DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 3900 IPSec Aggressive Mode

12 Dec 2016 15:36 #1 by adrian1981
Vigor 3900 IPSec Aggressive Mode was created by adrian1981
Hi all,

I am trying to create an IPsec between the Vigor 3900 and a third party router (Westermo). I can get the IPsec to form in main mode but not aggressive.

Has anyone got any ideas why it is not forming, based on these error logs?

Both of the routers that the VPN is being formed between are sitting behind an ISP broadband hub.
Any help would be appreciated.


<141>Dec 12 22:55:34 Vigor: pluto[701]: "WestermoVPN"[1] #6607: sending notification PAYLOAD_MALFORMED to :500
<141>Dec 12 22:55:44 Vigor: pluto[701]: "WestermoVPN"[1] #6606: max number of retransmissions (2) reached STATE_AGGR_R1
<141>Dec 12 22:55:44 Vigor: pluto[701]: "WestermoVPN"[1] #6606: deleting state #6606
<141>Dec 12 22:55:44 Vigor: pluto[701]: "WestermoVPN"[1] #6607: byte 2 of ISAKMP Hash Payload must be zero, but is not
<141>Dec 12 22:55:44 Vigor: pluto[701]: "WestermoVPN"[1] #6607: malformed payload in packet
<141>Dec 12 22:55:44 Vigor: pluto[701]: | payload malformed after IV
<141>Dec 12 22:55:44 Vigor: pluto[701]: | c0 83 a2 21 0e aa c1 f5 fa 82 5d 20 32 ce 72 51
<141>Dec 12 22:55:44 Vigor: pluto[701]: | ef 06 d0 87
<141>Dec 12 22:55:44 Vigor: pluto[701]: "WestermoVPN"[1] #6607: sending notification PAYLOAD_MALFORMED to :500
<141>Dec 12 22:55:54 Vigor: pluto[701]: "WestermoVPN"[1] #6608: Aggressive mode peer ID is ID_FQDN: '@.initiator'
<141>Dec 12 22:55:54 Vigor: pluto[701]: "WestermoVPN"[1] #6608: responding to Aggressive Mode, state #6608, connection "WestermoVPN" from
<141>Dec 12 22:55:54 Vigor: pluto[701]: "WestermoVPN"[1] #6608: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
<141>Dec 12 22:55:54 Vigor: pluto[701]: "WestermoVPN"[1] #6608: Aggressive mode peer ID is ID_FQDN: '@.initiator'
<141>Dec 12 22:55:54 Vigor: pluto[701]: "WestermoVPN"[1] #6608: received Hash Payload does not match computed value
<141>Dec 12 22:55:54 Vigor: pluto[701]: "WestermoVPN"[1] #6608: sending encrypted notification INVALID_HASH_INFORMATION to :500
<141>Dec 12 22:55:54 Vigor: pluto[701]: "WestermoVPN"[1] #6608: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA



Kind Regards
Adrian

15 Dec 2016 09:11 #2 by adrian1981
Replied by adrian1981 on topic Re: Vigor 3900 IPSec Aggressive Mode
Hi all,

Just an update on my progress.

I realized that I had made an error in the remote subnet address.

Now the tunnel is up, I am trying to use it for GRE to carry OSPF. All the config guides show GRE used for load balancing, but I only have one WAN.

Does anyone know why load balancing rules/pools need to be created for GRE to work?

Now the Aggressive IPsec is up and working; as soon as I enable GRE in the GRE tab, the IPsec tunnel drops.

Has anyone seen this or got any ideas on why GRE drops the IPsec tunnel?
Thanks in advance
