IPSEC Phase 1 Pre-Shared Key Mismatch


Article ID: 222545


Web Security Service - WSS


Unable to establish an IPsec PSK Tunnel to the Web Security Service


A mismatched pre-shared key between the WSS Network location and the firewall/router VPN IPSec configuration profile.


Web Security Service


Make sure that the PSK created in the WSS portal under Connectivity > Locations is the same as the one being used in your Firewall IPSec tunnel configuration.

Type in the password manually as copying/pasting could inadvertently add a blank space.

Additional Information

The log does not print an error stating that this value is mismatched. Instead, these messages are shown:

Log output from the initiator (Router/Firewall):

[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed

Log output from the responder (WSS):

[ENC] invalid ID_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[WSS]Initiator=xx.xx.xx.xx_IP, message parsing failed, sending PLD_MAL
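
Because the logs never name the PSK as the cause, it helps to match the three-message sequence above as one signature. The following is an added example, not part of the original article or any vendor tooling: a small Python detector for that sequence, plus a check for the stray whitespace a paste can introduce. The function names, the 5-line window, and the sample timestamps and address are assumptions made for illustration.

```python
import re

# Payload named in the first message -> which side's log it is, per the article.
ROLE_BY_PAYLOAD = {"HASH_V1": "initiator", "ID_V1": "responder"}
FIRST = re.compile(r"\[ENC\] invalid (HASH_V1|ID_V1) payload length, decryption failed\?")
FOLLOW_UPS = ("[ENC] could not decrypt payloads", "[IKE] message parsing failed")
PEER = re.compile(r"\[WSS\]\s*Initiator=(\S+?),")


def find_psk_mismatch(lines, window=5):
    """Return one finding per three-message signature (follow-ups within `window` lines)."""
    findings = []
    for i, line in enumerate(lines):
        m = FIRST.search(line)
        if not m:
            continue
        tail = lines[i + 1 : i + 1 + window]
        pos = 0
        # The follow-up messages must appear in order; other lines may sit between them.
        for needle in FOLLOW_UPS:
            pos = next((j + 1 for j in range(pos, len(tail)) if needle in tail[j]), None)
            if pos is None:
                break
        if pos is None:
            continue
        peer = next((p.group(1) for p in map(PEER.search, tail) if p), None)
        findings.append({"line": i + 1, "role": ROLE_BY_PAYLOAD[m.group(1)], "peer": peer})
    return findings


def has_stray_whitespace(psk):
    """True if the key carries leading/trailing whitespace, as a paste can add."""
    return psk != psk.strip()


# Constructed sample: the article's responder messages with made-up timestamps,
# an unrelated first line, and a documentation-range address (203.0.113.10).
SAMPLE = """\
10:15:01 [NET] received packet
10:15:01 [ENC] invalid ID_V1 payload length, decryption failed?
10:15:01 [ENC] could not decrypt payloads
10:15:01 [IKE] message parsing failed
10:15:01 [WSS]Initiator=203.0.113.10, message parsing failed, sending PLD_MAL
""".splitlines()

if __name__ == "__main__":
    for f in find_psk_mismatch(SAMPLE):
        print(f"line {f['line']}: probable PSK mismatch ({f['role']} log), peer={f['peer']}")
```

A match indicates a probable PSK mismatch, not proof of one; confirm by comparing the key in the WSS portal with the firewall configuration.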