IPSec to BR1: Malformed payload


#1

We have a client with a Balance 580 with PepVPN/SpeedFusion being managed by InControl. We need to connect them to another client running a Max BR1. We’ve done this via IPSec before without issue but on this install we keep getting “Malformed payload, please verify the Preshared Key or other settings.” We’ve check the preshared key countless times, deleted everything and started from scratch, compared it to another Balance 580 to BR1 IPSec tunnel and just can’t see what’s wrong. The only thing different with this Balance 580 is that it is setup as High Availability but not sure why that would matter. The BR1 just logs “Initiating Main Mode connection to…” but the Balance gives the 'Malformed payload" error.

The Balance 580 is firmware 7.0.0 build 1904 and the BR1 is 7.0.0 build 2445. I’ve done this several times so I’m at a complete loss on this one. Thanks for any help.

John


#2

Hi @jgranade,

Please open a support ticket to facilitate investigation.

Thank you John.


#3

I figured it out but not sure if it’s a bug or it works different from what I imagined. The only difference on this Balance 580 is it’s an HA pair. Node #1 is .114, #2 is .115, and then the HA Virtual IP is .116. From the BR1, I was trying to connect to the VIP and the 580 gives that Malformed Packet error. If I change the BR1 to go to .114 for the Remote Gateway IP, it connects. But that means (I think) that if there’s a failure on Node #1 and the Slave takes over, our IPSec tunnels would be down.


#4

Just curious why using IPSec instead of PepVPN? This shouldn’t be a problem when using PepVPN.


#5

Glad you asked, I was just about to put this in as a feature request…I don’t think I can use PepVPN because it’s two different clients and 1 uses InControl to manage their PepVPN connections. So if there is a way, that would be great and we could actually use this to promote sells between two clients encouraging both sides to be PepLink. I think we can do it if we manage our PepVPN manually and not through InControl…but for a lot of clients using InControl2 for management is a big selling point. But unless I’m missing something, with InControl2 I can only add endpoints within an organization.

Thanks,

John