Netgate Discussion Forum

IPsec invalid HASH_V1 payload length, decryption fail?

8 Posts 7 Posters 32.9k Views
    SaveFerris (last edited Feb 9, 2015, 7:02 PM)

    We are seeing the following message in our IPsec logs:

    invalid HASH_V1 payload length, decryption fail?

    Could you help me understand what this means and how to correct it for a site-to-site VPN?  Thanks.

      eri-- (last edited Feb 9, 2015, 7:06 PM)

      It is some mismatch on the ID or Phase1 configuration.

        tlrnj (last edited Feb 11, 2015, 2:00 PM)

        I'm having the same issue. I've recently upgraded from 2.1.5, where a site-to-site IPsec tunnel was working fine.
        Now on 2.2 the IPsec tunnel suddenly refuses to connect.
        I've gone through line by line in both my phase 1 and phase 2 configurations and they are identical.
        What else could be causing this error?

          lw9474 (last edited Feb 11, 2015, 3:25 PM)

          We upgraded a bunch of routers and are seeing similar messages in the logs and similar results. The tunnel shows up on both ends but no traffic is passing. If you down the tunnel on the remote end and bring it back up, it works. Also, if you go into Diagnostics and ping the remote endpoint router's private IP address over the LAN port, it loses traffic on the first try, usually 1 of 3. But after that the tunnel starts passing traffic again.

            tlrnj (last edited Feb 11, 2015, 3:48 PM)

            I just got our IPsec tunnels back online.

            My issue was with both the "My Identifier" and "Peer Identifier" fields in the Phase 1 Proposal (authentication) section.

            After the upgrade, these were set to "distinguished name" with my original values. While the values matched, I do not believe my setting was "distinguished name" prior to the upgrade.
            I believe it was "user distinguished name", as this would not use the auto-detected distinguished name but would instead use the user-defined value.

            Rather than mess with this, I changed the setting to IP Address and defined the public WAN IP address in each field, on both pfSense boxes.
            Once I did this, I restarted the IPsec service and the tunnels came up, with no more errors.

            I wonder if this is a bug in the upgrade process, in that it's not mapping our original configuration values properly between the 2.1.5 racoon and the 2.2 strongSwan.

            Hope this helps others.

              inexces (last edited Sep 12, 2015, 5:34 PM)

              I have this problem after upgrading to 2.2.4.

              charon: 07[ENC] <con1|2>invalid HASH_V1 payload length, decryption failed?
              charon: 07[ENC] <con1|2>could not decrypt payloads
              charon: 07[IKE] <con1|2>message parsing failed

              I deleted both the phase 1 and phase 2 entries, and also the Shrew Soft VPN client config, and tried to set up the config with the help of:
              http://www.hacktheory.org/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn-updated-pfsense-21-release/
              AND
              http://boredwookie.net/index.php/blog/how-get-pfsense-ipsec-vpn-work-bb10/

              Still the same problem; even if I set a wrong password or username, same error.

              Shrewsoft error log:

              peer configured
              iskamp proposal configured
              esp proposal configured
              client configured
              local id configured
              remote id configured
              pre-shared key configured
              bringing up tunnel …
              gateway authentication error
              tunnel disabled
              detached from key daemon

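An added triage helper, not code from any poster, pfSense or strongSwan, that parses charon lines like those quoted above, groups them by connection and IKE_SA, and reports which connections show the decryption-failure sequence; the sample log lines, the documentation-range addresses and the hint text are constructed from this thread's posts.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the charon output quoted in this thread
# (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
charon: 07[ENC] <con1|2> invalid HASH_V1 payload length, decryption failed?
charon: 07[ENC] <con1|2> could not decrypt payloads
charon: 07[IKE] <con1|2> message parsing failed
charon: 09[IKE] <con2|5> IKE_SA con2[5] established between 203.0.113.10[203.0.113.10]...192.0.2.20[192.0.2.20]
charon: 11[ENC] <con1|3> invalid HASH_V1 payload length, decryption failed?
charon: 11[ENC] <con1|3> could not decrypt payloads
"""

# charon prefixes each line with a thread id, the subsystem and a <connection|IKE_SA> tag.
LINE_RE = re.compile(r"charon: \d+\[(?P<subsys>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*(?P<msg>.*)")

# The three messages seen together when the first encrypted IKEv1 payload cannot be
# decrypted: garbage plaintext makes the HASH_V1 length check fail, so parsing stops.
DECRYPT_FAIL_MARKERS = (
    "invalid HASH_V1 payload length",
    "could not decrypt payloads",
    "message parsing failed",
)
# Thread consensus on what to compare on both peers when the sequence appears.
HINT = "Phase 1 mismatch: check My/Peer Identifier and the pre-shared key on both peers"

def parse_charon_lines(text):
    """Yield (conn, sa, subsys, msg) for each line in charon's format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["conn"], int(m["sa"]), m["subsys"], m["msg"]

def find_decrypt_failures(text):
    """Map each (conn, IKE_SA) to the failure markers seen, in log order."""
    hits = defaultdict(list)
    for conn, sa, _subsys, msg in parse_charon_lines(text):
        hits[(conn, sa)].extend(mk for mk in DECRYPT_FAIL_MARKERS if mk in msg)
    return {key: mks for key, mks in hits.items() if mks}

def triage(text):
    """Per connection: failed IKE_SAs, how many showed the full three-line sequence, and a hint."""
    summary = {}
    for (conn, _sa), markers in find_decrypt_failures(text).items():
        entry = summary.setdefault(conn, {"failed_sas": 0, "full_sequence": 0, "hint": HINT})
        entry["failed_sas"] += 1
        entry["full_sequence"] += int(markers == list(DECRYPT_FAIL_MARKERS))
    return summary
```

Feed it the IPsec log export from Status > System Logs; a connection whose every IKE_SA shows the full sequence while the peer reports "gateway authentication error" (as in the Shrew Soft log above) points at the Phase 1 settings rather than at Phase 2.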
                dcandea (last edited Oct 25, 2015, 6:31 PM)

                Based on strongSwan issue https://wiki.strongswan.org/issues/460,
                try with modeconfig=pull.

                  cmb (last edited Oct 27, 2015, 1:52 AM)

                  @inexces:

                  I have this problem after upgrading to 2.2.4

                  charon: 07[ENC] <con1|2>invalid HASH_V1 payload length, decryption failed?
                  charon: 07[ENC] <con1|2>could not decrypt payloads
                  charon: 07[IKE] <con1|2>message parsing failed

                  Upgrade to the latest 2.2.5 snapshot (or the release, if it's out by the time you see this); that's probably the same root cause as this, which is confirmed fixed by several people in 2.2.5.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.