IPSEC Phase 1 Pre-Shared Key Mismatch

Article ID: 222545

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Unable to establish an IPsec PSK Tunnel to the Web Security Service

Cause

The pre-shared key configured for the WSS network location does not match the one in the firewall/router VPN IPsec configuration profile.

Environment

Web Security Service

Resolution

Make sure that the PSK created in the WSS portal under Connectivity > Locations is the same as the one being used in your Firewall IPSec tunnel configuration.

Type in the password manually, as copying and pasting could inadvertently add a blank space.

Additional Information

The log does not print an error stating that this value is mismatched. Instead, these messages are shown:

Log output from the initiator (Router/Firewall):

[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed

Log output from the responder (WSS):

[ENC] invalid ID_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[WSS]Initiator=xx.xx.xx.xx_IP, message parsing failed, sending PLD_MAL
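
Because no log line names the PSK as the cause, the three-message signature above can be matched programmatically. The following is an added example, not part of the original article or of any WSS tooling: it scans log lines for that signature, reports which side the log came from based on the payload type shown above, and checks a pasted key for stray leading or trailing whitespace. The function names, the `window` parameter and the sample log prefixes are assumptions.

```python
import re

# First line of the signature; the payload type differs per side (per the article).
FIRST = re.compile(r"\[ENC\] invalid (HASH_V1|ID_V1) payload length, decryption failed\?")
FOLLOW = ("[ENC] could not decrypt payloads", "[IKE] message parsing failed")
SIDE = {"HASH_V1": "initiator (router/firewall)", "ID_V1": "responder (WSS)"}


def find_psk_mismatch(lines, window=5):
    """Return one finding per occurrence of the three-line signature.

    The two follow-up messages must appear in order within `window` lines of
    the first, which tolerates interleaved lines from other tunnels.
    """
    findings = []
    for i, line in enumerate(lines):
        m = FIRST.search(line)
        if not m:
            continue
        pos, limit = i, min(len(lines), i + 1 + window)
        for needle in FOLLOW:
            pos = next((j for j in range(pos + 1, limit) if needle in lines[j]), None)
            if pos is None:
                break  # signature incomplete, not reported
        else:
            findings.append({"line": i + 1, "payload": m.group(1), "side": SIDE[m.group(1)]})
    return findings


def has_stray_whitespace(psk):
    """True if a pasted PSK carries leading or trailing whitespace."""
    return psk != psk.strip()


# Constructed sample logs (timestamps, thread prefixes and extra lines are made up).
INITIATOR_LOG = """\
10:00:01 07[IKE] tunnel negotiation started
10:00:02 09[ENC] invalid HASH_V1 payload length, decryption failed?
10:00:02 09[ENC] could not decrypt payloads
10:00:02 09[IKE] message parsing failed
""".splitlines()

RESPONDER_LOG = """\
10:00:02 11[ENC] invalid ID_V1 payload length, decryption failed?
10:00:02 12[NET] unrelated line from another tunnel
10:00:02 11[ENC] could not decrypt payloads
10:00:02 11[IKE] message parsing failed
""".splitlines()

if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG)):
        print(name, find_psk_mismatch(log))
```

A finding indicates a probable PSK mismatch and is a prompt to re-enter the key on both sides, as described under Resolution.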