[Swan] Problem connecting with shrew vpnclient with version 3.23

Fri Jun 8 13:47:09 UTC 2018

Sorry is version 3.23, 3.24 is not yet release :)


On 06/08/2018 03:30 PM, antonio wrote:
>
> Hi,
>
> cannot connect with shrew soft vpnclient to libreswan 3.24 (last 
> version that worked was in version 3.20)  with psk+xauth:
>
> Jun 08 15:27:46 sol pluto[18056]: packet from 192.168.10.170:33388: 
> IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and 
> is cracked on large scale by TLA's
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> Peer ID is ID_FQDN: '@'
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> responding to Aggressive Mode, state #3, connection "tunnel8-aggr"[1] 
> 192.168.10.170 from 192.168.10.170
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> STATE_AGGR_R1: sent AR1, expecting AI2
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> Peer ID is ID_IPV4_ADDR: '192.168.10.170'
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> received Hash Payload does not match computed value
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> sending encrypted notification INVALID_HASH_INFORMATION to 
> 192.168.10.170:33388
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> next payload type of ISAKMP Hash Payload has an unknown value: 218 (0xda)
> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> malformed payload in packet
>
>
> I tried to force phase1 parameters with no success, i always get "Hash 
> Payload does not match computed value". Any idea what it could be the 
> issue here?
>
>
> The log when connecting with version 3.20:
>
> Jun 08 15:24:34 sol pluto[12290]: packet from 192.168.10.170:33388: 
> IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and 
> is cracked on large scale by TLA's
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> Aggressive mode peer ID is ID_FQDN: '@'
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[1] 192.168.10.170 #3: 
> switched from "tunnel8-aggr"[1] 192.168.10.170 to "tunnel8-aggr"
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> deleting connection "tunnel8-aggr"[1] 192.168.10.170 instance with 
> peer 192.168.10.170 {isakmp=#0/ipsec=#0}
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> responding to Aggressive Mode, state #3, connection "tunnel8-aggr"[2] 
> 192.168.10.170 from 192.168.10.170
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> STATE_AGGR_R1: sent AR1, expecting AI2
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> new NAT mapping for #3, was 192.168.10.170:33388, now 192.168.10.170:40182
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY 
> cipher=aes_256 integ=md5 group=MODP1024}
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, 
> length=28
> Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification Payload
> Jun 08 15:24:34 sol pluto[12290]: |   00 00 00 1c  00 00 00 01  01 10 
> 60 02
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> received and ignored informational message
> Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH #3 
> STATE_AGGR_R2
> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: 
> XAUTH: Sending Username/Password request (XAUTH_R0)
>
> -- 
> Saludos / Regards / Cumprimentos
> Anónio Silva
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

-- 
Saludos / Regards / Cumprimentos
Anónio Silva

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20180608/b3c3c69d/attachment.html>