[strongSwan] calculated HASH does not match HASH payload HASH N(AUTH_FAILED)
Daniel Kibe
dkibek at gmail.com
Fri Sep 25 15:14:42 CEST 2015
Hi,
I have Strongswan 5.3.2 client access Cisco ASA gateway that is failing to
establish connection with error HASH N(AUTH_FAILED). The conf is as below,
# ipsec.conf - strongSwan IPsec configuration file
version 2
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
strictcrlpolicy=no
#charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4" #useful
debugs
# Add connections here.
conn %default
ikelifetime=1440m
keylife=60m
rekeymargin=3m
dpdaction=restart
closeaction=restart
keyingtries=1
keyexchange=ikev1
authby=xauthpsk
conn " vpn"
keyexchange=ikev1
ikelifetime=1440m
keylife=60m
rekey=no
aggressive=yes
ike=3des-md5-modp1024!
esp=3des-md5!
xauth=client
left=X.X.X.X
leftid=hostname
leftsourceip=%config
leftfirewall=yes
leftauth=psk
rightauth=psk
leftauth2=xauth
right=Y.Y.Y.Y
rightsubnet=172.1.1.0/24
xauth_identity=abc
authby=xauthpsk
auto=start
The log output when starting is as below,
initiating Aggressive Mode IKE_SA vpn[5] to Y.Y.Y.Y
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (335 bytes)
received packet: from Y.Y.Y.Y [500] to X.X.X.X [500] (416 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
calculated HASH does not match HASH payload
generating INFORMATIONAL_V1 request 2360507816 [ HASH N(AUTH_FAILED) ]
sending packet: from X.X.X.X [500] to Y.Y.Y.Y[500] (84 bytes)
establishing connection 'vpn' failed
Kindly help is identifying the reason behind this failure.
Regards,
Daniel Kibe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150925/6b54bec8/attachment.html>
More information about the Users
mailing list