
I'm facing an issue with a site-to-site VPN from Sophos to Palo Alto. Error: calculated HASH does not match HASH payload

Dear Techs,

Kindly help:

I'm facing an issue with a site-to-site VPN from Sophos to Palo Alto.

Error: calculated HASH does not match HASH payload

 

Here is my setup:

sophos==NAT router==Site to site tunnel==Palo alto

We don't have any control on the Palo Alto side.

Detailed Log:

 

2019-10-08 11:31:31 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:31 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:31:39 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:39 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:33:49 16[CFG] rereading secrets
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:33:49 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:38 24[CFG] rereading secrets
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:39:38 25[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:39 15[CFG] vici initiate 'IPSEC_DU-2'
2019-10-08 11:39:39 20[IKE] <IPSEC_DU-1|4> initiating Aggressive Mode IKE_SA IPSEC_DU-1[4] to XX.XX.XX.235.20
2019-10-08 11:39:39 20[ENC] <IPSEC_DU-1|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:39 20[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> received packet: from XX.XX.XX.235.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received XAuth vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received Cisco Unity vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received FRAGMENTATION vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received DPD vendor ID
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (108 bytes)
2019-10-08 11:39:40 21[CFG] vici initiate 'IPSEC_DU-1'
2019-10-08 11:39:40 17[IKE] <IPSEC_DU-1|5> initiating Aggressive Mode IKE_SA IPSEC_DU-1[5] to XX.XX.XX.235.20
2019-10-08 11:39:40 17[ENC] <IPSEC_DU-1|5> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:40 17[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> received packet: from XX.XX.XX.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received XAuth vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received Cisco Unity vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received FRAGMENTATION vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received DPD vendor ID
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> calculated HASH does not match HASH payload
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> generating INFORMATIONAL_V1 request 3750323059 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.20[500] (108 bytes)
201
2019-10-08 11:39:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:51 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (D351871F) from other side
2019-10-08 11:39:58 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:59 31[DMN] [GA

Thanks,

Ranjith



  • Seen similar with PSK mismatch already.

    Try a short, very simple PSK ... temporary.

    Some systems don't understand special characters or cut long keys.

    Dirk

  • Hala Ranjith and welcome to the UTM Community!

    I don't recognize that log format - is that from the Palo Alto device?

    I'm not familiar with the PA device, so you might also need to go to the equivalent community on their site.

    IPsec in the UTM does not accept Aggressive Mode, only Main Mode.  Once you've resolved that, if the connection still doesn't succeed, show us the IPsec log from the UTM:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Dirkkotte/Bob,

    Thanks for your inputs.

    However, now the tunnel is coming up, but after some time (maybe 1, 2 or 3 hours) the tunnel goes down automatically. See the logs below:


    2019-10-24 23:07:40 21[IKE] <DB_05P_TO_DU-1|20> nothing to initiate
    2019-10-24 23:07:40 04[NET] sending packet: from LOCAL IP[500] to REMOTE IP[500]
    2019-10-24 23:07:40 03[NET] received packet: from REMOTE IP[500] to LOCAL IP[500] on Port2_ppp
    2019-10-24 23:07:40 03[NET] waiting for data on sockets
    2019-10-24 23:07:40 11[NET] <DB_05P_TO_DU-1|20> received packet: from REMOTE IP[500] to LOCAL IP[500] (92 bytes)
    2019-10-24 23:07:40 11[ENC] <DB_05P_TO_DU-1|20> parsed INFORMATIONAL_V1 request 3546400854 [ HASH N(DPD_ACK) ]
    2019-10-24 23:07:40 11[IKE] <DB_05P_TO_DU-1|20> activating new tasks
    2019-10-24 23:07:40 11[IKE] <DB_05P_TO_DU-1|20> nothing to initiate
    2019-10-24 23:07:53 03[NET] received packet: from REMOTE IP[500] to LOCAL IP[500] on Port2_ppp
    2019-10-24 23:07:53 03[NET] waiting for data on sockets
    2019-10-24 23:07:53 17[NET] <DB_05P_TO_DU-1|19> received packet: from REMOTE IP[500] to LOCAL IP[500] (92 bytes)
    2019-10-24 23:07:53 17[ENC] <DB_05P_TO_DU-1|19> parsed INFORMATIONAL_V1 request 1335338711 [ HASH D ]
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> received DELETE for IKE_SA DB_05P_TO_DU-1[19]
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> deleting IKE_SA DB_05P_TO_DU-1[19] between LOCAL IP[db05p.tabreed.ae]...REMOTE IP[REMOTE IP]
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> IKE_SA DB_05P_TO_DU-1[19] state change: ESTABLISHED => DELETING
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> Found existing IKE_SA in state ESTABLISHED, skipping reestablishment.
    2019-10-24 23:07:53 17[MGR] <DB_05P_TO_DU-1|19> tried to checkin and delete nonexisting IKE_SA
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|21> IKE_SA DB_05P_TO_DU-1[21] state change: CREATED => DESTROYING
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> IKE_SA DB_05P_TO_DU-1[19] state change: DELETING => DELETING
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [SSO] (get_cfg) [CFG] sso: 0
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [SSO] (sso_invoke_once) SSO is disabled.
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (cop_updown_invoke_once) no user identification is provided!
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (ref_counting) ref_count: 1 to 0 -- down -- (192.168.0.1/32#10.83.180.54/32)
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 2 to 1 -- down -- (LOCAL IP#REMOTE IP)
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] IPtables: 1
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] route: 1
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] vti: 0

    I see that the remote end is sending a delete message:

    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> received DELETE for IKE_SA DB_05P_TO_DU-1[19]

    Any thoughts on the above, why the PA is sending the delete message to disconnect the tunnel? (We don't have any access to the remote peer PA, and it's not easy to get the logs either.)

    I appreciate your inputs.

    Thanks in advance,

    Ranji

  • A new/next problem?

    Do you enable/disable DPD at both sides?

    Do the IPsec Phase 1 / Phase 2 timers match exactly at both sides?

    Dirk
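To make the two failure signatures in this thread (the "calculated HASH does not match HASH payload" after the aggressive-mode response in the first post, and the "received DELETE for IKE_SA" in the later log) easier to read against the DPD timers Dirk asks about, here is a small triage script for strongSwan/charon log lines. It is an added example and not code from the thread, from Sophos or from Palo Alto; the sample log it carries is constructed to mirror the posted lines with placeholder peer names and addresses, and the 30 s / 120 s DPD values are the ones given later in the thread, passed in as parameters.

```python
"""Triage helper for strongSwan (charon) IKEv1 logs like the ones in this thread.

Added example, not code from the thread or from Sophos/Palo Alto. It flags:
  * "calculated HASH does not match HASH payload" right after an AGGRESSIVE
    (or ID_PROT, i.e. main mode) response: Phase 1 authentication failed;
    with PSK authentication the usual cause is a key or peer-ID mismatch;
  * "received DELETE for IKE_SA": the remote peer tore the SA down. The gap
    since the last DPD_ACK on that SA shows whether DPD is in play, and any
    other IKE_SA of the same connection active at that moment hints at a
    rekey that replaced the deleted SA.
"""
import re
from datetime import datetime

# charon line: "<date> <time> <thread>[<subsystem>] [<conn|sa>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[(?P<sub>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)
PHASE1_RE = re.compile(r"parsed (AGGRESSIVE|ID_PROT) response")


def parse_line(line):
    """Return (timestamp, subsystem, conn, sa_id, message), or None for lines that
    are not charon output (blank lines, truncated fragments such as '201')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("sub"), m.group("conn"), m.group("sa"), m.group("msg")


def triage(lines, dpd_interval=30, dpd_retry=120, activity_window=300):
    """Walk the log once; return a list of (timestamp, sa_id, finding) tuples."""
    findings = []
    last_exchange = {}  # sa_id -> last Phase 1 exchange parsed on that SA
    last_dpd_ack = {}   # sa_id -> time of the last DPD_ACK seen on that SA
    last_seen = {}      # (conn, sa_id) -> time of the last message on that SA
    invalid_spi = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _sub, conn, sa, msg = rec
        if sa is not None:
            last_seen[(conn, sa)] = ts
        m = PHASE1_RE.match(msg)
        if m:
            last_exchange[sa] = m.group(1)
        elif "calculated HASH does not match HASH payload" in msg:
            mode = last_exchange.get(sa, "unknown")
            findings.append((ts, sa, f"Phase 1 authentication failed after {mode} exchange: "
                             "check that the pre-shared key and both peer IDs match on the two sides"))
        elif "N(DPD_ACK)" in msg:
            last_dpd_ack[sa] = ts
        elif "received DELETE for IKE_SA" in msg:
            ack = last_dpd_ack.get(sa)
            if ack is None:
                detail = "no DPD_ACK was seen on this SA"
            else:
                gap = int((ts - ack).total_seconds())
                window = dpd_interval + dpd_retry
                detail = (f"last DPD_ACK {gap}s earlier, "
                          + ("inside" if gap < window else "outside")
                          + f" the {window}s DPD window")
            # Other IKE_SAs of the same connection that were active shortly before the delete
            others = sorted(s for (c, s), t in last_seen.items()
                            if c == conn and s != sa and (ts - t).total_seconds() <= activity_window)
            if others:
                detail += (f"; IKE_SA {', '.join(others)} of {conn} was active at the same time, "
                           "so this may be an old SA being dropped after a rekey (check that the "
                           "child SAs moved to the new one)")
            findings.append((ts, sa, "peer-initiated DELETE for IKE_SA: " + detail))
        elif "invalid SPI" in msg:
            invalid_spi += 1
    if invalid_spi:
        findings.append((None, None, f"{invalid_spi} 'invalid SPI' alerts: the peer is still "
                         "sending on SAs this side no longer knows (stale state after a failed "
                         "or torn-down exchange)"))
    return findings


# Constructed sample mirroring the thread's two logs (placeholder names and addresses).
SAMPLE_LOG = """\
2019-10-08 11:39:39 20[IKE] <TUNNEL-1|4> initiating Aggressive Mode IKE_SA TUNNEL-1[4] to 203.0.113.20
2019-10-08 11:39:39 27[ENC] <TUNNEL-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <TUNNEL-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <TUNNEL-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
201
2019-10-24 23:07:40 11[ENC] <TUNNEL-1|20> parsed INFORMATIONAL_V1 request 3546400854 [ HASH N(DPD_ACK) ]
2019-10-24 23:07:53 17[ENC] <TUNNEL-1|19> parsed INFORMATIONAL_V1 request 1335338711 [ HASH D ]
2019-10-24 23:07:53 17[IKE] <TUNNEL-1|19> received DELETE for IKE_SA TUNNEL-1[19]
"""

if __name__ == "__main__":
    for ts, sa, text in triage(SAMPLE_LOG.splitlines()):
        print(f"{ts or '-'}  SA {sa or '-'}: {text}")
```

Run it against a pasted charon log (the XG strongswan.log mentioned later in the thread has this format) and read the findings per IKE_SA: in the posted log the DPD_ACK arrives on SA 20 while the DELETE targets SA 19, which the per-SA tracking surfaces as a second SA being active at the time of the delete.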

  • I like Dirk's suggestion, Ranji - any luck?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Dirk/Bob,

    Same VPN. The tunnel is establishing now but disconnects frequently.

    Yes, DPD is already configured on both ends:

    Interval: 30 sec

    Retry: 120 sec

    Many Thanks,

    Ranji

  • Ranji, please post the IPsec log from the UTM that corresponds to the times of the PA log in your post almost 14 hours ago.

    Also, show us pictures of the Edits of the IPsec Policy in both the UTM and the Palo Alto.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Bob,

    Please note that we could only collect strongswan.log from the Sophos FW, which I forwarded in my last response.

    @PA Ph1 (responder only):

    IKEv1, AES-256, SHA1, group 5, aggressive, keylife 28800 sec, NAT traversal: no

    @PA Ph2:

    SHA1, AES-256, no PFS, keylife 3600 sec

    Note: Sophos has the corresponding settings (initiator).

    Thanks,

    Ranji

  • Ranji, I've been working with IPsec logs from the UTM for almost 15 years and I don't recognize the log you posted as having been generated by a UTM.  Do you have a different Sophos product like Cyberoam or XG Firewall or ???

    I'm a visual-tactile learner and, when solving problems, I need to look at original data, not descriptions of it.  If this is a UTM problem, please post the pictures I requested.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Bob,

    Kindly note the product model: Sophos XG108 firewall with the latest firmware.

    Thanks,

    Ranji