[strongSwan] Upgrade client to 5.6.3, get AUTH_FAILED
Hoggins!
2018-07-14 09:39:05 UTC
Hello,

I bumped into a strange problem and I was wondering if you could help me:

Sun is my StrongSWAN "server" (concentrator), and has been running
StrongSWAN 5.6.3 for a few days, no problem.
Its "clients" have various StrongSWAN versions, including Moon which was
running StrongSWAN 5.6.1. No problem.

Then I upgraded Moon to StrongSWAN 5.6.3 and Moon cannot authenticate
anymore to Sun. Sun complains about a MAC mismatch:

Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[CFG] selected peer config 'net-net'
Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[IKE] tried 12 shared keys for '1.2.3.4' - 'netnetYomama', but MAC mismatched
Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[IKE] peer supports MOBIKE
Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Neither secrets nor config have changed on either peer, and both are
readable and listed, but the newly upgraded Moon cannot authenticate
properly and gets rejected.

Any idea?

    Thank you!

        Hoggins!
Hoggins!
2018-07-14 12:30:08 UTC
Reverting back to 5.6.1 with a simple "make install" and "ipsec restart"
does the trick, and authentication performs successfully.

Both my 5.6.1 and 5.6.3 compilations are made with the same configure
options (i.e. none), and make install puts libraries and binaries under
the /usr/local/ prefix, so both of them will look for the same
ipsec.conf and ipsec.secrets config files.

Little lost here.
Tobias Brunner
2018-07-16 09:06:13 UTC
Hi,

How do you configure strongSwan on client and server, in particular the
secrets (ipsec.secrets/swanctl.conf/vici/SQL/...)?

Post by Hoggins!
> Then I upgraded Moon to StrongSWAN 5.6.3 and Moon cannot authenticate
> Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[CFG] selected peer config 'net-net'
> Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[IKE] tried 12 shared keys for '1.2.3.4' - 'netnetYomama', but MAC mismatched
> Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[IKE] peer supports MOBIKE
> Jul 13 20:26:15 webfront-2 strongswan[1363]: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Neither secrets nor config have changed on both peers, and are both
> readable and listed, but the newly upgraded Moon cannot authenticate
> properly and gets rejected.

Sounds weird. Adding your config and more of the log might help (use
the log settings at [1]).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests