Hi All
I have a IPSEC VPN Tunnel that used to work but after they upgraded their Watchguard FW it doesnt work anymore.
During Phase 1 everything seems to be ok, but at Phase 2 i get an error message "hash verification failed".
Here's an sample from the debug log.
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -831163669:ce7572ebIPSEC(key_
engine): got a queue event...
IPSEC(spi_response): getting spi 0xc0425cbd(3225574589) for SA
from 1.1.1.1 to 2.2.2.2 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP (0): hash verification failed for 4189674709!
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP (0): hash verification failed for 726304479!
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP: reserved not zero on payload 5!
Thanks for any answer's...
/eTTan
I have a IPSEC VPN Tunnel that used to work but after they upgraded their Watchguard FW it doesnt work anymore.
During Phase 1 everything seems to be ok, but at Phase 2 i get an error message "hash verification failed".
Here's an sample from the debug log.
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -831163669:ce7572ebIPSEC(key_
engine): got a queue event...
IPSEC(spi_response): getting spi 0xc0425cbd(3225574589) for SA
from 1.1.1.1 to 2.2.2.2 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP (0): hash verification failed for 4189674709!
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP (0): hash verification failed for 726304479!
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 1.1.1.1, dest 2.2.2.2
ISAKMP: reserved not zero on payload 5!
Thanks for any answer's...
/eTTan
