IPsec invalid HASH_V1 payload length, decryption fail?



  • We are seeing the following message in our IPsec logs:

    invalid HASH_V1 payload length, decryption fail?

    Could you help me understand what this means and how to correct it for a site-to-site VPN?  Thanks.



  • It is some mismatch on the ID or Phase1 configuration.



  • I'm having the same issue - I've recently upgraded from 2.1.5 where a site to site IPSEC tunnel was working fine.
    Now on 2.2 and suddenly the IPSEC tunnel refuses to connect.
    I've gone through line by line in both my phase 1 and phase 2 configurations and they are identical.
    What else could be causing this error?



  • We upgraded a bunch of routers and are seeing similar messages in the logs and similar results.  The tunnel shows up on both ends but no traffic is passing.  If you down the tunnel on the remote and bring it back up it works.  Also if you go into diagnostics and do a ping to the remote endpoint router's private IP address over the LAN port it loses traffic on the first try, usually 1 of 3.  But, after that the tunnel starts passing traffic again.



  • I just got our IPSEC tunnels back online.

    My issue was in regards to both the "My Identifier" and "Peer Identifier" fields in the Phase 1 Proposal (authentication) section.

    After the upgrade, these were set to "distinguished name" with my original values - while the values matched, I do not believe my setting was "distinguished name" prior to the upgrade.
    I believe it was "user distinguished name" as this would not use the auto detected distinguished name but would instead use the user defined value.

    Rather than mess with this, I changed the setting to IP Address and I defined the public WAN IP address in each field - on both pfSense boxes.
    Once I did this, I restarted the IPsec service and the tunnels came up - no more errors.

    I wonder if this is a bug in that during the upgrade process, it's not mapping our original configuration values properly between the 2.1.5 racoon and the 2.2 swan.

    Hope this helps others.



  • I have this problem after upgrading to 2.2.4

    charon: 07[ENC] <con1|2>invalid HASH_V1 payload length, decryption failed?
    charon: 07[ENC] <con1|2>could not decrypt payloads
    charon: 07[IKE] <con1|2>message parsing failed

    I deleted both the phase 1 and phase 2 entry, and also the Shrew Soft VPN client config. And I tried to set up the config with the help of:
    http://www.hacktheory.org/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn-updated-pfsense-21-release/
    AND
    http://boredwookie.net/index.php/blog/how-get-pfsense-ipsec-vpn-work-bb10/

    Still the same problem, even if I set a wrong password or username.. same error

    Shrew Soft error log:

    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel …
    gateway authentication error
    tunnel disabled
    detached from key daemon



  • Based on strongswan
    https://wiki.strongswan.org/issues/460

    try with modeconfig=pull
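    To make the two fixes in this thread concrete (the identifier change in the post above that switched "My Identifier"/"Peer Identifier" to IP addresses, and the modeconfig=pull suggestion for the Shrew Soft road-warrior case), here is an added example of what those settings look like in the strongSwan ipsec.conf that pfSense 2.2.x generates under the hood. This is not a configuration from the thread or from pfSense itself: the addresses, subnets, proposals and conn names are constructed placeholders, and the mapping of the GUI identifier fields onto leftid/rightid is my reading of how pfSense writes the file, not something the thread states.

```conf
# Added example (not from this thread): strongSwan ipsec.conf fragment showing
# the identifier and mode-config settings discussed above. Every address, subnet
# and proposal here is a constructed placeholder (RFC 5737 documentation ranges).

# Site-to-site IKEv1 tunnel with pre-shared key. The conn name is what charon
# prints as <con1|2> in the log lines quoted in this thread.
conn con1
    keyexchange=ikev1
    authby=secret
    # "My Identifier" = IP address -> leftid is this firewall's WAN address.
    # The peer's "Peer Identifier" must carry exactly this value, or Phase 1
    # fails with the HASH_V1 / "could not decrypt payloads" errors above.
    left=203.0.113.1
    leftid=203.0.113.1
    # "Peer Identifier" = IP address -> rightid is the remote WAN address.
    right=198.51.100.1
    rightid=198.51.100.1
    leftsubnet=10.0.1.0/24        # constructed local LAN
    rightsubnet=10.0.2.0/24       # constructed remote LAN
    ike=aes256-sha1-modp1024!     # constructed Phase 1 proposal (must match both ends)
    esp=aes256-sha1!              # constructed Phase 2 proposal
    auto=start

# Mobile (road-warrior) conn for clients such as Shrew Soft. modeconfig=pull is
# the setting the post above suggests trying; it is shown here as an assumed
# hand-edited value, not something the pfSense GUI is claimed to expose.
conn mobile
    keyexchange=ikev1
    authby=secret
    left=203.0.113.1
    leftid=203.0.113.1
    leftsubnet=10.0.1.0/24
    right=%any
    rightsourceip=10.0.3.0/24     # constructed virtual address pool for clients
    modeconfig=pull
    aggressive=yes
    auto=add
```

    The point to check when you see this error is that leftid on one side equals rightid on the other, byte for byte and of the same ID type: an IP-address ID and a distinguished-name ID with the same text are still a mismatch, which is consistent with the upgrade story above where the value survived but the type did not. The corresponding pre-shared key entry in ipsec.secrets is keyed by the same identities (for example `203.0.113.1 198.51.100.1 : PSK "..."` with a placeholder secret), so an ID change there must be mirrored as well.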



  • @inexces:

    I have this problem after upgrading to 2.2.4

    charon: 07[ENC] <con1|2>invalid HASH_V1 payload length, decryption failed?
    charon: 07[ENC] <con1|2>could not decrypt payloads
    charon: 07[IKE] <con1|2>message parsing failed

    Upgrade to latest 2.2.5 snapshot (or release if it's out by the time you see this), that's probably the same root cause as this (which is confirmed fixed by several people in 2.2.5).

