[strongSwan] tearing my hair out over connection issue
Thomas Egerer
hakke_007 at gmx.de
Fri Dec 11 09:04:47 CET 2015
Hi Raina,
top posting, it's short!
I see you're using aggressive mode with PSK, so does your
strongswan.conf contain the line:
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
in the charon section?
Hope this keeps you from going bald!
Cheers,
Thomas
On 12/11/2015 12:28 AM, Raina Matthews wrote:
> Over the past week, I've spent anywhere from 2 to 4 hrs a night trying
> to figure out why my connection is failing.
>
> I'm getting an error:
>
> calculated HASH does not match HASH payload
>
>
> Now, looking over other references to this, it indicates my PSK is wrong,
> so I have tried countless combinations of entering said PSK into my
> ipsec.secrets file, and still no joy.
>
> I know that the PSK is right, based on a number of factors: 1) my iPad
> can connect using this same PSK, 2) I can connect via Shrew Soft on
> Windows 7 using the same PSK, and 3) I can get 'further' with vpnc
> using the same PSK.
>
> So if my PSK is right, then either 1) I've got it entered in the wrong
> manner in my secrets file, or 2) there's some issue with encryption
> methods/handshakes that's causing the server to return one value and
> strongSwan to send another.
>
> In my secrets file I have
>
> xxx.xxx.xxx.xxx : PSK "<KEYHERE>"
>
> I have tried the external IP of the box that runs the ipsec VPN, and
> also the internal IP (since it's natted in some way I didn't setup).
> Also reading something else somewhere there was the suggestion of using
> the Group ID, and another of leaving it blank and just having
>
> : PSK "<KEYHERE>"
>
> All end up with the same error,
>
> so that makes me think there's some encryption handshake type issue.
> According to the Shrew Soft configuration, which is known to work, it states
>
> s:phase1-cipher:aes
> n:phase1-keylen:256
> s:phase1-hash:sha1
> n:phase1-dhgroup:2
>
> which to me means I need
> ike=aes256-sha1-modp1024 in my configuration
>
> It also has entries
>
> s:phase2-transform:esp-aes
> n:phase2-keylen:256
> s:phase2-hmac:sha1
>
> which to me means I need
> esp=aes256-sha1
>
> I've included below a copy of my current config, but I say "current"
> because I keep changing bits here and there in the hope that it'll
> suddenly start working, but throughout I've ended up with the same hash
> calculation error.
>
> Can anyone help?
>
> version 2
>
> config setup
>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     authby=xauthpsk
>
> conn home
>     left=192.168.219.137
>     leftsourceip=%config
>     keyexchange=ikev1
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1
>     ikelifetime=1440m
>     keylife=60m
>     aggressive=yes
>     leftid=<GroupName that I have to enter in the iOS GroupName field>
>     leftauth=psk
>     leftauth2=xauth
>     leftfirewall=yes
>     rightfirewall=yes
>     right=xxx.xxx.xxx.xxx
>     rightid=%any
>     rightsourceip=%modeconfig
>     rightauth=psk
>     xauth_identity=MyUser
>     auto=add
>     xauth=client
>     dpdtimeout=180s
>     rekeymargin=3m
>     keyingtries=1
>     fragmentation=yes
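The setting Thomas points at is easy to overlook because it lives in strongswan.conf rather than ipsec.conf: charon will not initiate IKEv1 aggressive mode with a PSK unless charon.i_dont_care_about_security_and_use_aggressive_mode_psk is set to yes, since that exchange exposes a PSK-derived hash to offline guessing. The Python below is an added example, not code from this thread or from the strongSwan project: it parses both files (a deliberate simplification of strongSwan's own parsers, with no include handling) and lists the conns that pair aggressive=yes with PSK authentication while the opt-in is absent; the two sample configs are constructed, trimmed from the one posted above.

```python
# Constructed samples trimmed from the config in this thread; the charon opt-in is commented out.
STRONGSWAN_CONF = """charon {
    # i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}"""
IPSEC_CONF = """conn %default
    keyexchange=ikev1
    authby=xauthpsk
conn home
    aggressive=yes
    leftauth=psk
"""
OPTIN = 'charon.i_dont_care_about_security_and_use_aggressive_mode_psk'

def _stripped(text):  # non-empty lines with '#' comments removed
    return [l.split('#', 1)[0].strip() for l in text.splitlines() if l.split('#', 1)[0].strip()]

def strongswan_option(text, dotted_key):
    # Track { } nesting so that 'charon.x' only matches an x inside 'charon { ... }'.
    stack = []
    for line in _stripped(text):
        if line.endswith('{'):
            stack.append(line[:-1].strip())
        elif line == '}':
            stack.pop()
        else:
            key, sep, val = line.partition('=')
            if sep and '.'.join(stack + [key.strip()]) == dotted_key:
                return val.strip()
    return None

def ipsec_conns(text):
    # conn sections as dicts with 'conn %default' merged in; assumes 'config setup' comes first
    conns, cur = {}, None
    for line in _stripped(text):
        if line.startswith('conn '):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None:
            key, _, val = line.partition('=')
            conns[cur][key.strip()] = val.strip()
    default = conns.pop('%default', {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def aggressive_psk_without_optin(ipsec_conf, strongswan_conf):
    # conns that pair aggressive mode with PSK while charon has not been told to allow that
    if strongswan_option(strongswan_conf, OPTIN) == 'yes':
        return []
    return sorted(name for name, o in ipsec_conns(ipsec_conf).items()
                  if o.get('aggressive') == 'yes'
                  and ('psk' in o.get('authby', '') or 'psk' in (o.get('leftauth'), o.get('rightauth'))))
```

Run against the two samples it reports `['home']`; uncommenting the opt-in line in the strongswan.conf sample makes the list empty, which is the state Thomas is asking Raina to check for.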