 "L2TP-PSK" #10: STATE_MAIN_I1: initiate
003 "L2TP-PSK" #10: received Vendor ID payload [Openswan (this version) 2.6.38 ]
003 "L2TP-PSK" #10: received Vendor ID payload [Dead Peer Detection]
003 "L2TP-PSK" #10: received Vendor ID payload [RFC 3947] method set to=115 
003 "L2TP-PSK" #10: Can't authenticate: no preshared key found for `10.1.1.4' and `10.1.1.36'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "L2TP-PSK" #10: no acceptable Oakley Transform
214 "L2TP-PSK" #10: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN

Server:

10.1.1.36 %any : PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

Client:

%any 10.1.1.36 : PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

I know that it doesn't necessarily matter which sides of the conversation are actually designated as "left" and "right" since it's detected automatically and I don't know if/how these relate to which of the two addresses is which in the two lines above. However, I've tried switching both values and using all IPs (so that there are no "%any" values). I'm also not sure which side of the conversation is originating the complaint.

Can someone with more experience give me a hint about where to do from here :) ?

Thanks. This is, of course, a little obscure for a newcomer.

3 Answers 3

0
  • Are you importing your .secrets file in /etc/ipsec.secrets? (this was my problem)
  • If so, try replacing the double quotes around your secret with single quotes. (I found this suggestion in the openswan documentation, but I haven't tested it both ways.)

  • Secret line must be followed by a blank line. (Same as above, suggested in the openswan docs, but haven't tested both ways)

0

For me it ended up that I needed to define the path to the secrets file here:

/etc/strongswan.d/charon/stroke.conf

For whatever reason, without that, it was not reading /etc/ipsec.secrets

0

In my case it was because I created the PSK inside /etc/ipsec.secret instead of the correct path /etc/ipsec.secrets. Minor but important difference!

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .