VPN/IPSec: Incorrect Pre-Shared Key


Post by jono » 21 Apr 2008, 13:11

This FAQ applies to:
  • Clavister Security Gateway 8.50.00 and up
Symptom:
When establishing the VPN tunnel, you get the error Incorrect pre-shared key, even though you are sure all keys are correct.

Solution:
You are probably combining one (or several) Lan-to-Lan tunnels with a roaming tunnel (L2TP for Windows clients for example).

The roaming tunnel normally has all-nets as destination network and <none> as gateway. The following picture follows KB-article viewtopic.php?f=8&t=4491 for setting up the L2TP tunnel for Windows clients and has two Branch Offices, BO1 & BO2 with one tunnel each to HQ where this configuration is at.
VPN_IPSec_IncorrectPre-SharedKey1.png
This is a common mistake. The roaming tunnel above another tunnel. The HQ_BO2_VPN will not be established.

The roaming tunnel MUST be at the bottom of all IPSec Tunnels because the traffic matches top to bottom, just as in the Rules section in the Manager. If the roaming tunnel is above any of the Lan-to-Lan tunnels, the traffic will match the roaming tunnel instead of the desired Lan-to-Lan tunnel and the Pre-Shared Key won't match, hence the error Incorrect pre-shared key.
VPN_IPSec_IncorrectPre-SharedKey2.png
This is what it should look like. The roaming tunnel below all other tunnels.

If you are not using the above mentioned combination of tunnels, you must verify the Pre-Shared Keys and how you are using them.
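
The ordering problem described in the post above can be checked offline with a small first-match model. This is an added example, not part of the original post and not Clavister code. It assumes a tunnel with `<none>` as gateway accepts any peer and that the first matching tunnel's key is used; the names `HQ_BO1_VPN` and `L2TP_Roaming`, the peer addresses and the key labels are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Tunnel:
    name: str
    remote_gateway: Optional[str]  # None models "<none>": any peer matches
    psk_id: str                    # label only, never a real key

    def matches(self, peer: str) -> bool:
        if self.remote_gateway is None:
            return True
        return ip_address(self.remote_gateway) == ip_address(peer)

def select_tunnel(tunnels: List[Tunnel], peer: str) -> Optional[Tunnel]:
    """Assumed model: evaluate top to bottom, first match wins."""
    return next((t for t in tunnels if t.matches(peer)), None)

def find_shadowed(tunnels: List[Tunnel]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowing) pairs for Lan-to-Lan tunnels whose own
    gateway is caught by an earlier tunnel, so their key is never tried."""
    pairs = []
    for i, t in enumerate(tunnels):
        if t.remote_gateway is None:
            continue
        hit = select_tunnel(tunnels[: i + 1], t.remote_gateway)
        if hit is not t:
            pairs.append((t.name, hit.name))
    return pairs

def roaming_last(tunnels: List[Tunnel]) -> List[Tunnel]:
    """Stable reorder: gateway-less (roaming) tunnels move to the bottom."""
    return sorted(tunnels, key=lambda t: t.remote_gateway is None)

# Constructed sample: the roaming tunnel sits above HQ_BO2_VPN.
BAD_ORDER = [
    Tunnel("HQ_BO1_VPN", "203.0.113.10", "psk-bo1"),
    Tunnel("L2TP_Roaming", None, "psk-roaming"),
    Tunnel("HQ_BO2_VPN", "198.51.100.20", "psk-bo2"),
]

if __name__ == "__main__":
    for shadowed, by in find_shadowed(BAD_ORDER):
        print(f"{shadowed} is shadowed by {by}: peer would be checked against the wrong key")
    print("suggested order:", [t.name for t in roaming_last(BAD_ORDER)])
```
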

Re: VPN/IPSec: Incorrect Pre-Shared Key

Post by ansj » 12 Dec 2016, 16:17

Updated images - 2016-12-12
