IKE Main Mode Fails
Hi, Using WFP, I've set up a tunnel policy between a Windows 7 endpoint and a proprietary device, using pre-shared key authentication. After initiating traffic from the Windows side, IKE MM succeeds through the key exchange messages. Then, the Windows endpoint sends an IDENTIFICATION payload containing only 40 bytes of encrypted data. More specifically, there is an ISAKMP header identifying "Identification (5)" as the next payload, but the payload is only 40 bytes of encrypted data. There is no ISAKMP payload header. Since there is no header, the remote endpoint rejects it, sending a NOTIFICATION of "UNEQUAL-PAYLOAD-LENGTHS". Can anyone tell me why Windows is not putting an ISAKMP payload header on the IDENTIFICATION payload? Thanks.
March 14th, 2012 10:48am
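To make the rejection described above concrete, here is an added example (not code from the thread or from Windows) that walks an ISAKMP message the way a strict responder does: it reads the 28-byte fixed header, then follows the chain of 4-byte generic payload headers (next-payload type, reserved, 16-bit length) and reports an UNEQUAL-PAYLOAD-LENGTHS style failure when the chain does not cover the message exactly. The cookies, the ID body bytes and the 40 opaque bytes are constructed for the example; the messages are modelled as they would look after decryption, since a message with the encryption flag set cannot have its payload chain checked until it is decrypted.

```python
import struct

# ISAKMP (RFC 2408) fixed header is 28 bytes; every payload that follows carries a
# 4-byte generic header: next-payload type, reserved, 16-bit payload length.
ISAKMP_HDR_LEN = 28
GENERIC_HDR_LEN = 4
FLAG_ENCRYPTION = 0x01
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY"}


def build_message(payloads, exchange_type=2, flags=0, msg_id=0):
    """Serialise an ISAKMP message from [(payload_type, body_bytes), ...],
    chaining the generic headers correctly: each header names the type of the
    payload after it, the last one names 0. Cookies are constructed placeholders."""
    body = b""
    for idx, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = (b"\x11" * 8 + b"\x22" * 8 +  # constructed initiator/responder cookies
              struct.pack("!BBBBII", first, 0x10, exchange_type, flags, msg_id,
                          ISAKMP_HDR_LEN + len(body)))
    return header + body


def headerless_message(first_type, opaque, exchange_type=2):
    """Constructed reproduction of the complaint: the fixed header announces
    `first_type` as next payload, but the bytes that follow carry no generic
    payload header at all (as the responder would see it after decryption)."""
    header = (b"\x11" * 8 + b"\x22" * 8 +
              struct.pack("!BBBBII", first_type, 0x10, exchange_type, 0, 0,
                          ISAKMP_HDR_LEN + len(opaque)))
    return header + opaque


def validate(raw):
    """Walk the payload chain like a strict responder. Returns (True, [names])
    or (False, reason). Ciphertext (E flag set) cannot be walked, so it is
    reported as not checkable rather than as a length error."""
    if len(raw) < ISAKMP_HDR_LEN:
        return False, "truncated ISAKMP header"
    first, _version, _xchg, flags, _msg_id, length = struct.unpack(
        "!BBBBII", raw[16:ISAKMP_HDR_LEN])
    if length != len(raw):
        return False, (f"UNEQUAL-PAYLOAD-LENGTHS: header says {length} bytes, "
                       f"got {len(raw)}")
    if flags & FLAG_ENCRYPTION:
        return False, "payloads are encrypted; decrypt before walking the chain"
    names, nxt, off = [], first, ISAKMP_HDR_LEN
    while nxt != 0:
        if off + GENERIC_HDR_LEN > len(raw):
            return False, (f"UNEQUAL-PAYLOAD-LENGTHS: no generic header for payload "
                           f"type {nxt} at offset {off}")
        p_next, _reserved, p_len = struct.unpack("!BBH", raw[off:off + GENERIC_HDR_LEN])
        if p_len < GENERIC_HDR_LEN or off + p_len > len(raw):
            return False, (f"UNEQUAL-PAYLOAD-LENGTHS: payload type {nxt} at offset "
                           f"{off} claims {p_len} bytes")
        names.append(PAYLOAD_NAMES.get(nxt, str(nxt)))
        off += p_len
        nxt = p_next
    if off != len(raw):
        return False, (f"UNEQUAL-PAYLOAD-LENGTHS: {len(raw) - off} bytes left after "
                       f"the last payload")
    return True, names


# Constructed sample of a well-formed Main Mode message 5 as seen after decryption:
# an ID payload (ID_IPV4_ADDR, protocol 17, port 0, address 192.0.2.10) then a HASH.
ID_BODY = bytes([1, 17, 0, 0]) + bytes([192, 0, 2, 10])
GOOD_MSG = build_message([(5, ID_BODY), (8, b"\xaa" * 16)])

# Same message with the E flag set: the chain is ciphertext and must not be walked.
ENCRYPTED_MSG = build_message([(5, ID_BODY), (8, b"\xaa" * 16)], flags=FLAG_ENCRYPTION)

# Constructed sample matching the report: "next payload = 5" followed by 40 bytes
# with no generic payload header. The walker reads the first four bytes as a
# header and finds a length that does not fit, which is the rejection observed.
BAD_MSG = headerless_message(5, bytes(range(40)))

if __name__ == "__main__":
    for label, msg in (("good", GOOD_MSG), ("encrypted", ENCRYPTED_MSG), ("bad", BAD_MSG)):
        print(label, validate(msg))
```

The walker deliberately treats the encryption flag as "cannot check" rather than "wrong": in the original report the responder only reached the UNEQUAL-PAYLOAD-LENGTHS decision after decrypting the 40 bytes, so a capture of the encrypted message alone will not show the missing header.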

Hi, Firstly, would you please provide more information about this proprietary device? Per my knowledge, the IPSec Key Exchange (IKE) operation is based on a 2-phase ISAKMP. The 1st phase is a negotiation between the two peers about how to exchange further communication. It creates a security association (SA) for the ISAKMP itself. In my opinion this phase is just negotiating the encryption protocols that the two peers both support (e.g. the encryption algorithm to be used, the hash algorithm, etc.). In the 2nd phase, the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters (the encrypted pre-shared key?) for the real SAs for the AH and ESP protocols would be negotiated. The issue (rejection from the device) seems to happen on the 2nd phase of the ISAKMP; so far we cannot make sure if there is anything incorrect in the packet sent from the Windows device, that's why I also would like to know the details of the proprietary device. Is it convenient for you to perform a network capture via the MS-Network Monitor Tool <http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f> and then copy & paste the information in the packets of the problematic round here? Best regards, Steven Xiao
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 20th, 2012 4:54am

Hi, Is there any update regarding the WFP issue? Just feel free to let me know. Thanks! Best regards, Steven Xiao
March 22nd, 2012 1:12am
