[strongSwan] IPSEC-SECRETS FILE file parsing issue results in "calculated HASH does not match HASH payload" and HASH N(AUTH_FAILED)
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Sun Nov 15 18:07:21 CET 2015
Hi
Just to set it right: there is a typo in the peer2 config. It should be
2.2.2.5 (and not 2.2.2.25; my mistake while copy-paste editing on the mail
page)
thanks & regards
rajiv
On Sun, Nov 15, 2015 at 10:27 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
wrote:
> Hi Strongswan Team
>
> I know this kind of issue (hash mismatch) has been occurring for a long
> time with users who use PSK, and I know that generally it's due to the
> pre-shared-keys mismatch between the peers. I double-checked all the
> reported issues and your advice on each of them.
>
> But I am facing some different issue I guess..I don't know...
>
> Please kindly help and advise...As per my layman's observation...it's more
> to do with how the parsing of the "ipsec.secrets" file contents is done, or maybe
> the way the IDs/selectors are used or represented by strongSwan.
>
> I am unable to establish a simple S2S tunnel between 2 peers, when one of
> the peers (peer1-DUT) has a specific type of configs as shown below.
>
> Here I have to use PSK (either for the road-warrior connection entry or
> for the l2tp-ipsec connection entries)
>
> The tunnel is up and works if I remove both the road-warrior and the
> optional l2tp-ipsec connection entries on the peer1, because of which the main
> S2S tunnel is not coming up and is failing with the message as in the subject field
>
> You see, I have the below very simple setup with the configs in each of
> the peers as shown below:
>
>
> [pc1]----[DUT](2.2.2.21)-------------(2.2.2.25)[PEER2]----[pc2]
> 192.168.33.0/24 <site-to-site-tunnel> 192.168.34.0/24
>
> Note: peer1/DUT will always initiate the S2S tunnel. It also acts as a
> road-warrior server and a l2tp-server (and more such as pptp-server too)
>
>
> ------------------------------
> Config on Peer1-GW (the DUT)
> ------------------------------
>
> root at OpenWrt:/etc#
> root at OpenWrt:/etc# cat ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> strictcrlpolicy=no
> charondebug="ike 4, dmn 4, chd 4, knl 3, cfg 3, net 3, esp 1, enc 4,
> lib 4, mgr 4"
>
> conn %default
> ikelifetime=3h
> keylife=1h
> mobike=no
>
> conn topeergw1
> aggressive=yes
> left=2.2.2.21
> leftid=dut1.ciscosbr.com
> leftsubnet=192.168.34.0/24
> right=2.2.2.5
> rightid=dut2.ciscosbr.com
> rightsubnet=192.168.33.0/24
> leftauth=psk
> rightauth=psk
> type=tunnel
> keyexchange=ikev1
> ike=aes256-sha1-modp1536
> esp=aes256-sha1-modp1536
> auto=route
>
> conn c2s_GroupName1
> aggressive=yes
> left=2.2.2.21
> leftid=2.2.2.21
> leftsubnet=192.168.34.0/24
> right=%any
> rightid=keyid:GroupName1
> rightsourceip=10.11.11.0/24
> leftauth=psk
> rightauth=psk
> rightauth2=xauth
> xauth=server
> modeconfig=pull
> type=tunnel
> keyexchange=ikev1
> auto=add
> #
> #conn l2tp-conns
> # aggressive=yes
> # left=%any
> # leftprotoport=17/1701
> # right=%any
> # rightprotoport=17/1701
> # leftauth=psk
> # rightauth=psk
> # type=transport
> # keyexchange=ikev1
> # auto=add
> root at OpenWrt:/etc#
> root at OpenWrt:/etc#
>
> root at OpenWrt:/etc# cat ipsec.secrets
> # auto-generated config file from /tmp/etc/config/strongswan
> dut1.ciscosbr.com dut2.ciscosbr.com : PSK "123456789abc"
> 2.2.2.21 GroupName1 : PSK "config123abc"
> user2 : XAUTH "config123"
> #: PSK "hgdgfd$AKHKH$hfgdhsf$#$j6523"
>
> root at OpenWrt:/etc#
> ================================================
>
>
> -------------------------------------
> Config on Peer2-GW (a Ubuntu-Linux PC)
> -----------------------------------
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> strictcrlpolicy=no
> charondebug="ike 4, dmn 4, chd 4, knl 3, cfg 3, net 3, esp 1, enc 4,
> lib 4, mgr 4"
>
> conn %default
> ikelifetime=3h
> keylife=1h
> mobike=no
>
> conn topeergw1
> aggressive=yes
> left=2.2.2.25
> leftid=dut2.ciscosbr.com
> leftsubnet=192.168.33.0/24
> right=%any
> rightid=dut1.ciscosbr.com
> rightsubnet=192.168.34.0/24
> leftauth=psk
> rightauth=psk
> type=tunnel
> keyexchange=ikev1
> ike=aes256-sha1-modp1536
> esp=aes256-sha1-modp1536
> auto=add
>
> root[/etc]# cat ipsec.secrets
> dut2.ciscosbr.com dut1.ciscosbr.com : PSK "123456789abc"
> ==========================================
>
> Please find attached the logs of the IKE/IPsec transaction captured on
> both the peers. Please, please take a look at the issue I am facing....I
> may be making a very simple mistake somewhere...but I am unable to get
> it....please advise
>
> Also, any pointers or info on how the parsing of the "ipsec.secrets" file is
> done...like, is it a top-down approach (in which case why does it use the
> other PSK values in the file rather than the first one that should match?).
> Thanks in advance.
>
> thank you
> with regards
> rajiv
>
>
> thanks
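A small selector-matching model of the ipsec.secrets format shown in the thread, added here as an illustration and not strongSwan's parser (it compares selector strings literally and does not replicate strongSwan's ID typing or match rules): it lists every PSK line usable for a given local/peer ID pair, ranked by how specific the match is, and flags ties, so an ambiguous secrets file can be spotted before charon has to choose.

```python
import re
from dataclasses import dataclass
@dataclass
class Secret:
    selectors: tuple  # IDs left of the colon; () means "matches any pair"
    kind: str         # PSK, XAUTH, ...
    value: str
# Constructed copy of the DUT's ipsec.secrets from the thread, with the
# commented-out wildcard PSK line uncommented to show its effect.
SAMPLE = '''
# auto-generated config file from /tmp/etc/config/strongswan
dut1.ciscosbr.com dut2.ciscosbr.com : PSK "123456789abc"
2.2.2.21 GroupName1 : PSK "config123abc"
user2 : XAUTH "config123"
: PSK "hgdgfd$AKHKH$hfgdhsf$#$j6523"
'''
# <selectors> : <KIND> "<value>"  (selectors may be empty)
ENTRY = re.compile(r'^(?P<sel>[^:]*?)\s*:\s*(?P<kind>\w+)\s+"(?P<val>[^"]*)"')

def parse_secrets(text):
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank line or full-line comment
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f'cannot parse secrets line: {raw!r}')
        out.append(Secret(tuple(m['sel'].split()), m['kind'], m['val']))
    return out

def _match(selectors, ident):
    # 2 = exact selector, 1 = %any or empty selector list, 0 = no match
    if not selectors:
        return 1
    return max((2 if s == ident else 1 if s == '%any' else 0) for s in selectors)

def candidate_psks(secrets, my_id, peer_id):
    """PSK entries usable for (my_id, peer_id), best-ranked first; ties keep file order."""
    ranked = []
    for s in secrets:
        if s.kind != 'PSK':
            continue
        me, other = _match(s.selectors, my_id), _match(s.selectors, peer_id)
        if me and other:                  # both IDs must be covered by the line
            ranked.append((me + other, s))
    return sorted(ranked, key=lambda t: -t[0])

def ambiguous(secrets, my_id, peer_id):
    """True when more than one PSK line shares the best rank for this pair."""
    r = candidate_psks(secrets, my_id, peer_id)
    return len(r) > 1 and r[0][0] == r[1][0]
```

Run `candidate_psks(parse_secrets(SAMPLE), 'dut1.ciscosbr.com', 'dut2.ciscosbr.com')` to see that the exact-ID line outranks the wildcard line; a file with two wildcard lines would come back as ambiguous.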