Clarification request on previous mobile VPN issue/Shrewsoft client ("invalid HASH_V1 payload length, decryption failed?")?



  • Hello:

    I just upgraded from 2.1.3 to 2.3.5p2 and as a result the mobile VPNs (using Shrewsoft 2.2.2 client) are no longer working. I found the following article that seems to address my problem:
    https://forum.netgate.com/topic/85740/solved-2-2-2-2-2-3-ipsec-invalid-hash_v1-payload-length-decryption-failed

    This article referred to an upgrade guide with the following info:
    "...Stricter Phase 1 Identifier Validation
In 2.1.x and earlier versions, racoon could accept mismatched phase 1 identifiers when using “IP Address” as the identifier. This is most commonly a problem where one of the endpoints is behind NAT and you’re using “My IP Address” and “Peer IP Address” for your identifiers. On the side with the private IP WAN, “My IP Address” will be its private WAN IP. On the opposite end, “Peer IP Address” will be the public IP of the opposite side. Hence, these two values don’t match, and should have resulted in a connection failure. racoon would fall back to checking the source IP of the initiating host as an identifier, where it found the match. Change the phase 1 identifiers so they really do match to resolve this..."

    I have a rudimentary understanding of VPN terminology (just enough to be confused). Would somebody have a moment to explain how this relates to the Shrewsoft client, i.e. which specific fields the above comment is referring to?

    If there's a better way to address my issue, that would also be great to know.

Any help is much appreciated! Even if somebody could point out where to find a more detailed answer. :-)

    Thank you!

    SJ



  • An update:

    Changing the Shrewsoft setting on the Authentication tab for "Local Identity" from "Key Identifier" (which worked for the last several years) to UFQDN (using the same string) fixed the issue for me. I consider myself lucky to have found this, but maybe it makes sense to others.

    Thanks to anybody who gave this some thought. :-)

    SJ
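As an added illustration of the two points above (the upgrade guide's NAT/"IP Address" identifier mismatch and the Key Identifier vs UFQDN change that fixed it), here is a small Python model of phase 1 identifier checking. It is not code from the thread, from pfSense, or from the Shrew Soft client; the identifier type names, the sample addresses and the assumption that the firewall side expects a User FQDN are all constructed for the example. What it shows is that the old racoon fallback only ever rescued an *address* identifier mismatch by looking at the packet's source IP, whereas the strict check requires both the identifier type and its value to be identical, so the same string sent as a Key Identifier and as a UFQDN are two different identifiers.

```python
"""Model of IKEv1 phase 1 identifier checking: legacy fallback vs strict.

Constructed example. Type names, identifier values and addresses are
assumptions made for illustration, not values taken from pfSense or
Shrew Soft.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed identifier type labels, mapped to the Shrew Soft UI wording.
IPV4_ADDR = "IPV4_ADDR"   # "My IP Address" / "Peer IP Address"
USER_FQDN = "USER_FQDN"   # Shrew Soft "UFQDN"
KEY_ID = "KEY_ID"         # Shrew Soft "Key Identifier"


@dataclass(frozen=True)
class Phase1Id:
    id_type: str
    value: str


def strict_match(expected: Phase1Id, received: Phase1Id) -> bool:
    """2.2+ behaviour: identifier type and value must both be identical."""
    return expected == received


def legacy_match(expected: Phase1Id, received: Phase1Id, source_ip: str) -> bool:
    """2.1.x racoon behaviour as described in the upgrade guide: if the ID
    payload does not match and the expected ID is an address, accept it
    when the source IP of the initiating packet matches instead."""
    if strict_match(expected, received):
        return True
    if expected.id_type != IPV4_ADDR:
        return False
    return ip_address(expected.value) == ip_address(source_ip)


def explain(expected: Phase1Id, received: Phase1Id) -> str:
    """Human-readable reason, useful when reading the IPsec log side by side."""
    if expected == received:
        return "match"
    if expected.id_type != received.id_type:
        return f"type mismatch: expected {expected.id_type}, got {received.id_type}"
    return f"value mismatch: expected {expected.value!r}, got {received.value!r}"


def nat_scenario(strict: bool) -> bool:
    """Client behind NAT: its 'My IP Address' is the private WAN IP, but the
    responder's 'Peer IP Address' is the NAT gateway's public IP.
    Addresses are constructed (RFC 1918 and RFC 5737 ranges)."""
    client_private_wan = "192.168.1.10"
    nat_public = "203.0.113.5"
    received = Phase1Id(IPV4_ADDR, client_private_wan)  # what the client sends
    expected = Phase1Id(IPV4_ADDR, nat_public)          # what the responder has configured
    if strict:
        return strict_match(expected, received)
    # Packets arrive from the NAT gateway, so the old fallback finds a match.
    return legacy_match(expected, received, source_ip=nat_public)


def shrew_identity_scenario(client_type: str, strict: bool = True) -> bool:
    """Same identifier string sent as Key Identifier vs UFQDN. Assumption:
    the firewall side expects a User FQDN (the thread does not state this)."""
    ident = "sj-mobile"  # constructed value
    expected = Phase1Id(USER_FQDN, ident)
    received = Phase1Id(client_type, ident)
    if strict:
        return strict_match(expected, received)
    return legacy_match(expected, received, source_ip="203.0.113.5")


if __name__ == "__main__":
    print("NAT, legacy:", nat_scenario(strict=False))
    print("NAT, strict:", nat_scenario(strict=True))
    print("Key Identifier, strict:", shrew_identity_scenario(KEY_ID))
    print("UFQDN, strict:", shrew_identity_scenario(USER_FQDN))
    print(explain(Phase1Id(USER_FQDN, "sj-mobile"), Phase1Id(KEY_ID, "sj-mobile")))
```

When troubleshooting, the practical check is to compare the identifier type and value the client actually sends (Shrew Soft's Authentication tab, Local Identity) against the Peer Identifier type and value configured on the firewall's phase 1 entry; the `explain` helper mirrors that comparison so the mismatch is stated as either a type or a value problem.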