[vpn-help] connect to befsx41

Kevin VPN kvpn at live.com
Thu Mar 15 21:48:25 CDT 2012


On 03/15/2012 11:00 AM, Bill Wallick wrote:
> From further investigation I believe that what is happening is that the
> Linksys is expecting to see the shared key,,, but it does not send out the
> shared key... However the client software is expecting to both send and
> receive the shared key, and doesn't seem to have an option to allow this to
> be only one way.
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net]On Behalf Of Kevin VPN
> Sent: Wednesday, March 14, 2012 7:04 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] connect to befsx41
>
>
> On 03/14/2012 04:34 PM, Bill Wallick wrote:
>> I am getting an "invalid hash size". Can anyone shed some light on this
>> ???
>> here is the log.
>>
>> 12/03/14 12:14:45<<   : security association payload
>> 12/03/14 12:14:45<<   : - propsal #1 payload
>> 12/03/14 12:14:45<<   : -- transform #1 payload
>> 12/03/14 12:14:45 ii : matched isakmp proposal #1 transform #1
>> 12/03/14 12:14:45 ii : - transform    = ike
>> 12/03/14 12:14:45 ii : - cipher type  = 3des
>> 12/03/14 12:14:45 ii : - key length   = default
>> 12/03/14 12:14:45 ii : - hash type    = md5
>> 12/03/14 12:14:45 ii : - dh group     = modp-1024
>> 12/03/14 12:14:45 ii : - auth type    = psk
>> 12/03/14 12:14:45 ii : - life seconds = 3600
>> 12/03/14 12:14:45 ii : - life kbytes  = 0
>> 12/03/14 12:14:45<<   : key exchange payload
>> 12/03/14 12:14:45<<   : nonce payload
>> 12/03/14 12:14:45<<   : identification payload
>> 12/03/14 12:14:45 ii : phase1 id target is any
>> 12/03/14 12:14:45 ii : phase1 id match
>> 12/03/14 12:14:45 ii : received = ipv4-host 192.168.0.10
>> 12/03/14 12:14:45<<   : hash payload
>> 12/03/14 12:14:45 !! : invalid hash size ( 0 != 16 )
>>
>
> Hi Bill,
>
> I'm not sure what is causing this message.  My guess would be that there
> is still something mismatched in the settings.  Perhaps the BEFSX41 uses
> SHA1 Hash Algorithm instead of MD5.
>
> Another possibility is that Shrew is expecting one kind of message from
> the Linksys (identification payload) but the VPN gateway is sending
> something different.
>
> For example, maybe it does not recognize the Shrew client because the
> Authentication->Local Identity in Shrew do not match what is configured
> in the BEFSX41 for the remote site/client.
>
> So while Shrew is waiting for the next packet in the connect sequence,
> the BEFSX41 is sending back an "unrecognized peer" message.
>
> Can you look on the Cisco/Linksys box to see what its logs say?
>

Hi Bill,

I don't know exactly how the Pre-Shared Key process works, but I 
would guess that both ends rely on it to identify the opposite end of 
the connection.  So I would expect that both sides should send the PSK.

I would suggest that if the gateway (Linksys) is not sending the key, 
then perhaps there is still a setting mismatch between Shrew and the 
Linksys.

My guess today would be to check the connection Mode defined between the 
Linksys and Shrew.  Check to see that both are using Aggressive mode 
(instead of Main mode).  On the Cisco, check the Operation Mode field in 
the Advanced VPN Tunnel Setup, and in Shrew it is called Exchange Type 
on the Phase 1 tab of the site configuration.
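For readers trying to make sense of the "invalid hash size ( 0 != 16 )" line in Bill's log: the proposal above negotiated MD5, whose digest is 16 bytes, and the hash payload that arrived carried 0 bytes of digest, which is what the two numbers in the message compare. The snippet below is an added example written for this archive page (it is not Shrew Soft code and not taken from the thread); it walks a chain of ISAKMP generic payload headers (RFC 2408: next-payload, reserved, length), decodes an ipv4-host identity the way the log prints it, and applies the same size check against the negotiated hash algorithm. The message bytes, the helper names (parse_payload_chain, check_hash_size, describe_id) and the hash-size table are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# ISAKMP payload type numbers (RFC 2408, section 3.1).
PAYLOAD_NONE = 0
PAYLOAD_KE = 4
PAYLOAD_ID = 5
PAYLOAD_HASH = 8
PAYLOAD_NONCE = 10

# Digest length in bytes for the phase 1 hash algorithms seen in the thread.
# (Assumed table for the example; the log negotiated "hash type = md5".)
HASH_SIZES = {"md5": 16, "sha1": 20}

# ISAKMP identification type ID_IPV4_ADDR (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1


@dataclass
class Payload:
    ptype: int
    data: bytes  # payload body with the 4-byte generic header stripped


def parse_payload_chain(first_type: int, body: bytes) -> List[Payload]:
    """Walk the generic headers: next payload (1), reserved (1), length (2).

    first_type is the "next payload" value carried in the ISAKMP header;
    the length field counts the 4 header bytes, so an all-header payload
    carries zero bytes of data."""
    payloads = []
    ptype, offset = first_type, 0
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack("!BBH", body[offset:offset + 4])
        if length < 4 or offset + length > len(body):
            raise ValueError(f"bad payload length {length} at offset {offset}")
        payloads.append(Payload(ptype, body[offset + 4:offset + length]))
        offset += length
        ptype = next_type
    return payloads


def describe_id(data: bytes) -> str:
    """Render an identification payload the way the Shrew log prints it."""
    id_type = data[0]  # followed by protocol id (1) and port (2), then the id
    if id_type == ID_IPV4_ADDR and len(data) >= 8:
        return "ipv4-host " + ".".join(str(b) for b in data[4:8])
    return f"id-type {id_type}"


def check_hash_size(payloads: List[Payload], hash_alg: str) -> str:
    """Compare the hash payload's data length with the negotiated digest size."""
    expected = HASH_SIZES[hash_alg]
    for p in payloads:
        if p.ptype == PAYLOAD_HASH:
            got = len(p.data)
            if got != expected:
                return f"invalid hash size ( {got} != {expected} )"
            return "hash size ok"
    return "no hash payload"


def build_payload(next_type: int, data: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, 4 + len(data)) + data


def constructed_reply(hash_data: bytes) -> Tuple[int, bytes]:
    """A made-up aggressive-mode reply body: KE -> NONCE -> ID -> HASH."""
    body = (build_payload(PAYLOAD_NONCE, b"\x11" * 128)            # DH public value (constructed)
            + build_payload(PAYLOAD_ID, b"\x22" * 16)               # responder nonce (constructed)
            + build_payload(PAYLOAD_HASH, b"\x01\x00\x00\x00"       # ID_IPV4_ADDR, proto 0, port 0
                            + bytes([192, 168, 0, 10]))             # 192.168.0.10 as in the log
            + build_payload(PAYLOAD_NONE, hash_data))               # hash payload, last in chain
    return PAYLOAD_KE, body


def diagnose(hash_data: bytes, hash_alg: str = "md5") -> Tuple[str, str]:
    """Parse a constructed reply and return (identity text, hash check result)."""
    first, body = constructed_reply(hash_data)
    payloads = parse_payload_chain(first, body)
    ident = next(describe_id(p.data) for p in payloads if p.ptype == PAYLOAD_ID)
    return ident, check_hash_size(payloads, hash_alg)


if __name__ == "__main__":
    print(diagnose(b""))              # empty hash payload, as in Bill's log
    print(diagnose(b"\xaa" * 16))     # 16-byte digest matches md5
    print(diagnose(b"\xaa" * 16, "sha1"))  # same bytes fail against sha1
```

Running it reproduces the log's wording for an empty hash payload ("invalid hash size ( 0 != 16 )") and shows the other mismatch a practitioner should recognise: a peer that signs with SHA1 while the proposal negotiated MD5 fails the same check with different numbers, which is why comparing the hash algorithm on both ends is the first thing to verify.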
