Invalid ESP packet detected (payload not aligned).
Hi!
I am trying to set up a new VPN tunnel, but I see strange messages:
Invalid ESP packet detected (payload not aligned).
Phase 1+2 seem to be running, but I do not get any packets from the tunnel.
Debug shows:
ike 0:XXX: invalid ESP 6 (payload not a multiple of block size) SPI c1acad49 seq 0000002d 36 1 xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy
I already checked Phase 2 policies and everything seems to be right. Do you have any idea what this message could mean?
Thank you
KPS
Hi,
we have the same issue with an IPSEC VPN to Juniper.
It's working when we choose SHA1 but not when choosing SHA256 (Juniper: HMAC-SHA-256-128)
Has anyone else had this issue?
Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden
robin.svanberg@ethersec.se
Hi!
I could solve the problem. I do not know why, but Phase 2 with SHA-256 shows that issue - Phase 2 with SHA-1 is working fine.
It would help to see your phase1/2 configurations and diag vpn tunnel list to get an idea of the cipher being used when the error is and is not present. This seems like padding issues btw. AES-GCM and AES-CBC for example are not the same and block vs. streams will need padding in the former.
Ken Felix
PCNSE
NSE
StrongSwan
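
Added example, not part of any post in this thread and not vendor code: a Python sketch of the length check behind "payload not a multiple of block size", showing how a receiver that assumes a different ICV length than the sender used ends up with unaligned ciphertext. That the two peers disagree on ICV length is an assumption the thread does not confirm; the packet is constructed (only the SPI and sequence number are taken from the debug line), and the function names are hypothetical.

```python
import struct

# (IV length, block size) in bytes for ESP CBC ciphers (RFC 2451, RFC 3602).
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# ICV length in bytes per integrity transform (RFC 2404, RFC 4868).
ICV_LEN = {"hmac-sha1-96": 12, "hmac-sha-256-128": 16}


def esp_alignment(packet, iv_len, block, icv_len):
    """Split an ESP packet the way a receiver configured for one transform
    would: SPI(4) | seq(4) | IV | ciphertext | ICV (RFC 4303 layout).
    Returns (spi, seq, ciphertext_len, aligned)."""
    if len(packet) < 8 + iv_len + icv_len:
        raise ValueError("packet shorter than ESP header + IV + ICV")
    spi, seq = struct.unpack("!II", packet[:8])
    ct_len = len(packet) - 8 - iv_len - icv_len
    return spi, seq, ct_len, ct_len > 0 and ct_len % block == 0


def consistent_transforms(packet):
    """Every (cipher, integrity) pair under which the ciphertext is
    block-aligned. Alignment only rules combinations out; it does not
    prove which transform the sender actually used."""
    hits = []
    for cipher, (iv_len, block) in CIPHERS.items():
        for integ, icv_len in ICV_LEN.items():
            if len(packet) < 8 + iv_len + icv_len:
                continue
            if esp_alignment(packet, iv_len, block, icv_len)[3]:
                hits.append((cipher, integ))
    return sorted(hits)


# Constructed sample: sender used AES-CBC (16-byte IV, 32 bytes of
# ciphertext) and appended a 12-byte ICV. Payload bytes are zero filler.
SAMPLE = struct.pack("!II", 0xC1ACAD49, 0x2D) + bytes(16) + bytes(32) + bytes(12)

if __name__ == "__main__":
    for icv in (12, 16):
        spi, seq, ct_len, ok = esp_alignment(SAMPLE, 16, 16, icv)
        verdict = "ok" if ok else "payload not a multiple of block size"
        print(f"SPI {spi:08x} seq {seq:08x} ICV={icv}: ciphertext {ct_len} bytes, {verdict}")
    print("aligned under:", consistent_transforms(SAMPLE))
```

Running the same check over a captured packet's length narrows down which phase 2 proposals on each side are even compatible with what is on the wire.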
