
malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)

I am trying to configure an IPsec site-to-site VPN between the head and branch offices. The head office is a Sophos UTM SG 210 configured as the responder (Respond-Only), and the branch firewall is a Sophos XGS configured as the initiator.

The head office SG210 firewall had three other site-to-site VPN connections, all in Respond-Only mode to the SG210.

After the configuration was established, the following error log kept showing:

NAT-Traversal: Result using RFC 3947: no NAT detected
#37767: next payload type of ISAKMP Identification Payload has an unknown value: 187
#37767: Preshared secret failed to decrypt message. Trying next one.
#37767: next payload type of ISAKMP Identification Payload has an unknown value: 93
#37767: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
#37767: sending encrypted notification PAYLOAD_MALFORMED to 188.155.89.10:500
#37767: next payload type of ISAKMP Identification Payload has an unknown value: 93
#37767: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
Please, I need help with the solution.


  • Hello,

    Thank you for reaching out to the community. This looks like a policy mismatch; please disable data compression and PFS and try again. I'd recommend creating a custom policy rather than using any default policy. And may we know the firmware version currently active on the SG 210?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hey, the keylife of phase 1 for UTM 9 is 7800, whereas on XG it is set to 3600.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • The above pictures are the configurations of the two firewalls. Current firmware version: 9.718-5. Your firmware is up to date.

    The XGS firewall is an Azure NVA.

  • I have set the keylife of phase 1 to 7800 and phase 2 to 3600 on both firewalls, but I still get the same error:

     responding to Main Mode from unknown peer 188.xx.xx.10
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: ignoring Vendor ID payload [404bf439522ca3f6]
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: received Vendor ID payload [XAUTH]
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: ignoring Vendor ID payload [da8e937880010000]
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: received Vendor ID payload [Dead Peer Detection]
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: NAT-Traversal: Result using RFC 3947: no NAT detected
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.59.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 164
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: Preshared secret failed to decrypt message. Trying next one.
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 160
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
    2024:01:24-10:16:24 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: sending encrypted notification PAYLOAD_MALFORMED to xx.xx.59.10:500
    2024:01:24-10:16:29 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 160
    2024:01:24-10:16:29 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
    2024:01:24-10:16:29 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: sending encrypted notification PAYLOAD_MALFORMED to xx.xx.59.10:500
    2024:01:24-10:16:41 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: next payload type of ISAKMP Identification Payload has an unknown value: 160
    2024:01:24-10:16:41 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
    2024:01:24-10:16:41 fw01-2 pluto[9147]: "S_Azurecloud"[216] 188.xx.xx.10 #38366: sending encrypted notification PAYLOAD_MALFORMED to xx.xx.59.10:500
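
An added example, not part of the thread and not Sophos code: a triage script for pluto log lines in the format quoted above. It groups lines by state number and flags exchanges in which the Identification payload could not be decoded even after the responder tried another stored secret; the sample lines, connection names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the pluto format quoted in the thread (documentation addresses).
SAMPLE = '''\
2024:01:24-10:16:24 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: NAT-Traversal: Result using RFC 3947: no NAT detected
2024:01:24-10:16:24 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: next payload type of ISAKMP Identification Payload has an unknown value: 164
2024:01:24-10:16:24 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: Preshared secret failed to decrypt message. Trying next one.
2024:01:24-10:16:24 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: next payload type of ISAKMP Identification Payload has an unknown value: 160
2024:01:24-10:16:24 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2024:01:24-10:16:24 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: sending encrypted notification PAYLOAD_MALFORMED to 192.0.2.10:500
2024:01:24-10:16:29 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: next payload type of ISAKMP Identification Payload has an unknown value: 160
2024:01:24-10:16:29 fw pluto[1]: "S_Example"[1] 192.0.2.10 #100: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2024:01:24-10:16:30 fw pluto[1]: "S_Other"[2] 198.51.100.7 #101: NAT-Traversal: Result using RFC 3947: no NAT detected
'''

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)')
UNKNOWN = re.compile(r'Identification Payload has an unknown value: (\d+)')

def triage(text):
    """Group pluto lines by state number and summarise ID-payload decode failures."""
    states = defaultdict(lambda: {"conn": None, "peer": None, "garbage": [],
                                  "psk_retries": 0, "malformed": 0})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without the pluto prefix are skipped
        s = states[m["state"]]
        s["conn"], s["peer"] = m["conn"], m["peer"]
        msg = m["msg"]
        if (u := UNKNOWN.search(msg)):
            s["garbage"].append(int(u.group(1)))  # byte read where a payload type was expected
        elif msg.startswith("Preshared secret failed to decrypt"):
            s["psk_retries"] += 1                 # responder moved on to another stored secret
        elif msg.startswith("malformed payload in packet"):
            s["malformed"] += 1
    for s in states.values():
        # Undecodable ID payload plus a final "malformed" verdict: the decrypted
        # bytes were not a valid payload, which is what the log's own hint
        # (mismatch of preshared secrets) describes.
        hit = s["garbage"] and s["malformed"]
        s["verdict"] = "probable-psk-mismatch" if hit else "no-finding"
    return dict(states)

if __name__ == "__main__":
    for sid, s in triage(SAMPLE).items():
        print(sid, s["conn"], s["peer"], s["verdict"], s["garbage"], s["psk_retries"])
```
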