found 1 matching config, but none allows pre-shared key authentication using Main Mode



Howdy all. I have beat my head against the wall on this all weekend and I cannot figure out what the issue is. I've got a libreswan instance in my AWS account set up pretty straightforwardly. I'm taking this one issue at a time and all I want to do is get past the phase 1 negotiation. My pfSense config comes out looking like this:

    config setup
    	uniqueids = yes
    
    conn bypasslan
    	leftsubnet = 192.168.8.0/24
    	rightsubnet = 192.168.8.0/24
    	authby = never
    	type = passthrough
    	auto = route
    
    conn con1000
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = no
    
    	rekey = yes
    
    
    	dpdaction = restart
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = route
    	left = 73.109.32.142
    	right = 34.209.168.28
    	leftid = fqdn:whootis.hopto.org
    	ikelifetime = 28800s
    	ike = aes128-sha256-modp2048!
    	leftauth = psk
    	rightauth = psk
    	rightid = 34.209.168.28
    

    But when the session starts up, the system logs clearly show this error:

    Sep 4 08:56:09	charon		02[IKE] <6969> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Sep 4 08:56:09	charon		02[CFG] <6969> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Sep 4 08:56:09	charon		02[CFG] <6969> looking for pre-shared key peer configs matching 73.109.32.142...34.209.168.28[10.2.0.11]
    

    The config file clearly has "rightauth" and "leftauth" set to psk and the psk has the correct secret in it. I would love to tweak the config file on the firewall but I don't know how to do that without having it get overwritten.

    Any thoughts?


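The posted conn blocks and the three charon lines can be cross-checked mechanically. The script below is an added example (not the poster's, pfSense's or strongSwan's code): it parses ipsec.conf-style `conn` blocks, infers the IKE major version of the rejected request from charon's wording (Main Mode and Aggressive Mode are IKEv1 phase 1 exchanges, IKE_SA_INIT is IKEv2), and reports per conn whether it would answer that version and whether it allows PSK. The sample input is a trimmed copy of the config and log from the post; the function names and the `keyexchange` default mapping (`ike` accepting both versions as responder) are this example's own assumptions.

```python
"""Cross-check a strongSwan ipsec.conf snippet against charon's
"found N matching config, but none allows pre-shared key authentication
using Main Mode" log line.

Added example, not code from the forum post, pfSense or strongSwan.
"""
import re

# Sample input (constructed): the two conn blocks from the post, trimmed to
# the keys this check looks at.
SAMPLE_CONF = """\
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 192.168.8.0/24
    rightsubnet = 192.168.8.0/24
    authby = never
    type = passthrough
    auto = route

conn con1000
    keyexchange = ikev2
    left = 73.109.32.142
    right = 34.209.168.28
    leftauth = psk
    rightauth = psk
    rightid = 34.209.168.28
"""

# Sample input (constructed): the three charon lines quoted in the post.
SAMPLE_LOG = [
    "Sep 4 08:56:09\tcharon\t\t02[IKE] <6969> found 1 matching config, but none allows pre-shared key authentication using Main Mode",
    'Sep 4 08:56:09\tcharon\t\t02[CFG] <6969> candidate "bypasslan", match: 1/1/24 (me/other/ike)',
    "Sep 4 08:56:09\tcharon\t\t02[CFG] <6969> looking for pre-shared key peer configs matching 73.109.32.142...34.209.168.28[10.2.0.11]",
]

# Assumed mapping of the 'keyexchange' setting to the IKE major versions a
# conn answers as responder ('ike', the default, accepts both).
KEYEXCHANGE_ACCEPTS = {"ike": {1, 2}, "ikev1": {1}, "ikev2": {2}}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' block in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None  # 'config setup' is not a conn
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key.lower()] = value
    return conns


def peer_ike_version(log_lines):
    """Infer the IKE major version of the rejected request from charon's wording."""
    for line in log_lines:
        if re.search(r"using (Main|Aggressive) Mode", line):
            return 1  # IKEv1 phase 1 exchange names
        if "IKE_SA_INIT" in line:
            return 2
    return None


def logged_candidates(log_lines):
    """Conn names charon listed as 'candidate "<name>"' during its search."""
    names = []
    for line in log_lines:
        m = re.search(r'candidate "([^"]+)"', line)
        if m:
            names.append(m.group(1))
    return names


def allows_psk(conn):
    """True if the conn permits PSK on both sides (authby or leftauth/rightauth)."""
    if conn.get("authby") in ("secret", "psk"):
        return True
    return conn.get("leftauth") == "psk" and conn.get("rightauth") == "psk"


def accepts_version(conn, version):
    """True if the conn's keyexchange setting answers the given IKE version."""
    return version in KEYEXCHANGE_ACCEPTS.get(conn.get("keyexchange", "ike"), set())


def diagnose(conf_text, log_lines):
    """Per conn, say whether it answers the peer's IKE version and allows PSK."""
    conns = parse_ipsec_conf(conf_text)
    version = peer_ike_version(log_lines)
    details = {name: {"accepts_peer_ike_version": accepts_version(conn, version),
                      "allows_psk": allows_psk(conn)}
               for name, conn in conns.items()}
    usable = [n for n, d in details.items()
              if d["accepts_peer_ike_version"] and d["allows_psk"]]
    return {"peer_ike_version": version,
            "candidates_in_log": logged_candidates(log_lines),
            "usable_conns": usable,
            "details": details}


if __name__ == "__main__":
    result = diagnose(SAMPLE_CONF, SAMPLE_LOG)
    print(f"peer spoke IKEv{result['peer_ike_version']}; charon considered {result['candidates_in_log']}")
    for name, d in result["details"].items():
        print(f"  {name}: answers that IKE version={d['accepts_peer_ike_version']}, PSK allowed={d['allows_psk']}")
    print("conns that satisfy both:", result["usable_conns"] or "none")
```

Run against the posted input, the report shows why charon found exactly one candidate and still rejected the request: `bypasslan` answers an IKEv1 Main Mode request but has `authby = never`, while `con1000`, the only conn that allows PSK, is restricted to IKEv2 by `keyexchange = ikev2` and so is never a candidate for a Main Mode exchange. The same check applied to a later config revision tells you whether the two sides now agree on an IKE version before you start looking at the secret itself.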