Mobile IPSec: no peer config found
-
Sep 23 22:05:31 charon: 14[IKE] <3> no peer config found
Sep 23 22:05:31 charon: 14[CFG] looking for XAuthInitPSK peer configs matching 1.1.1.1...2.2.2.2[172.20.10.7]
The mobile IPsec client was working in an old Alpha snap I was running; after upgrading to the latest beta snapshot, the client would connect but would fail to pass any traffic. I removed all of the existing configuration and rebuilt it, and now it won't connect. The main difference appears to be the lack of a "peer identifier" in the Phase 1.
PSKs currently exist for: any, allusers, myemailaddress
I've tried that email address in the group setting (OSX client) and leaving the group setting blank.
I've tried the Group Authentication under mobile client as none and system.
I've tried using different My Identifiers: IP, Distinguished Name, User Distinguished Name
Running this snapshot: 2.2-BETA (amd64) built on Tue Sep 23 13:29:41 CDT 2014
-
Can you share /var/etc/ipsec/ipsec.conf sanitized and your ipsec section from config.xml?
-
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug=""

conn con1
    aggressive = yes
    fragmentation = yes
    keyexchange = ikev1
    reauth = no
    rekey = no
    reqid = 1
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = #.#.#.#
    right = %any
    leftid = #.#.#.#
    ikelifetime = 86400s
    lifetime = 28800s
    rightsourceip = 172.22.24.0/24
    rightsubnet = 172.22.24.0/24
    leftsubnet = 172.22.22.0/24
    ike = 3des-sha1-modp1024!
    esp = aes256-sha1,aes192-sha1,aes128-sha1!
    leftauth = psk
    rightauth = psk
I noticed that the peer ID info is in the config, but there isn't anywhere to set it in the GUI.
<ipsec>
  <preferoldsa></preferoldsa>
  <client>
    <enable></enable>
    <user_source>Local Database</user_source>
    <group_source>none</group_source>
    <pool_address>172.22.24.0</pool_address>
    <pool_netbits>24</pool_netbits>
    <net_list></net_list>
    <dns_server1>pfsenselanip</dns_server1>
    <dns_server2>8.8.8.8</dns_server2>
  </client>
  <enable></enable>
  <mobilekey>
    <ident>any</ident>
    <pre-shared-key>presharedkey</pre-shared-key>
  </mobilekey>
  <mobilekey>
    <ident>allusers</ident>
    <pre-shared-key>presharedkey</pre-shared-key>
  </mobilekey>
  <mobilekey>
    <ident>my@mailaddress.com</ident>
    <pre-shared-key>presharedkey</pre-shared-key>
  </mobilekey>
  <phase1>
    <ikeid>1</ikeid>
    <iketype>ikev1</iketype>
    <interface>wan</interface>
    <mobile></mobile>
    <mode>aggressive</mode>
    <protocol>inet</protocol>
    <myid_type>myaddress</myid_type>
    <myid_data></myid_data>
    <peerid_type>fqdn</peerid_type>
    <peerid_data></peerid_data>
    <encryption-algorithm>
      <name>3des</name>
    </encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>86400</lifetime>
    <pre-shared-key></pre-shared-key>
    <private-key></private-key>
    <certref></certref>
    <caref></caref>
    <authentication_method>pre_shared_key</authentication_method>
    <nat_traversal>on</nat_traversal>
    <reauth_enable></reauth_enable>
    <rekey_enable></rekey_enable>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>5</dpd_maxfail>
  </phase1>
  <phase2>
    <ikeid>1</ikeid>
    <uniqid>54224312bae13</uniqid>
    <mode>tunnel</mode>
    <localid>
      <type>lan</type>
    </localid>
    <remoteid>
      <type>mobile</type>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
      <name>aes</name>
      <keylen>auto</keylen>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>28800</lifetime>
  </phase2>
</ipsec>
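As an added troubleshooting helper (not from this thread, pfSense or strongSwan), the script below parses a conn block and charon's "looking for ... peer configs matching" line and lists which matching criteria the conn fails; the matching rules are the simplified ones stated in the comments, the IKEv1 method-to-auth-rounds table is an assumption about how charon names methods, and the sample conn and log line are constructed with made-up addresses.

```python
import re
# Constructed sample conn modelled on the thread's ipsec.conf; addresses are made up.
SAMPLE_CONN = """conn con1
  aggressive = yes
  keyexchange = ikev1
  left = 1.1.1.1
  right = %any
  leftid = 1.1.1.1
  leftauth = psk
  rightauth = psk
"""
# Constructed charon line in the thread's format: <me>...<other>[<other id>]
SAMPLE_LOG = "charon: 14[CFG] looking for XAuthInitPSK peer configs matching 1.1.1.1...2.2.2.2[172.20.10.7]"

# Assumed: IKEv1 auth method as charon names it -> auth rounds the remote peer performs
REMOTE_ROUNDS = {"PSK": ["psk"], "RSA": ["pubkey"],
                 "XAuthInitPSK": ["psk", "xauth"], "XAuthInitRSA": ["pubkey", "xauth"]}

def parse_conn(text):
    # Read one ipsec.conf conn block into a dict of key -> value (the "conn" line has no "=")
    conn = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn

def parse_lookup(line):
    # Pull method, local address, remote address and remote ID out of the CFG line
    m = re.search(r"looking for (\S+) peer configs matching (\S+)\.\.\.(\S+)\[([^\]]*)\]", line)
    if not m:
        raise ValueError("not a peer config lookup line")
    return {"method": m.group(1), "me": m.group(2), "other": m.group(3), "other_id": m.group(4)}

def match_problems(conn, lookup):
    # Simplified rules: addresses and IDs must match exactly or be wildcards; no ID type prefixes
    problems = []
    if conn.get("keyexchange", "ike") not in ("ike", "ikev1"):
        problems.append("keyexchange is not ikev1")
    if conn.get("left", "%any") not in ("%any", "%defaultroute", lookup["me"]):
        problems.append("left does not cover local address " + lookup["me"])
    if conn.get("right", "%any") not in ("%any", lookup["other"]):
        problems.append("right does not cover remote address " + lookup["other"])
    if conn.get("rightid", "%any") not in ("%any", lookup["other_id"]):
        problems.append("rightid does not match remote ID " + lookup["other_id"])
    want = REMOTE_ROUNDS.get(lookup["method"])
    have = [conn[k] for k in ("rightauth", "rightauth2") if k in conn] or ["pubkey"]  # pubkey: default
    if want is None:
        problems.append("unknown auth method " + lookup["method"])
    elif have != want:
        problems.append("remote auth %s does not give %s (needs %s)" % ("+".join(have), lookup["method"], "+".join(want)))
    return problems
```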