IPSEC pfsense and fortigate: could not decrypt payloads

GB13 · Sep 23, 2021, 10:06 AM

Hi,
We're facing issue with VPN ipsec between pfsense and fortigate firewall. Tunnel randomly go down, on IPSEC log we see this:

Sep 23 11:38:05	charon	4357	08[NET] <con100000|11101> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (76 bytes)
Sep 23 11:38:05	charon	4357	08[ENC] <con100000|11101> generating INFORMATIONAL_V1 request 3006923544 [ HASH N(PLD_MAL) ]
Sep 23 11:38:05	charon	4357	08[ENC] <con100000|11101> could not decrypt payloads
Sep 23 11:38:05	charon	4357	08[ENC] <con100000|11101> invalid HASH_V1 payload length, decryption failed?
Sep 23 11:38:05	charon	4357	08[NET] <con100000|11101> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (428 bytes)

jimp · Sep 23, 2021, 12:18 PM

Your pre-shared key does not exactly match the key at the far side.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html#phase-1-pre-shared-key-mismatch

If it works sometimes and not others, it may be that it only works when initiating in one direction. It could still be a problem with the key, but perhaps something more subtle like an extra space at the start/end that is ignored when checking on one side but not the other.