Re: [strongSwan] reconect "loop" with: invalid HASH_V1 payload length, decryption failed

Noel Kuntze Wed, 04 Aug 2021 15:06:15 -0700

Hello Lorenzo,

Looks like the log is truncated between 08:04:33 and 08:10:03.
Please provide complete logs, and get logs from the other peer.
See the HelpRequests article on the wiki for useful debug levels[1].


Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Am 04.08.21 um 08:15 schrieb Lorenzo Milesi:

I've a tunnel between a Fortigate 50E and a StrongSwan 5.8.2 server. The tunnel 
is normally up and running but every x minutes the connection is dropped for 
one minute, and then comes up again.
I checked the FAQs about that error, so I tried explicitly setting PSK for the 
IP address (I had %any before), it seems to last longer but the drop is still 
happening regularly.
Why rekeying doesn't work if connection does?
thanks


Aug  4 08:04:32 vpn01 charon: 06[ENC] generating QUICK_MODE request 1670801381 
[ HASH SA No KE ID ID ]
Aug  4 08:04:32 vpn01 charon: 06[NET] sending packet: from strongswan_ip[4500] 
to forti_ip[4500] (588 bytes)
Aug  4 08:04:32 vpn01 charon: 07[NET] received packet: from forti_ip[4500] to 
strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 07[ENC] parsed INFORMATIONAL_V1 request 
2622873796 [ HASH D ]
Aug  4 08:04:32 vpn01 charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI 
168c51e3
Aug  4 08:04:32 vpn01 charon: 07[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 08[NET] received packet: from forti_ip[4500] to 
strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 08[ENC] parsed INFORMATIONAL_V1 request 474486553 
[ HASH D ]
Aug  4 08:04:32 vpn01 charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI 
168c51e1
Aug  4 08:04:32 vpn01 charon: 08[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 16[NET] received packet: from forti_ip[4500] to 
strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 16[ENC] parsed INFORMATIONAL_V1 request 
3851758626 [ HASH D ]
Aug  4 08:04:32 vpn01 charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 
168c51e2
Aug  4 08:04:32 vpn01 charon: 16[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 12[NET] received packet: from forti_ip[4500] to 
strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 12[ENC] parsed INFORMATIONAL_V1 request 
3352306708 [ HASH D ]
Aug  4 08:04:32 vpn01 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 
168c51e4
Aug  4 08:04:32 vpn01 charon: 12[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 11[NET] received packet: from forti_ip[4500] to 
strongswan_ip[4500] (572 bytes)
Aug  4 08:04:32 vpn01 charon: 11[ENC] parsed QUICK_MODE request 2074613372 [ 
HASH SA No KE ID ID ]
Aug  4 08:04:32 vpn01 charon: 11[CFG] selected proposal: 
ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ
Aug  4 08:04:32 vpn01 charon: 11[IKE] received 3600s lifetime, configured 86400s
Aug  4 08:04:32 vpn01 charon: 15[IKE] remote host is behind NAT
Aug  4 08:04:32 vpn01 charon: 14[IKE] remote host is behind NAT
Aug  4 08:04:32 vpn01 charon: 11[ENC] generating QUICK_MODE response 2074613372 
[ HASH SA No KE ID ID ]
Aug  4 08:04:33 vpn01 charon: 11[NET] sending packet: from strongswan_ip[4500] 
to forti_ip[4500] (588 bytes)
Aug  4 08:04:33 vpn01 charon: 12[NET] received packet: from forti_ip[4500] to 
strongswan_ip[4500] (604 bytes)
Aug  4 08:04:33 vpn01 charon: 12[ENC] invalid HASH_V1 payload length, 
decryption failed?
