[Openswan Users] ISAKMP phase 1 hash error for a Lucent VPN Gateway

Rolando Zappacosta zappacor at yahoo.com.ar
Sun Feb 24 05:01:51 EST 2008


Hi Paul,

thanks for your prompt answer. I modified the
ipsec.conf but I still get this:

# ipsec auto --up Intranet
112 "Intranet" #1: STATE_AGGR_I1: initiate
003 "Intranet" #1: ignoring unknown Vendor ID payload [4c5647392e312e3235353a425249434b3a392e312e323535]
003 "Intranet" #1: received Hash Payload does not match computed value
223 "Intranet" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION

My ipsec.conf now looks like this:
# cat ipsec.conf
version 2.0
config setup
        klipsdebug=none
        plutodebug=all
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute

conn Intranet
        ike=3des-sha1-modp1024
        aggrmode=yes
        xauth=yes
        keyexchange=ike
                #keylife=24h
        ikelifetime=24h
        auth=esp
        type=tunnel
        authby=secret
        left=%defaultroute
        leftmodecfgclient=yes
        leftxauthclient=yes
        leftid="!@#$%"
        right=<The URL, not the IP address, for the server was here>
        rightmodecfgserver=yes
        rightxauthserver=yes
        modecfgpull=yes
        pfs=no
        compress=yes
        auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf

Some background information:
1) the server, as already stated, is a Lucent VPN
Gateway (Brick) which I can successfully connect to from Windoze by
means of their Lucent VPN Client v7.1.2

2) On Windoze, I had to include the first time my user
name and a Group Key, which I included in
ipsec.secrets as:
# cat ipsec.secrets
!@#$% <The URL, not the IP address, for the server was here> : PSK "<The Group Key was here>"
This is OK, right?

3) Under Windoze I also have to include each time the
password, which is formed by a 4-digit PIN and a
6-digit number that comes from an RSA SecurID token.
Not so sure how to handle this yet but I think it
comes into play for phase 2 and I'm still stuck in
phase 2. Correct me if I'm wrong.

4) I figured out the client ID has to be USER_FQDN =
"!@#$%", ike=3des-sha1-modp1024 sniffing the Windoze
traffic.
Yet another difference, guess not important, but maybe
Lucent implemented some special kind of "hash" as they
send specific Vendor IDs:
4C5647392E312E3235353A425249434B3A392E312E323535=
"LVG9.1.255:BRICK:9.1.255" for their Lucent VPN
Gateway and 
4C5643372E312E323A5850=
"LVC7.1.2:XP" for their Lucent VPN Client v7.1.2 on a
Windows XP computer.
I can forward the Windoze sniff if it could be of
help.


Thanks,
Rolando.


> --- Paul Wouters <paul at xelerance.com> wrote:
> 
> > On Sat, 23 Feb 2008, Rolando Zappacosta wrote:
> > 
> > > 	However, it's still impossible for me to get
> the
> > > phase 1 up as pluto always sends out an
> > > "INVALID_HASH_INFORMATION" error even though I
> > double
> > > checked the PSK (to be the same than the "Group
> > Key"
> > > in the Windows client).
> > 
> > Not sure about this, but:
> > 
> > > conn Intranet
> > >         ike=3des-sha1-modp1024
> > >         aggrmode=yes
> > >         xauth=yes
> > >         keyexchange=ike
> > >         ikelifetime=24h
> > >         auth=esp
> > >         type=tunnel
> > >         authby=secret
> > >         left=%defaultroute
> > >         leftmodecfgclient=yes
> > >         leftid="!@#$%"
> > >         leftxauthclient=yes
> > >         right=<The server URL was here>
> > >         rightmodecfgserver=yes
> > >         rightxauthclient=yes
> > 
> > I think you mean rightxauthserver=yes
> > 
> > Paul
> > 
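An added example, not part of this thread and not Openswan/pluto code: it reproduces, from RFC 2409, the pre-shared-key HASH_R/HASH_I computation that lies behind pluto's "received Hash Payload does not match computed value" message, so the inputs the hash is bound to (PSK, nonces, DH public values, cookies, the initiator's SA payload body and the ID payload body, including the ID type byte) are visible, and it decodes the Lucent Vendor ID payloads quoted above from pluto log text. All traffic values (nonces, public values, cookies, SA body, `gateway.example.net`, `user@example.net`, the group key) are constructed stand-ins, not captured data.

```python
import hashlib
import hmac
import re

# ISAKMP identification types (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3


def prf(key: bytes, data: bytes) -> bytes:
    """With ike=3des-sha1-modp1024 the negotiated prf is HMAC-SHA1 (RFC 2409 section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def id_payload_body(id_type: int, data: bytes, proto: int = 0, port: int = 0) -> bytes:
    """Body of an ID payload (IDxx_b in RFC 2409): type, protocol, port, identification data.
    The 4-byte generic payload header is not part of the hashed bytes."""
    return bytes([id_type, proto]) + port.to_bytes(2, "big") + data


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid_psk(psk, ni, nr), g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)


def hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid_psk(psk, ni, nr), g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


def hash_matches(received: bytes, computed: bytes) -> bool:
    """Constant-time comparison, as a verifier should use."""
    return hmac.compare_digest(received, computed)


VID_LINE = re.compile(r"ignoring unknown Vendor ID payload \[([0-9a-fA-F]+)\]")


def decode_vendor_id(hex_vid: str):
    """Lucent's Vendor IDs are plain ASCII; most vendors send an MD5 digest, which returns None."""
    raw = bytes.fromhex(hex_vid)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def vendor_ids_in_log(log: str) -> list:
    """Pull every unknown Vendor ID out of pluto log text and decode the printable ones."""
    return [decode_vendor_id(h) or h for h in VID_LINE.findall(log)]


def hash_check_outcomes() -> dict:
    """Constructed values (not captured traffic): the gateway computes HASH_R, the client
    verifies it; then the same check with one input changed at a time."""
    psk = b"constructed-group-key"
    ni, nr = bytes(range(16)), bytes(range(16, 32))          # nonces
    g_xi, g_xr = b"\x11" * 128, b"\x22" * 128                # 1024-bit MODP public values
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8                  # ISAKMP cookies
    sai_b = b"\x00\x00\x00\x01" * 8                          # stand-in for the SA payload body
    idir_b = id_payload_body(ID_FQDN, b"gateway.example.net")  # hypothetical responder ID
    idii_user = id_payload_body(ID_USER_FQDN, b"user@example.net")  # hypothetical client ID
    idii_fqdn = id_payload_body(ID_FQDN, b"user@example.net")

    sent = hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b)
    return {
        # every input agrees: the hash the initiator computes equals the one it received
        "matching_inputs": hash_matches(sent, hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b)),
        # PSK in ipsec.secrets differs from the gateway's group key
        "wrong_psk": hash_matches(sent, hash_r(b"other-key", ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b)),
        # the responder hashed a different SA body than the initiator sent (e.g. a proprietary tweak)
        "sa_body_differs": hash_matches(sent, hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b + b"\x00", idir_b)),
        # the ID type byte is hashed: USER_FQDN and FQDN with identical data give different HASH_I
        "id_type_matters": hash_i(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idii_user)
                           != hash_i(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idii_fqdn),
    }


if __name__ == "__main__":
    log = ('003 "Intranet" #1: ignoring unknown Vendor ID payload '
           '[4c5647392e312e3235353a425249434b3a392e312e323535]')  # log line from the post, rejoined
    print(vendor_ids_in_log(log))      # ['LVG9.1.255:BRICK:9.1.255']
    print(hash_check_outcomes())
```

The outcomes show that an INVALID_HASH_INFORMATION result on its own does not say which input disagreed: a wrong group key, a differently hashed SA body and a different ID encoding all fail the same way, which is why comparing the Windows client's sniffed ID type and proposal against the pluto configuration is the useful next check.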





