[strongSwan] OS X IPSec/L2TP and strongSwan results in INVALID_HASH_INFORMATION
Benoit Foucher
benoit at bittrap.com
Fri Dec 3 15:59:52 CET 2010
Hi,
Ok, next issue :). I'm trying to set up an OS X client IPSec/L2TP connection to strongSwan 4.5.0.
The strongSwan server and the OS X client are both behind a NAT. I managed to find the configuration to get the tunnel establishment to pass phase 1 but it fails in phase 2. The OS X client (racoon) fails to match its computed HASH(2) with strongSwan's hash passed with the STATE_QUICK_R0 message. I've attached the strongSwan debug traces and racoon debug traces to this email. Any ideas why racoon and strongSwan don't agree on the hash value?
Someone reported a similar issue last month and indicated that things were working when the strongSwan server was NOT behind a NAT but failed when it was behind a NAT.
Here's the config I'm using:
conn rw
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    keyexchange=ikev1
    keyingtries=3
    type=transport
    left=%defaultroute
    leftsubnet=aa.aa.aa.aa/32
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    authby=psk
    pfs=no
    compress=no
    auto=add
Cheers,
Benoit.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racoon.log
Type: application/octet-stream
Size: 6462 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101203/b170a5f0/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pluto2.log
Type: application/octet-stream
Size: 13266 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101203/b170a5f0/attachment-0001.obj>
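Added example, not part of the original post and not strongSwan or racoon code: how HASH(2) of the second Quick Mode message is computed and checked per RFC 2409, assuming HMAC-SHA1 as the prf (from ike=aes128-sha-modp1024 above). All keys, nonces and payload bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

HASH, SA, ID, NONCE, NONE = 8, 1, 5, 10, 0  # ISAKMP payload type numbers

def payload(next_type, body):
    """Generic payload header: next payload, reserved, length incl. header."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def hash2(skeyid_a, msg_id, ni_b, after_hash):
    """HASH(2) = prf(SKEYID_a, M-ID | Ni_b | all bytes following the HASH payload)."""
    return hmac.new(skeyid_a, msg_id + ni_b + after_hash, hashlib.sha1).digest()

def build_reply(skeyid_a, msg_id, ni_b, after_hash):
    """Responder: prepend the HASH payload (its next-payload field names SA)."""
    return payload(SA, hash2(skeyid_a, msg_id, ni_b, after_hash)) + after_hash

def verify_reply(skeyid_a, msg_id, ni_b, body):
    """Initiator: recompute HASH(2) over the received bytes and compare."""
    _next, _reserved, length = struct.unpack("!BBH", body[:4])
    received, after_hash = body[4:length], body[length:]
    return hmac.compare_digest(received, hash2(skeyid_a, msg_id, ni_b, after_hash))

def id_body(addr, proto=17, port=1701):
    """IPsec DOI ID payload body: ID_IPV4_ADDR (1), protocol, port, address."""
    return struct.pack("!BBH", 1, proto, port) + bytes(addr)

# Constructed sample values (not taken from the attached logs).
SKEYID_A = bytes(range(20))
MSG_ID = bytes.fromhex("a1b2c3d4")
NI_B = b"\x11" * 16          # initiator nonce body, header excluded
NR_B = b"\x22" * 16          # responder nonce body
SA_BODY = b"\x00" * 8        # opaque placeholder for the SA payload body
AFTER_HASH = (payload(NONCE, SA_BODY) + payload(ID, NR_B)
              + payload(ID, id_body([203, 0, 113, 5]))
              + payload(NONE, id_body([198, 51, 100, 7])))
REPLY = build_reply(SKEYID_A, MSG_ID, NI_B, AFTER_HASH)

if __name__ == "__main__":
    print("same inputs:    ", verify_reply(SKEYID_A, MSG_ID, NI_B, REPLY))
    print("different Ni_b: ", verify_reply(SKEYID_A, MSG_ID, b"\x33" * 16, REPLY))
    print("different key:  ", verify_reply(bytes(20), MSG_ID, NI_B, REPLY))
    tampered = REPLY[:-1] + bytes([REPLY[-1] ^ 1])
    print("changed ID byte:", verify_reply(SKEYID_A, MSG_ID, NI_B, tampered))
```

Both peers have to feed identical SKEYID_a, M-ID, Ni_b and payload bytes into the prf, so comparing those inputs in the two debug traces shows which value differs.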