Aug  4 08:04:33 vpn01 charon: 12[ENC] could not decrypt payloads
Aug  4 08:04:33 vpn01 charon: 12[IKE] message parsing failed
Aug  4 08:04:33 vpn01 charon: 12[ENC] generating INFORMATIONAL_V1 request 
2030801044 [ HASH N(PLD_MAL) ]
Aug  4 08:10:03 vpn01 charon: 10[IKE] giving up after 5 retransmits
Aug  4 08:10:03 vpn01 charon: 10[IKE] restarting CHILD_SA remote01-lan
Aug  4 08:10:03 vpn01 charon: 10[IKE] initiating Main Mode IKE_SA 
remote01-base[151609] to forti_ip
Aug  4 08:10:03 vpn01 charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V 
V ]
Aug  4 08:10:03 vpn01 charon: 10[NET] sending packet: from strongswan_ip[500] 
to forti_ip[500] (240 bytes)
Aug  4 08:10:03 vpn01 charon: 10[IKE] restarting CHILD_SA remote01-wifi
Aug  4 08:10:03 vpn01 charon: 11[NET] received packet: from forti_ip[500] to 
strongswan_ip[500] (188 bytes)
Aug  4 08:10:03 vpn01 charon: 11[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Aug  4 08:10:03 vpn01 charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Aug  4 08:10:03 vpn01 charon: 11[IKE] received DPD vendor ID
Aug  4 08:10:03 vpn01 charon: 11[ENC] received unknown vendor ID: 
82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Aug  4 08:10:03 vpn01 charon: 11[IKE] received FRAGMENTATION vendor ID
Aug  4 08:10:03 vpn01 charon: 11[IKE] received FRAGMENTATION vendor ID
Aug  4 08:10:03 vpn01 charon: 11[CFG] selected proposal: 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Aug  4 08:10:03 vpn01 charon: 08[KNL] creating delete job for CHILD_SA 
ESP/0xc4e0d6cf/strongswan_ip
Aug  4 08:10:03 vpn01 charon: 08[JOB] CHILD_SA ESP/0xc4e0d6cf/strongswan_ip not 
found for delete
Aug  4 08:10:03 vpn01 charon: 06[KNL] creating delete job for CHILD_SA 
ESP/0xc0b04a54/strongswan_ip
Aug  4 08:10:03 vpn01 charon: 06[JOB] CHILD_SA ESP/0xc0b04a54/strongswan_ip not 
found for delete
Aug  4 08:10:03 vpn01 charon: 11[ENC] generating ID_PROT request 0 [ KE No 
NAT-D NAT-D ]
Aug  4 08:10:03 vpn01 charon: 11[NET] sending packet: from strongswan_ip[500] 
to forti_ip[500] (524 bytes)
Aug  4 08:10:03 vpn01 charon: 15[NET] received packet: from forti_ip[500] to 
strongswan_ip[500] (508 bytes)
Aug  4 08:10:03 vpn01 charon: 15[ENC] parsed ID_PROT response 0 [ KE No NAT-D 
NAT-D ]
Aug  4 08:10:04 vpn01 charon: 15[IKE] remote host is behind NAT
Aug  4 08:10:04 vpn01 charon: 15[ENC] generating ID_PROT request 0 [ ID HASH 
N(INITIAL_CONTACT) ]
Aug  4 08:10:04 vpn01 charon: 15[NET] sending packet: from strongswan_ip[4500] 
to forti_ip[4500] (108 bytes)
Aug  4 08:10:04 vpn01 charon: 05[NET] received packet: from forti_ip[4500] to 
strongswan_ip[4500] (92 bytes)
Aug  4 08:10:04 vpn01 charon: 05[ENC] parsed ID_PROT response 0 [ ID HASH ]

ipsec.conf:
conn remote01-base
     keyexchange=ikev1
     fragmentation=yes
     dpdaction=restart
     ike=aes256-sha256-modp3072
     esp=aes256-sha256-modp3072
     keyingtries=%forever
     leftsubnet=172.32.1.0/24
     lifetime=86400
     leftauth=psk
     rightauth=psk
     rightid=Exme
     auto=start
     right=forti_ip

conn remote01-lan
     also=remote01-base
     leftsubnet=172.32.1.0/24
     rightsubnet=192.168.2.0/24

conn remote01-wifi
     also=remote01-base
     leftsubnet=172.32.1.0/24
     rightsubnet=192.168.33.0/24


ipsec.secrets:
forti_ip : PSK abcde

OpenPGP_signature
Description: OpenPGP digital signature

Re: [strongSwan] reconect "loop" with: invalid HASH_V1 payload length, decryption failed

Reply via email to