    [SOLVED] 2.2.2->2.2.3,IPSEC:"invalid HASH_V1 payload length, decryption failed?"

    Category: IPsec
    5 Posts 4 Posters 7.2k Views
    yarick123

      Hello,

      After upgrading pfSense from version 2.2.2 to 2.2.3, our IPSEC for mobile clients has stopped working. All clients get the message "gateway authentication error".
      The message "invalid HASH_V1 payload length, decryption failed?" appears in the logs.

      We use Shrew Soft VPNCLIENT v.2.2.2 on Windows 7 and Windows XP.

      Unfortunately we had to switch back to version 2.2.2.

      Here is a cut from the log file (in reversed order):

      Jun 25 13:32:55	charon: 14[IKE] <con4|1> INFORMATIONAL_V1 request with message ID 2583112657 processing failed
      Jun 25 13:32:55	charon: 14[IKE] <con4|1> INFORMATIONAL_V1 request with message ID 2583112657 processing failed
      Jun 25 13:32:55	charon: 14[IKE] <con4|1> ignore malformed INFORMATIONAL request
      Jun 25 13:32:55	charon: 14[IKE] <con4|1> ignore malformed INFORMATIONAL request
      Jun 25 13:32:55	charon: 14[IKE] <con4|1> message parsing failed
      Jun 25 13:32:55	charon: 14[IKE] <con4|1> message parsing failed
      Jun 25 13:32:55	charon: 14[ENC] <con4|1> could not decrypt payloads
      Jun 25 13:32:55	charon: 14[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
      Jun 25 13:32:55	charon: 14[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (92 bytes)
      Jun 25 13:32:55	charon: 12[IKE] <con4|1> AGGRESSIVE request with message ID 0 processing failed
      Jun 25 13:32:55	charon: 12[IKE] <con4|1> AGGRESSIVE request with message ID 0 processing failed
      Jun 25 13:32:55	charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (76 bytes)
      Jun 25 13:32:55	charon: 12[ENC] <con4|1> generating INFORMATIONAL_V1 request 4038421101 [ HASH N(PLD_MAL) ]
      Jun 25 13:32:55	charon: 12[IKE] <con4|1> message parsing failed
      Jun 25 13:32:55	charon: 12[IKE] <con4|1> message parsing failed
      Jun 25 13:32:55	charon: 12[ENC] <con4|1> could not decrypt payloads
      Jun 25 13:32:55	charon: 12[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
      Jun 25 13:32:55	charon: 12[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (108 bytes)
      Jun 25 13:32:55	charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (432 bytes)
      Jun 25 13:32:55	charon: 12[ENC] <con4|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
      Jun 25 13:32:55	charon: 12[CFG] <1> selected peer config "con4"
      Jun 25 13:32:55	charon: 12[CFG] <1> looking for XAuthInitPSK peer configs matching YY.YY.YY.YY...XX.XX.XX.XX[vpn@xxxxx.xxxxx.xxx]
      Jun 25 13:32:55	charon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
      Jun 25 13:32:55	charon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
      Jun 25 13:32:55	charon: 12[IKE] <1> received Cisco Unity vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received Cisco Unity vendor ID
      Jun 25 13:32:55	charon: 12[ENC] <1> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
      Jun 25 13:32:55	charon: 12[ENC] <1> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
      Jun 25 13:32:55	charon: 12[ENC] <1> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
      Jun 25 13:32:55	charon: 12[ENC] <1> received unknown vendor ID: 3b:90:31:dc:e4:fc:f8:8b:48:9a:92:39:63:dd:0c:49
      Jun 25 13:32:55	charon: 12[IKE] <1> received DPD vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received DPD vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received FRAGMENTATION vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received FRAGMENTATION vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jun 25 13:32:55	charon: 12[ENC] <1> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
      Jun 25 13:32:55	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received XAuth vendor ID
      Jun 25 13:32:55	charon: 12[IKE] <1> received XAuth vendor ID
      Jun 25 13:32:55	charon: 12[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V ]
      Jun 25 13:32:55	charon: 12[NET] <1> received packet: from XX.XX.XX.XX[500] to YY.YY.YY.YY[500] (1190 bytes)


      We have the following IPSEC Phase 1 configuration:

      Key Exchange version: V1
      Internet Protocol: IPv4
      Interface: YY.YY.YY.YY (WAN-CARP)

      Phase 1 proposal  (Authentication)

      Authentication method: Mutual PSK + Xauth
      Negotiation mode: Aggressive
      My identifier: My IP address
      Peer identifier: User distinguished name - vpn@xxxxx.xxxxx.xxx
      Pre-Shared Key: …..............................................

      Phase 1 proposal (Algorithms)

      Encryption algorithm: AES 256 bit
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)

      Lifetime: 36000 seconds

      Advanced Options

      Disable Rekey: NO
      Responder Only: NO
      NAT Traversal: Force
      Dead Peer Detection: NO

      Best regards
      yarick123

      Philander

        I'm seeing the same issue with mobile IPSec connections from iOS and OS X that were working with 2.2.2. The client gets a notification "The VPN Shared Secret is incorrect" and the HASH_V1 error pops up in the pfSense logs.

        I have another 2.2.2 installation I can use for my mobile clients and the site-to-site IPSec tunnels are working fine between 2.2.2 and 2.2.3, but nothing I have reconfigured with the 2.2.3 installation works for mobile IPSec.

        yarick123

          The problem seems to be solved by upgrade 2.2.2 -> 2.2.4.

          Thank you very much!

          Regards
          yarick123

          ocz

            Can you really confirm that your described behaviour is solved by upgrading 2.2.2 -> 2.2.4?

            I tried my slightly different configuration, which was working with 2.1.X versions, and upgraded to 2.2.4.
            But I still get the error "invalid HASH_V1 payload length, decryption failed".

            After that I changed my configuration exactly to what you reported; still I get the same error …
            Therefore my question: can you really confirm that it is solved for you with updating to 2.2.4?

            cmb

              @ocz:

              Can you really confirm that your described behaviour is solved by upgrading 2.2.2 -> 2.2.4?

              Where the root problem is the same, yes, upgrading will fix it. For any IPsec issues on 2.2.x versions along the lines of what you're seeing, first upgrade to 2.2.4.

              Since you're already there and seeing the same, that's likely a circumstance where the configuration was wrong to begin with, but happened to work. Primarily the situation described here:
              https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

              You're best off starting a new thread describing what you're doing, what logs you're getting, etc. There are countless possible reasons you can get decryption failed logs, and the circumstance OP described is definitely fine in 2.2.4.

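As an added example (not code from this thread, pfSense or strongSwan), a small Python checker that reads charon log lines in the format quoted in the first post, groups them per IKE_SA, and flags the pattern cmb points at: an aggressive-mode response was sent, then the client's next (encrypted) message could not be decrypted, which is what a PSK or Phase 1 identifier mismatch looks like on the responder. The sample lines below are constructed placeholders, not the poster's real addresses or identity.

```python
import re
from collections import defaultdict

# Constructed sample in the charon log format quoted above (placeholder addresses/identity).
SAMPLE_LOG = """\
Jun 25 13:32:55\tcharon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
Jun 25 13:32:55\tcharon: 12[CFG] <1> looking for XAuthInitPSK peer configs matching YY.YY.YY.YY...XX.XX.XX.XX[vpn@xxxxx.xxxxx.xxx]
Jun 25 13:32:55\tcharon: 12[CFG] <1> selected peer config "con4"
Jun 25 13:32:55\tcharon: 12[ENC] <con4|1>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jun 25 13:32:55\tcharon: 12[ENC] <con4|1>invalid HASH_V1 payload length, decryption failed?
Jun 25 13:32:55\tcharon: 12[ENC] <con4|1>could not decrypt payloads
Jun 25 13:32:55\tcharon: 12[IKE] <con4|1>AGGRESSIVE request with message ID 0 processing failed
"""

# charon prefix: "<thread>[SUBSYSTEM] <conn|sa_id>" once a config is selected, "<sa_id>" before that.
LINE_RE = re.compile(r"charon: \d+\[(?P<sub>[A-Z]+)\] <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)")
PEER_ID_RE = re.compile(r"peer configs matching \S+\.\.\.\S+?\[(?P<pid>[^\]]+)\]")

def parse_charon(log_text):
    """Yield (sa_id, conn, subsystem, message) for every charon line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["sa"], m["conn"], m["sub"], m["msg"]

def diagnose(log_text):
    """Per IKE_SA: record the selected config and peer ID, and classify the decryption failure."""
    sas = defaultdict(lambda: {"conn": None, "peer_id": None,
                               "aggressive": False, "decrypt_failed": False})
    for sa, conn, sub, msg in parse_charon(log_text):
        st = sas[sa]
        if conn:
            st["conn"] = conn
        pid = PEER_ID_RE.search(msg)
        if pid:
            st["peer_id"] = pid["pid"]
        if "generating AGGRESSIVE response" in msg:
            st["aggressive"] = True
        if "invalid HASH_V1 payload length" in msg or "could not decrypt payloads" in msg:
            st["decrypt_failed"] = True
    for st in sas.values():
        # The client's message after our aggressive-mode response is the first one encrypted
        # with keys derived from the PSK, so failing exactly there points at a PSK or
        # Phase 1 identifier mismatch (wrong peer config selected) rather than at transport.
        if st["aggressive"] and st["decrypt_failed"]:
            st["verdict"] = "psk_or_identifier_mismatch"
        elif st["decrypt_failed"]:
            st["verdict"] = "decryption_failed_other"
        else:
            st["verdict"] = "ok"
    return dict(sas)
```

Feed it the real log (oldest line first or reversed, order does not matter for the verdict) and compare the reported peer ID against the Peer identifier configured on the Phase 1 entry.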