Netgate Discussion Forum

    Unable to get past P1 Authentication with PSK because of Aggressive mode on Yamaha RTX

    IPsec
    2 Posts, 1 Poster, 388 Views
    kaijls

      I have Site A (pfsense, static IP) and Site B (Yamaha RTX-810, dynamic IP + DDNS).
      The Yamaha is trying to connect to the pfsense.

      The Yamaha has no choice but to do IKEv1 in Aggressive Mode. No matter how I configure the Phase 1 IDs, I can't get this to authenticate!

      12[NET] <4> received packet: from 118.8.30.73[500] to 180.43.61.110[500] (328 bytes)
      Jul 1 18:27:43	charon		12[ENC] <4> parsed AGGRESSIVE request 0 [ SA KE No ID V ]
      Jul 1 18:27:43	charon		12[CFG] <4> looking for an ike config for 180.43.61.110...118.8.30.73
      Jul 1 18:27:43	charon		12[CFG] <4> candidate: %any...%any, prio 24
      Jul 1 18:27:43	charon		12[CFG] <4> candidate: 180.43.61.110...kai-annex.aa0.netvolante.jp, prio 3100
      Jul 1 18:27:43	charon		12[CFG] <4> found matching ike config: 180.43.61.110...kai-annex.aa0.netvolante.jp with prio 3100
      Jul 1 18:27:43	charon		12[IKE] <4> received DPD vendor ID
      Jul 1 18:27:43	charon		12[IKE] <4> 118.8.30.73 is initiating a Aggressive Mode IKE_SA
      Jul 1 18:27:43	charon		12[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
      Jul 1 18:27:43	charon		12[CFG] <4> selecting proposal:
      Jul 1 18:27:43	charon		12[CFG] <4> proposal matches
      Jul 1 18:27:43	charon		12[CFG] <4> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Jul 1 18:27:43	charon		12[CFG] <4> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Jul 1 18:27:43	charon		12[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Jul 1 18:27:43	charon		12[CFG] <4> looking for pre-shared key peer configs matching 180.43.61.110...118.8.30.73[d1:d4:3f:33:b6:75:17:99:47:06:0e:61:d9:44:93:1c]
      Jul 1 18:27:43	charon		12[CFG] <4> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Jul 1 18:27:43	charon		12[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
      Jul 1 18:27:43	charon		12[IKE] <4> queueing INFORMATIONAL task
      Jul 1 18:27:43	charon		12[IKE] <4> activating new tasks
      Jul 1 18:27:43	charon		12[IKE] <4> activating INFORMATIONAL task
      Jul 1 18:27:43	charon		12[ENC] <4> generating INFORMATIONAL_V1 request 3541139542 [ N(AUTH_FAILED) ]
      Jul 1 18:27:43	charon		12[NET] <4> sending packet: from 180.43.61.110[500] to 118.8.30.73[500] (56 bytes)
      Jul 1 18:27:43	charon		12[IKE] <4> IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
      
    kaijls

        Specifically:

        found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode

        If my P1 entry is doing Aggressive with PSK for the "My IP address" and "Peer IP address" and it matches my proposals for hash and encryption...why can't it recognize my PSK?

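Added example (not from the original posts, not pfSense or strongSwan code): a small Python parser that groups charon log lines by IKE_SA number and pulls out the facts that decide a Phase 1 PSK attempt, using the lines from the first post above as its sample input. It makes visible what both posts are asking about: the ike config was matched on the FQDN, but the pre-shared key peer-config lookup was keyed on the peer's IP plus the identity in brackets, and only the "bypasslan" candidate scored. The class and function names (IkeAttempt, parse_charon, diagnose) are mine; the log format is strongSwan's as shown on the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: charon lines copied from the forum post above, with the
# "Jul 1 18:27:43 <tab> charon <tab><tab>" prefix as pfSense shows it.
SAMPLE_LOG = """\
Jul 1 18:27:43\tcharon\t\t12[ENC] <4> parsed AGGRESSIVE request 0 [ SA KE No ID V ]
Jul 1 18:27:43\tcharon\t\t12[CFG] <4> looking for an ike config for 180.43.61.110...118.8.30.73
Jul 1 18:27:43\tcharon\t\t12[CFG] <4> candidate: %any...%any, prio 24
Jul 1 18:27:43\tcharon\t\t12[CFG] <4> candidate: 180.43.61.110...kai-annex.aa0.netvolante.jp, prio 3100
Jul 1 18:27:43\tcharon\t\t12[CFG] <4> found matching ike config: 180.43.61.110...kai-annex.aa0.netvolante.jp with prio 3100
Jul 1 18:27:43\tcharon\t\t12[IKE] <4> 118.8.30.73 is initiating a Aggressive Mode IKE_SA
Jul 1 18:27:43\tcharon\t\t12[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 1 18:27:43\tcharon\t\t12[CFG] <4> looking for pre-shared key peer configs matching 180.43.61.110...118.8.30.73[d1:d4:3f:33:b6:75:17:99:47:06:0e:61:d9:44:93:1c]
Jul 1 18:27:43\tcharon\t\t12[CFG] <4> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jul 1 18:27:43\tcharon\t\t12[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Jul 1 18:27:43\tcharon\t\t12[ENC] <4> generating INFORMATIONAL_V1 request 3541139542 [ N(AUTH_FAILED) ]
"""

# "12[CFG] <4> message": thread id, subsystem, IKE_SA number, then the message.
LINE_RE = re.compile(r"\d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$")


@dataclass
class IkeAttempt:
    sa: str
    peer: str = ""            # initiator address
    mode: str = ""            # "Aggressive" or "Main"
    ike_config: str = ""      # ike config charon matched (me...other)
    proposal: str = ""        # selected Phase 1 proposal
    lookup_me: str = ""       # our address in the PSK peer-config lookup
    lookup_other: str = ""    # peer address in the PSK peer-config lookup
    peer_identity: str = ""   # identity in [...] that the PSK lookup was keyed on
    candidates: list = field(default_factory=list)  # (name, me, other, ike) scores
    failure: str = ""         # charon's "found N matching config, but ..." line
    auth_failed: bool = False  # responder sent N(AUTH_FAILED)


def parse_charon(text: str) -> dict:
    """Group lines by IKE_SA number and record the authentication-relevant facts."""
    attempts = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        a = attempts.setdefault(m["sa"], IkeAttempt(sa=m["sa"]))
        msg = m["msg"]
        if (x := re.match(r"(\S+) is initiating a (\w+) Mode IKE_SA", msg)):
            a.peer, a.mode = x[1], x[2]
        elif (x := re.match(r"found matching ike config: (\S+) with prio", msg)):
            a.ike_config = x[1]
        elif (x := re.match(r"selected proposal: (\S+)", msg)):
            a.proposal = x[1]
        elif (x := re.match(r"looking for pre-shared key peer configs matching (\S+?)\.\.\.(\S+?)\[(.+)\]$", msg)):
            a.lookup_me, a.lookup_other, a.peer_identity = x[1], x[2], x[3]
        elif (x := re.match(r'candidate "([^"]+)", match: (\d+)/(\d+)/(\d+)', msg)):
            a.candidates.append((x[1], int(x[2]), int(x[3]), int(x[4])))
        elif msg.startswith("found ") and "none allows" in msg:
            a.failure = msg
        elif "N(AUTH_FAILED)" in msg:
            a.auth_failed = True
    return attempts


def diagnose(a: IkeAttempt) -> list:
    """Summarise one attempt as findings a reviewer would check against the Phase 1 entry."""
    findings = []
    if a.mode == "Aggressive" and a.peer_identity:
        findings.append(
            f"{a.peer} initiated Aggressive Mode; the PSK lookup was keyed on "
            f"{a.lookup_other}[{a.peer_identity}] while the ike config matched as "
            f"{a.ike_config}: compare that identity with the Peer identifier on the Phase 1 entry")
    if a.failure:
        names = [c[0] for c in a.candidates]
        findings.append(f"peer-config candidates considered: {names or 'none'}; charon said: {a.failure}")
    if a.auth_failed:
        findings.append("responder sent N(AUTH_FAILED): Phase 1 was torn down before authentication")
    return findings


if __name__ == "__main__":
    for sa, attempt in parse_charon(SAMPLE_LOG).items():
        print(f"IKE_SA <{sa}>")
        for f in diagnose(attempt):
            print("  -", f)
```

Run against a fuller log (pfSense's IPsec log with charon at CFG/IKE diag level) it produces one summary per IKE_SA, which is quicker than reading every `<N>` line by hand when several peers retry at once.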
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.