Unable to get past P1 Authentication with PSK because of Aggressive mode on Yamaha RTX



  • I have Site A (pfsense, static IP) and Site B (Yamaha RTX-810, dynamic IP + DDNS).
    The Yamaha is trying to connect to the pfsense.

    The Yamaha has no choice but to do IKEv1 in Aggressive Mode. No matter how I configure the Phase 1 IDs, I can't get this to authenticate!

    12[NET] <4> received packet: from 118.8.30.73[500] to 180.43.61.110[500] (328 bytes)
    Jul 1 18:27:43	charon		12[ENC] <4> parsed AGGRESSIVE request 0 [ SA KE No ID V ]
    Jul 1 18:27:43	charon		12[CFG] <4> looking for an ike config for 180.43.61.110...118.8.30.73
    Jul 1 18:27:43	charon		12[CFG] <4> candidate: %any...%any, prio 24
    Jul 1 18:27:43	charon		12[CFG] <4> candidate: 180.43.61.110...kai-annex.aa0.netvolante.jp, prio 3100
    Jul 1 18:27:43	charon		12[CFG] <4> found matching ike config: 180.43.61.110...kai-annex.aa0.netvolante.jp with prio 3100
    Jul 1 18:27:43	charon		12[IKE] <4> received DPD vendor ID
    Jul 1 18:27:43	charon		12[IKE] <4> 118.8.30.73 is initiating a Aggressive Mode IKE_SA
    Jul 1 18:27:43	charon		12[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
    Jul 1 18:27:43	charon		12[CFG] <4> selecting proposal:
    Jul 1 18:27:43	charon		12[CFG] <4> proposal matches
    Jul 1 18:27:43	charon		12[CFG] <4> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 1 18:27:43	charon		12[CFG] <4> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 1 18:27:43	charon		12[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 1 18:27:43	charon		12[CFG] <4> looking for pre-shared key peer configs matching 180.43.61.110...118.8.30.73[d1:d4:3f:33:b6:75:17:99:47:06:0e:61:d9:44:93:1c]
    Jul 1 18:27:43	charon		12[CFG] <4> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Jul 1 18:27:43	charon		12[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Jul 1 18:27:43	charon		12[IKE] <4> queueing INFORMATIONAL task
    Jul 1 18:27:43	charon		12[IKE] <4> activating new tasks
    Jul 1 18:27:43	charon		12[IKE] <4> activating INFORMATIONAL task
    Jul 1 18:27:43	charon		12[ENC] <4> generating INFORMATIONAL_V1 request 3541139542 [ N(AUTH_FAILED) ]
    Jul 1 18:27:43	charon		12[NET] <4> sending packet: from 180.43.61.110[500] to 118.8.30.73[500] (56 bytes)
    Jul 1 18:27:43	charon		12[IKE] <4> IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
    


  • Specifically:

    found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode

    If my P1 entry is doing Aggressive with PSK for the "My IP address" and "Peer IP address" and it matches my proposals for hash and encryption...why can't it recognize my PSK?
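As an added triage example (my own script, not code from the post, from pfSense or from strongSwan), the following parses charon lines of the shape quoted above and reports which IKE config and which peer (PSK) config charon actually selected and why Phase 1 was rejected. The sample lines are copied from the log in the post; the regexes assume the "thread[SUBSYS] <sa> message" layout shown there and nothing about other charon versions.

```python
"""Triage a failed strongSwan (charon) IKEv1 Phase 1 from its log lines.

Added example for the thread above; not pfSense or strongSwan code. It pulls
out the exchange type, the matched IKE config, the selected proposal, the peer
config candidates charon considered for the pre-shared key, and the reason
charon gave for refusing authentication.
"""
import re
from typing import Dict, List, Optional, Tuple

# One charon line: optional "Jul 1 18:27:43 charon" prefix, then "12[CFG] <4> message".
LINE_RE = re.compile(
    r"^\s*(?:(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon\s+)?"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+<(?P<sa>\d+)>\s+(?P<msg>.*?)\s*$"
)
PARSED_RE = re.compile(r"parsed (?P<exchange>\w+) request")
INIT_RE = re.compile(r"(?P<ip>[\d.]+) is initiating an? (?P<mode>\w+) Mode IKE_SA")
IKE_CFG_RE = re.compile(r"found matching ike config: (?P<cfg>\S+) with prio (?P<prio>\d+)")
PROPOSAL_RE = re.compile(r"selected proposal: (?P<prop>\S+)")
PEER_CAND_RE = re.compile(r'candidate "(?P<name>[^"]+)", match: (?P<match>\d+/\d+/\d+)')
NO_AUTH_RE = re.compile(
    r"found (?P<n>\d+) matching config, but none allows "
    r"(?P<auth>.+?) authentication using (?P<mode>\w+) Mode"
)
NOTIFY_RE = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ N\((?P<notify>\w+)\) \]")

# Constructed sample: the charon lines quoted in the post, tabs replaced by spaces.
SAMPLE_LOG = """\
12[NET] <4> received packet: from 118.8.30.73[500] to 180.43.61.110[500] (328 bytes)
Jul 1 18:27:43 charon 12[ENC] <4> parsed AGGRESSIVE request 0 [ SA KE No ID V ]
Jul 1 18:27:43 charon 12[CFG] <4> looking for an ike config for 180.43.61.110...118.8.30.73
Jul 1 18:27:43 charon 12[CFG] <4> candidate: %any...%any, prio 24
Jul 1 18:27:43 charon 12[CFG] <4> candidate: 180.43.61.110...kai-annex.aa0.netvolante.jp, prio 3100
Jul 1 18:27:43 charon 12[CFG] <4> found matching ike config: 180.43.61.110...kai-annex.aa0.netvolante.jp with prio 3100
Jul 1 18:27:43 charon 12[IKE] <4> 118.8.30.73 is initiating a Aggressive Mode IKE_SA
Jul 1 18:27:43 charon 12[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 1 18:27:43 charon 12[CFG] <4> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jul 1 18:27:43 charon 12[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Jul 1 18:27:43 charon 12[ENC] <4> generating INFORMATIONAL_V1 request 3541139542 [ N(AUTH_FAILED) ]
Jul 1 18:27:43 charon 12[IKE] <4> IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
""".splitlines()


def parse_charon_line(line: str) -> Optional[Dict[str, str]]:
    """Split one charon log line into its fields; None for lines that are not charon output."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_ikev1_attempt(lines: List[str]) -> Dict[str, object]:
    """Walk the lines of one IKE_SA attempt and explain how charon chose and why it refused."""
    peer_candidates: List[Tuple[str, str]] = []
    summary: Dict[str, object] = {
        "exchange": None, "initiator": None, "ike_config": None, "selected_proposal": None,
        "peer_candidates": peer_candidates, "failure": None, "notification": None,
        "verdict": "no failure detected",
    }
    for raw in lines:
        rec = parse_charon_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := PARSED_RE.search(msg)):
            summary["exchange"] = m["exchange"]
        elif (m := INIT_RE.search(msg)):
            summary["initiator"] = m["ip"]
        elif (m := IKE_CFG_RE.search(msg)):
            summary["ike_config"] = m["cfg"]
        elif (m := PROPOSAL_RE.search(msg)):
            summary["selected_proposal"] = m["prop"]
        elif (m := PEER_CAND_RE.search(msg)):
            peer_candidates.append((m["name"], m["match"]))
        elif (m := NO_AUTH_RE.search(msg)):
            summary["failure"] = {"auth": m["auth"], "mode": m["mode"], "configs": int(m["n"])}
        elif (m := NOTIFY_RE.search(msg)):
            summary["notification"] = m["notify"]

    failure = summary["failure"]
    if failure:
        # The peer config was picked by address/identity scores (me/other/ike); if only a
        # fallback entry scored, the intended Phase 1 entry did not match the peer's ID.
        names = ", ".join(n for n, _ in peer_candidates) or "none"
        summary["verdict"] = (
            f"Phase 1 rejected: charon matched peer config(s) [{names}] but none of them "
            f"allows {failure['auth']} authentication in {failure['mode']} Mode; compare the "
            "responder's Phase 1 identifiers and authentication method with the ID the initiator sends."
        )
    return summary


def triage_sample() -> Dict[str, object]:
    """Run the summary over the constructed sample from the post."""
    return summarize_ikev1_attempt(SAMPLE_LOG)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Run over the sample, the output shows the IKE config matched on addresses (prio 3100) while the only peer config that scored for the PSK lookup was "bypasslan" with match 1/1/24, which is the distinction worth reading in this log: the proposal and addresses matched, but the entry charon tried to authenticate against is not the one that permits PSK in Aggressive Mode.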