VPN tunnel cannot be established / no traffic passes when SHA-384 is configured for data integrity
Symptoms
  • VPN tunnel cannot be established / no traffic passes over the VPN tunnel when SHA-384 is configured for data integrity.

  • IPsec VPN tunnel cannot be established between peers in the following scenario:

    1. SHA-384 is selected for data integrity for IKE Phase 1 (IPSec VPN community properties - "Encryption" pane - in section "Encryption Suite", select "Custom" - click on "Custom Encryption..." button - go to section "IKE Security Association (Phase 1) Properties" - in the field "Perform data integrity with", select "SHA-384")
    2. one peer is R77.20 and lower
    3. the other peer is R77.30 and above (or a 3rd party device)

    The following logs might appear in SmartView Tracker:

    • IKE: Phase1 Received Notification from Peer: payload malformed
    • IKE: Auth exchange: Peer's message is unacceptable


  • IPsec VPN tunnel is established between peers, but no traffic passes over the tunnel in the following scenario:

    1. SHA-384 is selected for data integrity for IKE Phase 2 (IPSec VPN community properties - "Encryption" pane - in section "Encryption Suite", select "Custom" - click on "Custom Encryption..." button - go to section "IPsec Security Association (Phase 2) Properties" - in the field "Perform data integrity with", select "SHA-384")
    2. one peer is R77.20 and lower
    3. the other peer is R77.30 and above (or a 3rd party device)

    The following log might appear in SmartView Tracker:

    • encryption failure: Authentication failure. Sequence Number 1 (Expected 0)
Cause

Starting in R77.30, the HMAC-SHA384 algorithm used by the Security Gateway was updated to conform to RFC 2104.

Security Gateways using different versions of the HMAC-SHA384 algorithm are not able to interoperate.
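As an added illustration (not from this SK article and not Check Point's code), the Python below computes HMAC-SHA384 exactly as RFC 2104 specifies, checks it against the published RFC 4231 test vector, and shows why two peers whose HMAC implementations differ fail the ESP integrity check even though they share the same key. The non-conforming variant used here (padding the key to a 64-byte block instead of SHA-384's 128 bytes) is a hypothetical deviation chosen for the demonstration, not the actual pre-R77.30 behaviour, which the article does not describe.

```python
import hashlib
import hmac

# SHA-384 uses a 1024-bit (128-byte) block; this is the 'B' parameter of RFC 2104.
BLOCK_SIZE_SHA384 = 128

def hmac_sha384_rfc2104(key: bytes, msg: bytes, block_size: int = BLOCK_SIZE_SHA384) -> bytes:
    """HMAC-SHA384 as RFC 2104 defines it: H((K ^ opad) || H((K ^ ipad) || msg))."""
    if len(key) > block_size:          # RFC 2104: keys longer than B are hashed first
        key = hashlib.sha384(key).digest()
    key = key.ljust(block_size, b"\x00")  # then zero-padded to exactly B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha384(ipad + msg).digest()
    return hashlib.sha384(opad + inner).digest()

def stdlib_hmac_sha384(key: bytes, msg: bytes) -> bytes:
    """Reference: Python's hmac module, which implements RFC 2104."""
    return hmac.new(key, msg, hashlib.sha384).digest()

# Hypothetical non-conforming variant (NOT Check Point's actual pre-R77.30 code):
# it pads the key to 64 bytes (SHA-256's block size) instead of SHA-384's 128.
def hmac_sha384_wrong_block(key: bytes, msg: bytes) -> bytes:
    return hmac_sha384_rfc2104(key, msg, block_size=64)

# RFC 4231 test case 1 for HMAC-SHA-384 (key = 20 x 0x0b, data = "Hi There").
RFC4231_TC1_KEY = b"\x0b" * 20
RFC4231_TC1_DATA = b"Hi There"
RFC4231_TC1_MAC = bytes.fromhex(
    "afd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59c"
    "faea9ea9076ede7f4af152e8b2fa9cb6")

def conforms_to_rfc2104(mac_fn) -> bool:
    """True if mac_fn reproduces the published RFC 4231 vector."""
    return hmac.compare_digest(mac_fn(RFC4231_TC1_KEY, RFC4231_TC1_DATA), RFC4231_TC1_MAC)

def icv_verifies(sender_mac, receiver_mac, key: bytes, esp_data: bytes) -> bool:
    """Sender computes the ESP ICV with its HMAC; receiver recomputes with its own.
    A mismatch is the 'Authentication failure' the receiving gateway logs."""
    return hmac.compare_digest(sender_mac(key, esp_data), receiver_mac(key, esp_data))

if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample values
    data = b"constructed ESP payload, seq=1"
    print("RFC 2104 impl passes RFC 4231:", conforms_to_rfc2104(hmac_sha384_rfc2104))
    print("wrong-block impl passes RFC 4231:", conforms_to_rfc2104(hmac_sha384_wrong_block))
    print("same impl on both peers:", icv_verifies(hmac_sha384_rfc2104, hmac_sha384_rfc2104, key, data))
    print("mixed impls:", icv_verifies(hmac_sha384_rfc2104, hmac_sha384_wrong_block, key, data))
```

Running `conforms_to_rfc2104` against a gateway's HMAC output (captured from a test SA) is the quickest way to tell which side of the R77.30 change a peer is on before changing the community's integrity algorithm.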


Solution
Note: To view this solution you need to Sign In.