[SOLVED] 2.2.2->2.2.3,IPSEC:"invalid HASH_V1 payload length, decryption failed?"
-
Hello,
After upgrading pfSense from version 2.2.2 to 2.2.3, our IPSEC for mobile clients has stopped working. All clients get the message "gateway authentication error".
In the logs the message "invalid HASH_V1 payload length, decryption failed?" appears. We use Shrew Soft VPN Client v2.2.2 on Windows 7 and Windows XP.
Unfortunately we had to switch back to version 2.2.2.
Here is an excerpt from the log file (in reverse order):
Jun 25 13:32:55 charon: 14[IKE] <con4|1> INFORMATIONAL_V1 request with message ID 2583112657 processing failed
Jun 25 13:32:55 charon: 14[IKE] <con4|1> INFORMATIONAL_V1 request with message ID 2583112657 processing failed
Jun 25 13:32:55 charon: 14[IKE] <con4|1> ignore malformed INFORMATIONAL request
Jun 25 13:32:55 charon: 14[IKE] <con4|1> ignore malformed INFORMATIONAL request
Jun 25 13:32:55 charon: 14[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 14[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 14[ENC] <con4|1> could not decrypt payloads
Jun 25 13:32:55 charon: 14[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
Jun 25 13:32:55 charon: 14[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (92 bytes)
Jun 25 13:32:55 charon: 12[IKE] <con4|1> AGGRESSIVE request with message ID 0 processing failed
Jun 25 13:32:55 charon: 12[IKE] <con4|1> AGGRESSIVE request with message ID 0 processing failed
Jun 25 13:32:55 charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (76 bytes)
Jun 25 13:32:55 charon: 12[ENC] <con4|1> generating INFORMATIONAL_V1 request 4038421101 [ HASH N(PLD_MAL) ]
Jun 25 13:32:55 charon: 12[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 12[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 12[ENC] <con4|1> could not decrypt payloads
Jun 25 13:32:55 charon: 12[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
Jun 25 13:32:55 charon: 12[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (108 bytes)
Jun 25 13:32:55 charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (432 bytes)
Jun 25 13:32:55 charon: 12[ENC] <con4|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jun 25 13:32:55 charon: 12[CFG] <1> selected peer config "con4"
Jun 25 13:32:55 charon: 12[CFG] <1> looking for XAuthInitPSK peer configs matching YY.YY.YY.YY...XX.XX.XX.XX[vpn@xxxxx.xxxxx.xxx]
Jun 25 13:32:55 charon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
Jun 25 13:32:55 charon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
Jun 25 13:32:55 charon: 12[IKE] <1> received Cisco Unity vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received Cisco Unity vendor ID
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 3b:90:31:dc:e4:fc:f8:8b:48:9a:92:39:63:dd:0c:49
Jun 25 13:32:55 charon: 12[IKE] <1> received DPD vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received DPD vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received FRAGMENTATION vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received FRAGMENTATION vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received XAuth vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received XAuth vendor ID
Jun 25 13:32:55 charon: 12[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V ]
Jun 25 13:32:55 charon: 12[NET] <1> received packet: from XX.XX.XX.XX[500] to YY.YY.YY.YY[500] (1190 bytes)
We have the following IPSEC Phase 1 configuration:

Key Exchange version: V1
Internet Protocol: IPv4
Interface: YY.YY.YY.YY (WAN-CARP)

Phase 1 proposal (Authentication)
Authentication method: Mutual PSK + Xauth
Negotiation mode: Aggressive
My identifier: My IP address
Peer identifier: User distinguished name - vpn@xxxxx.xxxxx.xxx
Pre-Shared Key: …..............................................

Phase 1 proposal (Algorithms)
Encryption algorithm: AES 256 bit
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 36000 seconds

Advanced Options
Disable Rekey: NO
Responder Only: NO
NAT Traversal: Force
Dead Peer Detection: NO

Best regards
yarick123 -
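For readers who want to see what the GUI settings in the post above correspond to on the wire, here is the same Phase 1 expressed as a strongSwan ipsec.conf connection. This is an added illustration written for this page, not the file pfSense generates (pfSense's own generated config may name and arrange things differently); it assumes only that pfSense 2.2.x drives the charon daemon visible in the log, and the conn name, the %any peer, and the PSK placeholder are assumptions.

```ini
# Added example: a strongSwan ipsec.conf rendering of the Phase 1 settings from
# the post (not pfSense's generated file). Conn name and placeholders are assumed.
config setup

conn mobile-xauth-psk
    keyexchange=ikev1              # Key Exchange version: V1
    aggressive=yes                 # Negotiation mode: Aggressive
    leftauth=psk                   # Mutual PSK ...
    rightauth=psk
    rightauth2=xauth               # ... + Xauth, this side is the XAuth server
    left=YY.YY.YY.YY               # Interface: WAN-CARP address
    leftid=YY.YY.YY.YY             # My identifier: My IP address
    right=%any                     # mobile clients connect from anywhere (assumed)
    rightid=vpn@xxxxx.xxxxx.xxx    # Peer identifier: User distinguished name (USER_FQDN)
    ike=aes256-sha1-modp1024!      # AES 256 bit / SHA1 / DH group 2; "!" allows no other proposal
    ikelifetime=36000s             # Lifetime: 36000 seconds
    rekey=yes                      # Disable Rekey: NO
    forceencaps=yes                # NAT Traversal: Force (UDP/4500 even without a NAT in the path)
    dpdaction=none                 # Dead Peer Detection: NO
    auto=add                       # load and wait for the clients to initiate

# ipsec.secrets (separate file): the PSK is looked up by the identities above.
# The actual key from the post is elided; <PSK> is a placeholder.
#   YY.YY.YY.YY vpn@xxxxx.xxxxx.xxx : PSK "<PSK>"
```

Two things this makes visible that the GUI hides. First, in IKEv1 aggressive mode with PSK the responder must pick the pre-shared key using the identity the client sends in its very first, unencrypted message, so `rightid` has to be exactly what the client puts in its ID payload; if the responder selects a different PSK (or rejects the identity), both sides derive different SKEYID and the client's next, encrypted message shows up in charon as "could not decrypt payloads". Second, aggressive mode sends the PSK-derived hash in the clear, so anyone who can capture the exchange can run an offline dictionary attack on the PSK; that is inherent to the mode, not to pfSense.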
I'm seeing the same issue with mobile IPSec connections from iOS and OS X that were working with 2.2.2. The client gets a notification "The VPN Shared Secret is incorrect" and the HASH_V1 error pops up in the pfSense logs.
I have another 2.2.2 installation I can use for my mobile clients and the site-to-site IPSec tunnels are working fine between 2.2.2 and 2.2.3, but nothing I have reconfigured with the 2.2.3 installation works for mobile IPSec.
-
The problem seems to be solved by upgrading 2.2.2 -> 2.2.4.
Thank you very much!
Regards
yarick123 -
Can you really confirm that the behaviour you described is solved by upgrading 2.2.2 -> 2.2.4?
I tried my slightly different configuration, which was working with the 2.1.X versions, and upgraded to 2.2.4.
But I still get the error "invalid HASH_V1 payload length, decryption failed". After that I changed my configuration to exactly what you reported, but I still get the same error …
Hence my question: can you really confirm that it is solved for you after updating to 2.2.4? -
@ocz:
Can you really confirm that the behaviour you described is solved by upgrading 2.2.2 -> 2.2.4?
Where the root problem is the same, yes, upgrading will fix it. For any IPsec issues on 2.2.x versions along the lines of what you're seeing, first upgrade to 2.2.4.
Since you're already there and seeing the same, that's likely a circumstance where the configuration was wrong to begin with, but happened to work. Primarily the situation described here:
https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation
You're best off starting a new thread describing what you're doing, what logs you're getting, etc. There are countless possible reasons you can get decryption failed logs, and the circumstance OP described is definitely fine in 2.2.4.
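As the last reply says, "decryption failed" can have many causes, so the useful first step is to establish where in the exchange it happened. The script below is an added example for this page (not code from the thread or from pfSense): it parses charon lines in the newest-first order the pfSense log viewer pastes them in, restores wire order, and reports per IKE_SA whether the aggressive-mode request was parsed, whether a response went out, which incoming packet was the first that could not be decrypted, and whether the client had moved to UDP/4500. The sample lines are a constructed subset of the first post's log with the same XX/YY placeholders; the field names and the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines from the first post, kept in the
# newest-first order in which the post pasted them (XX/YY placeholders as in the post).
SAMPLE_LOG = """\
Jun 25 13:32:55 charon: 14[ENC] <con4|1> could not decrypt payloads
Jun 25 13:32:55 charon: 14[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
Jun 25 13:32:55 charon: 14[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (92 bytes)
Jun 25 13:32:55 charon: 12[IKE] <con4|1> AGGRESSIVE request with message ID 0 processing failed
Jun 25 13:32:55 charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (76 bytes)
Jun 25 13:32:55 charon: 12[ENC] <con4|1> generating INFORMATIONAL_V1 request 4038421101 [ HASH N(PLD_MAL) ]
Jun 25 13:32:55 charon: 12[ENC] <con4|1> could not decrypt payloads
Jun 25 13:32:55 charon: 12[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
Jun 25 13:32:55 charon: 12[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (108 bytes)
Jun 25 13:32:55 charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (432 bytes)
Jun 25 13:32:55 charon: 12[ENC] <con4|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jun 25 13:32:55 charon: 12[CFG] <1> selected peer config "con4"
Jun 25 13:32:55 charon: 12[CFG] <1> looking for XAuthInitPSK peer configs matching YY.YY.YY.YY...XX.XX.XX.XX[vpn@xxxxx.xxxxx.xxx]
Jun 25 13:32:55 charon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
Jun 25 13:32:55 charon: 12[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V ]
Jun 25 13:32:55 charon: 12[NET] <1> received packet: from XX.XX.XX.XX[500] to YY.YY.YY.YY[500] (1190 bytes)
"""

# "Jun 25 13:32:55 charon: 12[ENC] <con4|1> message"; the <tag> is "<conn>|<IKE_SA id>",
# or just "<id>" before charon has selected a peer config.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<subsys>\w+)\] "
    r"<(?P<tag>[^>]+)> ?(?P<msg>.*)$"
)
PKT_RE = re.compile(r"(received|sending) packet: from ([^\[\s]+)\[(\d+)\] to ([^\[\s]+)\[(\d+)\]")


def parse_charon(text):
    """Parse charon syslog lines into dicts; non-charon lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        conn, _, sa = e["tag"].rpartition("|")
        e["conn"] = conn or None
        e["sa"] = int(sa)
        entries.append(e)
    return entries


def chronological(entries, newest_first=True):
    """The pfSense log viewer shows newest lines first; restore wire order."""
    return list(reversed(entries)) if newest_first else list(entries)


def analyze_ike_sa(entries):
    """Walk each IKE_SA in order and locate where the IKEv1 aggressive exchange broke."""
    per_sa = defaultdict(list)
    for e in entries:
        per_sa[e["sa"]].append(e)
    reports = {}
    for sa, events in per_sa.items():
        rep = {"conn": None, "peer": None, "aggressive_request_seen": False,
               "aggressive_response_sent": False, "decrypt_failures": 0,
               "first_failed_packet": None, "nat_t_port_switch": False,
               "established": False, "verdict": "incomplete"}
        last_pkt = None
        for e in events:
            msg = e["msg"]
            if e["conn"]:
                rep["conn"] = e["conn"]
            pkt = PKT_RE.search(msg)
            if pkt and pkt.group(1) == "received":
                rep["peer"] = pkt.group(2)
                last_pkt = msg
                # client moved from UDP/500 to UDP/4500 after the NAT-D exchange: NAT-T is in effect
                if rep["aggressive_response_sent"] and pkt.group(3) == "4500":
                    rep["nat_t_port_switch"] = True
            elif "parsed AGGRESSIVE request" in msg:
                rep["aggressive_request_seen"] = True
            elif "generating AGGRESSIVE response" in msg:
                rep["aggressive_response_sent"] = True
            elif "invalid HASH_V1 payload length" in msg:
                rep["decrypt_failures"] += 1
                if rep["first_failed_packet"] is None:
                    rep["first_failed_packet"] = last_pkt
            elif "IKE_SA" in msg and "established" in msg:
                rep["established"] = True
        if rep["established"]:
            rep["verdict"] = "established"
        elif rep["aggressive_response_sent"] and rep["decrypt_failures"]:
            # The peer's first encrypted message after our aggressive-mode response did not
            # decrypt: the two sides derived different keys, i.e. they disagree on the PSK
            # and/or on the identity used to select it (the case the thread ends on).
            rep["verdict"] = "phase1_decrypt_failure"
        reports[sa] = rep
    return reports


if __name__ == "__main__":
    for sa, rep in analyze_ike_sa(chronological(parse_charon(SAMPLE_LOG))).items():
        print(f"IKE_SA {sa} ({rep['conn']}) peer={rep['peer']} verdict={rep['verdict']} "
              f"decrypt_failures={rep['decrypt_failures']} nat_t={rep['nat_t_port_switch']}")
        print("  first undecryptable packet:", rep["first_failed_packet"])
```

Paste a larger log into SAMPLE_LOG (or read it from a file) to get one report per IKE_SA id; a verdict of phase1_decrypt_failure with the aggressive request parsed and the response sent narrows the problem to Phase 1 keying, which is where PSK and identifier mismatches show up, while a verdict of incomplete with no response sent points at proposal or config selection instead.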