[Openswan Users] ISAKMP phase 1 hash error for a Lucent VPN Gateway

Rolando Zappacosta zappacor at yahoo.com.ar
Sun Feb 24 05:21:18 EST 2008


One comment regarding 2, as it may lead to confusion:
my user name (the one I typed in the Windows client) is
not "!@#$%". However, I think my actual user name
comes into play for phase 2 though.


--- Rolando Zappacosta <zappacor at yahoo.com.ar> wrote:

> Hi Paul,
> 
> thanks for your prompt answer. I modified the
> ipsec.conf but I still get this:
> 
> # ipsec auto --up Intranet
> 112 "Intranet" #1: STATE_AGGR_I1: initiate
> 003 "Intranet" #1: ignoring unknown Vendor ID payload [4c5647392e312e3235353a425249434b3a392e312e323535]
> 003 "Intranet" #1: received Hash Payload does not match computed value
> 223 "Intranet" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION
> 
> My ipsec.conf now looks like this:
> # cat ipsec.conf
> version 2.0
> config setup
>         klipsdebug=none
>         plutodebug=all
>         nat_traversal=yes
>         nhelpers=0
>         interfaces=%defaultroute
> 
> conn Intranet
>         ike=3des-sha1-modp1024
>         aggrmode=yes
>         xauth=yes
>         keyexchange=ike
>         #keylife=24h
>         ikelifetime=24h
>         auth=esp
>         type=tunnel
>         authby=secret
>         left=%defaultroute
>         leftmodecfgclient=yes
>         leftxauthclient=yes
>         leftid="!@#$%"
>         right=<The URL, not the IP address, for the server was here>
>         rightmodecfgserver=yes
>         rightxauthserver=yes
>         modecfgpull=yes
>         pfs=no
>         compress=yes
>         auto=add
> 
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
> 
> Some background information:
> 1) the server, as already stated, is a Lucent VPN
> Gateway (Brick) which I can successfully from Windoze
> by means of their Lucent VPN Client v7.1.2
> 
> 2) On Windoze, I had to include the first time my user
> name and a Group Key, which I included in
> ipsec.secrets as:
> # cat ipsec.secrets
> !@#$% <The URL, not the IP address, for the server was here> : PSK "<The Group Key was here>"
> This is OK, right?
> 
> 3) Under Windoze I also have to include each time the
> password, which is formed by a 4-digits PIN and a
> 6-digits number that comes from an RSA SecurID token.
> Not so sure how to handle this yet but I think it
> comes into play for phase 2 and I'm still stuck in
> phase 2. Correct me if I'm wrong.
> 
> 4) I figured out the client ID has to be USER_FQDN =
> "!@#$%", ike=3des-sha1-modp1024 sniffing the Windoze
> traffic.
> Yet another difference, I guess not important, but maybe
> Lucent implemented some special kind of "hash", is that
> they send specific Vendor IDs:
> 4C5647392E312E3235353A425249434B3A392E312E323535 =
> "LVG9.1.255:BRICK:9.1.255" for their Lucent VPN
> Gateway and
> 4C5643372E312E323A5850 =
> "LVC7.1.2:XP" for their Lucent VPN Client v7.1.2 on a
> Windows XP computer.
> Can forward the Windoze sniff if it could be of
> help.
> 
> 
> Thanks,
> Rolando.
> 
> 
> > --- Paul Wouters <paul at xelerance.com> wrote:
> > 
> > > On Sat, 23 Feb 2008, Rolando Zappacosta wrote:
> > > 
> > > > 	However, it's still impossible for me to get the
> > > > phase 1 up as pluto always sends out an
> > > > "INVALID_HASH_INFORMATION" error even though I double
> > > > checked the PSK (to be the same as the "Group Key"
> > > > in the Windows client).
> > > 
> > > Not sure about this, but:
> > > 
> > > > conn Intranet
> > > >         ike=3des-sha1-modp1024
> > > >         aggrmode=yes
> > > >         xauth=yes
> > > >         keyexchange=ike
> > > >         ikelifetime=24h
> > > >         auth=esp
> > > >         type=tunnel
> > > >         authby=secret
> > > >         left=%defaultroute
> > > >         leftmodecfgclient=yes
> > > >         leftid="!@#$%"
> > > >         leftxauthclient=yes
> > > >         right=<The server URL was here>
> > > >         rightmodecfgserver=yes
> > > >         rightxauthclient=yes
> > > 
> > > I think you mean rightxauthserver=yes
> > > 
> > > Paul
> > > 



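Added example, not part of the thread and not Openswan's code: the standard RFC 2409 pre-shared-key computation behind the "received Hash Payload does not match computed value" check in aggressive mode, using HMAC-SHA1 as the prf for ike=3des-sha1-modp1024, plus a decoder for the Vendor ID hex strings quoted above. The group key and all payload bytes are constructed placeholders; whether the Lucent gateway derives its hash this way is not established in the thread.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1: the prf that goes with ike=3des-sha1-modp1024."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 sec. 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)

def hash_r(skeyid: bytes, x: dict) -> bytes:
    """RFC 2409 sec. 5: prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"]
               + x["sai_b"] + x["idir_b"])

def initiator_check(psk: bytes, x: dict, received: bytes) -> str:
    """Recompute HASH_R from the local PSK and compare with the received one."""
    expected = hash_r(skeyid_psk(psk, x["ni"], x["nr"]), x)
    return "ok" if hmac.compare_digest(expected, received) else "INVALID_HASH_INFORMATION"

def vendor_id_text(hex_payload: str):
    """Return a Vendor ID payload as text if it is printable ASCII, else None."""
    raw = bytes.fromhex(hex_payload)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def fill(label: str, n: int) -> bytes:
    """Deterministic filler standing in for payload bytes from a capture."""
    return hashlib.shake_256(label.encode()).digest(n)

# Constructed exchange: sizes match modp1024 (128-byte DH values), 8-byte cookies.
EXCHANGE = {
    "ni": fill("Ni", 16), "nr": fill("Nr", 16),
    "g_xi": fill("g^xi", 128), "g_xr": fill("g^xr", 128),
    "cky_i": fill("CKY-I", 8), "cky_r": fill("CKY-R", 8),
    "sai_b": fill("SAi_b", 48), "idir_b": fill("IDir_b", 12),
}
GROUP_KEY = b"constructed-group-key"  # placeholder, not a real key

# What a responder following RFC 2409 would send in its HASH_R payload.
RESPONDER_HASH = hash_r(skeyid_psk(GROUP_KEY, EXCHANGE["ni"], EXCHANGE["nr"]), EXCHANGE)

if __name__ == "__main__":
    print(initiator_check(GROUP_KEY, EXCHANGE, RESPONDER_HASH))
    # One stray byte in the secret (here a trailing newline) changes SKEYID.
    print(initiator_check(GROUP_KEY + b"\n", EXCHANGE, RESPONDER_HASH))
    print(vendor_id_text("4c5647392e312e3235353a425249434b3a392e312e323535"))
```

Because SKEYID depends on every byte of the secret and HASH_R on every payload listed, a mismatch alone does not say which input differs between the two peers.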