[strongSwan] tearing my hair out over connection issue

Thomas Egerer hakke_007 at gmx.de
Fri Dec 11 20:00:25 CET 2015


On 12/11/2015 07:27 PM, Raina Matthews wrote:
> I wish I could say it was commented out or set to no, but alas it is
> enabled and marked as yes
Dammit!

Judging from your mail, your 'countless combinations of entering the
PSK' have covered all possibilities (quoted == ASCII, 0x-prefixed ==
hex, 0s-prefixed == base64) of encoding the PSK.

If you tell us the strongswan release you are using, the list may know
if you are sitting on a release that may have a general issue with PSK
(I personally do not know of any).

It seems you already browsed through [1].

Any other clues in the log? Maybe posting a bit more log context can
enlighten us.

Cheers,
Thomas

[1] https://lists.strongswan.org/pipermail/users/2015-September/008758.html
>
> On 12/11/2015 00:04, Thomas Egerer wrote:
>> Hi Raina,
>>
>> top posting, it's short!
>> I see you're using aggressive mode with PSK, so does your
>> strongswan.conf contain the line:
>>
>> i_dont_care_about_security_and_use_aggressive_mode_psk=yes
>>
>> in the charon section?
>> Hope this keeps you from going bald!
>>
>> Cheers,
>> Thomas
>>
>> On 12/11/2015 12:28 AM, Raina Matthews wrote:
>>> over the past week, I've spent anywhere from 2 to 4 hrs a night trying
>>> to figure out why my connection is failing
>>>
>>> I'm getting an error :-
>>>
>>> calculated HASH does not match HASH payload
>>>
>>>
>>> now looking over other references to this, it indicates my PSK is wrong.
>>> so I have tried countless combinations of entering said PSK into my
>>> ipsec.secrets file, and still no joy,
>>>
>>> I know that the PSK is right, based on a number of factors.  1) my Ipad
>>> can connect using this same PSK. 2) I can connect via shrewsoft on
>>> windows 7 using the same psk, and 3)  I can get 'further' with vpnc
>>> using the same PSK
>>>
>>> so if my PSK is right, then either 1) I've got it entered in the wrong
>>> manner in my secrets file, or 2) there's some issue with encryption
>>> methods/handshakes thats causing the server to return one value and
>>> strongswan to send another.
>>>
>>> in my secrets file I have
>>>
>>> xxx.xxx.xxx.xxx : PSK "<KEYHERE>"
>>>
>>> I have tried the external IP of the box that runs the ipsec VPN, and
>>> also the internal IP (since it's natted in some way I didn't setup).
>>> Also reading something else somewhere there was the suggestion of using
>>> the Group ID, and another of leaving it blank and just having
>>>
>>> : PSK "<KEYHERE>"
>>>
>>> all end up with the same error
>>>
>>> so that makes me think there's some encryption handshake type issue.
>>> according to the shrewfsoft configuration which is known to work, it
>>> states
>>>
>>> s:phase1-cipher:aes
>>> n:phase1-keylen:256
>>> s:phase1-hash:sha1
>>> n:phase1-dhgroup:2
>>>
>>> which to me means I need
>>> ike=aes256-sha1-modp1024 in my configuration
>>>
>>> it also has entries
>>>
>>> s:phase2-transform:esp-aes
>>> n:phase2-keylen:256
>>> s:phase2-hmac:sha1
>>>
>>> which to me means I need
>>> esp=aes256-sha1
>>>
>>> I've included below a copy of my current config, but I say current
>>> because I keep changing bits here and there in the hope that it'll
>>> suddenly start working, but throughout I've ended up with the same hash
>>> calculation error
>>>
>>> can anyone help?
>>>
>>> version 2
>>> config setup
>>>          charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
>>> conn %default
>>>          ikelifetime=60m
>>>          keylife=20m
>>>          rekeymargin=3m
>>>          keyingtries=1
>>>          keyexchange=ikev1
>>>          authby=xauthpsk
>>> conn home
>>>          left=192.168.219.137
>>>          leftsourceip=%config
>>>          keyexchange=ikev1
>>>          ike=aes256-sha1-modp1024
>>>          esp=aes256-sha1
>>>          ikelifetime=1440m
>>>          keylife=60m
>>>          aggressive=yes
>>>          leftid=<GroupName that I have to enter in the iOS GroupName
>>> field>
>>>          leftauth=psk
>>>          leftauth2=xauth
>>>          leftfirewall=yes
>>>          rightfirewall=yes
>>>          right=xxx.xxx.xxx.xxx
>>>          rightid=%any
>>>          rightsourceip=%modeconfig
>>>          rightauth=psk
>>>          xauth_identity=MyUser
>>>          auto=add
>>>          xauth=client
>>>          dpdtimeout=180s
>>>          rekeymargin=3m
>>>          keyingtries=1
>>>          fragmentation=yes
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users

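As an added example (not code from this thread or from the strongSwan project), the Python below decodes the three ipsec.secrets PSK encodings Thomas lists (quoted literal, 0x hex, 0s base64) and compares the raw key bytes, since the IKEv1 HASH on both peers is computed over those bytes; the sample values and the simplified selector parsing are constructed for illustration.

```python
import base64
import binascii
import re

# Added example, not strongSwan code. Decodes ipsec.secrets PSK values the
# way the thread describes them:
#   "..."  -> the quoted characters, taken literally
#   0x...  -> hexadecimal
#   0s...  -> base64
# "calculated HASH does not match HASH payload" means the two peers derived
# different key bytes, so comparing the decoded bytes is the useful check.

# Simplification (assumption): selectors contain no ':' (so no IPv6) and the
# secret token contains no whitespace.
SECRETS_LINE = re.compile(r"^\s*(?P<sel>[^:]*?)\s*:\s*PSK\s+(?P<secret>\S+)\s*$")


def decode_psk_token(token: str) -> bytes:
    """Return the raw key bytes for one PSK token in one of the three encodings."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        # quotes mean "literal": a 0x/0s prefix inside quotes is NOT decoded
        return token[1:-1].encode("utf-8")
    if token.startswith("0x"):
        return binascii.unhexlify(token[2:])
    if token.startswith("0s"):
        return base64.b64decode(token[2:], validate=True)
    raise ValueError(f"unrecognised PSK encoding: {token!r}")


def parse_secrets_line(line: str):
    """Split 'selector... : PSK secret' into (selector list, key bytes)."""
    m = SECRETS_LINE.match(line)
    if not m:
        raise ValueError(f"not a PSK line: {line!r}")
    selectors = m.group("sel").split()  # empty list == matches any peer
    return selectors, decode_psk_token(m.group("secret"))


def same_raw_key(*tokens: str) -> bool:
    """True when every token decodes to identical key bytes."""
    return len({decode_psk_token(t) for t in tokens}) == 1


if __name__ == "__main__":
    # constructed sample values; the thread's real PSK is not shown
    print(same_raw_key('"secret"', "0x736563726574", "0sc2VjcmV0"))  # True
    print(same_raw_key('"secret"', '"0x736563726574"'))              # False
    print(parse_secrets_line(': PSK "secret"'))
```

The second check shows the pitfall of quoting a hex- or base64-looking value: inside quotes the prefix is part of the literal key, so the peers no longer agree.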