[Openswan Users] ISAKMP phase 1 hash error for a Lucent VPN Gateway

Rolando Zappacosta zappacor at yahoo.com.ar
Sun Feb 24 04:29:03 EST 2008


Hi Paul,

thanks for your prompt answer. I modified the
ipsec.conf but I still get this:

# ipsec auto --up Intranet
112 "Intranet" #1: STATE_AGGR_I1: initiate
003 "Intranet" #1: ignoring unknown Vendor ID payload [4c5647392e312e3235353a425249434b3a392e312e323535]
003 "Intranet" #1: received Hash Payload does not match computed value
223 "Intranet" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION

My ipsec.conf now looks like this:
# cat ipsec.conf
version 2.0
config setup
        klipsdebug=none
        plutodebug=all
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute

conn Intranet
        ike=3des-sha1-modp1024
        aggrmode=yes
        xauth=yes
        keyexchange=ike
        #keylife=24h
        ikelifetime=24h
        auth=esp
        type=tunnel
        authby=secret
        left=%defaultroute
        leftmodecfgclient=yes
        leftxauthclient=yes
        leftid="!@#$%"
        right=<The URL, not the IP address, for the server was here>
        rightmodecfgserver=yes
        rightxauthserver=yes
        modecfgpull=yes
        pfs=no
        compress=yes
        auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf

Some background information:
1) the server, as already stated, is a Lucent VPN
Gateway (Brick) which I can successfully connect to
from Windoze by means of their Lucent VPN Client v7.1.2

2) On Windoze, the first time I had to include my user
name and a Group Key, which I included in
ipsec.secrets as:
# cat ipsec.secrets
!@#$% <The URL, not the IP address, for the server was here> : PSK "<The Group Key was here>"
This is OK, right?

3) Under Windoze I also have to include each time the
password, which is formed by a 4-digit PIN and a
6-digit number that comes from an RSA SecurID token.
Not so sure how to handle this yet but I think it
comes into play for phase 2 and I'm still stuck in
phase 2. Correct me if I'm wrong.

4) I figured out the client ID has to be USER_FQDN =
"!@#$%", ike=3des-sha1-modp1024, by sniffing the Windoze
traffic.
Yet another difference, which I guess is not important,
but maybe Lucent implemented some special kind of "hash"
as they send specific Vendor IDs:
4C5647392E312E3235353A425249434B3A392E312E323535 =
"LVG9.1.255:BRICK:9.1.255" for their Lucent VPN
Gateway and
4C5643372E312E323A5850 =
"LVC7.1.2:XP" for their Lucent VPN Client v7.1.2 on a
Windows XP computer.
I can forward the Windoze sniff if it could be of
help.


Thanks,
Rolando.
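Two things in the post above lend themselves to a worked example: decoding the Vendor ID hex that pluto prints, and seeing why "received Hash Payload does not match computed value" comes back in an aggressive-mode, pre-shared-key exchange. The code below is an added example and is not from this thread, from Openswan, or from Lucent. It implements the RFC 2409 section 5.4 formulas for pre-shared-key authentication (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)), with HMAC-SHA1 as the prf since the proposal is 3des-sha1-modp1024. Every exchange value, the identity and the key in it are constructed placeholders, not anything from the post; the log line is re-joined from the wrapped one above. The point a defender should take from it: of all the HASH_I inputs, only the pre-shared key is not carried on the wire, so with otherwise sane packets a mismatch nearly always means the two ends used different keys, including the responder picking a different key for the identity it received.

```python
import binascii
import hashlib
import hmac
import re

# Constructed sample line in the shape pluto printed in the post (hex is the
# Vendor ID quoted there, re-joined onto one line; not copied from a real log).
PLUTO_LOG_LINE = ('003 "Intranet" #1: ignoring unknown Vendor ID payload '
                  '[4c5647392e312e3235353a425249434b3a392e312e323535]')

VID_RE = re.compile(r"Vendor ID payload \[([0-9a-fA-F]+)\]")


def decode_vendor_id(log_line):
    """Extract the Vendor ID payload from a pluto log line and render it as text.

    Lucent's IDs (per the post) are printable ASCII version strings; many other
    vendors send hash-derived payloads, which are returned as lower-case hex.
    Returns None when the line carries no Vendor ID.
    """
    m = VID_RE.search(log_line)
    if not m:
        return None
    raw = binascii.unhexlify(m.group(1))
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return m.group(1).lower()


# ISAKMP identification types from the IPsec DOI (RFC 2407 section 4.6.2.1).
ID_FQDN = 2
ID_USER_FQDN = 3


def id_payload_body(id_type, ident):
    """Body of an ISAKMP ID payload: ID type, protocol ID, port, identification data.

    Protocol ID and port are zero here, as is usual for phase 1 identities.
    """
    return bytes([id_type, 0, 0, 0]) + ident.encode()


def skeyid_psk(psk, ni_b, nr_b):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) (RFC 2409 section 5.4).

    With an ike=...-sha1... proposal the negotiated prf is HMAC-SHA1.
    """
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) (RFC 2409 section 5).

    In aggressive mode the initiator sends this in its third message; the
    responder recomputes it from its own copy of each input and compares.
    """
    data = gxi + gxr + cky_i + cky_r + sai_b + idii_b
    return hmac.new(skeyid, data, hashlib.sha1).digest()


def hash_mismatch_causes():
    """Recompute HASH_I as a responder would under three constructed scenarios.

    Returns a dict of scenario name -> whether the responder's value matches the
    initiator's. All values are fixed, constructed placeholders so the result is
    deterministic; none is a real nonce, key, cookie or identity.
    """
    ni_b = bytes(range(16))                  # initiator nonce body
    nr_b = bytes(range(16, 32))              # responder nonce body
    gxi = bytes([0x11]) * 128                # initiator DH public value (modp1024)
    gxr = bytes([0x22]) * 128                # responder DH public value
    cky_i = bytes([0x01]) * 8                # initiator cookie
    cky_r = bytes([0x02]) * 8                # responder cookie
    sai_b = bytes.fromhex("00000001000000010000002800010001")  # stand-in SA body
    ident = "user@example.invalid"           # placeholder identity, not the post's
    psk = b"group-key-placeholder"           # placeholder pre-shared key

    # What the initiator actually sent: this PSK and a USER_FQDN identity.
    sent = hash_i(skeyid_psk(psk, ni_b, nr_b), gxi, gxr, cky_i, cky_r, sai_b,
                  id_payload_body(ID_USER_FQDN, ident))

    def responder_view(psk_r, id_type):
        return hash_i(skeyid_psk(psk_r, ni_b, nr_b), gxi, gxr, cky_i, cky_r,
                      sai_b, id_payload_body(id_type, ident))

    return {
        "same_psk_and_user_fqdn_id":
            hmac.compare_digest(sent, responder_view(psk, ID_USER_FQDN)),
        # The responder looked up (or was configured with) a different key.
        "different_psk":
            hmac.compare_digest(sent, responder_view(b"wrong-key", ID_USER_FQDN)),
        # Any single differing input byte, here the ID type, also breaks the match.
        "id_type_fqdn_instead_of_user_fqdn":
            hmac.compare_digest(sent, responder_view(psk, ID_FQDN)),
    }


if __name__ == "__main__":
    print(decode_vendor_id(PLUTO_LOG_LINE))
    for scenario, ok in hash_mismatch_causes().items():
        print(f"{scenario}: {'match' if ok else 'INVALID_HASH_INFORMATION'}")
```

Because the responder selects the pre-shared key by the identity the initiator sends, checking that the ID type and value pluto sends are exactly what the gateway expects for the group key is the first thing to verify when this error appears; the hash itself will never tell you which input differed.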

--- Paul Wouters <paul at xelerance.com> wrote:

> On Sat, 23 Feb 2008, Rolando Zappacosta wrote:
> 
> > 	However, it's still impossible for me to get the
> > phase 1 up as pluto always sends out an
> > "INVALID_HASH_INFORMATION" error even though I
> double
> > checked the PSK (to be the same than the "Group
> Key"
> > in the Windows client).
> 
> Not sure about this, but:
> 
> > conn Intranet
> >         ike=3des-sha1-modp1024
> >         aggrmode=yes
> >         xauth=yes
> >         keyexchange=ike
> >         ikelifetime=24h
> >         auth=esp
> >         type=tunnel
> >         authby=secret
> >         left=%defaultroute
> >         leftmodecfgclient=yes
> >         leftid="!@#$%"
> >         leftxauthclient=yes
> >         right=<The server URL was here>
> >         rightmodecfgserver=yes
> >         rightxauthclient=yes
> 
> I think you mean rightxauthserver=yes
> 
> Paul
> 