
VPN/IPSec: Incorrect Pre-Shared Key

Posted: 21 Apr 2008, 13:11
by jono
This FAQ applies to:
  • Clavister Security Gateway 8.50.00 and up
When establishing the VPN tunnel, you get the error Incorrect pre-shared key, even though you are sure all keys are correct.

You are probably combining one (or several) Lan-to-Lan tunnels with a roaming tunnel (L2TP for Windows clients for example).

The roaming tunnel normally has all-nets as destination network and <none> as gateway. The following picture follows KB-article viewtopic.php?f=8&t=4491 for setting up the L2TP tunnel for Windows clients and has two Branch Offices, BO1 & BO2 with one tunnel each to HQ where this configuration is at.
[Image: VPN_IPSec_IncorrectPre-SharedKey1.png]
This is a common mistake. The roaming tunnel above another tunnel. The HQ_BO2_VPN will not be established.

The roaming tunnel MUST be at the bottom of all IPSec Tunnels because the traffic matches top to bottom, just as in the Rules section in the Manager. If the roaming tunnel is above any of the Lan-to-Lan tunnels, the traffic will match the roaming tunnel instead of the desired Lan-to-Lan tunnel and the Pre-Shared Key won't match, hence the error Incorrect pre-shared key.
[Image: VPN_IPSec_IncorrectPre-SharedKey2.png]
This is what it should look like. The roaming tunnel below all other tunnels.

If you are not using the above mentioned combination of tunnels, you must verify the Pre-Shared Keys and how you are using them.
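The top-to-bottom matching described in the post above, as an added example that is not part of the original post and not Clavister code: a simplified first-match model with an ordering check that flags Lan-to-Lan tunnels placed below a roaming tunnel. The `Tunnel` fields, the function names, the tunnel names other than HQ_BO2_VPN, and all addresses and keys are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Tunnel:
    name: str
    remote_net: str          # "0.0.0.0/0" stands in for all-nets
    gateway: Optional[str]   # None stands in for <none> (any peer accepted)
    psk: str

def select_tunnel(tunnels, peer_ip):
    """Return the first tunnel, top to bottom, whose gateway accepts the peer."""
    for t in tunnels:
        if t.gateway is None or ip_address(t.gateway) == ip_address(peer_ip):
            return t
    return None

def negotiate(tunnels, peer_ip, peer_psk):
    """Model the outcome: the key is checked only against the first match."""
    t = select_tunnel(tunnels, peer_ip)
    if t is None:
        return "no matching tunnel"
    if not hmac.compare_digest(t.psk.encode(), peer_psk.encode()):
        return f"{t.name}: Incorrect pre-shared key"
    return f"{t.name}: established"

def shadowed(tunnels):
    """Names of fixed-gateway tunnels listed below a catch-all roaming tunnel."""
    hidden, seen_catch_all = [], False
    for t in tunnels:
        if seen_catch_all and t.gateway is not None:
            hidden.append(t.name)
        if t.gateway is None and ip_network(t.remote_net).prefixlen == 0:
            seen_catch_all = True
    return hidden

# Constructed sample configuration (documentation address ranges, dummy keys).
ROAMING = Tunnel("L2TP_Roaming", "0.0.0.0/0", None, "roaming-psk")
BO1 = Tunnel("HQ_BO1_VPN", "10.1.0.0/16", "198.51.100.10", "bo1-psk")
BO2 = Tunnel("HQ_BO2_VPN", "10.2.0.0/16", "203.0.113.20", "bo2-psk")
WRONG_ORDER = [BO1, ROAMING, BO2]   # roaming tunnel above HQ_BO2_VPN
RIGHT_ORDER = [BO1, BO2, ROAMING]   # roaming tunnel at the bottom

if __name__ == "__main__":
    for label, order in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, negotiate(order, "203.0.113.20", "bo2-psk"), shadowed(order))
```
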

Re: VPN/IPSec: Incorrect Pre-Shared Key

Posted: 12 Dec 2016, 16:17
by ansj
Updated images - 2016-12-12