<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I wish I could say it was commented out or set to no, but alas it is
enabled and marked as yes.<br>
<br>
<br>
<div class="moz-cite-prefix">On 12/11/2015 00:04, Thomas Egerer
wrote:<br>
</div>
<blockquote cite="mid:566A839F.6020504@gmx.de" type="cite">
<pre wrap="">
Hi Raina,
top posting, it's short!
I see you're using aggressive mode with PSK, so does your
strongswan.conf contain the line:
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
in the charon section?
Hope this keeps you from going bald!
Cheers,
Thomas
On 12/11/2015 12:28 AM, Raina Matthews wrote:
</pre>
<blockquote type="cite">
<pre wrap="">over the past week, I've spent anywhere from 2 to 4 hrs a night trying
to figure out why my connection is failing
I'm getting an error :-
calculated HASH does not match HASH payload
now looking over other references to this, it indicates my PSK is wrong.
so I have tried countless combinations of entering said PSK into my
ipsec.secrets file, and still no joy,
I know that the PSK is right, based on a number of factors. 1) my iPad
can connect using this same PSK. 2) I can connect via shrewsoft on
windows 7 using the same psk, and 3) I can get 'further' with vpnc
using the same PSK
so if my PSK is right, then either 1) I've got it entered in the wrong
manner in my secrets file, or 2) there's some issue with encryption
methods/handshakes that's causing the server to return one value and
strongswan to send another.
in my secrets file I have
xxx.xxx.xxx.xxx : PSK "&lt;KEYHERE&gt;"
I have tried the external IP of the box that runs the ipsec VPN, and
also the internal IP (since it's natted in some way I didn't setup).
Also reading something else somewhere there was the suggestion of using
the Group ID, and another of leaving it blank and just having
: PSK "&lt;KEYHERE&gt;"
all end up with the same error
so that makes me think there's some encryption handshake type issue.
according to the shrewsoft configuration which is known to work, it states
s:phase1-cipher:aes
n:phase1-keylen:256
s:phase1-hash:sha1
n:phase1-dhgroup:2
which to me means I need
ike=aes256-sha1-modp1024 in my configuration
it also has entries
s:phase2-transform:esp-aes
n:phase2-keylen:256
s:phase2-hmac:sha1
which to me means I need
esp=aes256-sha1
I've included below a copy of my current config, but I say current
because I keep changing bits here and there in the hope that it'll
suddenly start working, but throughout I've ended up with the same hash
calculation error
can anyone help?
version 2

config setup
    charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=xauthpsk

conn home
    left=192.168.219.137
    leftsourceip=%config
    keyexchange=ikev1
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    ikelifetime=1440m
    keylife=60m
    aggressive=yes
    leftid=&lt;GroupName that I have to enter in the iOS GroupName field&gt;
    leftauth=psk
    leftauth2=xauth
    leftfirewall=yes
    rightfirewall=yes
    right=xxx.xxx.xxx.xxx
    rightid=%any
    rightsourceip=%modeconfig
    rightauth=psk
    xauth_identity=MyUser
    auto=add
    xauth=client
    dpdtimeout=180s
    rekeymargin=3m
    keyingtries=1
    fragmentation=yes

_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a>
</pre>
</blockquote>
</blockquote>
<br>
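<p>The proposal translation worked out by hand in the quoted message (Shrew Soft phase1/phase2 entries to <code>ike=</code>/<code>esp=</code>), written as an added example that is not part of the thread or of strongSwan, so that this part of the configuration can be checked mechanically against a known-working profile. Function names are hypothetical, only the value spellings quoted in the thread are mapped, and <code>conn_settings</code> ignores <code>%default</code> and <code>also=</code> inheritance.</p>

```python
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536",
             14: "modp2048", 15: "modp3072", 16: "modp4096"}
# Added example. Assumption: only value spellings quoted in the thread are mapped.
CIPHERS = {"aes": "aes", "esp-aes": "aes"}
HASHES = {"sha1": "sha1"}

def parse_shrew(text):
    """Parse 'type:key:value' lines; n: values become int, s: stay str."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[0] in ("n", "s"):
            entries[parts[1]] = int(parts[2]) if parts[0] == "n" else parts[2]
    return entries

def pick(table, value):
    if value not in table:
        raise ValueError(f"no strongSwan keyword known for {value!r}")
    return table[value]

def proposals(e):
    """Build the ike= and esp= strings from parsed profile entries."""
    ike = "-".join([pick(CIPHERS, e["phase1-cipher"]) + str(e["phase1-keylen"]),
                    pick(HASHES, e["phase1-hash"]),
                    pick(DH_GROUPS, e["phase1-dhgroup"])])
    esp = "-".join([pick(CIPHERS, e["phase2-transform"]) + str(e["phase2-keylen"]),
                    pick(HASHES, e["phase2-hmac"])])
    return {"ike": ike, "esp": esp}

def conn_settings(ipsec_conf, conn):
    """Collect key=value lines of one conn; indented lines belong to it."""
    found, current = {}, False
    for line in ipsec_conf.splitlines():
        body = line.split("#", 1)[0].rstrip()
        if body and body[0] not in " \t":
            words = body.split()
            current = words[0] == "conn" and words[1:] == [conn]
        elif current and "=" in body:
            key, value = body.strip().split("=", 1)
            found[key.strip()] = value.strip()
    return found

def mismatches(shrew_text, ipsec_conf, conn):
    """Return {key: (expected, configured)} for ike/esp values that differ."""
    want, have = proposals(parse_shrew(shrew_text)), conn_settings(ipsec_conf, conn)
    return {k: (v, have.get(k)) for k, v in want.items() if have.get(k) != v}

# Constructed sample: the seven profile entries quoted in the message.
SHREW = ("s:phase1-cipher:aes\nn:phase1-keylen:256\ns:phase1-hash:sha1\n"
         "n:phase1-dhgroup:2\ns:phase2-transform:esp-aes\n"
         "n:phase2-keylen:256\ns:phase2-hmac:sha1\n")
```

<p><code>mismatches(SHREW, conf_text, "home")</code> returns an empty dict when the conn's <code>ike=</code> and <code>esp=</code> lines agree with the profile, and otherwise maps each differing key to its expected and configured values.</p>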
</body>
</html>