IPSEC Phase 1 Pre-Shared Key Mismatch

Article ID: 222545

Products

Web Security Service - WSS

Issue/Introduction

Unable to establish an IPsec PSK tunnel to the Web Security Service.

Cause

The pre-shared key (PSK) configured for the WSS network location does not match the one in the firewall/router IPsec VPN configuration profile.

Environment

Web Security Service

Resolution

Make sure that the PSK created in the WSS portal under Connectivity > Locations is the same as the one being used in your Firewall IPSec tunnel configuration.

Additional Information

The logs do not contain an error that explicitly reports the key mismatch. Instead, the following messages are shown:

Log output from the initiator (Router/Firewall):

[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed

Log output from the responder (WSS):

[ENC] invalid ID_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[WSS]Initiator=xx.xx.xx.xx_IP, message parsing failed, sending PLD_MAL
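
Because neither side names the PSK as the cause, a log check has to match the message sequence rather than a single error string. The following is an added example, not part of the original article or of any vendor tooling: it scans log lines for the sequence quoted above, and the function name, window size, and sample logs are assumptions constructed for illustration.

```python
import re

# Message texts are the ones quoted in the article; the sample logs below are constructed.
HINT = re.compile(r"\[ENC\] invalid (HASH_V1|ID_V1) payload length, decryption failed\?")
FOLLOW_UPS = ("[ENC] could not decrypt payloads", "[IKE] message parsing failed")
WSS_PEER = re.compile(r"\[WSS\]\s*Initiator=([^,\s]+), message parsing failed, sending PLD_MAL")
# Which side logged the hint, according to the article's two log excerpts.
SIDE = {"HASH_V1": "initiator (router/firewall)", "ID_V1": "responder (WSS)"}


def find_psk_mismatch(lines, window=6):
    """Return one finding per ordered occurrence of the three-message signature."""
    findings = []
    for i, line in enumerate(lines):
        hint = HINT.search(line)
        if not hint:
            continue
        nearby = lines[i + 1 : i + 1 + window]
        pos = 0
        for text in FOLLOW_UPS:  # follow-ups must appear in order after the hint
            pos = next((j + 1 for j in range(pos, len(nearby)) if text in nearby[j]), None)
            if pos is None:
                break
        if pos is None:
            continue  # a lone decryption error is not enough to suspect the PSK
        peer = next((m.group(1) for m in map(WSS_PEER.search, nearby) if m), None)
        findings.append({"line": i + 1, "side": SIDE[hint.group(1)], "peer": peer})
    return findings


# Constructed sample logs (addresses are from documentation ranges).
INITIATOR_LOG = """[IKE] initiating Main Mode IKE_SA to 198.51.100.7
[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed""".splitlines()

RESPONDER_LOG = """[ENC] invalid ID_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[WSS]Initiator=203.0.113.10, message parsing failed, sending PLD_MAL""".splitlines()

INCOMPLETE_LOG = """[ENC] invalid HASH_V1 payload length, decryption failed?
[IKE] sending retransmit 1 of request message""".splitlines()

if __name__ == "__main__":
    for name, log in [("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG)]:
        for f in find_psk_mismatch(log):
            print(f"{name} log line {f['line']}: likely PSK mismatch, seen on {f['side']}, peer={f['peer']}")
```

A match indicates that the PSK should be compared on both ends as described under Resolution; it does not prove the key is the only problem.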