[strongSwan] IPSEC-SECRETS file parsing issue results in "calculated HASH does not match HASH payload" and HASH N(AUTH_FAILED)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Nov 17 15:26:57 CET 2015


Hi

Can somebody take a look, advise and suggest a solution to this issue
I am facing?
Any other methods to employ to move ahead with solving this issue?

thank you
-rajiv


On Sun, Nov 15, 2015 at 10:37 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
wrote:

> Hi
>
> Just to set it right... There is a typo in the peer2 config... it should be
> 2.2.2.5 (and not 2.2.2.25... my mistake while copy-paste editing on the mail
> page)
>
> thanks & regards
> rajiv
>
>
> On Sun, Nov 15, 2015 at 10:27 PM, Rajiv Kulkarni <
> rajivkulkarni69 at gmail.com> wrote:
>
>> Hi Strongswan Team
>>
>> I know this kind of issue (hash mismatch) has been occurring for a long
>> time with users who use PSK, and I know that generally it's due to a
>> pre-shared-key mismatch between the peers. I double-checked all the
>> reported issues and your advice on each of them.
>>
>> But I am facing some different issue, I guess... I don't know...
>>
>> Please kindly help and advise... As per my layman's observation... it's more
>> to do with how the "ipsec.secrets" file contents are parsed, or maybe
>> the way the ID selectors are used or represented by strongSwan.
>>
>> I am unable to establish a simple S2S tunnel between 2 peers, when one of
>> the peers (peer1-DUT) has a specific type of config as shown below.
>>
>> Here i have to use PSK (either for the road-warrior connection-entry or
>> for the l2tp-ipsec connection entries)
>>
>> The tunnel is up and works if I remove both the road-warrior and the
>> optional l2tp-ipsec connection entries on peer1, because of which the main
>> S2S tunnel is not coming up and is failing with the message in the subject field.
>>
>> You see, i have the below very simple setup with the configs in each of
>> the peers as shown below:
>>
>>
>>   [pc1]----[DUT](2.2.2.21)-------------(2.2.2.25)[PEER2]----[pc2]
>> 192.168.33.0/24           <site-to-site-tunnel>        192.168.34.0/24
>>
>> Note: peer1/DUT will always initiate the S2S tunnel. It also acts as a
>> road-warrior server and an l2tp-server (and more, such as a pptp-server too)
>>
>>
>> ------------------------------
>> Config on Peer1-GW (the DUT)
>> ------------------------------
>>
>> root at OpenWrt:/etc#
>> root at OpenWrt:/etc# cat ipsec.conf
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>     strictcrlpolicy=no
>>     charondebug="ike 4, dmn 4, chd 4, knl 3, cfg 3, net 3, esp 1, enc 4, lib 4, mgr 4"
>>
>> conn %default
>>     ikelifetime=3h
>>     keylife=1h
>>     mobike=no
>>
>> conn topeergw1
>>     aggressive=yes
>>     left=2.2.2.21
>>     leftid=dut1.ciscosbr.com
>>     leftsubnet=192.168.34.0/24
>>     right=2.2.2.5
>>     rightid=dut2.ciscosbr.com
>>     rightsubnet=192.168.33.0/24
>>     leftauth=psk
>>     rightauth=psk
>>     type=tunnel
>>     keyexchange=ikev1
>>     ike=aes256-sha1-modp1536
>>     esp=aes256-sha1-modp1536
>>     auto=route
>>
>> conn c2s_GroupName1
>>     aggressive=yes
>>     left=2.2.2.21
>>     leftid=2.2.2.21
>>     leftsubnet=192.168.34.0/24
>>     right=%any
>>     rightid=keyid:GroupName1
>>     rightsourceip=10.11.11.0/24
>>     leftauth=psk
>>     rightauth=psk
>>     rightauth2=xauth
>>     xauth=server
>>     modeconfig=pull
>>     type=tunnel
>>     keyexchange=ikev1
>>     auto=add
>> #
>> #conn l2tp-conns
>> #    aggressive=yes
>> #    left=%any
>> #    leftprotoport=17/1701
>> #    right=%any
>> #    rightprotoport=17/1701
>> #    leftauth=psk
>> #    rightauth=psk
>> #    type=transport
>> #    keyexchange=ikev1
>> #    auto=add
>> root at OpenWrt:/etc#
>> root at OpenWrt:/etc#
>>
>> root at OpenWrt:/etc# cat ipsec.secrets
>> # auto-generated config file from /tmp/etc/config/strongswan
>> dut1.ciscosbr.com dut2.ciscosbr.com : PSK "123456789abc"
>> 2.2.2.21 GroupName1 : PSK "config123abc"
>> user2 : XAUTH "config123"
>> #: PSK "hgdgfd$AKHKH$hfgdhsf$#$j6523"
>>
>> root at OpenWrt:/etc#
>> ================================================
>>
>>
>> -------------------------------------
>> Config on Peer2-GW (a Ubuntu-Linux PC)
>> -----------------------------------
>>
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>     strictcrlpolicy=no
>>     charondebug="ike 4, dmn 4, chd 4, knl 3, cfg 3, net 3, esp 1, enc 4, lib 4, mgr 4"
>>
>> conn %default
>>     ikelifetime=3h
>>     keylife=1h
>>     mobike=no
>>
>> conn topeergw1
>>     aggressive=yes
>>     left=2.2.2.25
>>     leftid=dut2.ciscosbr.com
>>     leftsubnet=192.168.33.0/24
>>     right=%any
>>     rightid=dut1.ciscosbr.com
>>     rightsubnet=192.168.34.0/24
>>     leftauth=psk
>>     rightauth=psk
>>     type=tunnel
>>     keyexchange=ikev1
>>     ike=aes256-sha1-modp1536
>>     esp=aes256-sha1-modp1536
>>     auto=add
>>
>> root[/etc]# cat ipsec.secrets
>> dut2.ciscosbr.com dut1.ciscosbr.com : PSK "123456789abc"
>> ==========================================
>>
>> Please find attached the logs of the IKE/IPsec transaction captured on
>> both the peers. Please take a look at the issue I am facing... I
>> may be making a very simple mistake somewhere... but I am unable to find
>> it... please advise
>>
>> Also, any pointers of info on how the parsing of the "ipsec.secrets" file is
>> done... like, is it a top-down approach (in which case why does it use the
>> other PSK values in the file rather than the first one that should match?).
>> Thanks in advance.
>>
>> thank you
>> with regards
>> rajiv
>>
>>
>> thanks
>>
>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151117/fd755f0a/attachment.html>
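The question above about whether ipsec.secrets is searched top-down is worth answering with a runnable model. The following Python is an added illustration for this thread, not strongSwan's code: it mirrors the best-match rule of charon's credential manager as I read it (every PSK line is scored against the local and remote IKE identity; the remote-ID match dominates, the local-ID match breaks ties; the file order only matters on a complete tie), so verify against your version's source and its "cfg" debug output. The parsing rules it assumes are that an unprefixed ID is an IPv4 address if it parses as one and otherwise an FQDN, that "keyid:" forces a key-id type, that a line with no IDs gets a single %any owner, and that IDs only match when their types agree (except %any, which matches anything at the lowest level). `DUT_SECRETS` is constructed from the DUT's secrets file shown in the post plus an ID-less fallback line; `NO_WILDCARD`, `lookup` and the other names are mine. FQDN wildcards and non-PSK secret types are left out.

```python
"""Model of how strongSwan chooses a PSK from ipsec.secrets (illustration, not strongSwan code)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# strongSwan's id_match_t levels (NONE < ANY < ... < PERFECT); assumed values
ID_MATCH_NONE, ID_MATCH_ANY, ID_MATCH_PERFECT = 0, 1, 20


class Ident(NamedTuple):
    kind: str   # "any", "ipv4", "fqdn" or "keyid"
    value: str


def parse_id(text: str) -> Ident:
    """Classify an identity string as ipsec.conf / ipsec.secrets would (assumed rules)."""
    if text in ("", "%any", "0.0.0.0", "*"):
        return Ident("any", "")
    for prefix in ("keyid:", "fqdn:", "ipv4:"):
        if text.startswith(prefix):
            return Ident(prefix[:-1], text[len(prefix):])
    try:
        return Ident("ipv4", str(ipaddress.IPv4Address(text)))
    except ValueError:
        return Ident("fqdn", text)   # no '@', no colon, not an address: FQDN


def match(ident: Ident, owner: Ident) -> int:
    """How well a peer identity matches one owner ID listed on a secret line."""
    if owner.kind == "any":
        return ID_MATCH_ANY
    return ID_MATCH_PERFECT if ident == owner else ID_MATCH_NONE


class Secret(NamedTuple):
    lineno: int
    owners: Tuple[Ident, ...]
    psk: str


# '<id> <id> ... : PSK "<key>"'; non-greedy so a "keyid:" ID keeps its colon
SECRET_RE = re.compile(r'^(?P<ids>.*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_secrets(text: str) -> List[Secret]:
    secrets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECRET_RE.match(line)
        if not m:          # XAUTH, RSA, EAP ... lines are not modelled here
            continue
        owners = tuple(parse_id(tok) for tok in m.group("ids").split())
        secrets.append(Secret(lineno, owners or (Ident("any", ""),), m.group("psk")))
    return secrets


def select_psk(secrets: List[Secret], me: Ident, other: Ident) -> Optional[Secret]:
    """Best-match selection: remote-ID match dominates, local-ID match breaks ties."""
    best, best_me, best_other = None, ID_MATCH_NONE, ID_MATCH_NONE
    for s in secrets:
        m_me = max(match(me, o) for o in s.owners)
        m_other = max(match(other, o) for o in s.owners)
        if m_me == ID_MATCH_NONE and m_other == ID_MATCH_NONE:
            continue   # a line stays a candidate if either side matches
        if m_other > best_other or (m_other == best_other and m_me > best_me):
            best, best_me, best_other = s, m_me, m_other   # strict '>' keeps the earlier line on a full tie
    return best


# Constructed input: the DUT's ipsec.secrets from this thread plus an ID-less fallback line.
DUT_SECRETS = """\
dut1.ciscosbr.com dut2.ciscosbr.com : PSK "123456789abc"
2.2.2.21 GroupName1 : PSK "config123abc"
user2 : XAUTH "config123"
: PSK "fallback-for-any-peer"
"""
NO_WILDCARD = "\n".join(l for l in DUT_SECRETS.splitlines() if not l.startswith(":"))


def lookup(me: str, other: str, text: str = DUT_SECRETS) -> Optional[str]:
    found = select_psk(parse_secrets(text), parse_id(me), parse_id(other))
    return found.psk if found else None


if __name__ == "__main__":
    # site-to-site conn: both FQDNs match line 1 perfectly, so the fallback never wins
    print(lookup("dut1.ciscosbr.com", "dut2.ciscosbr.com"))
    # road warrior sending keyid:GroupName1: the unprefixed "GroupName1" parsed as an FQDN,
    # so only the local IP matches line 2 and the %any line outranks it
    print(lookup("2.2.2.21", "keyid:GroupName1"))
    print(lookup("2.2.2.21", "keyid:GroupName1", NO_WILDCARD))
    # IKEv1 main-mode responder: the peer's ID is not known yet, the lookup is by address only
    print(lookup("2.2.2.21", "2.2.2.5", NO_WILDCARD))
```

Two practical checks fall out of the model. First, a line that matches only the local ID is still a candidate, so a road-warrior or L2TP line keyed on the gateway's own address can be picked whenever nothing matches the remote ID; an ID-less `: PSK` line outranks such half matches but loses to any line that matches the remote ID. Second, the configs in this thread use aggressive mode, where the peer's ID arrives in the first message; with IKEv1 main mode the responder has to pick the PSK before it sees the ID payload, so only address-keyed or ID-less lines can match there.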
