[Openswan Users] ISAKMP phase 1 hash error for a Lucent VPN Gateway

Rolando Zappacosta zappacor at yahoo.com.ar
Sat Feb 23 16:42:02 EST 2008


Hi all,

	I'm trying to connect OpenSwan to a Lucent VPN
Gateway, which according to its ASCII interpretation
of its Vendor ID payload is:
4C5647392E312E3235353A425249434B3A392E312E323535=
"LVG9.1.255:BRICK:9.1.255". I can connect to it by
means of the Lucent VPN Client on a Windows XP
computer (Vendor ID= 4C5643372E312E323A5850=
"LVC7.1.2:XP").

	I could manage to get a response from the server once
I used a sniff for the Windows client and got to know
it uses, mode= aggresive, ike= 3des-sha1-modp1024,
USER_FDQN= "!@#$%" and configured OpenSwan to mimic
it.

	However, it's still impossible for me to get the
phase 1 up as pluto always sends out an
"INVALID_HASH_INFORMATION" error even though I double
checked the PSK (to be the same as the "Group Key"
in the Windows client).

	Digging a bit on the net I could find this:
	  In Quick Mode, a HASH payload MUST immediately follow
	  the ISAKMP header and a SA payload MUST immediately
	  follow the HASH. This HASH authenticates the message
	  and also provides liveliness proofs.
So, as the order of the payloads I receive from the
server is different, can it be the reason for the hash
error?:


Internet Security Association and Key Management Protocol
    Initiator cookie: 0A61F1959389BBA7
    Responder cookie: 61B48DE78E5FDDB7
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Aggressive (4)
    Flags: 0x00
        .... ...0 = Not encrypted
        .... ..0. = No commit
        .... .0.. = No authentication
    Message ID: 0x00000000
    Length: 308
    Security Association payload
        Next payload: Key Exchange (4)
        Payload length: 64
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload # 1
            Next payload: NONE (0)
            Payload length: 52
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 8
            Proposal transforms: 1
            SPI: 0x61B48DE78E5FDDB7
            Transform payload # 4
                Next payload: NONE (0)
                Payload length: 36
                Transform number: 4
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (864000)
    Key Exchange payload
        Next payload: Nonce (10)
        Payload length: 132
        Key Exchange Data (128 bytes / 1024 bits)
    Nonce payload
        Next payload: Identification (5)
        Payload length: 20
        Nonce Data
    Identification payload
        Next payload: Hash (8)
        Payload length: 12
        ID type: 1
        ID type: IPV4_ADDR (1)
        Protocol ID: Unused
        Port: Unused
        Identification data: <THE SERVER IP WAS HERE>
    Hash payload
        Next payload: Vendor ID (13)
        Payload length: 24
        Hash Data
    Vendor ID: 4C5647392E312E3235353A425249434B3A392E312E323535
        Next payload: NONE (0)
        Payload length: 28
        Vendor ID: 4C5647392E312E3235353A425249434B3A392E312E323535


I attached the sniff for the Windows client and this
is my OpenSwan configuration and secrets files:

****************************
ipsec.conf:
****************************
version 2.0
config setup
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute

conn Intranet
        ike=3des-sha1-modp1024
        aggrmode=yes
        xauth=yes
        keyexchange=ike
        ikelifetime=24h
        auth=esp
        type=tunnel
        authby=secret
        left=%defaultroute
        leftmodecfgclient=yes
        leftid="!@#$%"
        leftxauthclient=yes
        right=<The server URL was here>
        rightmodecfgserver=yes
        rightxauthclient=yes
        modecfgpull=yes
        pfs=no
        auto=add
include /etc/ipsec/ipsec.d/examples/no_oe.conf

****************************
ipsec.secrets:
****************************
!@#$% <The Server URL was here> : PSK "<The Group Key was here>"


	Kind regards,
Rolando.


Attachment: ISAKMP.txt
http://lists.openswan.org/pipermail/users/attachments/20080223/ff5f5b7d/attachment-0001.txt
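The post asks whether the payload order in the gateway's reply can be what triggers INVALID_HASH_INFORMATION. As an added example, not part of the original post or of Openswan, the Python below walks the ISAKMP generic payload chain the way the dump above was produced (each payload's "next payload" byte names the one after it), rejects any length that does not add up to the header length, and compares the non-VID payload order with the responder's aggressive mode message from RFC 2409 section 5.4 (HDR, SA, KE, Nr, IDir, HASH_R). The "HASH MUST immediately follow the ISAKMP header" rule quoted in the post is the Quick Mode layout from RFC 2409 section 5.5; aggressive mode puts HASH_R last, which is exactly the order in the dump. The sample message is constructed here to match the dump's chain, cookies, vendor ID and payload lengths (total 308 bytes), with zeroed SA, key exchange, nonce and hash bodies and a placeholder ID address; it is not the captured packet.

```python
import struct

# ISAKMP payload type numbers (RFC 2408, section 3.1)
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
EXCHANGE_NAMES = {2: "Identity Protection", 4: "Aggressive", 32: "Quick"}

# Responder's aggressive mode message per RFC 2409, section 5.4:
# HDR, SA, KE, Nr, IDir, HASH_R (vendor ID payloads are informational extras)
AGGRESSIVE_RESPONDER_ORDER = ["SA", "KE", "NONCE", "ID", "HASH"]

# Fixed 28-byte ISAKMP header: cookies, next payload, version, exchange, flags, msg id, length
HDR = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTION = 0x01


def parse_isakmp(msg):
    """Walk the generic payload chain of one unencrypted ISAKMP message.

    Returns header fields plus an ordered list of (name, body) pairs.
    Raises ValueError on any length that does not add up, so a truncated or
    corrupted message is rejected instead of being misread."""
    if len(msg) < HDR.size:
        raise ValueError("message shorter than ISAKMP header")
    icky, rcky, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(msg, 0)
    if length != len(msg):
        raise ValueError(f"header length {length} != actual {len(msg)}")
    if flags & FLAG_ENCRYPTION:
        raise ValueError("payloads are encrypted; chain cannot be walked in the clear")
    payloads = []
    off = HDR.size
    while nxt != 0:
        if off + 4 > length:
            raise ValueError("payload chain runs past end of message")
        # generic payload header: next payload, reserved, length (includes these 4 bytes)
        following, _reserved, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > length:
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((PAYLOAD_NAMES.get(nxt, f"UNKNOWN({nxt})"), msg[off + 4:off + plen]))
        off += plen
        nxt = following
    if off != length:
        raise ValueError(f"{length - off} trailing bytes after last payload")
    return {
        "initiator_cookie": icky.hex().upper(),
        "responder_cookie": rcky.hex().upper(),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGE_NAMES.get(xchg, f"UNKNOWN({xchg})"),
        "message_id": msgid,
        "length": length,
        "payloads": payloads,
    }


def payload_order(parsed):
    return [name for name, _ in parsed["payloads"]]


def matches_aggressive_responder_order(parsed):
    """True when the non-VID payloads appear exactly as RFC 2409 lays them out."""
    return [n for n in payload_order(parsed) if n != "VID"] == AGGRESSIVE_RESPONDER_ORDER


def decode_vendor_ids(parsed):
    """Render each VID body as ASCII when it is printable, else as hex."""
    out = []
    for name, body in parsed["payloads"]:
        if name == "VID":
            try:
                text = body.decode("ascii")
                out.append(text if text.isprintable() else body.hex().upper())
            except UnicodeDecodeError:
                out.append(body.hex().upper())
    return out


def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_sample_aggressive_reply():
    """Constructed test message, not the real capture: same chain, cookies, vendor ID
    and payload lengths as the dump in the post, with zeroed SA/KE/nonce/hash bodies."""
    vid = bytes.fromhex("4C5647392E312E3235353A425249434B3A392E312E323535")
    id_body = bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 1])  # IPV4_ADDR, placeholder address
    chain = [(1, b"\x00" * 60), (4, b"\x00" * 128), (10, b"\x00" * 16),
             (5, id_body), (8, b"\x00" * 20), (13, vid)]
    body = b""
    for i, (_ptype, pbody) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += _payload(following, pbody)
    hdr = HDR.pack(bytes.fromhex("0A61F1959389BBA7"), bytes.fromhex("61B48DE78E5FDDB7"),
                   chain[0][0], 0x10, 4, 0, 0, HDR.size + len(body))
    return hdr + body


if __name__ == "__main__":
    parsed = parse_isakmp(build_sample_aggressive_reply())
    print(parsed["exchange"], parsed["length"], " -> ".join(payload_order(parsed)))
    print("aggressive responder order:", matches_aggressive_responder_order(parsed))
    print("vendor IDs:", decode_vendor_ids(parsed))
```

When the chain checks out, as it does for this dump, the layout is not the culprit: pluto's INVALID_HASH_INFORMATION means the HASH_R it recomputed did not match the one received, and HASH_R is a prf over SKEYID (derived from the pre-shared key and both nonces), the two Diffie-Hellman public values, both cookies, the responder's SA body and the responder's ID payload. A mismatch in any of those inputs, including how each side encodes the "!@#$%" identity, gives the same error, so that is where to compare the Windows client capture against pluto's debug output.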

