IPSec Tunnel IKEv1 - invalid ESP packed detected

Question

I was trying to establish a VPN IPSec tunnel against a Cisco Meraki MX90.
We are using FortiOS 7.2.11

Config matched on both sides.
P1
IKEv1 - AES256-SHA256 DH14

P2
AES256-SHA256 DH14

Both P1 and P2 were up, although, P2 was flapping sometimes.
No packets going through.
Found this in the logs:

Invalid ESP packet detected (payload not aligned)

After a Google search - Solved: Invalid ESP packet detected (payload not aligned). - Fortinet Community
When P2 was changed to SHA1 we were able to establish connectivity.

Does anyone know why does this happen?

tbarua · Answer

Hi Tiago_Silva,Upon researching the errors encountered, it appears that the issue may be related to the Cisco device using a different truncation method after the completion of Phase 1 and Phase 2 negotiations. Truncating is explained in RFC 4868: https://tools.ietf.org/html/rfc4868 SHA256 means, FGT is using HMAC-SHA-256-128 and may be the other end Cyberroam is not using the same HMAC for ESP instead. To verify this, you can perform a packet capture on the ESP protocol in Wireshark and decode the packets using decryption keys to confirm the HMAC used by Cisco for communication. You can take a pcap by the following cmd: diagnose sniffer packet any 'esp and host x.x.x.x' 6 0 a (Replace "x.x.x.x" with the remote end IP.)

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded