site to site VPN RV215W and SRP521: malformed ISAKMP Hash Payload

Hi

I have been struggling with this problem for one week and have tried every configuration (except the right one).

I have two Cisco devices (one RV215W and one SRP521).

The SRP521 was used in a client-server configuration and works fine.
I wanted to move to a site-to-site config behind an internet box (using NAT, to make things more complex).

On Site G
 (LAN)192.168.25.0/24  ===  192.168.25.1(CISCO RV215X)192.168.10.161   192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public address on site G)

On Site R
 (LAN)192.168.15.0/24  ===  192.168.15.1(CISCO SRP521)192.168.1.2   192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public address on site R)

So I have NAT (so I have activated NAT traversal on both sides).
 
 On the RV215W (Site G)
 IKE Policy Table
 Mode:main
 Local identifier : 192.168.10.161
 
 Remote identifier 192.168.1.2
 AES128/SHA1
 DH Group2
 xauth disabled
 
 
 VPN policy table
 Type:autopolicy
 remote endpoint 41.F.G.H
 Local 192.168.25.1/255.255.255.0
 remote 192.168.15.1/255.255.255.0
 AES128/SHA1
 PFS Keygroup: disable

 On site R (SRP521W)
 IKE
 Policy Name    gnt
Exchange Mode    Main
Encryption Algorithm    AES128
Authentication Algorithm    SHA-1
Diffie-Hellman (DH) Group    Group 2 (1024 bit)
Auto Pre-Shared Key    XXXXXXXXXX
Enable Dead Peer Detection    Enable
DPD Interval    3600
DPD Timeout    3600
XAUTH client     Disable


IP Sec
Status    Enable
Policy Name    rabat
Local Group Type    IP Address & Subnet
Local Group IP Address    192.168.15.1
Local Group IP Subnet    255.255.255.0
Remote Endpoint    IP Address
Remote security gateway address    192.168.10.161
Remote security domain name    
Remote group type    IP Address & Subnet
Remote group IP    192.168.25.1
Remote group Subnet Mask    255.255.255.0
Encrypted algorithm    3DES
Integrity algorithm    SHA-1
Policy type    Auto
Manual encryption key    
Manual auth key    
Inbound SPI    
Outbound SPI    
PFS    Disable
Key life time    7800
Now using IKE policy    gnt


These are the logs:

6    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500    
7    2014-04-02 0:08:05 AM    debug    pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad    
8    2014-04-02 0:08:05 AM    debug    pluto[22201]: | payload malformed after IV    
9    2014-04-02 0:08:05 AM    info    pluto[22201]: "rabat" #2: malformed payload in packet    
10    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: malformed payload in packet    
11    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not    
12    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled    
13    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}    
14    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: new NAT mapping for #2, was 41.F.G.H:500, now 41.F.G.H:4500    
15    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3    
16    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'    
17    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R2: sent MR2, expecting MI3    
18    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2    
19    2014-04-02 0:08:05 AM    debug    pluto[22201]: "rabat" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed    
20    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: STATE_MAIN_R1: sent MR1, expecting MI2    
21    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1    
22    2014-04-02 0:08:04 AM    debug    pluto[22201]: "rabat" #2: responding to Main Mode    
23    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]    
24    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109    
25    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109    
26    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109    
27    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [RFC 3947] method set to=109     
28    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [Dead Peer Detection]    
29    2014-04-02 0:08:04 AM    debug    pluto[22201]: packet from 41.F.G.H:500: ignoring unknown Vendor ID payload [4f4543714271574c644b7a41]

I guess that the error is "byte 2 of ISAKMP Hash Payload must be zero, but is not".

I could not find any real hint on the internet/forums about this error
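For reference, the pluto message quoted above is the generic payload header check from RFC 2408: in every ISAKMP payload the byte after Next Payload is RESERVED and must be zero. The following Python example is added here (it is not from the post or from either Cisco device) and walks the ISAKMP header and payload chain of a datagram, raising the same wording when that byte is non-zero; it also strips the 4-byte non-ESP marker used on UDP 4500 after the NAT-T float that the log shows. All packets are constructed inline as sample data.

```python
import struct

# ISAKMP header (RFC 2408 s3.1): I-cookie, R-cookie, next payload, version, exchange
# type, flags, message ID, length.  Generic payload header (s3.2): next, RESERVED, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
GEN_HDR = struct.Struct("!BBH")
FLAG_ENCRYPTION = 0x01
NON_ESP_MARKER = b"\x00" * 4          # prefix on UDP 4500 after NAT-T float (RFC 3947)
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "Hash", 10: "Nonce",
                 11: "Notification", 13: "Vendor ID", 20: "NAT-D"}

def build_packet(payloads, flags=0, nat_t=False):
    """Assemble an ISAKMP datagram from (type, body) pairs (constructed sample data)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN_HDR.pack(nxt, 0, GEN_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, 2, flags, 0,
                          ISAKMP_HDR.size + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body

def walk_payloads(datagram, udp_port=500):
    """Return [(payload name, length)] or raise ValueError with a pluto-style reason."""
    buf = datagram
    if udp_port == 4500:                       # NAT-T: strip the 4-byte non-ESP marker
        if buf[:4] != NON_ESP_MARKER:
            raise ValueError("UDP 4500 datagram lacks the non-ESP marker")
        buf = buf[4:]
    if len(buf) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, _, flags, _, length = ISAKMP_HDR.unpack_from(buf)
    if length != len(buf):
        raise ValueError(f"ISAKMP length field {length} != datagram length {len(buf)}")
    if flags & FLAG_ENCRYPTION:                # everything after the header is ciphertext
        raise ValueError("payloads are encrypted; decrypt after the IV before walking")
    off, found = ISAKMP_HDR.size, []
    while nxt != 0:
        if off + GEN_HDR.size > len(buf):
            raise ValueError("truncated ISAKMP payload header")
        nxt_next, reserved, plen = GEN_HDR.unpack_from(buf, off)
        name = PAYLOAD_NAMES.get(nxt, f"type {nxt}")
        if reserved != 0:                      # the check that fired in the log above
            raise ValueError(f"byte 2 of ISAKMP {name} Payload must be zero, but is not")
        if plen < GEN_HDR.size or off + plen > len(buf):
            raise ValueError(f"ISAKMP {name} Payload length {plen} is invalid")
        found.append((name, plen))
        off, nxt = off + plen, nxt_next
    return found
```

The log shows the failing packet was decrypted first ("payload malformed after IV"), so the responder's check ran on the bytes that came out of decryption; the example therefore stops at the encryption flag instead of walking ciphertext.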
