04-01-2014 04:28 PM
Hi
I have been struggling with this problem for one week and tried every configuration (except the right one).
I have two Cisco routers (one RV215W and one SRP521).
The SRP521 was used in a client-server configuration and works fine.
I wanted to move to a site-to-site config behind an internet box (using NAT, to make things more complex).
On Site G
(LAN) 192.168.25.0/24 === 192.168.25.1 (Cisco RV215W) 192.168.10.161 --- 192.168.10.1 (xDSL) 88.B.C.D (where 88.B.C.D is my public address on site G)
On Site R
(LAN) 192.168.15.0/24 === 192.168.15.1 (Cisco SRP521) 192.168.1.2 --- 192.168.1.1 (xDSL) 41.F.G.H (where 41.F.G.H is my public address on site R)
So I have NAT (so I have activated NAT traversal on both sides).
On the RV215W (Site G)
IKE Policy Table
Mode:main
Local identifier: 192.168.10.161
Remote identifier: 192.168.1.2
AES128/SHA1
DH Group2
xauth disabled
VPN policy table
Type: auto policy
Remote endpoint: 41.F.G.H
Local: 192.168.25.1/255.255.255.0
Remote: 192.168.15.1/255.255.255.0
AES128/SHA1
PFS Keygroup: disable
On site R (SRP521W)
IKE
Policy Name gnt
Exchange Mode Main
Encryption Algorithm AES128
Authentication Algorithm SHA-1
Diffie-Hellman (DH) Group Group 2 (1024 bit)
Auto Pre-Shared Key XXXXXXXXXX
Enable Dead Peer Detection Enable
DPD Interval 3600
DPD Timeout 3600
XAUTH client Disable
IP Sec
Status Enable
Policy Name rabat
Local Group Type IP Address & Subnet
Local Group IP Address 192.168.15.1
Local Group IP Subnet 255.255.255.0
Remote Endpoint IP Address
Remote security gateway address 192.168.10.161
Remote security domain name
Remote group type IP Address & Subnet
Remote group IP 192.168.25.1
Remote group Subnet Mask 255.255.255.0
Encrypted algorithm 3DES
Integrity algorithm SHA-1
Policy type Auto
Manual encryption key
Manual auth key
Inbound SPI
Outbound SPI
PFS Disable
Key life time 7800
Now using IKE policy gnt
These are the logs:
6 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500
7 2014-04-02 0:08:05 AM debug pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad
8 2014-04-02 0:08:05 AM debug pluto[22201]: | payload malformed after IV
9 2014-04-02 0:08:05 AM info pluto[22201]: "rabat" #2: malformed payload in packet
10 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: malformed payload in packet
11 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
12 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled
13 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
14 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: new NAT mapping for #2, was 41.F.G.H:500, now 41.F.G.H:4500
15 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
16 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
17 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R2: sent MR2, expecting MI3
18 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
19 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
20 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R1: sent MR1, expecting MI2
21 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
22 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: responding to Main Mode
23 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
24 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
25 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
26 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
27 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [RFC 3947] method set to=109
28 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [Dead Peer Detection]
29 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: ignoring unknown Vendor ID payload [4f4543714271574c644b7a41]
I guess that the error is "byte 2 of ISAKMP Hash Payload must be zero, but is not".
I could not find any real hint on the internet/forums about this error.
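The log line singled out above comes from pluto's ISAKMP payload parser. Every IKEv1 payload (RFC 2408) starts with a four-byte generic header: next payload type, a RESERVED byte that must be zero, and the payload length; pluto logs "byte 2 of ISAKMP ... Payload must be zero" when the RESERVED byte of a payload it has just decrypted is not zero, which is how a message that did not decrypt to the expected plaintext shows up. The Python below is an added example, not code from this post, from Cisco or from pluto: it builds a constructed Main Mode plaintext (Identification + Hash payloads), walks the payload chain the same way, decodes the ID the way pluto prints it, and shows how a single corrupted RESERVED byte yields exactly that message. The cookie values, the 20 placeholder hash bytes and the payload name table are assumptions for illustration.

```python
"""Walk the ISAKMP (IKEv1, RFC 2408) payload chain of a decrypted Main Mode
message and reproduce the sanity check behind pluto's log line
"byte 2 of ISAKMP Hash Payload must be zero, but is not".
Added example: not code from the original post, from Cisco, or from pluto.
The sample messages built at the bottom are constructed for illustration."""
import socket
import struct

# Fixed 28-byte ISAKMP header: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, total length.
ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)   # 28
# Every payload starts with a 4-byte generic header: next payload, RESERVED
# (must be zero), payload length. "Byte 2" in pluto's message is that RESERVED byte.
GENERIC_HDR_FMT = "!BBH"
PAYLOAD_NAMES = {1: "Security Association", 4: "Key Exchange", 5: "Identification",
                 8: "Hash", 10: "Nonce", 11: "Notification", 13: "Vendor ID",
                 20: "NAT-D"}   # 20 is the RFC 3947 NAT discovery payload
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN"}
EXCHANGE_MAIN_MODE = 2
FLAG_ENCRYPTION = 0x01


def build_message(payloads, exchange_type=EXCHANGE_MAIN_MODE, flags=FLAG_ENCRYPTION):
    """Assemble an ISAKMP message from [(payload_type, body_bytes), ...], chaining
    each generic header's next-payload field to the following payload."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack(GENERIC_HDR_FMT, nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(ISAKMP_HDR_FMT, b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange_type, flags, 0, ISAKMP_HDR_LEN + len(chain))
    return hdr + chain


def check_message(data):
    """Parse the header and walk the payload chain. Returns the parsed
    (name, body) payloads and a list of problems, stopping at the first
    problem as a real parser would."""
    if len(data) < ISAKMP_HDR_LEN:
        return {"payloads": [], "problems": ["truncated ISAKMP header"]}
    _ic, _rc, ptype, _ver, _exch, _flags, _msgid, length = struct.unpack(
        ISAKMP_HDR_FMT, data[:ISAKMP_HDR_LEN])
    payloads, problems = [], []
    if length != len(data):
        problems.append(f"header length {length} != message length {len(data)}")
    off = ISAKMP_HDR_LEN
    while ptype != 0 and not problems:
        name = PAYLOAD_NAMES.get(ptype, f"type {ptype}")
        if off + 4 > len(data):
            problems.append(f"ISAKMP {name} Payload header runs past end of message")
            break
        nxt, reserved, plen = struct.unpack(GENERIC_HDR_FMT, data[off:off + 4])
        if reserved != 0:
            # A freshly decrypted payload whose RESERVED byte is not zero is the
            # usual sign that the ciphertext did not decrypt to what the parser
            # expected (wrong key or IV, or misaligned framing).
            problems.append(f"byte 2 of ISAKMP {name} Payload must be zero, but is not")
            break
        if plen < 4 or off + plen > len(data):
            problems.append(f"bad length {plen} for ISAKMP {name} Payload at offset {off}")
            break
        payloads.append((name, data[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    return {"payloads": payloads, "problems": problems}


def decode_id_payload(body):
    """Decode an Identification payload body (ID type, protocol, port, data)
    into the form pluto logs, e.g. "ID_IPV4_ADDR: '192.168.1.2'"."""
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    name = ID_TYPE_NAMES.get(id_type, f"type {id_type}")
    data = body[4:]
    value = socket.inet_ntoa(data) if id_type == 1 else data.decode("ascii", "replace")
    return f"{name}: '{value}'"


# Constructed samples: the plaintext of a Main Mode MI3 (ID + HASH) as it would
# look after decryption, once well-formed and once with the Hash payload's
# RESERVED byte corrupted.
ID_BODY = struct.pack("!BBH4s", 1, 0, 0, socket.inet_aton("192.168.1.2"))
HASH_BODY = bytes(range(20))               # placeholder for a 20-byte SHA-1 HASH_I
GOOD_MESSAGE = build_message([(5, ID_BODY), (8, HASH_BODY)])
_bad = bytearray(GOOD_MESSAGE)
_bad[ISAKMP_HDR_LEN + 12 + 1] = 0x5F       # RESERVED byte of the Hash payload header
BAD_MESSAGE = bytes(_bad)

if __name__ == "__main__":
    for label, msg in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        result = check_message(msg)
        print(label, [n for n, _ in result["payloads"]], result["problems"])
        for name, body in result["payloads"]:
            if name == "Identification":
                print("  Main mode peer ID is", decode_id_payload(body))
```

Running it prints the good message as two clean payloads with the peer ID decoded, and the bad message as the Identification payload followed by the same "byte 2 of ISAKMP Hash Payload must be zero, but is not" text seen in the log; note that in the log the Identification payload was parsed before the Hash payload failed, so the parser had already got past the first generic header of that message.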
06-21-2018 07:50 PM
Hi, do you recall how you fixed this issue? Facing the same problem.