[strongSwan] tearing my hair out over connection issue
Raina Matthews
rainamatthews at gmail.com
Fri Dec 11 19:27:17 CET 2015
I wish I could say it was commented out or set to no, but alas it is
enabled and marked as yes
On 12/11/2015 00:04, Thomas Egerer wrote:
> Hi Raina,
>
> top posting, it's short!
> I see you're using aggressive mode with PSK, so does your
> strongswan.conf contain the line:
>
> i_dont_care_about_security_and_use_aggressive_mode_psk=yes
>
> in the charon section?
> Hope this keeps you from going bald!
>
> Cheers,
> Thomas
>
> On 12/11/2015 12:28 AM, Raina Matthews wrote:
>> over the past week, I've spent anywhere from 2 to 4 hrs a night trying
>> to figure out why my connection is failing
>>
>> I'm getting an error :-
>>
>> calculated HASH does not match HASH payload
>>
>>
>> now looking over other references to this, it indicates my PSK is wrong.
>> so I have tried countless combinations of entering said PSK into my
>> ipsec.secrets file, and still no joy,
>>
>> I know that the PSK is right, based on a number of factors. 1) my iPad
>> can connect using this same PSK. 2) I can connect via Shrew Soft on
>> Windows 7 using the same PSK, and 3) I can get 'further' with vpnc
>> using the same PSK
>>
>> so if my PSK is right, then either 1) I've got it entered in the wrong
>> manner in my secrets file, or 2) there's some issue with encryption
>> methods/handshakes that's causing the server to return one value and
>> strongswan to send another.
>>
>> in my secrets file I have
>>
>> xxx.xxx.xxx.xxx : PSK "<KEYHERE>"
>>
>> I have tried the external IP of the box that runs the ipsec VPN, and
>> also the internal IP (since it's NATed in some way I didn't set up).
>> Also reading something else somewhere there was the suggestion of using
>> the Group ID, and another of leaving it blank and just having
>>
>> : PSK "<KEYHERE>"
>>
>> all end up with the same error
>>
>> so that makes me think there's some encryption handshake type issue.
>> according to the Shrew Soft configuration which is known to work, it states
>>
>> s:phase1-cipher:aes
>> n:phase1-keylen:256
>> s:phase1-hash:sha1
>> n:phase1-dhgroup:2
>>
>> which to me means I need
>> ike=aes256-sha1-modp1024 in my configuration
>>
>> it also has entries
>>
>> s:phase2-transform:esp-aes
>> n:phase2-keylen:256
>> s:phase2-hmac:sha1
>>
>> which to me means I need
>> esp=aes256-sha1
>>
>> I've included below a copy of my current config, but I say current
>> because I keep changing bits here and there in the hope that it'll
>> suddenly start working, but throughout I've ended up with the same hash
>> calculation error
>>
>> can anyone help?
>>
>> version 2
>> config setup
>>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev1
>>     authby=xauthpsk
>> conn home
>>     left=192.168.219.137
>>     leftsourceip=%config
>>     keyexchange=ikev1
>>     ike=aes256-sha1-modp1024
>>     esp=aes256-sha1
>>     ikelifetime=1440m
>>     keylife=60m
>>     aggressive=yes
>>     leftid=<GroupName that I have to enter in the iOS GroupName field>
>>     leftauth=psk
>>     leftauth2=xauth
>>     leftfirewall=yes
>>     rightfirewall=yes
>>     right=xxx.xxx.xxx.xxx
>>     rightid=%any
>>     rightsourceip=%modeconfig
>>     rightauth=psk
>>     xauth_identity=MyUser
>>     auto=add
>>     xauth=client
>>     dpdtimeout=180s
>>     rekeymargin=3m
>>     keyingtries=1
>>     fragmentation=yes
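
The two points Thomas's reply turns on, whether a connection uses IKEv1 aggressive mode with a PSK and whether the charon option he names is set, can be checked mechanically. This is an added example, not part of the original thread or of strongSwan itself; the sample configs are constructed, and the parsers are simplified assumptions (one statement per line, no `include` or `also=` handling).

```python
# Constructed sample inputs, modelled on the configuration quoted in the thread.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev1
    authby=xauthpsk
conn home
    aggressive=yes
conn office
    keyexchange=ikev2
    aggressive=yes
"""
OPTION = "i_dont_care_about_security_and_use_aggressive_mode_psk"
STRONGSWAN_CONF = "charon {\n    load_modular = yes\n    %s = yes\n}\n" % OPTION

def parse_conns(text):
    """Return {conn: options} with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line[:1].strip():  # an unindented, non-blank line opens a section
            words = line.split()
            current = sections.setdefault(words[1], {}) if words[0] == "conn" and len(words) == 2 else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def uses_aggressive_psk(o):
    # aggressive= only applies to IKEv1; PSK may come from authby or left/rightauth.
    psk = o.get("authby") in ("psk", "secret", "xauthpsk") or "psk" in (o.get("leftauth"), o.get("rightauth"))
    return o.get("keyexchange") == "ikev1" and o.get("aggressive") == "yes" and psk

def charon_option(text, name):
    """Value of `name` set directly in the top-level charon { } section, or None."""
    path = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}" and path:
            path.pop()
        elif "=" in line and path == ["charon"]:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == name:
                return value
    return None

def audit(ipsec_conf, strongswan_conf):
    # Returns (sorted conns using IKEv1 aggressive mode with PSK, option enabled?).
    flagged = sorted(n for n, o in parse_conns(ipsec_conf).items() if uses_aggressive_psk(o))
    return flagged, charon_option(strongswan_conf, OPTION) in ("yes", "true", "1", "enabled")
```

With the constructed inputs, `audit(IPSEC_CONF, STRONGSWAN_CONF)` reports `home` as the only aggressive-mode PSK connection (it inherits `keyexchange` and `authby` from `%default`) and shows the option as enabled.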