[strongSwan] tearing my hair out over connection issue
Raina Matthews
rainamatthews at gmail.com
Sat Dec 12 00:28:50 CET 2015
On 12/11/2015 11:00, Thomas Egerer wrote:
> On 12/11/2015 07:27 PM, Raina Matthews wrote:
>> I wish I could say it was
>> commented out or set to no, but alas it is
>> enabled and marked as yes
> Dammit!
>
> Judging from your mail, your 'countless combinations of entering the
> PSK' have covered all possibilities (quoted == ASCII, 0x-prefixed ==
> hex, 0s-prefixed == base64) of encoding the PSK.
I did try base64-encoding it, since that's how it's stored in the config
I know works from Shrew Soft. The other methods I'd have to say no to, because
I'm not 100% sure what you mean by them.
>
> If you tell us the strongswan release you are using, the list may know
> if you are sitting on a release that may have a general issue with PSK
> (I personally do not know of any).
strongSwan U5.1.2/K4.2.0-16-generic (ubuntu 15.04)
but have also tried
Linux strongSwan U5.3.2/K3.18.20 (openwrt)
>
> It seems, you already browsed through [1].
Yes I did. It's where I got a lot of the possible options that I've thrown
into my config.
>
> Any other clues in the log. Maybe posting a bit more log context can
> enlighten us.
The charon.log I have is fairly sparse:
Dec 11 23:02:40 04[IKE] <home|3> initiating Aggressive Mode IKE_SA home[3] to xxx.xxx.xxx.xxx
Dec 11 23:02:40 04[ENC] <home|3> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Dec 11 23:02:40 04[NET] <home|3> sending packet: from 0.0.0.0[500] to 67.91.221.141[500] (410 bytes)
Dec 11 23:02:40 03[NET] <home|3> received packet: from xxx.xxx.xxx.xxx[500] to 192.168.1.101[500] (328 bytes)
Dec 11 23:02:40 03[ENC] <home|3> parsed AGGRESSIVE response 0 [ SA KE No ID V HASH ]
Dec 11 23:02:40 03[IKE] <home|3> received DPD vendor ID
Dec 11 23:02:41 03[IKE] <home|3> calculated HASH does not match HASH payload
Dec 11 23:02:41 03[ENC] <home|3> generating INFORMATIONAL_V1 request 2698162911 [ HASH N(AUTH_FAILED) ]
Dec 11 23:02:41 03[NET] <home|3> sending packet: from 192.168.1.101[500] to xxx.xxx.xxx.xxx[500] (92 bytes)
I don't really have any logs from the other side when strongSwan
connects. However, I do when I connect via the iOS IPsec client:
Dec 11 15:24:09 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:09) iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)Process INFO_EXCHANGE : Invalid payload 250
Dec 11 15:24:10 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:10) admd[739]: msg_id="1100-0004" Authentication of MUVPN user [AuthorizedUsernamehere] from 66.60.177.6 accepted
Dec 11 15:24:10 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:10) sessiond[721]: msg_id="3E00-0002" IPSec VPN user AuthorizedUsernamehere from yyy.yyy.yyy.yyy logged in assigned virtual IP is 10.10.10.80
Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15) iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)Check Payloads : extra payload(218) after HASH in QuickMode current state
Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15) iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)IkeQMProcessHashMsg : IkeCheckPayloads failed
Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15) iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)QuickMode: <<3rd - failed to process HASH payload
Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15) iked[735]: msg_id="0207-0001" (10.4.100.69<->yyy.yyy.yyy.yyy)'GROUPNAME' MUVPN IPSec tunnel is established. local:0.0.0.0 remote:10.10.10.80/32 in-SA:0xb0526314 out-SA:0x0fd52ea8 role:responder
Not having really looked at these that closely before on a successful
connect, I do notice that there are hash failure references here too. I
wonder if this could mean that they're all failing on hash, but other
clients are continuing to do something, while strongSwan is stopping?
>
> Cheers,
> Thomas
>
> [1] https://lists.strongswan.org/pipermail/users/2015-September/008758.html
>> On 12/11/2015 00:04, Thomas Egerer wrote:
>>> Hi Raina,
>>>
>>> top posting, it's short!
>>> I see you're using aggressive mode with PSK, so does your
>>> strongswan.conf contain the line:
>>>
>>> i_dont_care_about_security_and_use_aggressive_mode_psk=yes
>>>
>>> in the charon section?
>>> Hope this keeps you from going bald!
>>>
>>> Cheers,
>>> Thomas
>>>
>>> On 12/11/2015 12:28 AM, Raina Matthews wrote:
>>>> Over the past week, I've spent anywhere from 2 to 4 hrs a night trying
>>>> to figure out why my connection is failing.
>>>>
>>>> I'm getting an error:
>>>>
>>>> calculated HASH does not match HASH payload
>>>>
>>>>
>>>> Now, looking over other references to this, it indicates my PSK is wrong.
>>>> So I have tried countless combinations of entering said PSK into my
>>>> ipsec.secrets file, and still no joy.
>>>>
>>>> I know that the PSK is right, based on a number of factors: 1) my iPad
>>>> can connect using this same PSK, 2) I can connect via Shrew Soft on
>>>> Windows 7 using the same PSK, and 3) I can get 'further' with vpnc
>>>> using the same PSK.
>>>>
>>>> So if my PSK is right, then either 1) I've got it entered in the wrong
>>>> manner in my secrets file, or 2) there's some issue with encryption
>>>> methods/handshakes that's causing the server to return one value and
>>>> strongSwan to send another.
>>>>
>>>> In my secrets file I have
>>>>
>>>> xxx.xxx.xxx.xxx : PSK "<KEYHERE>"
>>>>
>>>> I have tried the external IP of the box that runs the IPsec VPN, and
>>>> also the internal IP (since it's NATed in some way I didn't set up).
>>>> Also, reading something else somewhere, there was the suggestion of using
>>>> the Group ID, and another of leaving it blank and just having
>>>>
>>>> : PSK "<KEYHERE>"
>>>>
>>>> All end up with the same error.
>>>>
>>>> So that makes me think there's some encryption-handshake-type issue.
>>>> According to the Shrew Soft configuration, which is known to work, it
>>>> states
>>>>
>>>> s:phase1-cipher:aes
>>>> n:phase1-keylen:256
>>>> s:phase1-hash:sha1
>>>> n:phase1-dhgroup:2
>>>>
>>>> which to me means I need
>>>> ike=aes256-sha1-modp1024 in my configuration
>>>>
>>>> it also has entries
>>>>
>>>> s:phase2-transform:esp-aes
>>>> n:phase2-keylen:256
>>>> s:phase2-hmac:sha1
>>>>
>>>> which to me means I need
>>>> esp=aes256-sha1
>>>>
>>>> I've included below a copy of my current config, but I say current
>>>> because I keep changing bits here and there in the hope that it'll
>>>> suddenly start working, but throughout I've ended up with the same hash
>>>> calculation error.
>>>>
>>>> Can anyone help?
>>>>
>>>> version 2
>>>> config setup
>>>>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
>>>> conn %default
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     keyexchange=ikev1
>>>>     authby=xauthpsk
>>>> conn home
>>>>     left=192.168.219.137
>>>>     leftsourceip=%config
>>>>     keyexchange=ikev1
>>>>     ike=aes256-sha1-modp1024
>>>>     esp=aes256-sha1
>>>>     ikelifetime=1440m
>>>>     keylife=60m
>>>>     aggressive=yes
>>>>     leftid=<GroupName that I have to enter in the iOS GroupName field>
>>>>     leftauth=psk
>>>>     leftauth2=xauth
>>>>     leftfirewall=yes
>>>>     rightfirewall=yes
>>>>     right=xxx.xxx.xxx.xxx
>>>>     rightid=%any
>>>>     rightsourceip=%modeconfig
>>>>     rightauth=psk
>>>>     xauth_identity=MyUser
>>>>     auto=add
>>>>     xauth=client
>>>>     dpdtimeout=180s
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     fragmentation=yes
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
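Thomas's note on PSK encodings (quoted == ASCII, 0x-prefixed == hex, 0s-prefixed == base64) and Raina's ipsec.secrets lines both come down to the same question: which raw bytes does a given spelling of the secret produce? The Python below is an added example, written for this page and not taken from the thread or from strongSwan; it re-implements those three decoding rules in a simplified `selectors : PSK value` line grammar (an assumption, not strongSwan's parser), runs them over a constructed key and gateway address, and shows the slip that keeps a PSK "right" yet mismatched: the base64 text copied from another client's stored config, written inside quotes, is a different key from the same text written with the `0s` prefix.

```python
"""Decode ipsec.secrets-style PSK spellings into raw key bytes.

Added example, not strongSwan code.  The three rules implemented here are
the ones named in the thread: a quoted string is literal ASCII, a 0x prefix
is hex, a 0s prefix is base64.  The line grammar is a simplification.
"""
import base64
import binascii
import re

# Simplified ipsec.secrets PSK line: "<selectors> : PSK <value>"  (assumption)
SECRET_LINE = re.compile(r'^\s*(?P<ids>[^:]*?)\s*:\s*PSK\s+(?P<value>\S.*?)\s*$')


def decode_psk(token: str) -> bytes:
    """Return the raw key bytes denoted by one PSK token."""
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return token[1:-1].encode("ascii")                  # quoted == literal ASCII
    if token.startswith("0x"):
        return binascii.unhexlify(token[2:])                # 0x-prefixed == hex
    if token.startswith("0s"):
        return base64.b64decode(token[2:], validate=True)   # 0s-prefixed == base64
    return token.encode("ascii")                            # bare token, taken literally


def parse_secret_line(line: str):
    """Split 'id1 id2 : PSK <value>' into (selector list, key bytes)."""
    m = SECRET_LINE.match(line)
    if not m:
        raise ValueError(f"not a PSK line: {line!r}")
    return m.group("ids").split(), decode_psk(m.group("value"))


def spellings_of(raw: bytes) -> dict:
    """The three ipsec.secrets spellings that all denote the same raw key."""
    quoted = None
    if raw.isascii() and b'"' not in raw:
        quoted = '"' + raw.decode("ascii") + '"'
    return {
        "quoted": quoted,
        "hex": "0x" + raw.hex(),
        "base64": "0s" + base64.b64encode(raw).decode("ascii"),
    }


def key_matches(line: str, gateway_key: bytes) -> bool:
    """True when the secrets line decodes to exactly the gateway's key bytes."""
    _ids, raw = parse_secret_line(line)
    return raw == gateway_key


if __name__ == "__main__":
    gateway_key = b"s3cret"          # constructed sample key, not a real secret
    gateway = "192.0.2.1"            # constructed documentation address
    # Every spelling of the same bytes decodes back to the same key.
    for spelling in spellings_of(gateway_key).values():
        line = f"{gateway} : PSK {spelling}"
        print(f"{line:40s} -> {parse_secret_line(line)[1]!r} "
              f"match={key_matches(line, gateway_key)}")
    # The slip: base64 text copied from another client's config, but quoted.
    copied = f'{gateway} : PSK "czNjcmV0"'
    print(f"{copied:40s} -> {parse_secret_line(copied)[1]!r} "
          f"match={key_matches(copied, gateway_key)}")
```

Running the script prints four decoded lines: the quoted, `0x` and `0s` spellings all decode to the same bytes and match, while the quoted base64 text decodes to the characters of the base64 string itself and does not, which would surface on the strongSwan side exactly as a HASH mismatch rather than a configuration error.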