Netgate Discussion Forum

found 1 matching config, but none allows pre-shared key authentication using Main Mode

    Gorf (last edited Sep 4, 2019, 3:59 PM)

    Howdy all. I have beat my head against the wall on this all weekend and I cannot figure out what the issue is. I've got a libreswan instance in my AWS account set up pretty straightforwardly. I'm taking this one issue at a time, and all I want to do is get past the phase 1 negotiation. My pfSense config comes out looking like this:

    config setup
    	uniqueids = yes
    
    conn bypasslan
    	leftsubnet = 192.168.8.0/24
    	rightsubnet = 192.168.8.0/24
    	authby = never
    	type = passthrough
    	auto = route
    
    conn con1000
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = no
    	rekey = yes
    	dpdaction = restart
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = route
    	left = 73.109.32.142
    	right = 34.209.168.28
    	leftid = fqdn:whootis.hopto.org
    	ikelifetime = 28800s
    	ike = aes128-sha256-modp2048!
    	leftauth = psk
    	rightauth = psk
    	rightid = 34.209.168.28

    But when the session starts up, the system logs clearly show this error:

    Sep 4 08:56:09	charon		02[IKE] <6969> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Sep 4 08:56:09	charon		02[CFG] <6969> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Sep 4 08:56:09	charon		02[CFG] <6969> looking for pre-shared key peer configs matching 73.109.32.142...34.209.168.28[10.2.0.11]
    

    The config file clearly has "rightauth" and "leftauth" set to psk and the psk has the correct secret in it. I would love to tweak the config file on the firewall but I don't know how to do that without having it get overwritten.

    Any thoughts?
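A cross-check a practitioner can run before touching the generated file: parse the conn stanza and the charon `looking for pre-shared key peer configs matching me...other[id]` line together and list every parameter that prevents the stanza from matching the peer. This is an added example, not pfSense or strongSwan code; the sample config and log lines are copied from the post above, the ipsec.conf parser only understands indented `key = value` lines under `conn`/`config` headers, and the log patterns are the exact strings charon printed here ("Main Mode" and "Aggressive Mode" are IKEv1 exchange names, so seeing one in this message means the peer spoke IKEv1). On the post's own lines the script reports two discrepancies: the identity in brackets (`10.2.0.11`) is not the configured `rightid`, and the peer used Main Mode while the stanza is `keyexchange = ikev2`.

```python
"""Cross-check a strongSwan conn stanza against charon's PSK peer-config lookup.
Added example; not code from pfSense, strongSwan or the forum poster."""
import re

# Constructed sample: the con1000 stanza and the three charon lines from the post.
SAMPLE_CONF = """\
config setup
\tuniqueids = yes

conn con1000
\tkeyexchange = ikev2
\tleft = 73.109.32.142
\tright = 34.209.168.28
\tleftid = fqdn:whootis.hopto.org
\tleftauth = psk
\trightauth = psk
\trightid = 34.209.168.28
"""

SAMPLE_LOG = [
    "Sep 4 08:56:09\tcharon\t\t02[IKE] <6969> found 1 matching config, but none allows "
    "pre-shared key authentication using Main Mode",
    "Sep 4 08:56:09\tcharon\t\t02[CFG] <6969> candidate \"bypasslan\", match: 1/1/24 (me/other/ike)",
    "Sep 4 08:56:09\tcharon\t\t02[CFG] <6969> looking for pre-shared key peer configs matching "
    "73.109.32.142...34.209.168.28[10.2.0.11]",
]

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")
# me...other[other_id]: the peer's address and the identity it presented.
LOOKUP_RE = re.compile(
    r"looking for pre-shared key peer configs matching "
    r"(?P<me>\S+?)\.\.\.(?P<other>\S+?)\[(?P<other_id>[^\]]+)\]"
)
# charon names the IKEv1 exchange in this message; an IKEv2 peer never shows these.
IKEV1_MODE_RE = re.compile(r"none allows .* authentication using (Main Mode|Aggressive Mode)")


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for an ipsec.conf-style text (indented params only)."""
    sections, current = {}, None
    for raw in text.splitlines():
        header = SECTION_RE.match(raw)
        if header:
            current = sections.setdefault(header.group(2), {})
            continue
        kv = KV_RE.match(raw)
        if kv and current is not None and raw[:1] in (" ", "\t"):
            current[kv.group(1)] = kv.group(2)
    return sections


def strip_id_type(value):
    """Drop an explicit identity type prefix such as 'fqdn:' or 'ipv4:'."""
    return re.sub(r"^(fqdn|ipv4|ipv6|email|dn|keyid|asn1dn):", "", value)


def parse_lookups(lines):
    """Collect every peer-config lookup and note whether charon reported an IKEv1 exchange."""
    result = {"lookups": [], "ikev1_mode": None}
    for line in lines:
        lookup = LOOKUP_RE.search(line)
        if lookup:
            result["lookups"].append(lookup.groupdict())
        mode = IKEV1_MODE_RE.search(line)
        if mode:
            result["ikev1_mode"] = mode.group(1)
    return result


def check_conn(conn, lookup, ikev1_mode=None):
    """Return human-readable reasons why `conn` cannot satisfy this lookup (empty = no mismatch)."""
    findings = []
    for side in ("leftauth", "rightauth"):
        if conn.get(side, "").lower() != "psk":
            findings.append(f"{side} is {conn.get(side, 'unset')!r}, not psk")
    if conn.get("right") not in (lookup["other"], "%any"):
        findings.append(f"right={conn.get('right')} but the peer address is {lookup['other']}")
    expected_id = strip_id_type(conn.get("rightid", conn.get("right", "")))
    if expected_id not in (lookup["other_id"], "%any"):
        findings.append(f"peer presents identity {lookup['other_id']} but rightid expects {expected_id}")
    if ikev1_mode and conn.get("keyexchange", "ike").lower() == "ikev2":
        findings.append(f"peer negotiated IKEv1 {ikev1_mode} but keyexchange={conn['keyexchange']}")
    return findings


def diagnose(conf_text, log_lines, conn_name):
    """Run every lookup in the log against one named conn and return all findings."""
    conns = parse_ipsec_conf(conf_text)
    parsed = parse_lookups(log_lines)
    findings = []
    for lookup in parsed["lookups"]:
        findings.extend(check_conn(conns[conn_name], lookup, parsed["ikev1_mode"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG, "con1000"):
        print("-", finding)
```

The same check works on any pfSense-generated `ipsec.conf` and a pasted block of `charon` log lines; an empty result means the address, identity, authentication method and IKE version in the stanza all agree with what the peer actually sent, and the search for the failure moves on to the secret itself.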

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.