Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KPS
New Contributor III

Invalid ESP packet detected (payload not aligned).

Hi!

 

I am trying to setup a new VPN-tunnel, but I see strange messages:

Invalid ESP packet detected (payload not aligned).

Phase 1+2 seem to be running, but I do not get any packets from the tunnel.

 

Debug shows:

ike 0:XXX: invalid ESP 6 (payload not a multiple of block size) SPI c1acad49 seq 0000002d 36 1 xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy

 

I already checked Phase 2 policies and everything seems to be right. Do you have any idea, what this message could mean?

 

Thank you

KPS

1 Solution
Robin_Svanberg

Hi,

 

we have the same issue with an IPSEC VPN to Juniper.

 

It´s working when we choose SHA1 but not when choosing SHA256 (Juniper: HMAC-SHA-256-128)

 

Anyone else that have had this issue?

 

Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

 

robin.svanberg@ethersec.se

View solution in original post

3 REPLIES 3
KPS
New Contributor III

Hi!

 

I could solve the problem. I do not know why, but Phase 2 with SHA-256 shows that issue - Phase 2 with SHA-1 is working fine.

Robin_Svanberg

Hi,

 

we have the same issue with an IPSEC VPN to Juniper.

 

It´s working when we choose SHA1 but not when choosing SHA256 (Juniper: HMAC-SHA-256-128)

 

Anyone else that have had this issue?

 

Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

 

robin.svanberg@ethersec.se

emnoc
Esteemed Contributor III

It would  help to see you  phase1/2   configurations and diag vpn tunnel list to  get any ideal of the cipher  being used when the error is and is not present. This seems like  padding issues  btw. AES-GCM and AES-CBC for example are not the same and  block vrs streams will need padding in the former.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan