[strongSwan] tearing my hair out over connection issue
Thomas Egerer
hakke_007 at gmx.de
Sat Dec 12 14:42:01 CET 2015
Raina,
Another idea. A quote from [1] says:
<snip>
Convert a string of characters into a binary secret
A string between single or double quotes is treated as ASCII characters
A string prepended by 0x is treated as HEX and prepended by 0s as Base64
<snap>
Have you tried the line
: PSK 0sdG9wc2VjcmV0
with your PSK base64-encoded (topsecret in my case) *no* *quotes*!
Optionionally you can try to convert your base64 key to hex:
> psk='dG9wc2VjcmV0'; echo ": PSK 0x$(echo -n $psk | \
base64 -d | hexdump -v -e '1/1 "%02x"')"
which results in
: PSK 0x746f70736563726574
It *must* be the PSK.
Cheers,
Thomas
[1] src/libcharon/plugins/stroke/stroke_cred.c
On 12/12/2015 12:28 AM, Raina Matthews wrote:
>
>
> On 12/11/2015 11:00, Thomas Egerer wrote:
>> On 12/11/2015 07:27 PM, Raina Matthews wrote:> I wish I could say it was
>> commented out or set to no, but alas it is
>>> enabled and marked as yes
>> Dammit!
>>
>> Judging from your mail, your 'countless combinations of entering the
>> PSK' have covered all possibilities (quoted == ASCII, 0x-prefixed ==
>> hex, 0s-prefixed == base64) of encoding the PSK.
> I did try base64 encoding it, since that's how it's stored in the config
> I know works from shrewsoft. others methods I'd have to say no, because
> I'm not 100% sure what you mean by them
>>
>> If you tell us the strongswan release you are using, the list may know
>> if you are sitting on a release that may have a general issue with PSK
>> (I personally do not know of any).
> strongSwan U5.1.2/K4.2.0-16-generic (ubuntu 15.04)
> but have also tried
> Linux strongSwan U5.3.2/K3.18.20 (openwrt)
>>
>> It seems, you already browsed through [1].
> yes I did. it's where I got alot of possibile options that I've thrown
> into my config
>>
>> Any other clues in the log. Maybe posting a bit more log context can
>> enlighten us.
>
> the charon.log I have is fairly sparse
>
> Dec 11 23:02:40 04[IKE] <home|3> initiating Aggressive Mode IKE_SA
> home[3] to xxx.xxx.xxx.xxx
> Dec 11 23:02:40 04[ENC] <home|3> generating AGGRESSIVE request 0 [ SA KE
> No ID V V V V V ]
> Dec 11 23:02:40 04[NET] <home|3> sending packet: from 0.0.0.0[500] to
> 67.91.221.141[500] (410 bytes)
> Dec 11 23:02:40 03[NET] <home|3> received packet: from
> xxx.xxx.xxx.xxx[500] to 192.168.1.101[500] (328 bytes)
> Dec 11 23:02:40 03[ENC] <home|3> parsed AGGRESSIVE response 0 [ SA KE No
> ID V HASH ]
> Dec 11 23:02:40 03[IKE] <home|3> received DPD vendor ID
> Dec 11 23:02:41 03[IKE] <home|3> calculated HASH does not match HASH
> payload
> Dec 11 23:02:41 03[ENC] <home|3> generating INFORMATIONAL_V1 request
> 2698162911 [ HASH N(AUTH_FAILED) ]
> Dec 11 23:02:41 03[NET] <home|3> sending packet: from 192.168.1.101[500]
> to xxx.xxx.xxx.xxx[500] (92 bytes)
>
> I don't really have any logs from the otherside when strongswan
> connects.however I do when I connect via the iOS ipsec client.
>
> Dec 11 15:24:09 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:09)
> iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)Process INFO_EXCHANGE :
> Invalid payload 250
> Dec 11 15:24:10 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:10)
> admd[739]: msg_id="1100-0004" Authentication of MUVPN user
> [AuthorizedUsernamehere] from 66.60.177.6 accepted
> Dec 11 15:24:10 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:10)
> sessiond[721]: msg_id="3E00-0002" IPSec VPN user AuthorizedUsernamehere
> from yyy.yyy.yyy.yyy logged in assigned virtual IP is 10.10.10.80
> Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15)
> iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)Check Payloads : extra
> payload(218) after HASH in QuickMode current state
> Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15)
> iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)IkeQMProcessHashMsg :
> IkeCheckPayloads failed
> Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15)
> iked[735]: (10.4.100.69<->yyy.yyy.yyy.yyy)QuickMode: <<3rd - failed to
> process HASH payload
> Dec 11 15:24:15 ForteXTM330 80BD06A80D951 (2015-12-11T23:24:15)
> iked[735]: msg_id="0207-0001" (10.4.100.69<->yyy.yyy.yyy.yyy)'GROUPNAME'
> MUVPN IPSec tunnel is established. local:0.0.0.0 remote:10.10.10.80/32
> in-SA:0xb0526314 out-SA:0x0fd52ea8 role:responder
>
> not having really looked at these that closely before on a successful
> connect, I do notice that there are hash failure references here too I
> wonder if this could mean that they're all failing on hash, but other
> clients are continuing to do something, while strongswan is stopping?
>>
>> Cheers,
>> Thomas
>>
>> [1]
>> https://lists.strongswan.org/pipermail/users/2015-September/008758.html
>>> On 12/11/2015 00:04, Thomas Egerer wrote:
>>>> Hi Raina,
>>>>
>>>> top posting, it's short!
>>>> I see you're using aggressive mode with PSK, so does your
>>>> strongswan.conf contain the line:
>>>>
>>>> i_dont_care_about_security_and_use_aggressive_mode_psk=yes
>>>>
>>>> in the charon section?
>>>> Hope this keeps you from going bald!
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> On 12/11/2015 12:28 AM, Raina Matthews wrote:
>>>>> over the past week, I've spent anywhere from 2 to 4 hrs a night trying
>>>>> to figure out why my connection is failing
>>>>>
>>>>> I'm getting an error :-
>>>>>
>>>>> calculated HASH does not match HASH payload
>>>>>
>>>>>
>>>>> now looking over other references to this, it indicates my PSK is
>>>>> wrong.
>>>>> so I have tried countless combinations of entering said PSK into my
>>>>> ipsec.secrets file, and still no joy,
>>>>>
>>>>> I know that the PSK is right, based on a number of factors. 1) my
>>>>> Ipad
>>>>> can connect using this same PSK. 2) I can connect via shrewsoft on
>>>>> windows 7 using the same psk, and 3) I can get 'further' with vpnc
>>>>> using the same PSK
>>>>>
>>>>> so if my PSK is right, then either 1) I've got it entered in the wrong
>>>>> manner in my secrets file, or 2) there's some issue with encryption
>>>>> methods/handshakes thats causing the server to return one value and
>>>>> strongswan to send another.
>>>>>
>>>>> in my secrets file I have
>>>>>
>>>>> xxx.xxx.xxx.xxx : PSK "<KEYHERE>"
>>>>>
>>>>> I have tried the external IP of the box that runs the ipsec VPN, and
>>>>> also the internal IP (since it's natted in some way I didn't setup).
>>>>> Also reading something else somewhere there was the suggestion of
>>>>> using
>>>>> the Group ID, and another of leaving it blank and just having
>>>>>
>>>>> : PSK "<KEYHERE>"
>>>>>
>>>>> all end up with the same error
>>>>>
>>>>> so that makes me think there's some encryption handshake type issue.
>>>>> according to the shrewfsoft configuration which is known to work, it
>>>>> states
>>>>>
>>>>> s:phase1-cipher:aes
>>>>> n:phase1-keylen:256
>>>>> s:phase1-hash:sha1
>>>>> n:phase1-dhgroup:2
>>>>>
>>>>> which to me means I need
>>>>> ike=aes256-sha1-modp1024 in my configuration
>>>>>
>>>>> it also has entries
>>>>>
>>>>> s:phase2-transform:esp-aes
>>>>> n:phase2-keylen:256
>>>>> s:phase2-hmac:sha1
>>>>>
>>>>> which to me means I need
>>>>> esp=aes256-sha1
>>>>>
>>>>> I've included below a copy of my current config, but I say current
>>>>> because I keep changing bits here and there in the hope that it'll
>>>>> suddenly start working, but throughout I've ended up with the same
>>>>> hash
>>>>> calculation error
>>>>>
>>>>> can anyone help?
>>>>>
>>>>> version 2
>>>>> config setup
>>>>> charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
>>>>> conn %default
>>>>> ikelifetime=60m
>>>>> keylife=20m
>>>>> rekeymargin=3m
>>>>> keyingtries=1
>>>>> keyexchange=ikev1
>>>>> authby=xauthpsk
>>>>> conn home
>>>>> left=192.168.219.137
>>>>> leftsourceip=%config
>>>>> keyexchange=ikev1
>>>>> ike=aes256-sha1-modp1024
>>>>> esp=aes256-sha1
>>>>> ikelifetime=1440m
>>>>> keylife=60m
>>>>> aggressive=yes
>>>>> leftid=<GroupName that I have to enter in the iOS GroupName
>>>>> field>
>>>>> leftauth=psk
>>>>> leftauth2=xauth
>>>>> leftfirewall=yes
>>>>> rightfirewall=yes
>>>>> right=xxx.xxx.xxx.xxx
>>>>> rightid=%any
>>>>> rightsourceip=%modeconfig
>>>>> rightauth=psk
>>>>> xauth_identity=MyUser
>>>>> auto=add
>>>>> xauth=client
>>>>> dpdtimeout=180s
>>>>> rekeymargin=3m
>>>>> keyingtries=1
>>>>> fragmentation=yes
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151212/0075998d/attachment.pgp>
More information about the Users
mailing list