[strongSwan] tearing my hair out over connection issue

Raina Matthews rainamatthews at gmail.com
Fri Dec 11 00:28:56 CET 2015


Over the past week, I've spent anywhere from 2 to 4 hrs a night trying 
to figure out why my connection is failing.

I'm getting an error:

calculated HASH does not match HASH payload


Now, looking over other references to this, it indicates my PSK is wrong. 
So I have tried countless combinations of entering said PSK into my 
ipsec.secrets file, and still no joy.

I know that the PSK is right, based on a number of factors: 1) my iPad 
can connect using this same PSK, 2) I can connect via Shrew Soft on 
Windows 7 using the same PSK, and 3) I can get 'further' with vpnc 
using the same PSK.

So if my PSK is right, then either 1) I've got it entered in the wrong 
manner in my secrets file, or 2) there's some issue with encryption 
methods/handshakes that's causing the server to return one value and 
strongswan to send another.

In my secrets file I have

xxx.xxx.xxx.xxx : PSK "<KEYHERE>"

I have tried the external IP of the box that runs the ipsec VPN, and 
also the internal IP (since it's NATed in some way I didn't set up). 
Also, reading something else somewhere, there was the suggestion of using 
the Group ID, and another of leaving it blank and just having

: PSK "<KEYHERE>"

All end up with the same error.

So that makes me think there's some encryption handshake type issue. 
According to the Shrew Soft configuration, which is known to work, it states

s:phase1-cipher:aes
n:phase1-keylen:256
s:phase1-hash:sha1
n:phase1-dhgroup:2

which to me means I need
ike=aes256-sha1-modp1024 in my configuration

It also has entries

s:phase2-transform:esp-aes
n:phase2-keylen:256
s:phase2-hmac:sha1

which to me means I need
esp=aes256-sha1

I've included below a copy of my current config, but I say current 
because I keep changing bits here and there in the hope that it'll 
suddenly start working, but throughout I've ended up with the same hash 
calculation error.

Can anyone help?

version 2
config setup
         charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev1
         authby=xauthpsk
conn home
         left=192.168.219.137
         leftsourceip=%config
         keyexchange=ikev1
         ike=aes256-sha1-modp1024
         esp=aes256-sha1
         ikelifetime=1440m
         keylife=60m
         aggressive=yes
         leftid=<GroupName that I have to enter in the iOS GroupName field>
         leftauth=psk
         leftauth2=xauth
         leftfirewall=yes
         rightfirewall=yes
         right=xxx.xxx.xxx.xxx
         rightid=%any
         rightsourceip=%modeconfig
         rightauth=psk
         xauth_identity=MyUser
         auto=add
         xauth=client
         dpdtimeout=180s
         rekeymargin=3m
         keyingtries=1
         fragmentation=yes
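The manual mapping above (Shrew Soft phase1/phase2 fields to strongSwan ike= and esp= proposals) done as a small script. This is an added example, not code from the post, strongSwan or Shrew Soft; it assumes the "s:/n:name:value" line format quoted in the post, that Shrew Soft numbers DH groups the IANA way (2 = modp1024 in strongSwan's naming) and that its SHA-2 labels are spelled "sha2-256" etc.

```python
"""Translate Shrew Soft site settings into strongSwan ike=/esp= proposal strings."""
from typing import Dict, Optional, Tuple

# IANA DH group numbers (as Shrew Soft stores them) -> strongSwan proposal keywords.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
# Hash labels; the sha2-* spellings on the left are assumed Shrew Soft names.
HASHES = {"md5": "md5", "sha1": "sha1", "sha2-256": "sha256",
          "sha2-384": "sha384", "sha2-512": "sha512"}

# Constructed sample: the lines quoted in the post.
SAMPLE = """s:phase1-cipher:aes
n:phase1-keylen:256
s:phase1-hash:sha1
n:phase1-dhgroup:2
s:phase2-transform:esp-aes
n:phase2-keylen:256
s:phase2-hmac:sha1
"""

def parse_shrewsoft(text: str) -> Dict[str, str]:
    """Parse "<type>:<key>:<value>" lines into a key -> value dict."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed Shrew Soft line: {raw!r}")
        settings[parts[1]] = parts[2]
    return settings

def _cipher(name: str, keylen: Optional[str]) -> str:
    """Build the strongSwan cipher token: drop the "esp-" prefix, append the key length."""
    name = name[4:] if name.startswith("esp-") else name
    # Fixed-length ciphers such as 3des take no suffix; aes256 etc. need one.
    return f"{name}{keylen}" if keylen and name != "3des" else name

def strongswan_proposals(settings: Dict[str, str]) -> Tuple[str, str]:
    """Return (ike, esp) proposal strings; raises KeyError on an unknown hash or DH group."""
    ike = "-".join([_cipher(settings["phase1-cipher"], settings.get("phase1-keylen")),
                    HASHES[settings["phase1-hash"]],
                    DH_GROUPS[int(settings["phase1-dhgroup"])]])
    esp = "-".join([_cipher(settings["phase2-transform"], settings.get("phase2-keylen")),
                    HASHES[settings["phase2-hmac"]]])
    return ike, esp

if __name__ == "__main__":
    ike, esp = strongswan_proposals(parse_shrewsoft(SAMPLE))
    print(f"ike={ike}\nesp={esp}")
```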