site to site VPN RV215W and SRP521: malformed ISAKMP Hash Payload

lisamartin1
Level 1

Hi,
I have been struggling with this problem for one week and have tried every configuration (except the right one).

I have two Cisco devices (one RV215W and one SRP521).

The SRP521 was used in a client-server configuration and works fine.
I wanted to move to a site-to-site configuration behind an internet box (using NAT, to make things more complex).

On Site G
 (LAN)192.168.25.0/24  ===  192.168.25.1(CISCO RV215X)192.168.10.161   192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public address on site G)

On Site R
 (LAN)192.168.15.0/24  ===  192.168.15.1(CISCO SRP521)192.168.1.2   192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public address on site R)
 
 
So I have NAT (so I have activated NAT traversal on both sides).
 
On the RV215W (Site G)
IKE Policy Table
Mode: main
Local identifier: 192.168.10.161
Remote identifier: 192.168.1.2
AES128/SHA1
DH Group 2
XAUTH disabled

VPN policy table
Type: auto policy
Remote endpoint: 41.F.G.H
Local: 192.168.25.1/255.255.255.0
Remote: 192.168.15.1/255.255.255.0
AES128/SHA1
PFS Keygroup: disable

On site R (SRP521W)
IKE
Policy Name: gnt
Exchange Mode: Main
Encryption Algorithm: AES128
Authentication Algorithm: SHA-1
Diffie-Hellman (DH) Group: Group 2 (1024 bit)
Auto Pre-Shared Key: XXXXXXXXXX
Enable Dead Peer Detection: Enable
DPD Interval: 3600
DPD Timeout: 3600
XAUTH client: Disable

IPsec
Status: Enable
Policy Name: rabat
Local Group Type: IP Address & Subnet
Local Group IP Address: 192.168.15.1
Local Group IP Subnet: 255.255.255.0
Remote Endpoint: IP Address
Remote security gateway address: 192.168.10.161
Remote security domain name: (empty)
Remote group type: IP Address & Subnet
Remote group IP: 192.168.25.1
Remote group Subnet Mask: 255.255.255.0
Encryption algorithm: 3DES
Integrity algorithm: SHA-1
Policy type: Auto
Manual encryption key: (empty)
Manual auth key: (empty)
Inbound SPI: (empty)
Outbound SPI: (empty)
PFS: Disable
Key life time: 7800
Now using IKE policy: gnt


These are the logs (newest entry first):

6    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500    
7    2014-04-02 0:08:05 AM    debug    pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad    
8    2014-04-02 0:08:05 AM    debug    pluto[22201]: | payload malformed after IV    
9    2014-04-02 0:08:05 AM    info    pluto[22201]: "rabat" #2: malformed payload in packet    
10    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: malformed payload in packet    
11    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not    
12    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled    
13    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}    
14    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: new NAT mapping for #2, was 41.F.G.H:500, now 41.F.G.H:4500    
15    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3    
16    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'    
17    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R2: sent MR2, expecting MI3    
18    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2    
19    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed    
20    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R1: sent MR1, expecting MI2    
21    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1    
22    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: responding to Main Mode    
23    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]    
24    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109    
25    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109    
26    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109    
27    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [RFC 3947] method set to=109     
28    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [Dead Peer Detection]    
29    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: ignoring unknown Vendor ID payload [4f4543714271574c644b7a41]

I guess that the error is "byte 2 of ISAKMP Hash Payload must be zero, but is not".

I could not find any real hint on the internet/forums about this error.
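For anyone landing here from the same log lines: the message quoted above comes from pluto's generic-payload parsing. Every ISAKMP payload starts with a 4-byte generic header (RFC 2408 section 3.2): Next Payload, a RESERVED octet that must be zero, and a 2-byte length. That RESERVED octet is the second byte of the header, which pluto reports 1-based as "byte 2". In the log the ISAKMP header itself parsed fine (the packet was matched to state #2 and its Next Payload field announced a HASH payload), but the bytes obtained after decryption did not form a valid header, so pluto logged "payload malformed after IV" and replied with PAYLOAD_MALFORMED. In other words, the ciphertext did not decrypt to a well-formed payload, which means the two ends did not agree on the key or IV for that message, or the sender genuinely emitted a corrupt body. The script below is an added example for this thread (not code from the original poster, from Cisco, or from Openswan/pluto): it parses a raw IKEv1 datagram as captured on UDP 500 or 4500, strips the RFC 3948 non-ESP marker on 4500, walks the payload chain applying the same must-be-zero and length checks, and shows the exact pluto-style diagnostic on a constructed "decrypted to garbage" body next to a well-formed one. All sample bytes are made up for the demonstration.

```python
"""Payload-chain checks for raw IKEv1 (ISAKMP) datagrams, mirroring the
sanity checks behind the pluto messages quoted in this thread.

Added example for this thread; not code from the original poster, Cisco,
or Openswan/pluto. Layouts follow RFC 2408 (3.1, 3.2) and RFC 3948
(non-ESP marker on UDP/4500). The sample datagrams at the bottom are
constructed by hand and carry no real keys, hashes or nonces.
"""
import struct

ISAKMP_HDR_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # distinguishes IKE from ESP on UDP/4500
FLAG_ENCRYPTION = 0x01                  # ISAKMP header flag: body is encrypted

# Payload type numbers (RFC 2408 3.1; 20/21 from RFC 3947), named pluto-style.
PAYLOAD_NAMES = {
    1: "ISAKMP Security Association Payload", 2: "ISAKMP Proposal Payload",
    3: "ISAKMP Transform Payload", 4: "ISAKMP Key Exchange Payload",
    5: "ISAKMP Identification Payload", 6: "ISAKMP Certificate Payload",
    7: "ISAKMP Certificate Request Payload", 8: "ISAKMP Hash Payload",
    9: "ISAKMP Signature Payload", 10: "ISAKMP Nonce Payload",
    11: "ISAKMP Notification Payload", 12: "ISAKMP Delete Payload",
    13: "ISAKMP Vendor ID Payload", 20: "ISAKMP NAT-D Payload",
    21: "ISAKMP NAT-OA Payload",
}


class MalformedPayload(Exception):
    """Raised with a pluto-style diagnostic on the first violation found."""


def parse_isakmp_header(data):
    """Unpack the fixed 28-byte ISAKMP header (RFC 2408 3.1) into a dict."""
    if len(data) < ISAKMP_HDR_LEN:
        raise MalformedPayload("datagram shorter than the ISAKMP header")
    fields = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    hdr = dict(zip(("icookie", "rcookie", "next_payload", "version",
                    "exchange_type", "flags", "message_id", "length"), fields))
    if hdr["length"] != len(data):
        raise MalformedPayload("ISAKMP length %d does not match datagram size %d"
                               % (hdr["length"], len(data)))
    return hdr


def walk_payloads(body, first_np):
    """Follow the generic payload headers (RFC 2408 3.2) through `body`.

    Each header is Next Payload (1), RESERVED (1, must be zero), Length (2).
    RESERVED sits at offset 1, which pluto reports 1-based as "byte 2".
    Returns [(payload name, payload length), ...].
    """
    payloads, np, off = [], first_np, 0
    while np != 0:
        if np not in PAYLOAD_NAMES:
            raise MalformedPayload("unknown payload type %d" % np)
        name = PAYLOAD_NAMES[np]
        if off + 4 > len(body):
            raise MalformedPayload("not enough room in input for %s" % name)
        next_np, reserved, plen = struct.unpack("!BBH", body[off:off + 4])
        if reserved != 0:
            raise MalformedPayload("byte 2 of %s must be zero, but is not" % name)
        if plen < 4 or off + plen > len(body):
            raise MalformedPayload("impossible payload length %d in %s" % (plen, name))
        payloads.append((name, plen))
        off, np = off + plen, next_np
    return payloads


def check_datagram(data, udp_port=500):
    """Check a raw IKE datagram as received on UDP 500 or 4500.

    Returns (header, payload list). For an encrypted body the list is None:
    the chain can only be checked after decryption, which is exactly the
    point at which pluto's "payload malformed after IV" fires.
    """
    if udp_port == 4500:
        if data[:4] != NON_ESP_MARKER:
            raise MalformedPayload("UDP/4500 datagram without non-ESP marker")
        data = data[4:]
    hdr = parse_isakmp_header(data)
    if hdr["flags"] & FLAG_ENCRYPTION:
        return hdr, None
    return hdr, walk_payloads(data[ISAKMP_HDR_LEN:], hdr["next_payload"])


def diagnose_decrypted(hdr, plaintext):
    """What pluto would log once the encrypted body has been decrypted."""
    try:
        names = [n for n, _ in walk_payloads(plaintext, hdr["next_payload"])]
        return "ok: " + " -> ".join(names)
    except MalformedPayload as e:
        return "malformed payload in packet: %s" % e


def raises_malformed(func, *args):
    """True if func(*args) raises MalformedPayload (helper for checks)."""
    try:
        func(*args)
    except MalformedPayload:
        return True
    return False


# ---- constructed samples, not captured traffic ------------------------------
def build_payload(next_np, content):
    return struct.pack("!BBH", next_np, 0, 4 + len(content)) + content


def build_isakmp(np, exchange_type, flags, message_id, body):
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, np, 0x10,
                       exchange_type, flags, message_id,
                       ISAKMP_HDR_LEN + len(body)) + body


# Well-formed decrypted quick-mode body: HASH -> SA -> NONCE (dummy contents).
GOOD_PLAINTEXT = (build_payload(1, b"\xaa" * 20) + build_payload(10, b"\xbb" * 4)
                  + build_payload(0, b"\xcc" * 16))
# What a wrong key or desynchronised IV yields: bytes that are not a header.
BAD_PLAINTEXT = bytes.fromhex("3b9c4f10e2a7d8cc0154f3b1aa90e7c2")
# The same exchange on the wire: encryption flag set, framed for UDP/4500.
ENC_DATAGRAM = NON_ESP_MARKER + build_isakmp(8, 32, FLAG_ENCRYPTION,
                                             0x0a0b0c0d, b"\x5a" * 32)

if __name__ == "__main__":
    hdr, _ = check_datagram(ENC_DATAGRAM, udp_port=4500)
    print(diagnose_decrypted(hdr, GOOD_PLAINTEXT))
    print(diagnose_decrypted(hdr, BAD_PLAINTEXT))
```

To use it on real traffic, feed it the UDP payload of each packet from a capture taken on the WAN side (tcpdump -i eth0 udp port 500 or udp port 4500) together with the destination port; an unencrypted main-mode message will list its payload chain, and an encrypted one will only tell you that the header is sane, which is already useful for separating a framing problem (missing marker, bad length, shifted header) from the key/IV disagreement that the "after IV" message points to.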

1 Reply

ahmad82pkn
Level 2

Hi, do you recall how you fixed this issue? Facing the same problem.