[strongSwan] tearing my hair out over connection issue
hakke_007 at gmx.de
Fri Dec 11 20:00:25 CET 2015
On 12/11/2015 07:27 PM, Raina Matthews wrote:
> I wish I could say it was commented out or set to no, but alas it is
> enabled and marked as yes
Judging from your mail, your 'countless combinations of entering the
PSK' have covered all possibilities (quoted == ASCII, 0x-prefixed ==
hex, 0s-prefixed == base64) of encoding the PSK.
If you tell us the strongswan release you are using, the list may know
if you are sitting on a release that may have a general issue with PSK
(I personally do not know of any).
It seems you already browsed through .
Any other clues in the log? Maybe posting a bit more log context can
> On 12/11/2015 00:04, Thomas Egerer wrote:
>> Hi Raina,
>> top posting, it's short!
>> I see you're using aggressive mode with PSK, so does your
>> strongswan.conf contain the line:
>> in the charon section?
>> Hope this keeps you from going bald!
>> On 12/11/2015 12:28 AM, Raina Matthews wrote:
>>> over the past week, I've spent anywhere from 2 to 4 hrs a night trying
>>> to figure out why my connection is failing
>>> I'm getting an error :-
>>> calculated HASH does not match HASH payload
>>> now looking over other references to this, it indicates my PSK is wrong.
>>> so I have tried countless combinations of entering said PSK into my
>>> ipsec.secrets file, and still no joy,
>>> I know that the PSK is right, based on a number of factors. 1) my iPad
>>> can connect using this same PSK. 2) I can connect via shrewsoft on
>>> windows 7 using the same psk, and 3) I can get 'further' with vpnc
>>> using the same PSK
>>> so if my PSK is right, then either 1) I've got it entered in the wrong
>>> manner in my secrets file, or 2) there's some issue with encryption
>>> methods/handshakes that's causing the server to return one value and
>>> strongswan to send another.
>>> in my secrets file I have
>>> xxx.xxx.xxx.xxx : PSK "<KEYHERE>"
>>> I have tried the external IP of the box that runs the ipsec VPN, and
>>> also the internal IP (since it's natted in some way I didn't setup).
>>> Also reading something else somewhere there was the suggestion of using
>>> the Group ID, and another of leaving it blank and just having
>>> : PSK "<KEYHERE>"
>>> all end up with the same error
>>> so that makes me think there's some encryption handshake type issue.
>>> according to the shrewsoft configuration which is known to work, it
>>> which to me means I need
>>> ike=aes256-sha1-modp1024 in my configuration
>>> it also has entries
>>> which to me means I need
>>> I've included below a copy of my current config, but I say current
>>> because I keep changing bits here and there in the hope that it'll
>>> suddenly start working, but throughout I've ended up with the same hash
>>> calculation error
>>> can anyone help?
>>> version 2
>>> config setup
>>> charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
>>> conn %default
>>> conn home
>>> leftid=<GroupName that I have to enter in the iOS GroupName
>>> Users mailing list
>>> Users at lists.strongswan.org
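The three PSK encodings named in the reply above (quoted == ASCII, 0x-prefixed == hex, 0s-prefixed == base64) decode to different key bytes for the same visible characters, which is one way to end up with a HASH mismatch. The following is an added example, not part of the original thread and not strongSwan code: it decodes each entry and fingerprints the resulting key so entries can be compared without displaying the secret. The function names, the simplified line matcher and the sample entries are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import re

# Simplified matcher for "[selectors] : PSK <secret>" (assumption: one entry
# per line, no IPv6 selectors, includes or continuations).
_PSK_LINE = re.compile(r'^(?P<ids>[^:#]*?)\s*:\s*PSK\s+(?P<secret>"[^"]*"|\S+)\s*$')

def decode_psk(token):
    """Return (encoding, key_bytes) for the secret token of one PSK entry."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return "ascii", token[1:-1].encode("utf-8")   # quotes win over any prefix
    if token.startswith("0x"):
        return "hex", binascii.unhexlify(token[2:])   # odd length raises ValueError
    if token.startswith("0s"):
        return "base64", base64.b64decode(token[2:], validate=True)
    # Not one of the three forms from the thread: flag it instead of guessing.
    raise ValueError("secret is neither quoted nor 0x/0s-prefixed")

def audit_secrets(text):
    """List (selectors, encoding, key_length, fingerprint) for each PSK entry.

    The fingerprint is a truncated SHA-256 of the decoded key, so two entries
    can be compared for equality without displaying the secret itself.
    """
    report = []
    for line in text.splitlines():
        m = _PSK_LINE.match(line.strip())
        if m:
            enc, key = decode_psk(m.group("secret"))
            fp = hashlib.sha256(key).hexdigest()[:12]
            report.append((m.group("ids").split(), enc, len(key), fp))
    return report

# Constructed sample entries (documentation addresses, toy key "ab").
SAMPLE = '''
# first entry looks like hex but is quoted, so it is six ASCII bytes
192.0.2.1 : PSK "0x6162"
192.0.2.2 : PSK 0x6162
192.0.2.3 : PSK 0sYWI=
 : PSK "ab"
'''

if __name__ == "__main__":
    for ids, enc, length, fp in audit_secrets(SAMPLE):
        print(ids or ["(none)"], enc, length, fp)
```

In the sample, the last three entries share one fingerprint while the quoted `"0x6162"` entry does not, because the quotes make it a six-byte ASCII key.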