hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

authentication failed: peer attempted PSK authentication but we want rsasig #435

Closed ThirtySix361 closed 2 months ago

ThirtySix361 commented 2 months ago

I have been trying to troubleshoot my error for 2 hours now.

I found the way to enable libreswan logging and then was able to find out why the authentication fails: authentication failed: peer attempted PSK authentication but we want rsasig

I just want to connect with my native Android client from S24 which uses: "IKEv2/IPSEC PSK"

But I cannot get it to work.

Is this even possible with this container?

//edit: I also tried this:

If you still want to connect using IPsec/L2TP mode, you must first edit /etc/ipsec.conf on the VPN server. Find the line ike=... and append ,aes256-sha2;modp1024,aes128-sha1;modp1024 at the end. Save the file and run service ipsec restart.

But it was not successful :(

Additional logs:

fd05206056cb:/opt/src# tail -f -n 0 /var/log/auth.log
2024-06-20T19:47:09.053005+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2024-06-20T19:47:09.053059+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting DH19
2024-06-20T19:47:09.053103+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: responding to IKE_SA_INIT message (ID 0) from <my ip>:40031 with unencrypted notification INVALID_KE_PAYLOAD
2024-06-20T19:47:09.053136+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: encountered fatal error in state STATE_V2_PARENT_R0
2024-06-20T19:47:09.053288+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: deleting IKE SA (processing IKE_SA_INIT request)
2024-06-20T19:47:09.053368+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip>: deleting connection instance with peer <my ip>
2024-06-20T19:47:09.062256+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[better-match]
2024-06-20T19:47:09.065522+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: processed IKE_SA_INIT request from <my ip>:UDP/40031 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-06-20T19:47:09.078085+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CP,SA,TSi,TSr,N(MOBIKE_SUPPORTED),N(ADDITIONAL_IP6_ADDRESS),N(EAP_ONLY_AUTHENTICATION),N(IKEV2_MESSAGE_ID_SYNC_SUPPORTED)}
2024-06-20T19:47:09.078213+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: authentication failed: peer attempted PSK authentication but we want rsasig
2024-06-20T19:47:09.078262+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: responding to IKE_AUTH message (ID 1) from <my ip>:60660 with encrypted notification AUTHENTICATION_FAILED
2024-06-20T19:47:09.078311+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: encountered fatal error in state STATE_V2_PARENT_R1
2024-06-20T19:47:09.078456+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: deleting IKE SA (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response)
2024-06-20T19:47:09.078543+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip>: deleting connection instance with peer <my ip>

hwdsl2 commented 2 months ago

@ThirtySix361 Hello! Your use case, which is connecting using IKEv2/IPsec PSK mode, is not currently supported in this project. This project only supports IKEv2 with certificate-based authentication, not IKEv2 with PSK.

Please see Configure IKEv2 VPN clients for more details on how to configure your Android device(s) to connect to the VPN.

For IPsec/L2TP mode, add VPN_ENABLE_MODP1024=yes to your env file, then re-create the Docker container (reference). This is less secure and therefore not recommended.
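Added example, not part of this issue or of the project's code: a small Python triage helper for the two libreswan pluto messages that appear in the log above, the recoverable INVALID_KE_PAYLOAD DH-group retry and the fatal "peer attempted PSK authentication but we want rsasig" mismatch that the maintainer explains. The sample lines are constructed from the quoted log with a placeholder hostname and peer address, and the names `triage_pluto_log` and `IkeFinding` are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the pluto lines quoted in the issue.
# Hostname and peer address are placeholders, not real values.
SAMPLE_LOG = """\
2024-06-20T19:47:09.053059+00:00 vpnhost pluto[601]: "ikev2-cp"[3] 203.0.113.5 #3: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting DH19
2024-06-20T19:47:09.065522+00:00 vpnhost pluto[601]: "ikev2-cp"[4] 203.0.113.5 #4: processed IKE_SA_INIT request from 203.0.113.5:UDP/40031 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-06-20T19:47:09.078213+00:00 vpnhost pluto[601]: "ikev2-cp"[4] 203.0.113.5 #4: authentication failed: peer attempted PSK authentication but we want rsasig
2024-06-20T19:47:09.078262+00:00 vpnhost pluto[601]: "ikev2-cp"[4] 203.0.113.5 #4: responding to IKE_AUTH message (ID 1) from 203.0.113.5:60660 with encrypted notification AUTHENTICATION_FAILED
"""

# Per-connection pluto line: timestamp, host, "conn"[instance] peer #sa: message
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
KE_RE = re.compile(r"guessed wrong keying material group \((?P<sent>\w+)\).*requesting (?P<want>\w+)")
AUTH_RE = re.compile(r"peer attempted (?P<peer>\w+) authentication but we want (?P<want>\w+)")


@dataclass
class IkeFinding:
    peer: str
    conn: str
    sa: str
    kind: str    # "dh_group_mismatch" or "auth_method_mismatch"
    detail: str


def triage_pluto_log(text: str) -> list[IkeFinding]:
    """Return one finding per DH-group retry or auth-method mismatch in pluto log text."""
    findings = []
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # not a per-connection pluto line
        msg = m["msg"]
        if ke := KE_RE.search(msg):
            # INVALID_KE_PAYLOAD is a normal retry: the client re-sends with the requested group.
            findings.append(IkeFinding(m["peer"], m["conn"], m["sa"], "dh_group_mismatch",
                f"client proposed {ke['sent']}, server requested {ke['want']} (retry expected, not fatal)"))
        elif au := AUTH_RE.search(msg):
            # This one is fatal: the client profile's auth method does not match the server's.
            findings.append(IkeFinding(m["peer"], m["conn"], m["sa"], "auth_method_mismatch",
                f"client used {au['peer']}, server requires {au['want']} (fatal: fix the client profile)"))
    return findings


if __name__ == "__main__":
    for f in triage_pluto_log(SAMPLE_LOG):
        print(f"{f.peer} {f.conn} #{f.sa}: {f.kind}: {f.detail}")
```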