KPS
New Member
November 14, 2018
Solved

Invalid ESP packet detected (payload not aligned).


Hi!

 

I am trying to set up a new VPN tunnel, but I see strange messages:

Invalid ESP packet detected (payload not aligned).

Phase 1+2 seem to be running, but I do not get any packets from the tunnel.

 

Debug shows:

ike 0:XXX: invalid ESP 6 (payload not a multiple of block size) SPI c1acad49 seq 0000002d 36 1 xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy

 

I already checked the Phase 2 policies and everything seems to be right. Do you have any idea what this message could mean?

 

Thank you

KPS

    Best answer by Robin_Svanberg


    KPS (Author)
    New Member
    November 14, 2018

    Hi!

     

    I could solve the problem. I do not know why, but Phase 2 with SHA-256 shows that issue - Phase 2 with SHA-1 is working fine.

    Robin_Svanberg
    New Member
    December 28, 2018

    Hi,

     

    We have the same issue with an IPsec VPN to Juniper.

    It's working when we choose SHA1 but not when choosing SHA256 (Juniper: HMAC-SHA-256-128).

    Has anyone else had this issue?

    emnoc
    New Member
    December 28, 2018

    It would help to see your phase1/2 configurations and diag vpn tunnel list to get an idea of the cipher being used when the error is and is not present. This seems like a padding issue, btw. AES-GCM and AES-CBC, for example, are not the same, and block vs. stream will need padding in the former.

     

    Ken Felix
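An added example, not from the thread or from either vendor: the length check behind "payload not a multiple of block size", showing how a receiver that assumes a different ICV (integrity tag) length than the sender used ends up with a misaligned encrypted payload. It assumes AES-CBC and a peer mismatch between the 16-byte ICV of HMAC-SHA-256-128 (RFC 4868) and a 12-byte truncation used by some pre-RFC implementations; the thread does not confirm that this is the cause, and the `hmac-sha256-96` label and the 84-byte inner packet are constructed for illustration.

```python
import struct

ESP_HDR = 8  # SPI (4 bytes) + sequence number (4 bytes), RFC 4303
# ICV lengths in bytes; "hmac-sha256-96" is a hypothetical label for the pre-RFC truncation.
ICV_LEN = {"hmac-sha1-96": 12, "hmac-sha256-128": 16, "hmac-sha256-96": 12}

def build_esp(spi, seq, inner_len, iv_len, block, icv_len):
    """Constructed ESP packet with zero bytes in place of real ciphertext and ICV."""
    # Payload + padding + pad-length byte + next-header byte must fill whole blocks.
    pad = -(inner_len + 2) % block
    ciphertext = bytes(inner_len + pad + 2)
    return struct.pack("!II", spi, seq) + bytes(iv_len) + ciphertext + bytes(icv_len)

def check_esp(packet, iv_len, block, icv_len):
    """Receiver-side length check using the receiver's own idea of the ICV length."""
    spi, seq = struct.unpack("!II", packet[:ESP_HDR])
    enc_len = len(packet) - ESP_HDR - iv_len - icv_len
    return {"spi": f"{spi:08x}", "seq": seq, "enc_len": enc_len,
            "aligned": enc_len > 0 and enc_len % block == 0}

def demo():
    # SPI and sequence number are taken from the debug line in the thread; the
    # 84-byte inner packet and AES-CBC (16-byte IV and block) are assumptions.
    sender = build_esp(0xC1ACAD49, 0x2D, 84, 16, 16, ICV_LEN["hmac-sha256-128"])
    return {
        "both_128": check_esp(sender, 16, 16, ICV_LEN["hmac-sha256-128"]),
        "receiver_96": check_esp(sender, 16, 16, ICV_LEN["hmac-sha256-96"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

When both ends use HMAC-SHA1-96 the ICV is 12 bytes on each side, so the same check passes, which is consistent with the SHA-1 behaviour reported above.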