[solved] IPSec (defined with "Connections") doesn't find PSK anymore

Started by HGilch, January 23, 2024, 10:29:33 AM

Hello,

I created some IPSec connections (with "Connections") and they work. Then I create another one, which also works at first, but one of the older ones won't reconnect after dropping it or an IKE_REAUTH. The other side answers with AUTH_FAILED.
The only thing that gets it to work again is deleting the PSK and creating it again.
But then I drop a different connection, and this one gets an AUTH_FAILED and only works again after deleting and recreating the PSK.
Does somebody know about this strange behavior?

Thank you,
Hubert

The only things that I know are important:

- Each Pre-Shared Key should have a unique combination of a Local and Remote Identifier per external IP address of the Firewall.
- A Pre-Shared Key that only has a Local Identifier, but no Remote Identifier, can be the only PSK for one external IP address of the Firewall.
- A Pre-Shared Key that has a Remote Identifier, but no Local Identifier, can exist multiple times per one external IP address of the Firewall.

So if you only have one external IP Address, you should only use unique combinations of Local and Remote Identifiers.

I have some endpoints that don't accept a Remote Identifier; each of them has its own external IP address as Local Identifier, and the Remote Identifier is empty.
Hardware:
DEC740

Thank you, but I have only unique combinations of Identifiers. All Identifiers are the external IPs on both sides.

Hubert

Then I don't know; the behavior you described sounded like there are selection issues in strongswan because the pre-shared keys and the remote and local identifiers of all connections aren't totally unique.

I had exactly these auth failed issues in that scenario.

You should check the strongswan logs in depth for which pre-shared key or peer config is selected for the connections that fail to authenticate after you made these changes.
Hardware:
DEC740

I checked in the logs and found:

no IDi configured, fall back on IP address
authentication of '62.XXX.XXX.45' (myself) with pre-shared key

I actually did not have IDs configured for the PSK in the connection definition; I thought that it falls back to the IP. It did, but only for the local side, not for the remote! So the key it found was somewhat random, obviously depending on which PSK was configured last.

After filling in the IDs it looked that way:

IKE_AUTH task
authentication of '62.80.52.45' (myself) with pre-shared key
[ ... ]
received INITIAL_CONTACT notify
authentication of '213.XXX.XXX.228' with pre-shared key successful

Thank you for your help, I should have seen this myself.

Hubert
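As an added illustration (not from this thread or from OPNsense), here is what the ambiguous and the fixed setup look like in strongSwan's swanctl.conf format, which is the format the daemon reads underneath the GUI; section names, addresses and keys are constructed placeholders.

```conf
# Added example, not from the thread: swanctl.conf fragments in strongSwan's
# format. Addresses, section names and keys are constructed placeholders.

# BEFORE (ambiguous): the connection had no "id" under local/remote, and
# the PSKs were keyed by the local address only. IDi falls back to the
# local IP, but the peer's identity is unknown to the lookup, so ike-a
# and ike-b match equally well and the one chosen depends on load order
# (the thread saw the last-configured PSK win) -> AUTH_FAILED elsewhere.
secrets {
    ike-a {
        id-1 = 203.0.113.10
        secret = "PLACEHOLDER-key-for-site-a"
    }
    ike-b {
        id-1 = 203.0.113.10
        secret = "PLACEHOLDER-key-for-site-b"
    }
}

# AFTER (unique): explicit local/remote IDs on each connection, and each
# PSK bound to its unique (local, remote) identity pair.
connections {
    site-a {
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
    }
}
secrets {
    ike-a {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "PLACEHOLDER-key-for-site-a"
    }
    ike-b {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.30
        secret = "PLACEHOLDER-key-for-site-b"
    }
}
```

After reloading, `swanctl --list-conns` should show the local and remote IDs on each connection, and the "no IDi configured, fall back on IP address" line from the thread should no longer appear in the log.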