IPSEC Phase 1 Pre-Shared Key Mismatch


Article ID: 222545



Web Security Service - WSS


Unable to establish an IPsec PSK Tunnel to the Web Security Service


The pre-shared key configured for the WSS Network location does not match the one in the firewall/router VPN IPsec configuration profile.


Web Security Service


Make sure that the PSK created in the WSS portal under Connectivity > Locations is the same as the one being used in your Firewall IPSec tunnel configuration.

Additional Information

The log does not print an error stating that the PSK is mismatched. Instead, these messages are shown:

Log output from the initiator (Router/Firewall):

[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed

Log output from the responder (WSS):

[ENC] invalid ID_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[WSS]Initiator=xx.xx.xx.xx_IP, message parsing failed, sending PLD_MAL
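
Because no log line names the PSK as the cause, the three-message sequence above is the only signature to search for. The following is an added example, not part of the original article or any vendor tooling: the function name `find_psk_mismatch`, the 5-line window, and the sample log lines (including the `[NET]` lines and documentation IP addresses) are constructed for illustration.

```python
import re

# Message text taken from the log excerpts in this article.
BAD_LEN = re.compile(r"\[ENC\] invalid (HASH_V1|ID_V1) payload length, decryption failed\?")
NO_DECRYPT = "[ENC] could not decrypt payloads"
PARSE_FAIL = "message parsing failed"
# Which side logs which payload name, per the article's two excerpts.
SIDE = {"HASH_V1": "initiator (router/firewall)", "ID_V1": "responder (WSS)"}

def find_psk_mismatch(lines, window=5):
    """Report each 'invalid payload length' line that is followed, in order and
    within `window` lines, by 'could not decrypt payloads' and then
    'message parsing failed'. A lone parsing failure is not reported."""
    findings, i = [], 0
    while i < len(lines):
        m = BAD_LEN.search(lines[i])
        if m:
            tail = lines[i + 1 : i + 1 + window]
            d = next((k for k, l in enumerate(tail) if NO_DECRYPT in l), None)
            p = None
            if d is not None:
                p = next((k for k, l in enumerate(tail) if k > d and PARSE_FAIL in l), None)
            if p is not None:
                findings.append({"line": i + 1, "payload": m.group(1),
                                 "side": SIDE[m.group(1)]})
                i += p + 2  # resume after the matched 'message parsing failed'
                continue
        i += 1
    return findings

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
[NET] received packet: from 192.0.2.10[500] to 198.51.100.20[500]
[ENC] invalid ID_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[IKE] message parsing failed
[ENC] invalid HASH_V1 payload length, decryption failed?
[NET] sending packet: from 198.51.100.20[500] to 192.0.2.10[500]
[ENC] could not decrypt payloads
[IKE] message parsing failed
[ENC] invalid HASH_V1 payload length, decryption failed?
[IKE] sending keep alive
""".splitlines()

if __name__ == "__main__":
    for f in find_psk_mismatch(SAMPLE_LOG):
        print(f"line {f['line']}: likely PSK mismatch, {f['payload']} "
              f"undecryptable, logged by {f['side']}")
```

A hit means the Phase 1 payloads could not be decrypted, which is what the article attributes to a mismatched PSK; confirm by comparing the key in the WSS portal with the one on the firewall.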