networking
auth_error
ai_generated: true
IPsec: IKE SA authentication failed with peer 203.0.113.5, pre-shared key mismatch
ID: networking/ipsec-ike-sa-authentication-failure
Fix Rate: 92%
Confidence: 88%
Evidence: 1
First Seen: 2023-09-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| strongSwan 5.9.8 | active | — | — | — |
| Libreswan 4.12 | active | — | — | — |
| Linux kernel 6.2 (XFRM) | active | — | — | — |
Root Cause
The Internet Key Exchange (IKE) security association could not be established because the pre-shared key (PSK) configured on the local device does not match the PSK on the remote peer, causing authentication failure during Phase 1 negotiation.
Official Documentation
https://docs.strongswan.org/docs/5.9/config/ipsecSecrets.html
Workarounds
- 95% success: cat /etc/ipsec.secrets | grep 203.0.113.5
- 85% success: In ipsec.conf, change 'authby=secret' to 'authby=rsasig' and configure certificates.
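The grep above prints the PSK in clear text to the terminal. As an added example (not part of the original entry or of strongSwan/Libreswan), the helper below prints a short SHA-256 fingerprint of the peer's PSK instead, so both ends can compare values without exchanging the secret. The function name and sample files are constructed; it assumes IPv4 or FQDN selectors and a quoted secret in the form `<id> <id> : PSK "secret"`.

```shell
#!/bin/sh
# psk_fingerprint FILE PEER  (hypothetical helper, added for illustration)
# Prints the first 16 hex digits of SHA-256 over the PSK on the first
# non-comment line of FILE that lists PEER as a selector before the ":".
# Returns 1 if no such line exists.
# Treat the fingerprint as sensitive: a low-entropy PSK can be guessed from it.
psk_fingerprint() {
    pf_psk=$(awk -v peer="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            hit = 0
            for (i = 1; i <= NF && $i != ":"; i++)
                if ($i == peer) hit = 1          # exact selector match only
            if (!hit || !match($0, /PSK[ \t]+"[^"]*"/)) next
            s = substr($0, RSTART, RLENGTH)
            sub(/^PSK[ \t]+"/, "", s)            # strip keyword and opening quote
            sub(/"$/, "", s)                     # strip closing quote
            printf "%s", s
            found = 1
            exit
        }
        END { exit !found }
    ' "$1") || return 1
    # Hash the exact bytes between the quotes; whitespace inside them counts.
    printf '%s' "$pf_psk" | sha256sum | cut -c1-16
}

# Constructed sample: the "remote" copy carries a trailing space inside the
# quotes, which looks identical at a glance but is a different key.
pf_local=$(mktemp)
pf_remote=$(mktemp)
printf '%s\n' '# constructed sample' \
    '198.51.100.1 203.0.113.5 : PSK "Example-Key-1"' > "$pf_local"
printf '%s\n' '# constructed sample' \
    '203.0.113.5 198.51.100.1 : PSK "Example-Key-1 "' > "$pf_remote"
echo "local : $(psk_fingerprint "$pf_local" 203.0.113.5)"
echo "remote: $(psk_fingerprint "$pf_remote" 198.51.100.1)"
rm -f "$pf_local" "$pf_remote"
```

Run the function on each gateway against its own secrets file and compare the two outputs; differing fingerprints confirm the mismatch named in the root cause.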
Dead Ends
Common approaches that don't work:
- Restarting strongSwan or Libreswan to clear the error. (95% fail) Does not change the PSK configuration; the same mismatch persists after restart, and authentication will fail again.
- Modifying the IKE proposal to use different algorithms in hopes of bypassing the error. (85% fail) The authentication failure is due to PSK mismatch, not algorithm incompatibility; changing proposals does not affect PSK validation.