[strongSwan] calculated HASH does not match HASH payload HASH N(AUTH_FAILED)

Daniel Kibe dkibek at gmail.com
Fri Sep 25 15:11:01 CEST 2015


Hi,

I have a strongSwan 5.3.2 client accessing a Cisco ASA gateway that is failing to
establish a connection with the error HASH N(AUTH_FAILED). The conf is as below,

# ipsec.conf - strongSwan IPsec configuration file

version 2

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        strictcrlpolicy=no
        #charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"    # useful debugs

# Add connections here.

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        dpdaction=restart
        closeaction=restart
        keyingtries=1
        keyexchange=ikev1
        authby=xauthpsk

conn " vpn"
        keyexchange=ikev1
        ikelifetime=1440m
        keylife=60m
        rekey=no
        aggressive=yes
        ike=3des-md5-modp1024!
        esp=3des-md5!
        xauth=client
        left=X.X.X.X
        leftid=hostname
        leftsourceip=%config
        leftfirewall=yes
        leftauth=psk
        rightauth=psk
        leftauth2=xauth
        right=Y.Y.Y.Y
        rightsubnet=172.1.1.0/24
        xauth_identity=abc
        authby=xauthpsk
        auto=start

The log output when starting is as below,

initiating Aggressive Mode IKE_SA vpn[5] to Y.Y.Y.Y
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (335 bytes)
received packet: from Y.Y.Y.Y [500] to X.X.X.X [500] (416 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
calculated HASH does not match HASH payload
generating INFORMATIONAL_V1 request 2360507816 [ HASH N(AUTH_FAILED) ]
sending packet: from X.X.X.X [500] to Y.Y.Y.Y[500] (84 bytes)
establishing connection 'vpn' failed

Kindly help in identifying the reason behind this failure.

Regards,

Daniel Kibe
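
Added example for readers, not part of Daniel's post or of strongSwan: a small Python parser over charon log lines of the shape shown above that folds one connection attempt into a record and names the phase-1 check that failed from the initiator's side. The sample lines and addresses are constructed; the reading of the HASH mismatch follows the IKEv1 PSK definition of HASH_R, which is keyed by SKEYID (derived from the pre-shared key) and covers the responder's ID.

```python
import re
from dataclasses import dataclass, field

# Constructed sample charon output modelled on the sequence in the post
# (documentation-range addresses, not the poster's real hosts).
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA vpn[5] to 198.51.100.7
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
calculated HASH does not match HASH payload
generating INFORMATIONAL_V1 request 2360507816 [ HASH N(AUTH_FAILED) ]
establishing connection 'vpn' failed
"""

INITIATE = re.compile(r"initiating (\w+) Mode IKE_SA (\S+?)\[\d+\] to (\S+)")
VENDOR = re.compile(r"received (.+) vendor ID")
NOTIFY = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ HASH N\((\w+)\) \]")

@dataclass
class IkeAttempt:
    mode: str = ""
    conn: str = ""
    peer: str = ""
    vendor_ids: list = field(default_factory=list)
    peer_hash_seen: bool = False   # the response carried a HASH payload
    hash_mismatch: bool = False    # local verification of that HASH failed
    notify_sent: str = ""          # notify *we* generated towards the peer
    failed: bool = False

def parse_charon_log(text: str) -> IkeAttempt:
    """Fold the relevant charon lines of one attempt into an IkeAttempt."""
    a = IkeAttempt()
    for line in text.splitlines():
        if m := INITIATE.search(line):
            a.mode, a.conn, a.peer = m.groups()
        elif m := VENDOR.search(line):
            a.vendor_ids.append(m.group(1))
        elif "response" in line and " HASH " in line:
            a.peer_hash_seen = True
        elif "calculated HASH does not match HASH payload" in line:
            a.hash_mismatch = True
        elif m := NOTIFY.search(line):
            a.notify_sent = m.group(1)
        elif line.startswith("establishing connection") and line.endswith("failed"):
            a.failed = True
    return a

def diagnose(a: IkeAttempt) -> str:
    """Name the phase-1 step that failed, as seen by the initiator."""
    if a.mode == "Aggressive" and a.peer_hash_seen and a.hash_mismatch:
        return ("peer %s sent HASH_R but local verification failed: HASH_R is keyed by "
                "SKEYID (from the PSK) and covers the peer ID, so the pre-shared key or an "
                "identity differs between the ends; %s was generated locally, not received"
                % (a.peer, a.notify_sent))
    return "phase 1 failed for another reason" if a.failed else "no failure seen"
```

Run it against a real charon log to confirm that the AUTH_FAILED notify in the post is the client's own reaction to the unverifiable HASH_R, so the gateway side will only show the notify arriving.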
