Unable to get past P1 Authentication with PSK because of Aggressive mode on Yamaha RTX
-
I have Site A (pfsense, static IP) and Site B (Yamaha RTX-810, dynamic IP + DDNS).
The Yamaha is trying to connect to the pfsense. The Yamaha has no choice but to do IKEv1 in Aggressive Mode. No matter how I configure the Phase 1 IDs, I can't get this to authenticate!
12[NET] <4> received packet: from 118.8.30.73[500] to 180.43.61.110[500] (328 bytes)
Jul 1 18:27:43 charon 12[ENC] <4> parsed AGGRESSIVE request 0 [ SA KE No ID V ]
Jul 1 18:27:43 charon 12[CFG] <4> looking for an ike config for 180.43.61.110...118.8.30.73
Jul 1 18:27:43 charon 12[CFG] <4> candidate: %any...%any, prio 24
Jul 1 18:27:43 charon 12[CFG] <4> candidate: 180.43.61.110...kai-annex.aa0.netvolante.jp, prio 3100
Jul 1 18:27:43 charon 12[CFG] <4> found matching ike config: 180.43.61.110...kai-annex.aa0.netvolante.jp with prio 3100
Jul 1 18:27:43 charon 12[IKE] <4> received DPD vendor ID
Jul 1 18:27:43 charon 12[IKE] <4> 118.8.30.73 is initiating a Aggressive Mode IKE_SA
Jul 1 18:27:43 charon 12[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Jul 1 18:27:43 charon 12[CFG] <4> selecting proposal:
Jul 1 18:27:43 charon 12[CFG] <4> proposal matches
Jul 1 18:27:43 charon 12[CFG] <4> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 1 18:27:43 charon 12[CFG] <4> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 1 18:27:43 charon 12[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 1 18:27:43 charon 12[CFG] <4> looking for pre-shared key peer configs matching 180.43.61.110...118.8.30.73[d1:d4:3f:33:b6:75:17:99:47:06:0e:61:d9:44:93:1c]
Jul 1 18:27:43 charon 12[CFG] <4> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jul 1 18:27:43 charon 12[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Jul 1 18:27:43 charon 12[IKE] <4> queueing INFORMATIONAL task
Jul 1 18:27:43 charon 12[IKE] <4> activating new tasks
Jul 1 18:27:43 charon 12[IKE] <4> activating INFORMATIONAL task
Jul 1 18:27:43 charon 12[ENC] <4> generating INFORMATIONAL_V1 request 3541139542 [ N(AUTH_FAILED) ]
Jul 1 18:27:43 charon 12[NET] <4> sending packet: from 180.43.61.110[500] to 118.8.30.73[500] (56 bytes)
Jul 1 18:27:43 charon 12[IKE] <4> IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
-
Specifically:
found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
If my P1 entry is doing Aggressive with PSK for the "My IP address" and "Peer IP address" and it matches my proposals for hash and encryption...why can't it recognize my PSK?
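Added example (not part of the original post, and not pfSense or strongSwan code): a small Python reader for the charon log above that pulls out, per IKE_SA, the exchange mode, the IKE config that matched, the peer ID charon used for the peer-config lookup, and the candidate peer configs it considered. The function names and dictionary keys are my own; the sample lines are copied from the post.

```python
import re

# Subset of the charon log from the post above, one entry per line.
SAMPLE_LOG = """\
Jul 1 18:27:43 charon 12[ENC] <4> parsed AGGRESSIVE request 0 [ SA KE No ID V ]
Jul 1 18:27:43 charon 12[CFG] <4> looking for an ike config for 180.43.61.110...118.8.30.73
Jul 1 18:27:43 charon 12[CFG] <4> found matching ike config: 180.43.61.110...kai-annex.aa0.netvolante.jp with prio 3100
Jul 1 18:27:43 charon 12[CFG] <4> looking for pre-shared key peer configs matching 180.43.61.110...118.8.30.73[d1:d4:3f:33:b6:75:17:99:47:06:0e:61:d9:44:93:1c]
Jul 1 18:27:43 charon 12[CFG] <4> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jul 1 18:27:43 charon 12[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Jul 1 18:27:43 charon 12[ENC] <4> generating INFORMATIONAL_V1 request 3541139542 [ N(AUTH_FAILED) ]
"""

# thread[SUBSYSTEM] <IKE_SA number> message
ENTRY = re.compile(r"\d+\[[A-Z]{3}\] <(?P<sa>\d+)> (?P<msg>.*)")
PATTERNS = {
    "mode": re.compile(r"parsed (\w+) request"),
    "ike_config": re.compile(r"found matching ike config: (\S+) with prio"),
    "peer_id": re.compile(r"peer configs matching \S+?\[(.+)\]$"),
    "notify": re.compile(r"\[ N\((\w+)\) \]"),
}
CANDIDATE = re.compile(r'candidate "([^"]+)", match: \d+/\d+/\d+')

def summarize(log_text):
    """Group entries by IKE_SA number and keep the fields that show how the peer config was chosen."""
    sas = {}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        sa = sas.setdefault(int(m["sa"]), {"candidates": []})
        msg = m["msg"]
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                sa[key] = hit.group(1)
        cand = CANDIDATE.search(msg)
        if cand:
            sa["candidates"].append(cand.group(1))
        if "none allows pre-shared key authentication" in msg:
            sa["psk_rejected"] = True
    return sas

def looks_like_opaque_id(peer_id):
    """True when the logged ID is only colon-separated hex bytes, not a readable address or name."""
    return re.fullmatch(r"(?:[0-9a-f]{2}:)+[0-9a-f]{2}", peer_id) is not None

if __name__ == "__main__":
    for sa_id, info in summarize(SAMPLE_LOG).items():
        print(sa_id, info, looks_like_opaque_id(info.get("peer_id", "")))
```

On this log it reports that the IKE config for kai-annex.aa0.netvolante.jp matched, but the only peer-config candidate listed for the PSK lookup is "bypasslan", and the peer ID used in that lookup is logged as 16 raw bytes rather than an address or hostname.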