This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)

I am trying to configure ipsec Site-to-site VPN between the Head and branch offices. The Head office is a Sophos UTM SG 210 configured as the responder (Repond-Only), and the branch Firewall is a Sophos XGS configured as the initiator.

The Head office SG210 firewall had three other site-to-site VPN connections all in respond-Only mode to the SG210

After the configuration was established the following error Log kept showing:

NAT-Traversal: Result using RFC 3947: no NAT detected

#37767: next payload type of ISAKMP Identification Payload has an unknown value: 187

#37767: Preshared secret failed to decrypt message. Trying next one.

#37767: next payload type of ISAKMP Identification Payload has an unknown value: 93

#37767: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)

#37767: sending encrypted notification PAYLOAD_MALFORMED to 188.155.89.10:500

#37767: next payload type of ISAKMP Identification Payload has an unknown value: 93

#37767: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)

Please I need help with the solution

This thread was automatically locked due to age.

Top Replies

Vivek Jagad 8 months ago in reply to Izuchukwu Edeh +4 verified

pre-shared key looks good, try something very simple like just numeric only or alphabetic only and ensure to deactive the tunnel completely and then re-initiate it again. You can keep XG on respond only…

0 Erick Jan 8 months ago
Hi Izuchukwu Edeh,

Thank you for reaching out to Sophos Community.

Would you be so kind as to share also the logs from the Sophos Firewall?

Also are the configuration the exact match for both site?

For additional reference, kindly see below

Site to Site VPN issues between UTM and XG firewalls
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago

Hello Izuchukwu Edeh ,

Thank you for reaching out to the community, looks like a policy mismatch, request you to disable data compression, PFS and try again. I'd recommend create a custom policy rather than using any default policy. And may we know firmware version currently active on SG 210 ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Izuchukwu Edeh 8 months ago in reply to Vivek Jagad
Cancel
Vote Up 0 Vote Down

Cancel
0 Izuchukwu Edeh 8 months ago in reply to Izuchukwu Edeh
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago in reply to Izuchukwu Edeh

Hey Izuchukwu Edeh the keylife of phase 1 for UTM 9 is 7800 where as on XG it is set to 3600

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Izuchukwu Edeh 8 months ago in reply to Izuchukwu Edeh

The above pictures are the configurations of the two firewalls. Current firmware version:9.718-5Your firmware is up to date.

The XGS firewall is an Azure NVA.
Cancel
Vote Up 0 Vote Down

Cancel
0 Izuchukwu Edeh 8 months ago in reply to Vivek Jagad

I have set the keylife phase 1 to 7800 and phase 2 to 3600 on both firewalls but I still get the same error

responding to Main Mode from unknown peer 188.xx.xx.10
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: ignoring Vendor ID payload [404bf439522ca3f6]
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: received Vendor ID payload [XAUTH]
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: ignoring Vendor ID payload [da8e937880010000]
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: received Vendor ID payload [Dead Peer Detection]
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: NAT-Traversal: Result using RFC 3947: no NAT detected
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 164
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: Preshared secret failed to decrypt message. Trying next one.
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 160
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: sending encrypted notification PAYLOAD_MALFORMED to xx.xx.59.10:500
2024:01:24-10:16:29 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 160
2024:01:24-10:16:29 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2024:01:24-10:16:29 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: sending encrypted notification PAYLOAD_MALFORMED to xx.xx.59.10:500
2024:01:24-10:16:41 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 160
2024:01:24-10:16:41 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2024:01:24-10:16:41 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: sending encrypted notification PAYLOAD_MALFORMED to xx.xx.59.10:500
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago in reply to Izuchukwu Edeh

Looks like a pre-shared key mismatch now, can you use something simple like alpha numeric...

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Izuchukwu Edeh 8 months ago in reply to Vivek Jagad

I did that already, but there is no change in the error message
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago in reply to Izuchukwu Edeh

As per the logs provided it shows the pre-share key mismatch
malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)

May I know the pre-share key you are using at both ends ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel