[Openswan Users] ISAKMP phase 1 hash error for a Lucent VPN Gateway
Rolando Zappacosta
zappacor at yahoo.com.ar
Sun Feb 24 05:01:51 EST 2008
Hi Paul,
Thanks for your prompt answer. I modified the
ipsec.conf but I still get this:
# ipsec auto --up Intranet
112 "Intranet" #1: STATE_AGGR_I1: initiate
003 "Intranet" #1: ignoring unknown Vendor ID payload [4c5647392e312e3235353a425249434b3a392e312e323535]
003 "Intranet" #1: received Hash Payload does not match computed value
223 "Intranet" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION
My ipsec.conf now looks like this:
# cat ipsec.conf
version 2.0

config setup
    klipsdebug=none
    plutodebug=all
    nat_traversal=yes
    nhelpers=0
    interfaces=%defaultroute

conn Intranet
    ike=3des-sha1-modp1024
    aggrmode=yes
    xauth=yes
    keyexchange=ike
    #keylife=24h
    ikelifetime=24h
    auth=esp
    type=tunnel
    authby=secret
    left=%defaultroute
    leftmodecfgclient=yes
    leftxauthclient=yes
    leftid="!@#$%"
    right=<The URL, not the IP address, for the server was here>
    rightmodecfgserver=yes
    rightxauthserver=yes
    modecfgpull=yes
    pfs=no
    compress=yes
    auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf
Some background information:
1) The server, as already stated, is a Lucent VPN
Gateway (Brick) which I can successfully connect to from Windoze by
means of their Lucent VPN Client v7.1.2.
2) On Windoze, the first time I had to enter my user
name and a Group Key, which I included in
ipsec.secrets as:
# cat ipsec.secrets
!@#$% <The URL, not the IP address, for the server was here> : PSK "<The Group Key was here>"
This is OK, right?
3) Under Windoze I also have to enter each time the
password, which is formed by a 4-digit PIN and a
6-digit number that comes from an RSA SecurID token.
Not so sure how to handle this yet, but I think it
comes into play for phase 2 and I'm still stuck in
phase 2. Correct me if I'm wrong.
4) I figured out the client ID has to be USER_FQDN =
"!@#$%", ike=3des-sha1-modp1024 by sniffing the Windoze
traffic.
Yet another difference (I guess not important, but maybe
Lucent implemented some special kind of "hash") is that they
send specific Vendor IDs:
4C5647392E312E3235353A425249434B3A392E312E323535 =
"LVG9.1.255:BRICK:9.1.255" for their Lucent VPN
Gateway and
4C5643372E312E323A5850 =
"LVC7.1.2:XP" for their Lucent VPN Client v7.1.2 on a
Windows XP computer.
I can forward the Windoze sniff if it could be of
help.
Thanks,
Rolando.
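The two Lucent Vendor ID values above are the ASCII bytes of the string itself rather than a hash of it, which is why they can be read straight out of the pluto log. As an added example (not part of the original message or of Openswan), the following Python script pulls the hex payload out of the "ignoring unknown Vendor ID payload" line, decodes it, and matches it against a local table built from the two values given in the message. The sample log lines and the table are constructed for the example; any Vendor ID that does not decode as printable ASCII is reported as a probable hashed string, which is the more common encoding among IKEv1 implementations.

```python
import re
import string

# Constructed sample of pluto output, modelled on the lines quoted in the
# message above (the hex payload is the one the poster reported).
SAMPLE_LOG = """\
112 "Intranet" #1: STATE_AGGR_I1: initiate
003 "Intranet" #1: ignoring unknown Vendor ID payload [4c5647392e312e3235353a425249434b3a392e312e323535]
003 "Intranet" #1: received Hash Payload does not match computed value
223 "Intranet" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION
"""

# Vendor ID strings the message reports Lucent devices send (plain ASCII,
# not hashed). The table is local to this example.
KNOWN_VENDOR_IDS = {
    "LVG9.1.255:BRICK:9.1.255": "Lucent VPN Gateway (Brick) 9.1.255",
    "LVC7.1.2:XP": "Lucent VPN Client 7.1.2 on Windows XP",
}

# Matches the pluto log line that carries the undecoded hex payload.
VID_RE = re.compile(r"ignoring unknown Vendor ID payload \[([0-9a-fA-F]+)\]")

# Characters we accept as a readable Vendor ID string (printable, single-line).
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_vendor_id(hex_payload):
    """Return (text_or_None, raw_bytes) for a hex-encoded Vendor ID payload.

    Many IKEv1 implementations send an MD5 digest of a string; those bytes
    are not printable and the function returns None as the text. Lucent
    sends the string itself, so the bytes decode directly.
    """
    raw = bytes.fromhex(hex_payload)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None, raw
    if text and all(ch in _PRINTABLE for ch in text):
        return text, raw
    return None, raw


def identify_vendor_ids(log_text):
    """Scan pluto log lines and return a list of (hex, decoded_text, description)."""
    results = []
    for line in log_text.splitlines():
        m = VID_RE.search(line)
        if not m:
            continue
        hex_payload = m.group(1)
        text, raw = decode_vendor_id(hex_payload)
        if text is None:
            desc = f"non-ASCII Vendor ID ({len(raw)} bytes, probably a hashed string)"
        else:
            desc = KNOWN_VENDOR_IDS.get(text, "ASCII Vendor ID, not in local table")
        results.append((hex_payload, text, desc))
    return results


if __name__ == "__main__":
    for hex_payload, text, desc in identify_vendor_ids(SAMPLE_LOG):
        print(f"{hex_payload}\n  text: {text!r}\n  {desc}")
```

Running the script with no arguments decodes the constructed sample; `identify_vendor_ids` accepts any block of pluto log text, so it can be pointed at a real `plutodebug=all` log to find out which implementation answered the aggressive-mode exchange.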
> --- Paul Wouters <paul at xelerance.com> wrote:
>
> > On Sat, 23 Feb 2008, Rolando Zappacosta wrote:
> >
> > > However, it's still impossible for me to get the
> > > phase 1 up as pluto always sends out an
> > > "INVALID_HASH_INFORMATION" error even though I double
> > > checked the PSK (to be the same as the "Group Key"
> > > in the Windows client).
> >
> > Not sure about this, but:
> >
> > > conn Intranet
> > > ike=3des-sha1-modp1024
> > > aggrmode=yes
> > > xauth=yes
> > > keyexchange=ike
> > > ikelifetime=24h
> > > auth=esp
> > > type=tunnel
> > > authby=secret
> > > left=%defaultroute
> > > leftmodecfgclient=yes
> > > leftid="!@#$%"
> > > leftxauthclient=yes
> > > right=<The server URL was here>
> > > rightmodecfgserver=yes
> > > rightxauthclient=yes
> >
> > I think you mean rightxauthserver=yes
> >
> > Paul
> >