[Openswan Users] Questions on how to check the "hash" payload

Rolando Zappacosta zappacor at yahoo.com.ar
Sat Mar 1 05:41:43 EST 2008


Hi all,

	sorry for this question but I'm everything but an
expert on this stuff and I've some questions, three
actually:

1) Can someone tell me if the 52 bytes pointed here:
17:04:23 "Intranet" #1: Aggressive mode peer ID is
ID_IPV4_ADDR: '<Server's IP>'
17:04:23 | hashing 52 bytes of SA	<============== the
whole "Security Association" is 64 bytes (from a
traffic sniff)
17:04:23 | received HASH:  4b 2b 52 10  ac 68 84 b2 
b0 90 24 13  9b 7d f4 60
17:04:23 |   c6 9c cb 26
17:04:23 "Intranet" #1: received Hash Payload does not
match computed value
17:04:23 | complete state transition with (null)
17:04:23 "Intranet" #1: sending notification
INVALID_HASH_INFORMATION to <Server's IP>:500

are referencing these ones:
17:04:23 | ****parse ISAKMP Proposal Payload:
17:04:23 |    next payload type: ISAKMP_NEXT_NONE
17:04:23 |    length: 52	<==================== these,
what actually are for the "proposal payload"
17:04:23 |    proposal number: 0
17:04:23 |    protocol ID: PROTO_ISAKMP
17:04:23 |    SPI size: 8
17:04:23 |    number of transforms: 1
17:04:23 | parsing 8 raw bytes of ISAKMP Proposal
Payload into Oakley SPI
17:04:23 | Oakley SPI  9f 4d 14 3b  09 54 ff 73
17:04:23 | *****parse ISAKMP Transform Payload
(ISAKMP):
17:04:23 |    next payload type: ISAKMP_NEXT_NONE
17:04:23 |    length: 36
17:04:23 |    transform number: 0
17:04:23 |    transform ID: KEY_IKE
17:04:23 | ******parse ISAKMP Oakley attribute:
17:04:23 |    af+type: OAKLEY_LIFE_TYPE
17:04:23 |    length/value: 1
17:04:23 |    [1 is OAKLEY_LIFE_SECONDS]
17:04:23 | ******parse ISAKMP Oakley attribute:
17:04:23 |    af+type: OAKLEY_LIFE_DURATION (variable
length)
17:04:23 |    length/value: 4
17:04:23 |    long duration: 86400
17:04:23 | ******parse ISAKMP Oakley attribute:
17:04:23 |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
17:04:23 |    length/value: 5
17:04:23 |    [5 is OAKLEY_3DES_CBC]
17:04:23 | ike_alg_enc_ok(ealg=5,key_len=0):
blocksize=8, keyminlen=192, keydeflen=192,
keymaxlen=192, ret=1
17:04:23 | ******parse ISAKMP Oakley attribute:
17:04:23 |    af+type: OAKLEY_HASH_ALGORITHM
17:04:23 |    length/value: 2
17:04:23 |    [2 is OAKLEY_SHA1]
17:04:23 | ******parse ISAKMP Oakley attribute:
17:04:23 |    af+type: OAKLEY_AUTHENTICATION_METHOD
17:04:23 |    length/value: 1
17:04:23 |    [1 is OAKLEY_PRESHARED_KEY]
17:04:23 | started looking for secret for
!@#$%-><Server's IP> of kind PPK_PSK
17:04:23 | actually looking for secret for
!@#$%-><Server's IP> of kind PPK_PSK
17:04:23 | 1: compared PSK !@#$% to !@#$% / <Server's
IP> -> 4
17:04:23 | best_match 0>5 best=0x8108ae0 (line=1)
17:04:23 | concluding with best_match=5 best=0x8108ae0
(lineno=1)
17:04:23 | ******parse ISAKMP Oakley attribute:
17:04:23 |    af+type: OAKLEY_GROUP_DESCRIPTION
17:04:23 |    length/value: 2
17:04:23 |    [2 is OAKLEY_GROUP_MODP1024]
17:04:23 | Oakley Transform 0 accepted

2) Besides, as far as I could see on some documents
around on the web when a "Hash" payload is received,
the receiver should apply the agreed hash algorithm to
what is specified in the DOI and then compare its
value against the received one. Am I understanding
this properly?

3) If yes, and as I got:
17:04:23 | ***parse ISAKMP Security Association
Payload:
17:04:23 |    next payload type: ISAKMP_NEXT_KE
17:04:23 |    length: 64
17:04:23 |    DOI: ISAKMP_DOI_IPSEC
17:04:23 | np=4 and sd=0

doesn't it mean the hash algorithm should be applied
to the "Identification" payload instead?

All this is because I'm still getting an
INVALID_HASH_INFORMATION while trying to connect to a
Lucent Brick with the right PSK (I'm now more than
sure after checked it against the hex output of the
"Preshared Key" value of a pluto debug dump).


Thank you all in advance,
Rolando.


      ____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs


More information about the Users mailing list