[strongSwan] calculated HASH does not match HASH payload HASH N(AUTH_FAILED)

Andreas Steffen andreas.steffen at strongswan.org
Sat Sep 26 15:49:43 CEST 2015


Hi Daniel,

a wrong hash value usually indicates that the Pre-Shared Secrets used
by the peers do not match. In your case it is the group password used
for Aggressive Mode.

Regards

Andreas

On 09/25/2015 03:14 PM, Daniel Kibe wrote:
> Hi,
>
> I have a strongSwan 5.3.2 client accessing a Cisco ASA gateway that is failing
> to establish a connection with the error HASH N(AUTH_FAILED). The conf is as
> below,
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> version 2
>
> # basic configuration
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         strictcrlpolicy=no
>         #charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"   #useful debugs
>
> # Add connections here.
>
> conn %default
>         ikelifetime=1440m
>         keylife=60m
>         rekeymargin=3m
>         dpdaction=restart
>         closeaction=restart
>         keyingtries=1
>         keyexchange=ikev1
>         authby=xauthpsk
>
> conn " vpn"
>         keyexchange=ikev1
>         ikelifetime=1440m
>         keylife=60m
>         rekey=no
>         aggressive=yes
>         ike=3des-md5-modp1024!
>         esp=3des-md5!
>         xauth=client
>         left=X.X.X.X
>         leftid=hostname
>         leftsourceip=%config
>         leftfirewall=yes
>         leftauth=psk
>         rightauth=psk
>         leftauth2=xauth
>         right=Y.Y.Y.Y
>         rightsubnet=172.1.1.0/24
>         xauth_identity=abc
>         authby=xauthpsk
>         auto=start
>
> The log output when starting is as below,
>
> initiating Aggressive Mode IKE_SA vpn[5] to Y.Y.Y.Y
> generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (335 bytes)
> received packet: from Y.Y.Y.Y [500] to X.X.X.X [500] (416 bytes)
> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received DPD vendor ID
> received NAT-T (RFC 3947) vendor ID
> received FRAGMENTATION vendor ID
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> calculated HASH does not match HASH payload
> generating INFORMATIONAL_V1 request 2360507816 [ HASH N(AUTH_FAILED) ]
> sending packet: from X.X.X.X [500] to Y.Y.Y.Y[500] (84 bytes)
> establishing connection 'vpn' failed
>
> Kindly help in identifying the reason behind this failure.
>
> Regards,
>
> *Daniel Kibe*
>


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
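
Why a mismatched group password produces exactly this log line, as an added example that is not part of the original thread and not strongSwan's code: with IKEv1 pre-shared key authentication (RFC 2409, section 5) the responder's HASH payload is keyed with a value derived from the secret, so the initiator can only reproduce it when both sides hold the same bytes. All exchange values and secrets below are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5, the PRF implied by the ike=3des-md5-modp1024 proposal."""
    return hmac.new(key, data, hashlib.md5).digest()

def hash_r(psk, ni_b, nr_b, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b):
    """Responder hash for PSK authentication (RFC 2409, section 5)."""
    skeyid = prf(psk, ni_b + nr_b)  # SKEYID = prf(psk, Ni_b | Nr_b)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)

def initiator_accepts(local_psk: bytes, received_hash: bytes, exchange: dict) -> bool:
    """The client's check on the HASH payload of the AGGRESSIVE response."""
    calculated = hash_r(local_psk, **exchange)
    return hmac.compare_digest(calculated, received_hash)

# Constructed stand-ins for the values both peers see on the wire.
# The secret itself is never part of the exchange.
EXCHANGE = {
    "ni_b": bytes(range(16)),        # initiator nonce
    "nr_b": bytes(range(16, 32)),    # responder nonce
    "g_xi": b"\x11" * 128,           # initiator DH public value (modp1024)
    "g_xr": b"\x22" * 128,           # responder DH public value
    "cky_i": b"\xaa" * 8,            # initiator cookie
    "cky_r": b"\xbb" * 8,            # responder cookie
    "sai_b": b"constructed-SA-payload-body",
    "idir_b": b"constructed-ID-payload-body",
}

def diagnose(gateway_psk: bytes, client_psk: bytes) -> str:
    """Gateway keys HASH_R with its group password, client checks with its own."""
    payload = hash_r(gateway_psk, **EXCHANGE)
    if initiator_accepts(client_psk, payload, EXCHANGE):
        return "HASH verified"
    return "calculated HASH does not match HASH payload"

if __name__ == "__main__":
    print(diagnose(b"constructed-group-pw", b"constructed-group-pw"))
    # A single stray byte (here a trailing newline) in the stored secret is enough.
    print(diagnose(b"constructed-group-pw", b"constructed-group-pw\n"))
```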
