04-01-2014 04:28 PM
Hi
I have been struggling with this problem for one week and tried all configurations (except the right one).
I have two Cisco routers (one RV215W and one SRP521).
The SRP521 was used in a client-server configuration and works fine.
I wanted to move to a site-to-site config behind an internet box (using NAT to make things more complex).
On Site G
(LAN)192.168.25.0/24 === 192.168.25.1(CISCO RV215X)192.168.10.161 192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public address on site G)
On Site R
(LAN)192.168.15.0/24 === 192.168.15.1(CISCO SRP521)192.168.1.2 192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public address on site R)
So I have NAT (so I have activated NAT traversal on both sides)
On the RV215W (Site G)
IKE Policy Table
Mode:main
Local identifier : 192.168.10.161
Remote identifier 192.168.1.2
AES128/SHA1
DH Group2
xauth disabled
VPN policy table
Type:autopolicy
remote endpoint 41.F.G.H
Local 192.168.25.1/255.255.255.0
remote 192.168.15.1/255.255.255.0
AES128/SHA1
PFS Keygroup: disable
On site R (SRP521W)
IKE
Policy Name gnt
Exchange Mode Main
Encryption Algorithm AES128
Authentication Algorithm SHA-1
Diffie-Hellman (DH) Group Group 2 (1024 bit)
Auto Pre-Shared Key XXXXXXXXXX
Enable Dead Peer Detection Enable
DPD Interval 3600
DPD Timeout 3600
XAUTH client Disable
IP Sec
Status Enable
Policy Name rabat
Local Group Type IP Address & Subnet
Local Group IP Address 192.168.15.1
Local Group IP Subnet 255.255.255.0
Remote Endpoint IP Address
Remote security gateway address 192.168.10.161
Remote security domain name
Remote group type IP Address & Subnet
Remote group IP 192.168.25.1
Remote group Subnet Mask 255.255.255.0
Encrypted algorithm 3DES
Integrity algorithm SHA-1
Policy type Auto
Manual encryption key
Manual auth key
Inbound SPI
Outbound SPI
PFS Disable
Key life time 7800
Now using IKE policy gnt
These are the logs
6 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500
7 2014-04-02 0:08:05 AM debug pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad
8 2014-04-02 0:08:05 AM debug pluto[22201]: | payload malformed after IV
9 2014-04-02 0:08:05 AM info pluto[22201]: "rabat" #2: malformed payload in packet
10 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: malformed payload in packet
11 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
12 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled
13 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
14 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: new NAT mapping for #2, was 41.F.G.H:500, now 41.F.G.H:4500
15 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
16 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
17 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R2: sent MR2, expecting MI3
18 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
19 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
20 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R1: sent MR1, expecting MI2
21 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
22 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: responding to Main Mode
23 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
24 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
25 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
26 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
27 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [RFC 3947] method set to=109
28 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [Dead Peer Detection]
29 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: ignoring unknown Vendor ID payload [4f4543714271574c644b7a41]
I guess that the error is "byte 2 of ISAKMP Hash Payload must be zero, but is not"
I could not find any real hint on the internet/forums about this error
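Added example, not part of the original post or of either router's software: a small Python check that compares the two policy listings above for proposal mismatches, non-mirrored traffic selectors, and a peer endpoint set to an RFC 1918 address. The dictionary field names are hypothetical, and because the post masks the public addresses, 203.0.113.10 is a constructed stand-in for 41.F.G.H; the check lists differences between the listings and makes no statement about the logged error.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROPOSAL_KEYS = ("ike_mode", "ike_enc", "ike_auth", "ike_dh",
                 "esp_enc", "esp_auth", "pfs")

def norm(value):
    """Normalise vendor spellings: 'SHA-1' -> 'sha1', 'Group 2 (1024 bit)' -> 'group2'."""
    return re.sub(r"[^a-z0-9]", "", re.sub(r"\(.*?\)", "", value).lower())

def net(addr, mask):
    """Turn a host address plus mask (as typed in the GUIs) into its network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def compare(a, b):
    """Return the settings that differ between two site-to-site peers."""
    findings = []
    for key in PROPOSAL_KEYS:
        if norm(a[key]) != norm(b[key]):
            findings.append(f"{key}: {a['name']}={a[key]} / {b['name']}={b[key]}")
    for x, y in ((a, b), (b, a)):
        # Each side's local selector must equal the other side's remote selector.
        if net(*x["local"]) != net(*y["remote"]):
            findings.append(f"selector: {x['name']} local != {y['name']} remote")
        # Both gateways sit behind separate NAT boxes, so a private peer
        # address is not routable from the other site.
        peer = ipaddress.ip_address(x["peer"])
        if any(peer in n for n in RFC1918):
            findings.append(f"peer: {x['name']} points at private address {peer}")
    return findings

# Values transcribed from the two listings in the post (field names are hypothetical).
SITE_G = {"name": "RV215W", "ike_mode": "main", "ike_enc": "AES128",
          "ike_auth": "SHA1", "ike_dh": "Group2", "esp_enc": "AES128",
          "esp_auth": "SHA1", "pfs": "disable",
          "local": ("192.168.25.1", "255.255.255.0"),
          "remote": ("192.168.15.1", "255.255.255.0"),
          "peer": "203.0.113.10"}  # constructed stand-in for 41.F.G.H
SITE_R = {"name": "SRP521", "ike_mode": "Main", "ike_enc": "AES128",
          "ike_auth": "SHA-1", "ike_dh": "Group 2 (1024 bit)", "esp_enc": "3DES",
          "esp_auth": "SHA-1", "pfs": "Disable",
          "local": ("192.168.15.1", "255.255.255.0"),
          "remote": ("192.168.25.1", "255.255.255.0"),
          "peer": "192.168.10.161"}

if __name__ == "__main__":
    for finding in compare(SITE_G, SITE_R):
        print(finding)
```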
06-21-2018 07:50 PM
Hi, do you recall how you fixed this issue? Facing the same problem.