On 03/15/2012 11:00 AM, Bill Wallick wrote:
From further investigation I believe that what is happening is that the
Linksys is expecting to see the shared key, but it does not send out the
shared key... However the client software is expecting to both send and
receive the shared key, and doesn't seem to have an option to allow this to
be only one way.

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Kevin VPN
Sent: Wednesday, March 14, 2012 7:04 PM
To: [email protected]
Subject: Re: [vpn-help] connect to befsx41


On 03/14/2012 04:34 PM, Bill Wallick wrote:
I am getting an "invalid hash size". Can anyone shed some light on this?
here is the log.

12/03/14 12:14:45<<   : security association payload
12/03/14 12:14:45<<   : - propsal #1 payload
12/03/14 12:14:45<<   : -- transform #1 payload
12/03/14 12:14:45 ii : matched isakmp proposal #1 transform #1
12/03/14 12:14:45 ii : - transform    = ike
12/03/14 12:14:45 ii : - cipher type  = 3des
12/03/14 12:14:45 ii : - key length   = default
12/03/14 12:14:45 ii : - hash type    = md5
12/03/14 12:14:45 ii : - dh group     = modp-1024
12/03/14 12:14:45 ii : - auth type    = psk
12/03/14 12:14:45 ii : - life seconds = 3600
12/03/14 12:14:45 ii : - life kbytes  = 0
12/03/14 12:14:45<<   : key exchange payload
12/03/14 12:14:45<<   : nonce payload
12/03/14 12:14:45<<   : identification payload
12/03/14 12:14:45 ii : phase1 id target is any
12/03/14 12:14:45 ii : phase1 id match
12/03/14 12:14:45 ii : received = ipv4-host 192.168.0.10
12/03/14 12:14:45<<   : hash payload
12/03/14 12:14:45 !! : invalid hash size ( 0 != 16 )


Hi Bill,

I'm not sure what is causing this message.  My guess would be that there
is still something mismatched in the settings.  Perhaps the BEFSX41 uses
SHA1 Hash Algorithm instead of MD5.

Another possibility is that Shrew is expecting one kind of message from
the Linksys (identification payload) but the VPN gateway is sending
something different.

For example, maybe it does not recognize the Shrew client because the
Authentication->Local Identity in Shrew does not match what is configured
in the BEFSX41 for the remote site/client.

So while Shrew is waiting for the next packet in the connect sequence,
the BEFSX41 is sending back an "unrecognized peer" message.

Can you look on the Cisco/Linksys box to see what its logs say?


Hi Bill,

I don't know exactly how the Pre-Shared Key process works, but I would guess that both ends rely on it to identify the opposite end of the connection. So I would expect that both sides should send the PSK.

I would suggest that if the gateway (Linksys) is not sending the key, then perhaps there is still a setting mismatch between Shrew and the Linksys.

My guess today would be to check the connection Mode defined between the Linksys and Shrew. Check to see that both are using Aggressive mode (instead of Main mode). On the Cisco, check the Operation Mode field in the Advanced VPN Tunnel Setup, and in Shrew it is called Exchange Type on the Phase 1 tab of the site configuration.

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
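The thread above turns on two questions: how a pre-shared key is actually used in IKEv1 phase 1, and what the client is checking when it logs "invalid hash size ( 0 != 16 )". The following is an added illustration written for this page; it is not Shrew Soft code and was not posted by anyone in the thread. It follows RFC 2409 (IKE) and RFC 2408 (ISAKMP): with PSK authentication the key itself is never placed in a payload; it keys the prf that produces SKEYID, and only the derived HASH_I / HASH_R travel on the wire inside a HASH payload whose body must be exactly the negotiated hash output size (16 bytes for MD5, 20 for SHA-1). All sample values (PSK, nonces, cookies, DH publics, SA and ID bodies) are constructed here and are not taken from the BEFSX41 exchange; the `demo` function and its dictionary keys are names chosen for this example.

```python
"""IKEv1 phase 1 PSK authentication pieces per RFC 2409 (illustration only)."""
import hmac
import struct

# Output size of the negotiated hash algorithm; the HASH payload body must match it.
HASH_SIZES = {"md5": 16, "sha1": 20}
PAYLOAD_HASH = 8  # ISAKMP payload type for HASH (RFC 2408)


def parse_payload(raw: bytes):
    """Split one generic ISAKMP payload into (next_payload, body).

    RFC 2408 3.2 header: next payload (1 byte), reserved (1), payload length
    (2, big endian) that includes the 4-byte header itself.
    """
    if len(raw) < 4:
        raise ValueError("short payload header")
    next_payload, _reserved, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("bad payload length")
    return next_payload, raw[4:length]


def check_hash_size(body: bytes, hash_alg: str):
    """The length check a responder/initiator applies before comparing digests."""
    expected = HASH_SIZES[hash_alg]
    if len(body) != expected:
        return False, f"invalid hash size ( {len(body)} != {expected} )"
    return True, "hash size ok"


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, hash_alg: str) -> bytes:
    # RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b). The PSK is the prf key only.
    return hmac.new(psk, ni_b + nr_b, hash_alg).digest()


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b, hash_alg):
    # RFC 2409 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return hmac.new(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b, hash_alg).digest()


def hash_r(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b, hash_alg):
    # RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return hmac.new(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b, hash_alg).digest()


def verify_hash(received: bytes, computed: bytes) -> bool:
    # Constant-time comparison of the peer's HASH payload body with our own derivation.
    return hmac.compare_digest(received, computed)


# Constructed sample inputs (not captured from any real gateway).
SAMPLE = {
    "psk": b"example-psk",
    "ni": bytes(range(16)),
    "nr": bytes(range(16, 32)),
    "g_xi": b"\x01" * 128,            # modp-1024 public values are 128 bytes
    "g_xr": b"\x02" * 128,
    "cky_i": b"\xaa" * 8,
    "cky_r": b"\xbb" * 8,
    "sai_b": b"\x00\x00\x00\x01\x00\x00\x00\x01",          # stand-in SA body
    "idii_b": b"\x01\x00\x00\x00" + bytes([192, 168, 0, 10]),  # ID_IPV4_ADDR 192.168.0.10
}


def demo(hash_alg: str = "md5"):
    """Derive HASH_I from the PSK and run the size/verify checks on three payloads."""
    s = SAMPLE
    skeyid = skeyid_psk(s["psk"], s["ni"], s["nr"], hash_alg)
    args = (s["g_xi"], s["g_xr"], s["cky_i"], s["cky_r"], s["sai_b"], s["idii_b"])
    hi = hash_i(skeyid, *args, hash_alg)

    good = struct.pack("!BBH", 0, 0, 4 + len(hi)) + hi    # well-formed HASH payload
    empty = struct.pack("!BBH", 0, 0, 4)                  # header only, zero-length body
    other_alg = "sha1" if hash_alg == "md5" else "md5"
    peer_other = hash_i(skeyid_psk(s["psk"], s["ni"], s["nr"], other_alg), *args, other_alg)

    # Same inputs but a different PSK on the far side: size is right, digest is not.
    wrong_psk = hash_i(skeyid_psk(b"another-psk", s["ni"], s["nr"], hash_alg), *args, hash_alg)

    return {
        "good": check_hash_size(parse_payload(good)[1], hash_alg),
        "empty": check_hash_size(parse_payload(empty)[1], hash_alg),
        "other_alg": check_hash_size(peer_other, hash_alg),
        "verify_ok": verify_hash(parse_payload(good)[1], hi),
        "verify_wrong_psk": verify_hash(parse_payload(good)[1], wrong_psk),
    }


if __name__ == "__main__":
    for name, result in demo("md5").items():
        print(f"{name}: {result}")
```

Two things the output makes concrete. A zero-length HASH body trips the size check before any key material is compared, which is what the "0 != 16" line in the log reports: the peer sent a HASH payload with no digest in it, so nothing about the PSK has been tested yet. And if the two sides disagree on the hash algorithm, the mismatch also surfaces as a size error ("20 != 16" when one side uses SHA-1 and the other MD5) rather than as an authentication failure; a mismatched PSK with the right algorithm passes the size check and fails only at the digest comparison.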
