[Openswan Users] ISAKMP phase 1 hash error for a Lucent VPN Gateway
Rolando Zappacosta
zappacor at yahoo.com.ar
Tue Feb 26 15:37:14 EST 2008
Hi all,
any suggestions? Someone told me it could be because of
the Windows client negotiating 864000 instead of
86400, which is the maximum for Openswan. However, I
changed that value, recompiled Openswan, configured it
to propose 864000, but no luck :-(
--- Rolando Zappacosta <zappacor at yahoo.com.ar> wrote:
> Hi Paul,
>
> thanks for your prompt answer. I modified the
> ipsec.conf but I still get this:
>
> # ipsec auto --up Intranet
> 112 "Intranet" #1: STATE_AGGR_I1: initiate
> 003 "Intranet" #1: ignoring unknown Vendor ID payload [4c5647392e312e3235353a425249434b3a392e312e323535]
> 003 "Intranet" #1: received Hash Payload does not match computed value
> 223 "Intranet" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION
>
> My ipsec.conf now looks like this:
> # cat ipsec.conf
> version 2.0
> config setup
>     klipsdebug=none
>     plutodebug=all
>     nat_traversal=yes
>     nhelpers=0
>     interfaces=%defaultroute
>
> conn Intranet
>     ike=3des-sha1-modp1024
>     aggrmode=yes
>     xauth=yes
>     keyexchange=ike
>     #keylife=24h
>     ikelifetime=24h
>     auth=esp
>     type=tunnel
>     authby=secret
>     left=%defaultroute
>     leftmodecfgclient=yes
>     leftxauthclient=yes
>     leftid="!@#$%"
>     right=<The URL, not the IP address, for the server was here>
>     rightmodecfgserver=yes
>     rightxauthserver=yes
>     modecfgpull=yes
>     pfs=no
>     compress=yes
>     auto=add
>
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> Some background information:
> 1) the server, as already stated, is a Lucent VPN
> Gateway (Brick) which I can successfully connect to from
> Windoze by means of their Lucent VPN Client v7.1.2
>
> 2) On Windoze, I had to include the first time my user
> name and a Group Key, which I included in
> ipsec.secrets as:
> # cat ipsec.secrets
> !@#$% <The URL, not the IP address, for the server was here> : PSK "<The Group Key was here>"
> This is OK, right?
>
> 3) Under Windoze I also have to include each time the
> password, which is formed by a 4-digit PIN and a
> 6-digit number that comes from an RSA SecurID token.
> Not so sure how to handle this yet but I think it
> comes into play for phase 2 and I'm still stuck in
> phase 2. Correct me if I'm wrong.
>
> 4) I figured out that the client ID has to be USER_FQDN =
> "!@#$%" and ike=3des-sha1-modp1024 by sniffing the Windoze
> traffic.
> Yet another difference, I guess not important, but maybe
> Lucent implemented some special kind of "hash", is that
> they send specific Vendor IDs:
> 4C5647392E312E3235353A425249434B3A392E312E323535 =
> "LVG9.1.255:BRICK:9.1.255" for their Lucent VPN
> Gateway and
> 4C5643372E312E323A5850 =
> "LVC7.1.2:XP" for their Lucent VPN Client v7.1.2 on a
> Windows XP computer.
> Can forward the Windoze sniff if it could be of help.
>
>
> Thanks,
> Rolando.
>
>
> > --- Paul Wouters <paul at xelerance.com> wrote:
> >
> > > On Sat, 23 Feb 2008, Rolando Zappacosta wrote:
> > >
> > > > However, it's still impossible for me to get the
> > > > phase 1 up as pluto always sends out an
> > > > "INVALID_HASH_INFORMATION" error even though I double
> > > > checked the PSK (to be the same as the "Group Key"
> > > > in the Windows client).
> > >
> > > Not sure about this, but:
> > >
> > > > conn Intranet
> > > >     ike=3des-sha1-modp1024
> > > >     aggrmode=yes
> > > >     xauth=yes
> > > >     keyexchange=ike
> > > >     ikelifetime=24h
> > > >     auth=esp
> > > >     type=tunnel
> > > >     authby=secret
> > > >     left=%defaultroute
> > > >     leftmodecfgclient=yes
> > > >     leftid="!@#$%"
> > > >     leftxauthclient=yes
> > > >     right=<The server URL was here>
> > > >     rightmodecfgserver=yes
> > > >     rightxauthclient=yes
> > >
> > > I think you mean rightxauthserver=yes
> > >
> > > Paul
> > >
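
For reference, the value an aggressive-mode initiator checks before reporting "received Hash Payload does not match computed value" with authby=secret is HASH_R from RFC 2409, section 5. The sketch below is an added example, not part of the thread and not Openswan's code; it assumes HMAC-SHA1 as the prf (matching ike=3des-sha1-modp1024), and every exchange value and the group key are constructed placeholders.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: no separate prf is negotiated, so IKEv1 falls back to
    # HMAC of the negotiated hash (SHA-1 for ike=3des-sha1-modp1024).
    return hmac.new(key, data, hashlib.sha1).digest()

def hash_r(psk, ni_b, nr_b, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R for pre-shared-key authentication (RFC 2409, section 5)."""
    skeyid = prf(psk, ni_b + nr_b)  # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)

def check_hash_r(psk: bytes, received: bytes, exchange: dict) -> bool:
    """The initiator's comparison of the received HASH_R with its own value."""
    return hmac.compare_digest(hash_r(psk, **exchange), received)

# Constructed stand-ins for the fields of one aggressive-mode exchange.
EXCHANGE = {
    "ni_b": bytes(range(16)),                       # initiator nonce body
    "nr_b": bytes(range(16, 32)),                   # responder nonce body
    "g_xi": b"\x02" * 128,                          # modp1024 public values
    "g_xr": b"\x03" * 128,                          # are 128 bytes long
    "cky_i": b"I" * 8,                              # ISAKMP cookies
    "cky_r": b"R" * 8,
    "sai_b": b"constructed-SA-payload-body",        # SA body as the initiator sent it
    "idir_b": bytes([2, 0, 0, 0]) + b"vpn.example.test",  # ID_FQDN body
}
GROUP_KEY = b"constructed-group-key"

def inputs_that_break_check(psk: bytes, exchange: dict) -> list:
    """Names of the inputs whose disagreement makes the comparison fail."""
    received = hash_r(psk, **exchange)  # what a peer with identical inputs sends
    broken = []
    if not check_hash_r(psk + b"x", received, exchange):
        broken.append("psk")
    for name, value in exchange.items():
        # Flip one bit in the initiator's view of this field only.
        altered = dict(exchange, **{name: value[:-1] + bytes([value[-1] ^ 1])})
        if not check_hash_r(psk, received, altered):
            broken.append(name)
    return broken

if __name__ == "__main__":
    print(inputs_that_break_check(GROUP_KEY, EXCHANGE))
```

Every input shows up in the result, so the log line by itself cannot distinguish a differing pre-shared key from any other value the two peers computed differently.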