Mobile IPSec: no peer config found



  • 
    Sep 23 22:05:31	charon: 14[IKE] <3> no peer config found
    Sep 23 22:05:31	charon: 14[CFG] looking for XAuthInitPSK peer configs matching 1.1.1.1...2.2.2.2[172.20.10.7]
    
    

    The mobile IPsec client was working in an old Alpha snap I was running; after upgrading to the latest beta snapshot the client would connect but it would fail to pass any traffic. I removed all of the existing configuration and rebuilt it, and now it won't connect. The main difference appears to be the lack of a "peer identifier" in the Phase 1.

    PSKs currently exist for: any, allusers, myemailaddress

    I've tried that email address in the group setting (OSX client) and blank in the group setting.

    I've tried the Group Authentication under mobile client as none and system.

    I've tried using different My Identifiers: IP, Distinguished Name, User Distinguished Name

    Running this snapshot: 2.2-BETA (amd64) built on Tue Sep 23 13:29:41 CDT 2014



  • Can you share /var/etc/ipsec/ipsec.conf sanitized and your ipsec section from config.xml?



  • # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
            charondebug=""
    
    conn con1
            aggressive = yes
            fragmentation = yes
            keyexchange = ikev1
            reauth = no
            rekey = no
            reqid = 1
            installpolicy = yes
            type = tunnel
            dpdaction = clear
            dpddelay = 10s
            dpdtimeout = 60s
            auto = add
            left = #.#.#.#
            right = %any
            leftid = #.#.#.#
            ikelifetime = 86400s
            lifetime = 28800s
            rightsourceip = 172.22.24.0/24
            rightsubnet = 172.22.24.0/24
            leftsubnet = 172.22.22.0/24
            ike = 3des-sha1-modp1024!
            esp = aes256-sha1,aes192-sha1,aes128-sha1!
            leftauth = psk
            rightauth = psk
    
    

    I noticed that the peer ID info is in the config, but there isn't anywhere to set it in the GUI.

    <ipsec>
      <preferoldsa></preferoldsa>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>none</group_source>
        <pool_address>172.22.24.0</pool_address>
        <pool_netbits>24</pool_netbits>
        <net_list></net_list>
        <dns_server1>pfsenselanip</dns_server1>
        <dns_server2>8.8.8.8</dns_server2>
      </client>
      <enable></enable>
      <mobilekey>
        <ident>any</ident>
        <pre-shared-key>presharedkey</pre-shared-key>
      </mobilekey>
      <mobilekey>
        <ident>allusers</ident>
        <pre-shared-key>presharedkey</pre-shared-key>
      </mobilekey>
      <mobilekey>
        <ident>my@mailaddress.com</ident>
        <pre-shared-key>presharedkey</pre-shared-key>
      </mobilekey>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev1</iketype>
        <interface>wan</interface>
        <mobile></mobile>
        <mode>aggressive</mode>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data></myid_data>
        <peerid_type>fqdn</peerid_type>
        <peerid_data></peerid_data>
        <encryption-algorithm>
          <name>3des</name>
        </encryption-algorithm>
        <hash-algorithm>sha1</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>86400</lifetime>
        <pre-shared-key></pre-shared-key>
        <private-key></private-key>
        <certref></certref>
        <caref></caref>
        <authentication_method>pre_shared_key</authentication_method>
        <nat_traversal>on</nat_traversal>
        <reauth_enable></reauth_enable>
        <rekey_enable></rekey_enable>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>54224312bae13</uniqid>
        <mode>tunnel</mode>
        <localid>
          <type>lan</type>
        </localid>
        <remoteid>
          <type>mobile</type>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>auto</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
      </phase2>
    </ipsec>
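The two charon lines quoted in the first post can be cross-checked mechanically against the generated conn. What follows is an added example and not code from this thread, from pfSense or from strongSwan: it pulls the requested authentication method and the client's identity out of charon's "looking for ... peer configs matching" line and checks whether any conn in an ipsec.conf text offers an authentication round that could match it. The REQUIRED table, which maps charon's method names to ipsec.conf settings (XAuthInitPSK needing rightauth = psk plus an XAuth round declared with rightauth2 = xauth*), is my reading of strongSwan's ipsec.conf semantics and should be treated as an assumption; the log and conf samples are constructed copies of the ones posted above, with the redacted addresses filled in using the 1.1.1.1 / 2.2.2.2 placeholders the log already shows.

```python
"""Cross-check a strongSwan conn against the IKEv1 auth method a client asks for.

Added example for this thread, not pfSense or strongSwan code. It reads the
"looking for <METHOD> peer configs matching ..." line that charon logs just
before "no peer config found" and reports whether any conn in an ipsec.conf
text offers an authentication round for that METHOD.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two charon lines from the first post (newest first).
SAMPLE_LOG = """\
Sep 23 22:05:31	charon: 14[IKE] <3> no peer config found
Sep 23 22:05:31	charon: 14[CFG] looking for XAuthInitPSK peer configs matching 1.1.1.1...2.2.2.2[172.20.10.7]
"""

# Constructed sample: the generated ipsec.conf from the third post, trimmed,
# with the redacted #.#.#.# address replaced by the log's 1.1.1.1 placeholder.
SAMPLE_CONF = """\
config setup
        uniqueids = yes

conn con1
        aggressive = yes
        keyexchange = ikev1
        left = 1.1.1.1
        right = %any
        leftid = 1.1.1.1
        leftauth = psk
        rightauth = psk
"""

# Assumption: charon's method name -> (rightauth the conn must set, whether an
# XAuth round via "rightauth2 = xauth..." must also be present). This is my
# reading of strongSwan's ipsec.conf semantics, not something the thread states.
REQUIRED: Dict[str, Tuple[str, bool]] = {
    "PSK": ("psk", False),
    "RSA": ("pubkey", False),
    "XAuthInitPSK": ("psk", True),
    "XAuthInitRSA": ("pubkey", True),
}

# "looking for XAuthInitPSK peer configs matching 1.1.1.1...2.2.2.2[172.20.10.7]"
LOOKUP_RE = re.compile(
    r"looking for (?P<method>\S+) peer configs matching "
    r"(?P<local>\S+?)\.\.\.(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]*)\]"
)


def parse_lookup(log: str) -> Optional[Dict[str, str]]:
    """Return method/local/remote/remote_id from the first matching log line."""
    for line in log.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            return m.groupdict()
    return None


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # "conn con1" / "config setup"
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def matching_conns(conf: Dict[str, Dict[str, str]], lookup: Dict[str, str]) -> List[str]:
    """Names of IKEv1 conns whose auth rounds could serve the requested method.

    Assumes the conf is the responder's, so the client is the "right" side.
    """
    if lookup["method"] not in REQUIRED:
        return []
    want_auth, want_xauth = REQUIRED[lookup["method"]]
    hits = []
    for name, c in conf.items():
        if c.get("keyexchange", "ike") not in ("ikev1", "ike"):
            continue
        has_xauth = c.get("rightauth2", "").startswith("xauth")
        if c.get("rightauth", "") == want_auth and has_xauth == want_xauth:
            hits.append(name)
    return hits


def diagnose(log: str, conf_text: str) -> str:
    """One-line verdict for a log excerpt and an ipsec.conf text."""
    lookup = parse_lookup(log)
    if lookup is None:
        return "no 'looking for ... peer configs' line in log"
    if lookup["method"] not in REQUIRED:
        return f"unknown IKEv1 auth method {lookup['method']!r} in log"
    hits = matching_conns(parse_ipsec_conf(conf_text), lookup)
    if hits:
        return f"{lookup['method']} from {lookup['remote_id']} can be served by: {', '.join(hits)}"
    want_auth, want_xauth = REQUIRED[lookup["method"]]
    need = f"rightauth = {want_auth}" + (" and rightauth2 = xauth" if want_xauth else "")
    return f"no conn offers {need} for client {lookup['remote_id']} ({lookup['method']})"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONF))
```

Run against the posted samples it reports that con1 has rightauth = psk but no XAuth round, while the OS X client is proposing XAuthInitPSK; whether that is what the 2.2-BETA snapshot got wrong is for the thread to confirm, the script only makes the mismatch between what the client asked for and what the conn declares visible without reading charon's source.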